California Delete Act (SB 362)

The California Delete Act (SB 362) was signed into law on October 10, 2023, and takes effect in stages beginning January 1, 2026. The law significantly expands consumer rights over data held by data brokers by creating a single opt-out mechanism that covers all registered data brokers simultaneously.

What Is the California Delete Act?

The California Delete Act amends the California Data Broker Registration law and creates a centralized deletion mechanism operated by the California Privacy Protection Agency (CPPA). Instead of contacting each data broker individually, California consumers will be able to submit a single deletion request through an online tool administered by the CPPA, which will forward the request to all registered data brokers.

Data brokers that receive a deletion request must retrieve requests at least every 45 days and complete deletion within 90 days of retrieval. Data brokers must also suppress future collection of the consumer's data. Deletion requests must be honored free of charge and without requiring consumers to create an account.

Key Dates

• January 31, 2024: Data brokers must register with the CPPA and pay a registration fee
• January 1, 2026: The CPPA must make the accessible deletion mechanism (called the Data Deletion Request Opt-Out Platform, or DROP) available to consumers
• August 1, 2026: Data brokers must begin processing deletion requests received through the DROP

Who Does the California Delete Act Apply To?

The California Delete Act applies to data brokers — businesses that knowingly collect and sell to third parties the personal information of consumers with whom they do not have a direct relationship. Data brokers must register annually with the CPPA and pay a registration fee. Failure to register carries penalties of $200 per day.

Consumer Rights Under the California Delete Act

California consumers are entitled to:

• Right to delete: submit a single request through the CPPA deletion mechanism to have personal information deleted by all registered data brokers simultaneously
• Right to opt out of future data collection: once a deletion request is submitted, data brokers must suppress future sale or sharing of that consumer's data

Data brokers must retrieve deletion requests from the DROP at least every 45 days and complete deletion within 90 days of retrieval. They must also conduct reviews at least once every 90 days to identify and delete any newly collected data for opted-out consumers.

Enforcement

The California Privacy Protection Agency enforces the California Delete Act. Civil penalties of up to $200 per day for failure to register, and up to $200 per consumer per day for failure to honor deletion requests, may be imposed.

How UniConsent Supports California Delete Act Compliance

UniConsent helps businesses manage their data practices and consumer rights obligations under California's privacy framework:

• Consent management to minimize unnecessary data collection
• Consumer rights request management including deletion workflows
• Integration with data broker compliance processes
• Opt-out preference management

Get started with UniConsent or explore our features.

Other California Privacy Laws

• CCPA: California Consumer Privacy Act, learn more at CCPA
• CPRA: California Privacy Rights Act, learn more at CPRA
• CIPA: California Invasion of Privacy Act, learn more at CIPA

Other US State Privacy Laws

• CPA: Colorado Privacy Act, learn more at CPA
• VCDPA: Virginia Consumer Data Protection Act, learn more at VCDPA
• UCPA: Utah Consumer Privacy Act, learn more at UCPA
• CTDPA: Connecticut Data Protection Act, learn more at CTDPA
• TDPSA: Texas Data Privacy and Security Act, learn more at TDPSA
• DPDPA: Delaware Personal Data Privacy Act, learn more at DPDPA
• NJDPA: New Jersey Data Protection Act, learn more at NJDPA
• FDBR: Florida Digital Bill of Rights, learn more at FDBR

Compare different US State Privacy Laws