California has taken the lead this year with enactment of the nation’s most wide-reaching law (S.B. 362) over data brokers, companies that amass and sell personal information collected from the internet, public records, and other troves of information. Such data sets are often sold to other companies to use for advertising, identity verification, or other purposes.
While other states are exploring creation of their own data broker registries, the Golden State is now a step ahead by mandating the creation of a “delete button” where a consumer can ask to erase all of their data from all brokers in one request.
Privacy advocates praise the new law as a major milestone, but advertising companies and the data-sharing industry said they fear it could dramatically alter their business models. The debate now turns toward the California Privacy Protection Agency, which is in charge of creating this new deletion mechanism.
1. Why was this law created?
In 2019, California was the second state, after Vermont, to pass a law requiring data brokers to register with the state, in response to the 2017
The oversight is undercut if data brokers don’t bother registering with the state. Advocates such as the Privacy Rights Clearinghouse have indicated in the past that the roughly 500 registered data brokers in California would likely be larger if all brokers were registered.
The new law doubles the fine for failing to register to $200 per day to bolster oversight. More importantly, ownership of the registry is transferred from the state attorney general’s office to the California Privacy Protection Agency. The state agency—the only regulatory body in the US solely dedicated to privacy—would have more bandwidth and time to crack down on non-compliant data brokers, bill supporters said.
The registry also was intended for consumers to more easily find a data broker and request to opt out of the selling and sharing of their information. An individual sending requests to each of the 500 registered brokers is not realistic, advocates said, so a one-stop deletion button would grant consumers greater control and ease in exercising their privacy rights.
2. How would implementation work?
Details of the deletion mechanism still need to be worked out by the agency, which host the button on its website by 2026. Ideally, a state resident would be able to go to the page and request all their data be deleted by all registered brokers. The resident could specifically exclude certain brokers or alter a request after 45 days have passed.
To make a request, a consumer would have to submit personal information for their data to be identified. The agency will be tasked with finding a secure way to carry that out, as well as a process for a broker to verify the request. Companies that offer deletion services would also be able to access the agency’s mechanism, though brokers are calling for guidelines around such third-party services.
Beginning August 2026, a broker must access the mechanism once every 45 days and process all their deletion requests. The agency is working on creation of such a process. Potentially, a broker could get a server connection with the agency’s mechanism and sync with their deletion list. Another option: brokers may have to manually examine every request, export data from the agency’s mechanism, and then compare their datasets with it to fulfill the requests.
Audits and reports from the brokers will be required for accountability. Reports will mandate that brokers must include information such as the number of deletion requests denied and the time it takes them to act on deletion requests.
Regulations by the privacy agency will likely address other pressing questions, such as whether data derived from collected information—not just what was collected—would also have to be deleted. For example, a broker could create a dataset of what certain age groups are shopping for products based on collected demographic data or search histories of individuals.
3. What are downstream effects to watch for?
Many business groups opposed the law, saying it would significantly limit the amount of data available to smaller companies to market themselves, or would hamper critical services like identity verification. While the law carves out companies covered specifically under federal credit reporting laws, observers note that companies that indirectly support those sectors may not be covered under federal oversight.
The definition of “data broker” under the California law will likely result in increased broker registrations. At the same time, there could be more consolidation in the industry as smaller companies may not be able to afford the new requirements.
Consumer participation remains another uncertainty. The broker industry may make a concerted effort to educate people on circumstances when it may be harmful to delete all their personal data, such as necessary background checks for job applications.
Despite enactment, the industry may attempt to make further legislative changes to the law. At least one advertising group has suggested it could be amended before 2026, and other observers are watching to see if a lawsuit will be filed against the law.
Read More
Tighter Privacy Rules for Data Brokers Pursued in California
California Data Broker Bill Faces Increased Industry Opposition
Groundbreaking Data Broker Bill Passes California Legislature
California Data Broker Legislation Raises Compliance Concerns
Californians Get Stronger Deletion Rights Against Data Brokers
To contact the reporter on this story:
To contact the editors responsible for this story:
Learn more about Bloomberg Law or Log In to keep reading:
See Breaking News in Context
Bloomberg Law provides trusted coverage of current events enhanced with legal analysis.
Already a subscriber?
Log in to keep reading or access research tools and resources.