What is the California Delete Act?
Senate Bill 362 was signed by Governor Gavin Newsom on October 10, 2023. It is enforced by the California Privacy Protection Agency (CPPA), the same body that oversees the California Consumer Privacy Act.
The centrepiece of the law is a centralised deletion request portal run by the state. A California resident visits the portal once, submits a single deletion request, and that request is sent automatically to every data broker registered with the CPPA. No hunting down individual companies. No sending separate emails. One request covers them all.
On the broker side, the obligations are concrete. Registered data brokers must check the portal at least once every 45 days, delete any records that match an incoming request, and document that they did so. They cannot wait passively for complaints to arrive -- the system requires them to act proactively.
What counts as a data broker under this law?
The Delete Act defines a data broker as a business that knowingly collects and sells personal information about California consumers with whom it has no direct relationship. The defining phrase is "no direct relationship" -- these are companies that gather data about people who have never knowingly interacted with them.
Classic examples include:
- People-search sites that publish home addresses, phone numbers, and family connections
- Background check companies that sell consumer reports to employers or landlords
- Marketing list providers that sell contact databases segmented by age, income, or interests
- Location data aggregators that buy GPS signals from apps and resell them
Businesses that collect data directly from their own customers -- to fulfil orders, run a membership, or power their own service -- are not data brokers under this definition. The relationship exists. The law does not apply.
How is the Delete Act different from the CCPA?
The California Consumer Privacy Act already gave residents the right to request deletion of their data from specific companies. The Delete Act builds on that but solves a different problem.
Under the CCPA, you had to know which company held your data, find their opt-out or deletion link, submit a request, and repeat that for every company separately. For data brokers -- which number in the hundreds -- that process was practically unusable.
The Delete Act changes four things:
- Single portal. One request reaches all registered brokers simultaneously, rather than requiring individual submissions to each company.
- Broker-specific scope. Rather than applying to all businesses, the Delete Act targets data brokers specifically -- the companies most likely to hold data about people who never chose to share it with them.
- Active compliance required. Brokers must check the portal and delete matching records on a regular schedule. They cannot treat deletion as an exception to be handled only when a complaint arrives.
- Forward-looking coverage. A deletion request covers future collection as well as existing records. A broker cannot delete your data today and re-collect it tomorrow without separate legal justification.
What are the penalties for non-compliance?
The CPPA can impose civil penalties of up to $200 per day for each data broker that fails to comply with the law's requirements. That applies to failures to register, failures to check the portal on schedule, and failures to delete matching records.
The CPPA also has audit authority -- it can examine a data broker's records to verify compliance rather than waiting for a resident to file a complaint. The deletion portal was required to be operational by January 1, 2026.
Does the Delete Act affect regular website owners?
For most website owners, the answer is no -- not directly. If you run your own site, collect data from your own visitors and customers, and use that data to run your own service, you are not a data broker. You have a direct relationship with the people whose data you hold.
Where it gets more complicated is if your business model involves selling that data to third parties. If you sell lead lists, share visitor segments with advertisers through cross-site tracking networks, or aggregate consumer profiles and licence them to other companies, you may well qualify as a data broker and face registration and deletion obligations.
For most independent site owners, the practical effect of the Delete Act is indirect: your visitors' data that ended up at people-search sites and marketing list providers can now be removed more easily. That may reduce the amount of personal data circulating about the people who trust your site.
What does this mean for analytics tools?
The Delete Act has real implications for analytics platforms that operate at scale across many sites. Tools that track visitors across unrelated websites, build cross-site profiles, and sell or share that data with advertisers or third parties look a lot like data brokers under this definition. They hold data about people who never chose to interact with them -- only with individual websites that happen to run the tracker.
Analytics tools that collect only first-party, anonymised data -- without cross-site tracking and without selling or sharing visitor data to third parties -- fall outside the data broker definition. TrackTrendy collects anonymised data about your own visitors, stores nothing that can identify an individual, and does not share data with anyone. There is no data to broker because there is no personal data being held.
Choosing that kind of tool is not just a GDPR decision. As laws like the California Delete Act expand the definition of what counts as problematic data handling, sticking to first-party anonymised analytics reduces regulatory exposure across multiple frameworks at once.