Signed, Sealed, Deleted: A Look At The California Delete Act, Law360
Recently proposed Delete Request and Opt-Out Platform regulations would revise and expand upon the existing data broker registration regulations under the California Delete Act.
This article examines the potential compliance implications of these DROP proposals and existing Delete Act requirements.
Background on the Delete Act and DROP Regulations
In October 2023, California added to its compendium of privacy laws and regulations when the state enacted S.B. 362, or the Delete Act. The Delete Act expands upon California's data broker registration law, which previously required data brokers to register with the state's attorney general.
Under the Delete Act, data brokers are now required to register annually with the California Privacy Protection Agency, disclose additional details regarding their information collection and sharing practices, and submit to independent compliance audits every three years to evaluate their compliance with consumer deletion requests.
Effective December 2024, the CPPA adopted regulations providing additional information about the law's data broker registration requirements.
The Delete Act also requires the CPPA to establish, by Jan. 1, 2026, an "accessible deletion mechanism" that allows a consumer, through a single verifiable request, to convey a request to delete their personal information to all data brokers, or the consumer can elect that the request not be directed to certain data brokers specified by the consumer.
Once the deletion mechanism is established, data brokers in California will be required to honor such deletion requests received through this one-stop option. To that end, on March 7, the CPPA voted to authorize the agency to advance proposed data broker regulations concerning the DROP regulations to formal rulemaking.
The formal public comment period for the proposed DROP regulations is open until June 10.
Are You a Data Broker? Are You Sure?
The Delete Act applies to data brokers, meaning businesses that knowingly collect and sell to third parties the personal information of consumers with whom the business does not have a "direct relationship." The data broker registration regulations define "direct relationship" to mean that "a consumer intentionally interacts with a business for the purpose of obtaining information about, accessing, purchasing, using, or requesting the business's products or services within the preceding three years."
The proposed DROP regulations would revise this definition slightly and specify that "[a] business does not have a 'direct relationship' with a consumer simply because it collects personal information directly from the consumer; the consumer must intend to interact with the business."
Therefore, the data broker registration regulations bring within scope of covered data brokers businesses that collect and sell to third parties the personal information of a consumer that did not intend to interact with the business.
The data broker registration regulations also clarify that "[a] business is still a data broker if it has a direct relationship with a consumer but also sells personal information about the consumer that the business did not collect directly from the consumer."[1]
Notably, the law incorporates the broad definition of "sale" under the California Consumer Privacy Act, which defines sales to include disclosures of personal information to third parties for "monetary or other valuable consideration."
This definition has been interpreted to mean that certain disclosures of personal information in the online advertising context — e.g., for targeted advertising — could be a sale if the business is receiving any sort of benefit from the exchange and the recipient of the data is not strictly processing it as a service provider on behalf of the business.
Importantly, this means that businesses that are not typically thought of as data brokers could come within the scope of the Delete Act. A business could be deemed a data broker if, for example, it uses third parties to augment its customer lists and then onward sells that augmented data for targeted advertising purposes.
Compliance Considerations
The Delete Act, the data broker registration regulations, the proposed DROP regulations and CPPA enforcement make clear that there are certain steps data brokers subject to the law must take to mitigate the risk of noncompliance. These steps include the following.
Scope
As indicated above, businesses must look to the broad definition of data broker in these laws and evaluate critically whether they may be considered a data broker.
Deletion Requests
Once the DROP regulations are finalized, data brokers will not be able to rely on their own deletion request mechanisms alone, if any, to satisfy deletion requirements under California law.
Instead, the Delete Act will require them to visit the accessible deletion mechanism, known as the DROP, at least once every 45 days to review and process new deletion requests. For consumers who previously submitted a deletion request, data brokers will be required to delete those consumers' information at least once every 45 days, and cannot thereafter sell or share those consumers' personal information.
Audits
Effective Jan. 1, 2028, data brokers must undergo an independent audit every three years.
Upon request, data brokers also may be required to submit audit reports and related materials to the CPPA within five business days of such request.
Data brokers must maintain audit reports and related materials for at least six years. Companies that constitute data brokers will need to engage external independent auditors to audit their compliance with consumer deletion requests and could be subject to regulatory scrutiny of those results, underscoring the importance of having a buttoned-up program for complying with the act's deletion requirements from the outset.
Deleting Data: Easy in Theory, Difficult in Practice
Complying with requests submitted through the DROP will raise a number of compliance considerations even for data brokers that have existing deletion processes in place for deletion requests submitted directly from individuals under the CCPA or other state consumer privacy laws.
The first key issue will be matching consumers who have submitted deletion requests through the DROP to information in the data broker's own databases.
Once a data broker accesses a consumer deletion list through the DROP, the proposed DROP regulations would require the data broker to compare the listed consumer identifier information — e.g., email address, phone number, or combination of name, date of birth and ZIP code — with applicable consumer personal information maintained in the data broker's own records.
If there is a match, the data broker would need to delete all personal information associated with the matched identifier, subject to certain limitations.
The proposed DROP regulations specify that if the consumer deletion list includes multiple identifiers:
"the data broker must separately compare each unique category of identifier with the applicable identifiers in its own records. If more than fifty percent (50%) of the unique identifiers match those in the data broker's records, the data broker must delete all personal information associated with that consumer."
As an example, the proposed DROP regulations state that:
"if a data broker compares its records with a consumer deletion list that includes name, date of birth, and zip code, and only finds a match for the name and zip code with a particular consumer record, the data broker must delete that consumer's associated personal information because approximately sixty-seven percent (67%) of the individual identifiers match with the consumer deletion list."
If a data broker associates multiple consumers with a matched identifier from the consumer deletion list, e.g., an email address, the data broker must opt each associated consumer out of the sale or sharing of their personal information.
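The matching rule described above can be sketched in code as follows. This is an added example, not text or code from the proposed regulations or the article: the field names, the normalization step, the sample records, and the reading that a multi-consumer match results in an opt-out rather than a deletion are all assumptions, and the two-identifier case goes beyond the article's own example to show that exactly 50% does not meet the threshold.

```python
# Added example: constructed data; field names and normalization are assumptions.
CATEGORIES = ("email", "phone", "name", "date_of_birth", "zip_code")


def norm(value):
    """Illustrative normalization (assumption): lowercase, collapse whitespace."""
    return " ".join(str(value).lower().split())


def match_counts(request, record):
    """Return (matching categories, categories present in the request)."""
    present = [c for c in CATEGORIES if request.get(c)]
    hits = sum(
        1 for c in present
        if record.get(c) and norm(record[c]) == norm(request[c])
    )
    return hits, len(present)


def decide_actions(request, records):
    """Map record id -> 'delete' or 'opt_out' for one deletion-list entry."""
    matched = []
    for rec in records:
        hits, total = match_counts(request, rec)
        # "More than fifty percent": exactly half does not qualify.
        if total and hits * 2 > total:
            matched.append(rec["id"])
    # Assumption: when several consumers match, each is opted out of
    # sale/sharing rather than deleted.
    action = "delete" if len(matched) == 1 else "opt_out"
    return {rid: action for rid in matched}


RECORDS = [  # constructed sample records
    {"id": "c1", "name": "Ana Diaz", "date_of_birth": "1990-01-02",
     "zip_code": "94105", "email": "family@example.com"},
    {"id": "c2", "name": "Ben Diaz", "date_of_birth": "1988-07-09",
     "zip_code": "94105", "email": "family@example.com"},
]

# Name and ZIP match c1, date of birth does not: 2 of 3 -> delete c1.
REQ_TWO_OF_THREE = {"name": "ana  DIAZ", "date_of_birth": "1991-01-02",
                    "zip_code": "94105"}
# One shared email matches two consumers -> opt both out.
REQ_SHARED_EMAIL = {"email": "Family@Example.com"}
# Only 1 of 2 categories matches: 50% is not "more than" 50%.
REQ_HALF = {"name": "Ana Diaz", "date_of_birth": "1991-01-02"}
```

Using integer arithmetic (`hits * 2 > total`) for the threshold avoids floating-point rounding deciding a borderline case.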
Once a consumer has been matched in the data broker's own records, the second key issue is determining what information to delete. The proposed DROP regulations mandate that a data broker must delete all personal information, including inferences based in whole or in part on personal information collected from third parties or from consumers in a non-"first party" capacity, that is associated with a matched identifier in the data broker's records.
Notably, data brokers do not need to delete personal information collected directly from the consumer when the consumer intended to interact with the business. This helps to mitigate against unintended consequences of submitting a deletion request through the DROP, such as having a consumer's loyalty account deleted.
The Delete Act also incorporates a number of the CCPA's deletion-specific and general exemptions. A data broker does not, for example, need to delete personal information if it is reasonably necessary to maintain the personal information to complete a transaction for which the personal information was collected or otherwise perform a contract between the business and the consumer, help to ensure security and integrity (to the extent the use of the consumer's personal information is reasonably necessary and proportionate for those purposes), or comply with a legal obligation.
Deletion also is not necessary if it would restrict the data broker's ability to exercise or defend legal claims.
In addition to information that may be retained pursuant to an exception, the proposed DROP regulations require data brokers to maintain the minimum personal information to be able to continue to delete the consumer's personal information at least once every 45 days. Practically speaking, this may mean adding consumers who have submitted DROP requests to suppression lists and providing those lists to the data broker's data suppliers to ensure the suppliers do not continue to provide those consumers' personal information.
Finally, in addition to deleting consumers' personal information from a data broker's own systems, the proposed DROP regulations would require data brokers to direct all service providers and contractors to delete all personal information in their possession related to a consumer associated with a matched identifier.
Litigation Outlook: Not So Bright
The Delete Act does not create a private right of action and is instead enforceable administratively by the CPPA. The CPPA has demonstrated considerable interest in enforcement against data brokers, announcing in October 2024 that it was conducting an investigative sweep focusing on enforcing data broker registration requirements under the Delete Act and bringing enforcement actions following that sweep in February 2025.[2]
This approach is consistent with other U.S. state privacy laws that typically favor regulatory enforcement over private litigation. Notably, in May 2024, Vermont's Legislature passed a privacy bill, H. 121, or the Vermont Data Privacy Act, that included a private right of action for violations of certain processing restrictions by data brokers. Vermont's governor vetoed that bill due to significant pushback related to the private right of action, so it ultimately was never enacted.
Other state efforts to enact privacy legislation with a broad private right of action, such as early iterations of a draft privacy bill in Washington state, also historically failed, indicating that a private right of action is not palatable in many cases. California's Delete Act follows this trend by leaving enforcement to the CPPA.
In practice, regulatory enforcement of privacy laws like the Delete Act may allow for clearer guidelines as to compliance, given how courts have struggled in recent years to apply established legal doctrine such as questions of personal jurisdiction in the context of emerging privacy laws.
For example, on April 21, in an en banc decision in Briskin v. Shopify, the U.S. Court of Appeals for the Ninth Circuit reversed a dismissal of claims brought under various California privacy laws on jurisdictional grounds, holding that the defendant technology company was subject to specific personal jurisdiction in California because (1) the company conceded its geolocation technology allowed it to know where the plaintiff's device was located when it installed cookies on that device, and (2) the plaintiff's complaint alleged that the defendant used the data gathered by those cookies to create and sell consumer profiles allegedly in violation of California law.
Courts in other jurisdictions have struggled with personal jurisdiction issues, highlighting the challenges of applying long-standing legal doctrines to rapidly evolving technologies. This may be why California opted to rely on regulatory enforcement of the Delete Act rather than attempting to establish a private right of action.
Looking Beyond California
Businesses may ask themselves whether they should comply with California's Delete Act on a nationwide basis, given the emergence of data broker laws in other states. Specifically, three other states — Oregon, Texas and Vermont — have enacted data broker registration requirements similar to those initially implemented in California.
To date, however, California is the only state to have (1) enacted the universal deletion mechanism requirement and (2) obligated data brokers to adhere to specific deletion requirements with respect to consumer data.
The proposed DROP regulations in California also impose a more onerous scope of applicability by implementing the "intent to interact" requirement for determining whether a consumer and a business have a direct relationship. Accordingly, compliance with California's Delete Act requirements on a national level may result in more onerous, self-imposed obligations than are legally required.
The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.
1. The proposed DROP Regulations would revise this to say that "[a] business is still a data broker and does not have a direct relationship with a consumer as to personal information it sells about the consumer that it collected outside of a 'first party' interaction with the consumer."
2. On February 20, 2025, the CPPA announced that it brought an enforcement action against Jerico Pictures, Inc., a Florida-based data broker doing business under the name National Public Data. The CPPA sought a $46,000 fine against the company for its failure to timely register as a data broker on the Registry. The CPPA alleged that National Public Data registered as a data broker on September 18, 2024, which is 230 days after the January 31, 2024 registration deadline for data brokers that operated in 2023. The CPPA also asserted that National Public Data only registered on the Registry after the CPPA's Enforcement Division contacted the company during an investigation regarding a 2024 data breach that resulted in the exposure of 2.9 billion records, including names and Social Security numbers.
Separately, on February 27, 2025, the CPPA reached a settlement with Background Alert, Inc. ("Background Alert"), a California-based data broker for its failure to timely register on the 2025 Registry. The CPPA alleged that Background Alert created and sold profiles about individuals through the website, backgroundalert.com. In particular, the CPPA alleged that Background Alert collected billions of public records, drew inferences from those records to identify individuals who may be associated with other individuals, and identified patterns to create profiles about consumers. Per the settlement, Background Alert was required to shut down its operations through 2028 or face a $50,000 fine.
