Data Privacy, Datos Personales

California’s Delete Act (SB 362)

Abstract


Enacted in October 2023, California’s Delete Act—Senate Bill 362—creates a centralized deletion mechanism for consumers, administered by the California Privacy Protection Agency (CPPA).

1. Introduction and Legislative Overview

Senate Bill 362 (the Delete Act) was signed into law on October 10, 2023. The Act transfers data-broker registration and enforcement from the Attorney General to the CPPA, effective January 1, 2024, and requires the CPPA to establish an accessible mechanism for data deletion by January 1, 2026.

2. Definitions, Scope, and Exceptions

Under Cal. Civ. Code § 1798.99.80(c), a “data broker” is “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.”

Statutory exclusions include:

  • Businesses subject to the Fair Credit Reporting Act (FCRA),
  • The Gramm–Leach–Bliley Act (GLBA),
  • The Insurance Information and Privacy Protection Act, and
  • Entities or business associates whose processing is exempt under Cal. Civ. Code § 1798.146 (HIPAA-related).

3. Core Provisions of SB 362

3.1. Data Broker Registry & Disclosures

Data brokers must register annually with the CPPA (between Jan 1 and January 31) and pay fees into the Data Brokers’ Registry Fund. They must provide a public-facing link explaining how consumers can exercise rights under the California Privacy Rights Act (CPRA), including delete, correct, access, opt-out, and limit sensitive PI.

3.2. Accessible Deletion Mechanism (“DROP”)

By Jan 1, 2026, the CPPA must create a Delete Requests and Opt-Out Platform (DROP) that lets a consumer send one verified request requiring all registered brokers to delete their PI (subject to statutory exceptions).

The platform must be:

  • Free of charge,
  • Available in languages spoken by affected consumers,
  • Accessible to persons with disabilities,
  • Able to accept authorized-agent requests, and
  • Allow consumers to check the status.

3.3. Broker Compliance Obligations (from Aug 1, 2026)

Brokers must:

  • Access DROP at least every 45 days,
  • Process and complete requests within 45 days,
  • Instruct service providers/contractors accordingly, and
  • After honoring a deletion, delete PI at least every 45 days and refrain from new sales/sharing unless the consumer affirmatively opts in or an exception applies.

Instead of sending deletion reports to CPPA, brokers must compile and publish annual metrics by July 1, display them in their privacy policy, and provide them to CPPA during registration.

3.4. Audits and Enforcement

Starting Jan 1, 2028, brokers must undergo an independent compliance audit every three years. Upon written request, they must provide the report and supporting materials to CPPA within five business days. As of January 1, 2029, registration must disclose whether an audit was conducted and the most recent year for which it was performed.

Noncompliance (failure to register, deletion violations) subjects brokers to administrative fines, fees, and costs imposed by the CPPA.

4. Regulatory Implementation & Technical Considerations

The CPPA published a Notice of Proposed Rulemaking for broker registration on July 5, 2024, and the final regulations took effect Dec 26, 2024. These rules:

  • Define “direct relationship” as a consumer-initiated interaction within the past three years,
  • Clarify that selling PI not collected directly may still make a company a broker.
  • Fix the annual registration period at Jan 1–31,
  • Bar withdrawals after Jan 31, except for fraudulent/erroneous filings, and
  • Define “reproductive health care data.”

DROP rulemaking is ongoing, and CPPA continues to release preparatory materials.

5. Conclusion

SB 362 establishes the first statewide centralized deletion platform in the U.S. By shifting broker oversight to the CPPA, mandating triennial audits, and requiring annual publication of request metrics, the law strengthens transparency and accountability. Its effectiveness will depend on CPPA’s successful deployment of DROP and sustained compliance across the data-broker industry.

References

  1. California Legislative Information. Senate Bill 362 (Delete Act), Bill Text and Legislative Counsel’s Digest.
    https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202320240SB362
  2. California Civil Code §§ 1798.99.80–1798.99.89 (as amended by SB 362).
    https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=3.&chapter=1.5.&part=4.&lawCode=CIV&title=1.81.47
  3. California Privacy Protection Agency. Information for Data Brokers.
    https://cppa.ca.gov/data_brokers/
  4. CPPA. Notice of Proposed Rulemaking – Data Broker Registration (July 5, 2024).
    https://cppa.ca.gov/regulations/pdf/data_broker_npr_20240705.pdf
  5. CPPA. Final Data Broker Registration Regulations (effective Dec 26, 2024).
    https://cppa.ca.gov/regulations/pdf/data_broker_regs_final_20241226.pdf
  6. CPPA. Delete Requests and Opt-Out Platform (DROP) – Public Rulemaking/Project Materials.
    https://cppa.ca.gov/regulations/drop.html
  7. California Department of Finance / CPPA. FY 2024–25 Budget Change Proposal (Data Broker Registry Fund).
    https://esd.dof.ca.gov/trailer-bill/public/trailerBill/pdf/514