The California Delete Act (SB 362) is a state law that provides a one-stop shop deletion mechanism for consumers to direct data brokers to delete their personal information.[1][2][3][4][5][6] The law requires data brokers to register with the California Privacy Protection Agency annually beginning January 2024, process deletion requests submitted through the deletion mechanism beginning August 2026, and undergo an independent audit every three years beginning January 2028.[7][8][9][10][11][12] It was the first law of its kind to be passed in the United States.[13]
The bill has some exceptions, and allows consumers to exclude specific data brokers from the deletion request.[14] It uses the same definition of data brokers as in the California Consumer Privacy Act, applying to companies which made more than $25 million in revenue the previous year, and which “annually buy, sell, or share the personal information of 100,000 or more consumers or households,” or that make more than 50% of their annual revenue from the sale of personal information.[6] Once the request is made, data brokers are required to delete all personal information of the consumer every 45 days, and are banned from sharing or selling new personal information acquired about them.[14] Deletion requests denied because of the data brokers' inability to verify them are required to be processed as opt-outs for the sale and sharing of the consumer's personal information.[14]
History
While the California Consumer Privacy Act of 2018 allows consumers to request that individual businesses delete their data,[15] it is difficult and time-consuming to use, and fully erasing a consumer's digital footprint requires contacting potentially hundreds of companies.[16] The bill, written by Sen. Josh Becker and introduced on 8 February 2023,[17] was intended to simplify the process and make it practical to use.[16][14] It followed some other failed attempts by governments to regulate data brokers, including a failed federal bill in 2022 to allow consumers to delete data in a one-stop shop, and a 2022 California act that would have required registered data brokers to disclose more information to the state.[16] The bill was passed in the context of long-held calls by civil liberties and privacy advocates for heavier regulation of the industry, citing concerns about the lack of transparency in the sharing of consumer data and the use of the data by law enforcement without a need for subpoenas or warrants.[4]
Supporters raised concerns about threats to abortion seekers, undocumented immigrants, and activists; opponents of the bill raised concerns about harms to ad businesses, and the use of the data by law enforcement and academics, as well as by nonprofits in collecting donations.[16] The concept of one-stop deletion of data faces heavy opposition from business groups,[16] and the bill faced heavy lobbying from them in opposition.[14] The Consumer Data Industry Association, a trade association for credit bureaus and background-checking companies, claimed that the bill could undermine consumer fraud protections.[14] The Association of National Advertisers claimed that small businesses and nonprofits would have difficulty finding customers and donors because of purported harm to advertising.[18]
Becker eventually amended the bill to increase the interval at which companies are required to delete consumers' personal data from the original 30 days to 45 days.[14] It was signed by California governor Gavin Newsom on October 10, 2023.[6] Data brokers began registering annually on January 31, 2024.[12] Proposed regulations related to the bill were released by the California Privacy Protection Agency on July 5, 2024, and public comments were considered until August 20, 2024.[19] Data brokers will be required to begin responding to requests for deletion on August 1, 2026, and begin undergoing audits every three years starting January 1, 2028.[12] Beginning January 1, 2029, they must disclose to the California Privacy Protection Agency whether they have undergone an audit and the most recent year in which they submitted a report from the audit to the agency.[12]