California’s Delete Act: What CIOs, CDOs, Businesses Need to Know

California’s Delete Act, a bill that targets data brokers and gives consumers power to have all their personal data deleted upon request, now just needs Gov. Gavin Newsom’s signature before Oct. 14 to become law – but how will the rules impact business outside the Golden State?

The Delete Act would fall under the California Privacy Rights Act (CPRA) and California Data Broker Law and is targeted specifically at data brokers, providing a robust set of guidelines and a registry for such data-collecting businesses. The law would give consumers power to delete information from every data broker registered in the state through a single verifiable request.  

The bill says consumers can delete data by using a website that will be hosted by the California Privacy Protection Agency, which has a 2026 deadline to create the website. In 2026, data brokers registered with the state must process delete requests once a month and undergo third-party audits every three years starting in 2028. Brokers who don’t comply will face daily fines.

California’s law is not the first state law to target data brokers. Vermont, Texas, and Oregon all have laws creating broker registries. Vermont’s law has been in effect since 2019. California’s Data Broker law defines a data broker as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.”

Related:US Data Privacy Relationship Status: It’s Complicated

Impact Outside the Golden State

As the fifth largest economy in the world, California’s business regulations are far-reaching and influential for other states considering similar regulations. For organizations doing business in the state, knowing the laws and requirements will be crucial, experts say.

Chris Pierson, CEO of executive cybersecurity and privacy protection firm BlackCloak, said CIOs, CISOs and others in tech leadership roles need to consider implications -- not just those in the data broker business. “These professionals should be looking at and thinking about the attack surface for key individuals at their companies,” Pierson told InformationWeek in an interview. “How can you remove that information to decrease the attack surface for your executives?”

The second step, he said, “on the creative side, for the CIOs, CISOs, CFO, CTOs, are you utilizing data brokers that may fall under the rule this California law is posing? You have your two years to go ahead and build controls to decrease and limit risks.”

Data privacy efforts have mostly been led on a state level in the U.S., with several states creating their own regulations.

Related:How to Address AI Data Privacy Concerns

While there is a federal data privacy bill, the American Data Privacy Protection Act (ADPPA), the proposal is currently in US Congress limbo and chances for passage are unclear. ADPPA would instruct the Federal Trade Commission (FTC) to create a national registry of data brokers and create a “do not collect” mechanism for individuals to opt out of personal data collection.

At the federal level, the Consumer Financial Protection Bureau said it intends to regulate a broader swath of data brokers by expanding the number of companies subject to the Fair Credit Reporting Act.

Opponents Say Law's Scope Too Broad, Favors Big Businesses

According to Texas-based technology attorney Robert Scott, businesses “get a little bit nervous when government starts to take actions that look like heavy regulatory involvement and a slippery slope. Everybody agrees that data brokers should be regulated, but what’s the next level? Does it expand? Could any political party or group or jurisdiction point this at any various industries?”

The ad industry, data broker lobbying groups, and others have been fighting the bill.

Dan Smith, president and CEO of the Consumer Data Industry Association (CDIA), in a statement called the Delete Act “severely flawed.” The group is calling for a pause before Newsom signs the bill. “The bill undermines consumer fraud protections, hurts small businesses’ ability to compete, and solidifies the big platforms’ data dominance,” Smith said. “That could incentivize a cottage industry of groups to mislead consumers into paying for services they don’t understand.”

Related:FCRA Regulation May Expand to Cover More Data Brokers

Privacy groups, on the other hand, have been supportive of the proposed law.

The Delete Act’s author, California State Senator Josh Becker, stands by the bill, in a press release said its passage “signals that California is taking seriously the need to empower consumers to control their own personal data from unknown third-party data brokers.”

BlackCloak’s Pierson thinks other states will enact similar laws to the Delete Act to rein in data brokers. That, he said, could spark more action at the federal level. “It’s the petri dish experiment -- they’ll say, ‘Let’s go ahead an see if this catches on like wildfire at the state level before we do anything federally.’”