California's Delete Act: The $200/Day Fine Data Brokers Can't Ignore

What Is the California Delete Act — And Why Did California Pass It?

California's existing privacy landscape — the California Consumer Privacy Act (CCPA) and its 2023 expansion under the California Privacy Rights Act (CPRA) — already gave consumers broad rights over their personal information, including the right to request deletion from individual businesses. But the CPPA identified a structural gap: when a consumer wanted to exercise their right to deletion against data brokers specifically, they faced a fragmented, burdensome process. A California resident seeking to remove their data from the data broker ecosystem would have to individually contact hundreds of companies, each with their own request portal, verification process, and response timeline.

SB 362 addressed this gap by mandating the CPPA build and operate a centralized "data deletion mechanism" — a single portal through which consumers can submit one deletion request that is then distributed to all registered data brokers simultaneously. Data brokers must honor those requests within 45 days and must delete the consumer's data from their databases as well as from the databases of service providers processing data on their behalf.

The law also introduced a comprehensive registration regime. Every data broker operating in California must register annually with the CPPA, pay a registration fee, and disclose specific information about their data practices — including the categories of personal information they collect, the purposes for which it is used, the length of time it is retained, and whether the broker collects data on minors. This registry is public, creating both transparency for consumers and an audit baseline for regulators.

Who Qualifies as a Data Broker Under California Law?

The definition of "data broker" in the Delete Act mirrors the definition in the California Data Broker Registration Act (Civil Code Section 1798.99.80): a business that knowingly collects and sells or shares the personal information of consumers with whom it does not have a direct relationship. That last clause — "with whom it does not have a direct relationship" — is the operative phrase, and it catches far more companies than leadership teams typically anticipate.

Consider the scope: a company that purchases consumer data from a credit bureau and uses it to enrich prospect records for outbound sales is a data broker. A company that aggregates public records — voter registrations, property records, court filings — and licenses that database to insurance underwriters is a data broker. An analytics firm that collects behavioral data from publisher networks and sells audience segments to advertisers is a data broker. In each case, the defining characteristic is the secondary sale or sharing of personal information about individuals who never had a direct commercial relationship with that company.

The Act carves out certain exemptions. Businesses whose data broker activity is incidental to their primary purpose — for example, a retailer that shares customer data with a contracted fulfillment provider — are not data brokers under this definition. Financial institutions covered by the Gramm-Leach-Bliley Act and covered entities under HIPAA have partial exemptions for data regulated by those federal laws, though not for all data categories they may handle. The CPPA has signaled it will interpret exemptions narrowly, so any company with arguable data broker characteristics should obtain a formal legal opinion before concluding it falls outside the law's scope.

Registration Requirements: What You Had to File — And Still Need to Maintain

The Delete Act's registration requirement was the first enforcement mechanism to take effect, with the initial deadline of January 31, 2024. Data brokers were required to register through the CPPA's online portal and provide a detailed disclosure covering their data practices. The registration is annual — brokers must renew each year and update their disclosures if their practices change materially during the year.

The $200/day non-registration penalty accrues from the day a data broker was required to register and failed to do so. For companies that missed the January 2024 deadline and have still not registered as of 2026, the math is stark: 730 days at $200/day equals $146,000 in accrued penalties before any deletion-related violations are even counted. The CPPA has confirmed it is cross-referencing its new registration database against known data broker operating in the state to identify non-registrants.

The registration fee is tiered based on the volume of consumers whose data the broker processes. Small brokers pay a minimum annual fee; large-scale operations with data on millions of California residents pay substantially more. The fee structure is designed both to fund the CPPA's enforcement operations and to reflect the greater systemic risk posed by high-volume brokers. The CPPA publishes a searchable registry of all registered data brokers — making non-registration a publicly visible compliance failure.

The $200/Day Fine: Mechanics, Exposure Calculations, and How Enforcement Works

The Delete Act's penalty structure is deliberately designed to scale with the volume and duration of non-compliance. The base penalty of $200 per consumer per day applies separately to: (1) failure to register or renew registration with the CPPA, and (2) failure to honor a deletion request submitted through the centralized portal within the required timeframe. These are two independent penalty streams that can run concurrently.

The 45-day response window for deletion requests begins the moment the CPPA's portal transmits the request to the data broker. Extensions of up to 45 additional days are permitted — but only if the broker notifies the consumer and the CPPA within the initial period and provides a specific reason for the extension. Simply failing to respond within 45 days triggers the $200/day clock, which then accrues on a per-request basis until the deletion is completed, the request is resolved through a documented exception, or the CPPA takes enforcement action and imposes a fixed penalty.

The CPPA may investigate compliance proactively — without waiting for a consumer to file a complaint. The agency has authority to access data broker systems, review deletion request logs, and audit the technical implementation of a broker's deletion pipeline. CPPA enforcement staff has stated publicly that the agency intends to conduct random audits of registered brokers beginning in 2026 to verify that the deletion infrastructure is operational and that requests submitted through the portal are being processed correctly.

Unlike many regulatory regimes that offer lengthy cure periods before penalties are imposed, the Delete Act's $200/day penalties accrue automatically from the moment a deadline is missed. Companies cannot retroactively argue they "intended to comply" — the penalty is statutory and accrues regardless of intent. The CPPA does have discretion over whether to pursue enforcement action and can negotiate settlements, but there is no mechanism to zero out accumulated daily penalties once they have begun accruing. This makes proactive compliance far more economical than reactive remediation.

How to Handle Deletion Requests at Scale: The Operational Reality

The centralized portal model creates a fundamentally different operational challenge than handling individual consumer requests through a company-owned intake form. When the CPPA portal distributes a deletion request, data brokers receive a structured data payload they must process automatically at volume. Manual review workflows — the kind that many companies built for initial CCPA compliance — will not scale to the portal's throughput without creating systematic 45-day deadline violations.

The operational requirements for compliant at-scale deletion processing include: an automated API integration with the CPPA portal to receive requests in real time; a reliable identity matching system capable of linking an incoming deletion request to all records associated with the consumer across internal databases and subprocessor systems; a documented deletion workflow with system-level controls ensuring data is removed within the required window; a verification and confirmation system that sends completion acknowledgment back to the CPPA portal; and an audit log maintaining a complete record of every request received, processed, and completed for regulatory review purposes.

The Delete Act and CCPA/CPRA: How the Frameworks Intersect

California's privacy regulatory landscape now involves three overlapping frameworks: the original CCPA, the CPRA amendments that expanded consumer rights and created the CPPA as an independent enforcement agency, and the Delete Act's data-broker-specific obligations. For companies that qualify as data brokers and also have direct consumer relationships — for example, a credit monitoring service that both sells consumer data and offers direct consumer products — all three frameworks apply simultaneously.

The CCPA/CPRA already gave California consumers the right to request deletion from businesses that collect their data directly. The Delete Act adds a parallel deletion channel through the CPPA portal specifically targeting the data broker ecosystem. Importantly, a consumer who submits a deletion request through the centralized portal does not waive their right to submit a separate direct deletion request to the same company under the CCPA/CPRA. Data brokers must be prepared to handle both channels and ensure both sets of obligations are tracked and fulfilled within their respective deadlines.

One significant CPRA interaction affects how data brokers handle opt-out of sale and sharing. Under CPRA, consumers can opt out of the sale or sharing of their personal information with third parties. For data brokers, this opt-out right effectively prevents the core business activity of reselling consumer data to new buyers. While an opt-out does not require deleting existing records the same way a deletion request does, it does require the broker to suppress the consumer from future sale or sharing activity — creating a separate suppression list obligation that must be maintained indefinitely.

The Delete Act and CPRA together create a compliance matrix where data brokers must simultaneously manage deletion requests (removing data), opt-out requests (suppressing data from future sales), and access requests (providing a copy of data). Each right type has its own workflow, deadline, and documentation requirement. Companies that have built these as separate standalone processes risk gaps at the intersections — for example, processing a deletion request without also checking and honoring any existing opt-out preference, or honoring an opt-out without verifying whether a pending deletion request has also been submitted through the portal.

Practical Compliance Steps for Data Brokers in 2026

If your organization is a data broker — or believes it may qualify — the immediate priority is assessing your current registration and operational status against both the registration obligations that have been in effect since January 2024 and the deletion processing obligations that activated January 31, 2026. Below is a structured compliance action plan organized by urgency.

How LowerPlane Supports CCPA and GDPR DSR Management

LowerPlane was built to eliminate the manual, spreadsheet-driven compliance work that creates systematic risk at scale. Our CCPA and GDPR modules provide purpose-built tooling for every stage of the data subject request lifecycle — from intake to fulfillment to audit documentation.

Frequently Asked Questions