California Delete Act: What You Need to Know for Compliance

The landscape of data privacy is evolving faster than companies can keep up with, and consumers are reaping the benefits of recent regulations.

Still, businesses must do their best to understand current and future legislation, like the recently enacted California Delete Act.

What is the California Delete Act?

Another privacy law to add to the list is The California Delete Act, which represents a significant evolution in data privacy laws, particularly impacting how data brokers handle consumer information. Building on the foundation of the California Consumer Privacy Act (CCPA), this new legislation brings additional responsibilities for businesses, especially data brokers. Understanding these changes is crucial.

The Delete Act mandates data brokers to streamline the process consumers use to request the deletion of their personal information, thereby granting individuals unprecedented control over their digital footprint.

Here are six key aspects of the Delete Act you should know about:

Data broker registration and information disclosure: The Act requires data brokers to register with the California Privacy Protection Agency, pay a registration fee, and provide specified information. This includes metrics related to CCPA requests received, complied with, and denied, as well as the median and mean number of days for substantive responses to these requests.

Accessible deletion mechanism: By January 1, 2026, the California Privacy Protection Agency must establish an accessible deletion mechanism, which allows consumers —through a single verifiable request — to ask every data broker maintaining their personal information to delete it. It also enables consumers to selectively exclude specific data brokers and verify the status of their deletion requests.

Data broker obligations for deletion requests: Starting August 1, 2026, data brokers must access the deletion mechanism at least once every 45 days to process all deletion requests. They must delete the consumer’s personal information and direct their service providers or contractors to do the same. Exceptions are provided for cases where the data is necessary for specific purposes or exempt from deletion.

Regular deletion and restrictions on selling/sharing information: After a consumer’s deletion request is fulfilled, data brokers must delete the consumer’s personal information at least once every 45 days and are prohibited from selling or sharing new personal information of the consumer, with certain exceptions.

Audit requirements: Beginning January 1, 2028, and every three years after that, data brokers must undergo an audit by an independent third party to ensure compliance with these provisions. Audit reports and related materials must be submitted to the California Privacy Protection Agency upon request and maintained for at least six years.

Penalties for non-compliance: Data brokers that fail to comply with the requirements of the accessible deletion mechanism are liable for administrative fines, fees, expenses, and costs. The funds collected are to be used for costs incurred in enforcing these provisions and maintaining the deletion mechanism.

The CCPA and its influence on the Delete Act

The California Consumer Privacy Act (CCPA) set a precedent in the United States for consumer data protection. Introduced in 2018, it was the first major privacy law in the country and has since influenced numerous state-level privacy laws.

The CCPA grants Californian consumers rights relating to access, deletion, and portability of personal data. Businesses must provide detailed disclosures and controls for consumers to opt-out of data ‘sales’. The CCPA’s broad definition of ‘sell’, parental consent requirements for children under 13, and the penalties for non-compliance (which can reach up to $7,500 per intentional violation) underscore the importance of adherence.

How Concentric AI can help with compliance

Concentric AI already plays a crucial role in ensuring organizations comply with CCPA. Our solution helps discover and identify data, monitor and classify data for risk, and remediate data risk issues. Leveraging advanced machine learning technologies for autonomous data scanning and categorization, organizations can understand what personal information they hold and assess the associated risks, ensuring compliance with data deletion requests.

However, handling deletion requests under the California Delete Act and CCPA can be daunting. Concentric AI quickly identifies and categorizes personal data, monitors it for risk, and facilitates efficient response to deletion requests. This goes beyond compliance, enhancing trust and accountability between organizations and consumers.

With Concentric AI, you are in a better position to fulfill deletion requests because:

You understand what data you have: Before you can delete data in response to a consumer request, you need to know what data you have. Identification is the process of locating and recognizing all the data your organization holds. This includes data in various formats and locations, such as databases, cloud storage, email systems, and physical records.

You can classify data by type and sensitivity: Once data is identified, classification helps in categorizing it based on its type and sensitivity. For example, personal data, financial information, health records, and other sensitive data types are classified differently. This classification is crucial because different types of data are subject to different legal and regulatory deletion requirements.

Your deletion can be accurate and compliant: With data properly identified and classified, it becomes much easier to respond accurately to deletion requests. When a request is received, you can quickly locate the specific data related to that individual and understand the legal implications of deleting it.

You can automate the deletion process: Advanced data management systems like Concentric AI use the classification tags to apply predefined rules for handling data. For instance, if a piece of data is tagged as ‘personal information under CCPA’, the system knows it can be subject to deletion requests and processes it accordingly.

You reduce human error: Manual data handling is prone to errors, which can lead to compliance risks. Automated data identification and classification minimize the risk of human error, ensuring that all relevant data is accurately and consistently handled during deletion requests.

You save resources: Manually searching for and processing data for deletion is time-consuming and resource intensive. By automating identification and classification, organizations can respond to deletion requests more efficiently, freeing up valuable resources for other tasks.

Want to see, with your own data, how Concentric AI can help you with privacy compliance? Book a demo today.