On October 30, the California Privacy Protection Agency (CPPA) announced an investigative sweep to ensure data brokers comply with the Delete Act. Effective January 1, the Delete Act requires parties to register by January 31 of the year after they satisfy the definition of a “data broker,” with non-compliance penalties to include, among other amounts, a $200 per day administrative fine. The CPPA’s Enforcement Division will take action against those data brokers that have failed to comply.
In addition to the registration requirement, the Delete Act requires data brokers to disclose the number of consumer deletion requests, response times to those requests, and whether they collect the personal data of minors, reproductive healthcare data, or precise geolocation data. Data brokers also must provide a link on their websites informing consumers of their rights under the CPPA. The Delete Act charges data brokers an annual fee to fund the registry and to develop the data broker requests and opt-out platform, known as DROP, which will launch in 2026. The CPPA aims to ensure continuous deletion of personal information by data brokers every 45 days.
