SACRAMENTO, California. (OIC) Starting in 2026, the rights of Californians to withdraw their data from data brokers – large companies like Google and Meta/Facebook which amass data about users to sell to advertisers, political groups, and others – will be heavily expanded. SB 362, known as the Delete Act, strengthens the existing provisions of the California Consumer Privacy Act (CCPA) to guarantee individuals the ability to delete their data via a centralized state webpage.

Current privacy protections in California are governed by the California Privacy Protection Agency. Under SB 362, by January 1, 2026, it will be required to create a website that allows any resident of California to delete their data from any registered data broker; registration is mandatory for any company who sells consumer data to third parties. By August 1, 2026, all data brokers in the state will have to be compliant.

It is currently possible for users to demand deletion of their data individually from data brokers, as well as from companies with $25 million or more in revenue each year or more than 100,000 users. However, if a user wants to go “off the grid” and delete all their data, it is currently very tedious. Under the new law, a user would be able to – with a few button presses – delete their data from all data brokers across the state.

In a time where the sale of data is one of the driving forces of the technological economy, and the privacy rights of users are encroached upon more and more each day, this legislation is set to significantly help Californians – and, as was seen with the original passage of the CCPA, expand privacy rights around the world. As data brokers will sell to nearly anyone – including law enforcement agencies, the military, and other groups who would otherwise be restricted in the information they can obtain about civilians – these types of protections are critical.

Further, the law requires that the systems for making these deletion requests be incredibly robust. While the “delete all” option is inherently flashy, the system is also required to give residents the right to selectively exclude data brokers. In practice, this will allow people to still make the targeted types of requests the CCPA currently allows for, but without having to search through long privacy policies for contact information, or wait the significant lengths of time companies are allowed to take before deleting data. The system is also guaranteed to be free, accessible, and information-providing; the law requires that the system explain the various types of data that data brokers can have, and what will be deleted.

The provisions are also “set and forget”; while there’s no way for an individual to fully opt-out of having their data collected by data brokers (as scraping is usually passive, and checking every little piece of data prior to assembly is nearly impossible), the law does allow residents to require that their data be deleted once every 45 days. Selling or sharing any data would also be prohibited for everyone who elects to do so.

Lastly, the law creates strong foundations for the future. Starting in 2028, all data brokers in the state – no matter how large or small – will have to go triennial audits by independent third-party agencies, with reports on how they are handling data maintained for six years and filed with the California Privacy Protection Agency. While specific requirements of the audit have not yet been made (other than that the company is following the basics of the law), it is a strong foundation for more privacy-protecting legislation to come.

The Open Information Collective commends the California State Legislature, and the bill’s author Senator Josh Becker, for passing this legislation, and looks forward to future actions by the Legislature in furtherance of the right to privacy. If you need help with the California Consumer Privacy Act, or other privacy laws in California and the rest of the world, contact us; we’re always glad to help people in defending their privacy rights.

By Amy Parker

Founding Member Amy Parker is a computer science student at California State University, Fullerton, and a community advocate for government transparency and LGBTQ+ rights. She uses she/her/hers pronouns. You can contact her at amy@amyip.net or amyipdev@csu.fullerton.edu.

Leave a Reply

Your email address will not be published. Required fields are marked *