California’s Delete Act Signed Into Law

California Governor Gavin Newsom signed the Delete Act this week. The new law, passed by the legislature last month, revises the California Consumer Privacy Act by making it easier for residents to submit universal requests to registered data brokers for deletion of personal data.

Data Deletion Requests

Under the bill, the California Privacy Protection Agency must develop a system by January 1, 2026 that allows residents to make a single data deletion request to multiple registered data brokers operating in the state, of which there are almost 500. Residents will be able to make any requests, free of charge. Starting on August 1, 2026, the law requires all registered data brokers to access the system at least once every 45 days to 1) review and process new deletion requests and 2) delete any new personal data that has come in about residents who have already submitted relevant deletion requests.

Enhanced Disclosure Requirements

The law will require registered data brokers to disclose more information to the CPPA including whether it collects sensitive information (e.g. geolocation data, children’s data, reproductive health data). They also will be required to submit metrics on how they process consumers requests. Registered brokers also must disclose whether their operations fall under certain state and federal laws including the Federal Credit Reporting Act, the Health Information Portability and Accountability Act, and the California Confidentiality of Medical Information Act.

Audits

Starting January 1, 2028, registered data brokers will be required to undertake an independent external audit every three years to certify their compliance with the law.