The California Delete Act: A Guide for Data Brokers & Buyers

The California Delete Act (Senate Bill 362) gives Californian residents greater control over the information state-registered data brokers hold about them. Since its enactment in 2023, the Delete Act has undergone significant developments that will affect buyers and sellers of personal data alike. 

This article highlights what you should know about the Delete Act as a data broker or a company purchasing personal data from a data broker. 

George Janssen George Janssen heads up the Blancco Technology Group legal department, a position he’s held since 2018. In this role, George is responsible for the day-to-day legal operations of the Blancco group worldwide, including data privacy and compliance. With significant legal experience in international organizations focused on technology and software, George specializes in data privacy and data governance, data classification, intellectual property management and technology partnership.

California’s data privacy landscape 

Anyone who has done business in California in recent years will know that the Delete Act is just one part of a wider framework. 

The California Consumer Privacy Act of 2018 (CCPA) was the state’s first major privacy law. It gave consumers the right to know what personal data businesses collect, the right to delete personal data, the right to opt out of the sale of personal data, and more. 

In 2020, the California Privacy Rights Act (CPRA) amended and expanded the CCPA by making provisions for the correction of personal data as well as placing limits on the use of sensitive personal data. 

2023’s Delete Act builds on the CCPA and the CPRA, specifically targeting data brokers, and making it easier for consumers to opt out of data broker tracking. When a new online platform administered by the California Privacy Protection Agency (CPPA) launches in 2026, the Delete Act will also streamline the right to delete (guaranteed by the CCPA) with a one-stop mechanism for consumers to request the removal of their data from all registered data brokers at once. 

For those unfamiliar with the law, the Delete Act defines a data broker as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” 

While the CPPA oversees data broker registrations and compliance monitoring, the California Attorney General retains general enforcement authority.

Key features of the California Delete Act 

The California Delete Act lays out responsibilities for both brokers and the new California Privacy Protection Agency. 

• All brokers dealing with the personal data of California residents must register annually with the CPPA, disclosing detailed information about the kind of data they collect. Annual registration costs $6,600. Successful application means the data broker is added to the CPPA’s public-facing Data Broker Registry. 

• Data brokers failing to register with the CPPA will be subject to a daily fine  while failure to comply with deletion requests will result in a $200 per day penalty per violation. 

• By January 1, 2026, the CPPA must create a centralized deletion platform, also known as the Data Broker Requests and Opt-out Platform (DROP). This platform will allow consumers to request that any personal information held about them is deleted by all registered data brokers.  

• When DROP is launched, data brokers must check for deletion requests at least every 45 days and process them within 45 days. Once deleted, the data must not be sold or used, but the Act does not explicitly outline retention limits for backup or archived data. 

• Data brokers are required to create a dedicated page on their website explaining how consumers can exercise their privacy rights. 

• By July 1 of each year, data brokers must disclose details related to deletion requests received, their response times, and the percentage of requests granted or denied. 

• Starting January 1, 2028, and every three years thereafter, data brokers must undergo an independent audit to assess compliance and submit audit reports upon the CPPA’s written request. 

These key elements summarize how data brokers must comply, but what are the consequences when they don’t? 

The CPPA’s enforcement actions so far 

On October 30, 2024, the CPPA’s Enforcement Division initiated a public investigation into data brokers’ compliance with the Delete Act’s registration requirements.  

In November 2024, the CPPA announced settlements with two data brokers for failing to register as required. The companies agreed to pay fines of $35,400 and $34,400, respectively, covering violations from February to July 2024. 

As of February 2025, the CPPA has taken action against six data brokers. Notably, a $46,000 fine was sought against Jerico Pictures, Inc. (doing business as National Public Data) for delayed registration and non-payment of the annual fee. 

What the Delete Act means for non-data brokers 

While the Delete Act primarily targets data brokers, it is worth noting its wider business impacts.  

Many companies rely on data brokers so they can conduct business-critical operations such as marketing and risk assessment (e.g., financial companies using so-called “alternative data” to determine credit risk). 

As more consumers submit Delete Act requests, their data will be removed all registered brokers. This will ultimately reduce the pool of available consumer data for businesses. It may also mean that less granular detail is available, with a negative impact on the insights the business is able to draw from reduced datasets. It will become more and more important to consider alternative ways to collect customer insights.

Delete or erase: how can you ensure data is gone forever?  

While the Delete Act mandates that consumer data must not be sold or shared after its removal; it does not explicitly mention which data destruction techniques data brokers should use. 

What the Delete Act really means by “deletion” may be established in the future, but for data brokers who want to stay compliant with the law now, software-based data sanitization is the most efficient, secure choice.  

Simply “deleting” data does not guarantee it has been permanently and completely destroyed, and data may still exist in backups or fragmented storage. 

Deleted data may still be retrievable through forensic methods, posing a potential privacy loophole. Secure erasure techniques, such as NIST 800-88-compliant overwriting, ensure that personal information is irreversibly destroyed. 

How Blancco can help  

Data brokers can use certified data erasure to ensure irreversible data removal and fully comply with the Delete Act. Blancco’s solutions meet NIST 800-88, IEEE 2883, and other stringent standards that support compliance with global data protection regulations, including CCPA and the EU GDPR. 

Blancco offers a suite of solutions to erase data across your entire range of data storage assets, including data in active storage environments. 

Blancco File Eraser: Erase files and folders from desktops, laptops, and servers manually or automatically. 

Blancco LUN Eraser: Erase data in active storage environments while allowing your operating system to remain intact.  

Blancco Virtual Machine Eraser: Automatically destroy no-longer-needed data on VMs and hypervisors.  

Blancco Management Portal: Access reports and certificates and centrally manage users, licenses, and erasures. 

A precedent for changes in privacy regulation?  

As part of the worldwide push towards greater data privacy, the California Delete Act may help to usher in more stringent regulations elsewhere. If more states or countries start to expect similar deletion mechanisms from non-data broker businesses, all companies may need to prioritize data deletion processes in a more streamlined, proactive way. 

For the U.S. specifically, the Delete Act will likely influence future privacy laws at the state or federal level, particularly as discussions around federal privacy legislation like the American Data Privacy Protection Act (ADPPA) continue. With growing public and regulatory scrutiny on data brokers, other states may follow suit with similar regulations. 

Businesses must prepare by reassessing their data collection and retention policies, implementing automated compliance tools, and ensuring that their deletion mechanisms align with regulatory expectations. As enforcement mechanisms become more stringent, companies operating within California—and potentially beyond—must proactively address privacy concerns to avoid costly penalties. 

You may be interested in:

Drive Destruction vs. Data Erasure: Which Data Disposal Method is Most Secure?

How Blancco Helps Organizations Achieve Compliance with NIST SP 800-88

DoD, NIST, or IEEE? Choosing the Most Secure Option from Modern Data Sanitization Standards

Blancco Drive Eraser