The Delete Act: California has already settled with four data brokers
Here’s how to avoid enforcement action
Posted: January 21, 2025
The California Privacy Protection Agency (CPPA) has announced two sets of settlements with a total of four data brokers who allegedly violated California’s Delete Act.
The companies have agreed to pay civil penalties of between $34,000 and $54,200 after they allegedly failed to register with California’s data broker registry.
Here’s a look at what the Delete Act requires and how to avoid being subject to enforcement action by the CPPA.
Are you a data broker?
Under the Delete Act (and California’s other data broker laws) a data broker is a business that knowingly collects and sells to third parties the personal information of California consumers with whom the business does not have a direct relationship.
So, for example, if you’re selling personal information about the users of someone else’s app, you likely meet this definition.
Note that the term “sell” in this context is interpreted broadly, covering not only monetary transactions but also the exchange of personal information for any other “valuable consideration” (which means basically any benefit).
There are exceptions, however, to the extent that your activities are covered by certain other state and federal laws, including:
- The Fair Credit Reporting Act (FCRA)
- The Gramm-Leach-Bliley Act (GLBA)
- The Insurance Information and Privacy Protection Act (IIPPA)
- The Confidentiality of Medical Information Act (CMIA)
- The Health Insurance Portability and Accountability Act (HIPAA)
What the Delete Act requires
The main obligation under the Delete Act is to register with the California Privacy Protection Agency (CPPA) by January 31 each year. You’ll need to pay a registration fee, currently set at $6,600.
When registering, you’ll need to provide some detailed information about your activities, including:
- Metrics on the privacy requests you’ve received from California residents and your responses to those requests
- A declaration of whether you collect the personal information of minors, precise geolocation data, or reproductive health care data.
- A link to a privacy notice on your website that explains how consumers can exercise their privacy rights.
- Information about whether you are regulated by laws listed in the section above (e.g., the FCRA, the GLBA, etc.)
Future Delete Act obligations
Certain other Delete Act obligations will take effect at a later date. For example:
- Complying with requests via the deletion mechanism: By January 1, 2026, you’ll have to comply with the CPPA’s centralized deletion mechanism. This mechanism will allow consumers to request the deletion of their personal information from all registered data brokers.
- Checking the deletion mechanism: From August 1, 2026, you’ll need to access the deletion mechanism at least every 45 days to process consumer deletion requests within 45 days of receipt.
- Ongoing deletion process: After complying with a deletion request, you must continue to delete any new personal information collected from that consumer at least once every 45 days, unless the consumer specifies otherwise.
- Independent audits: From January 1, 2028, you must undergo an independent third-party audit every three years to ensure compliance with the Delete Act.
While the Delete Act’s $200 per day penalties are relatively small, the CPPA—and other authorities such as the Federal Trade Commission (FTC)—have been proactively enforcing privacy and consumer protection laws against data brokers.
As such, the importance of ensuring good data protection practices and complying with privacy law has never been higher.