Dive Brief:
- California Gov. Gavin Newsom on Tuesday signed the Delete Act into law, which directs the state’s privacy protection agency to create a portal by January 2026 for consumers to have their data deleted by all data brokers in the state if they request it.
- Consumers already have the ability to submit deletion requests, but they have to do it broker-by-broker; the new law enables them to do it in a single request.
- “The Delete Act protects our most sensitive information,” Josh Becker, the state senator who championed the law, said in a statement when the bill was moving through the legislature.
Dive Insight:
The key enforcer is the California Privacy Protection Agency, created as part of the state’s sweeping data privacy law enacted a few years ago, the California Consumer Privacy Act.
Under the new law, the agency is training its enforcement authority on a narrow category of businesses: data brokers. There are about 500 in the state, and by the end of next year they must register with the CPPA to be included in the agency’s database and comply with requests to delete data made by consumers who will use a portal the agency is to create by the beginning of 2026.
By registering with the state, data brokers will be directly linked to the portal and subject to enforcement if they don’t honor consumer requests.
Limited target
Much of the attention on data privacy laws has been on so-called first-party data providers — businesses that operate websites, apps and other consumer-facing ways to provide goods and services to people and also collect and maintain data from those transactions.
Companies use that data to tweak customer offerings and build marketing campaigns around, among other things, and laws like the California Consumer Protection Act require these businesses to tell people how they collect and use their data and provide a way for people to request their data not be used in that way or deleted.
The Delete Act is different; the third-party data brokers it targets have no interaction with the people whose data they collect; instead, these companies collect data through scraping, the use of cookies and end-user licensing agreements in mobile apps, sharing arrangements with first-party businesses that collect data, and also public records. These brokers make money by selling the data to businesses, typically for marketing purposes.
“Brokers operate exclusively by collecting, aggregating, processing and selling data,” John Gilmore, head of research at DeleteMe, told Legal Dive. DeleteMe is in the business of removing people’s information from data brokers for a fee.
Data brokers tend to specialize, with some collecting and selling personal data that’s related to medical history, travel history, consumer purchases or website browsing, among others.
The industry has been going through a number of changes in recent years, driven in part by shifts in how major technology companies like Apple and Google treat data, and this law is just a further blow to it, Gilmore said.
“This doesn’t spell the end of the industry,” he said. “Already, most of the major browsers, like Mozilla Firefox, Chrome, Safari and Internet Explorer, have already started phasing out cookies. So, tracking technology is already being eliminated from web browsing, and phones two years ago started what’s called app tracking transparency. That allows consumers to turn off apps that are collecting information. The writing has been on the wall now for more than five years.”
For these companies, failure to register with the state and comply with deletion requests will expose them to legal liability that includes a daily $200 penalty for each consumer whose data they don’t delete. But for most businesses, including those that use data broker services, the new law creates no liability beyond what they face from other privacy laws, like California’s big consumer privacy law.
“The only people who have to worry about litigation risk from the new law are the 500 companies registered with the state of California,” Gilmore said. “I don’t think third-party companies need to worry all that much about the Delete Act. If they don’t think they need to register, I don’t think companies that rely on data brokers should worry about litigation risk.”
Any hardship it creates to the broader business community will be to companies' ability to use the data in their marketing and for other purposes, but there’s no additional legal exposure.
“The Delete Act is narrow enough and it defines its covered entities enough and it defines compliance narrowly enough that, if you look at the law and say, ‘I’m not covered,’ you probably aren’t,” he said.