This week, California’s governor signed a first-in-the-nation law that will impose new regulations on data brokers, requiring such entities to delete personal data pursuant to consumer requests. Data brokers specialize in collecting personal data or data about companies, mostly from public records but sometimes sourced privately, and selling or licensing such information to third parties for a variety of uses. S.B. 362 allows California residents the ability to delete all personal data collected by any of the states’ 500 registered data brokers through a “delete button” on the California Privacy Protection Agency’s (CPPA) webpage beginning in 2026. The only other state that requires a data broker registry is Vermont. However, Vermont has not yet implemented or proposed a similar rule.
The goal behind this law is to provide California consumers a simple means to delete their personal data from ALL data brokers instead of having to submit individual requests for deletion. However, industry leaders and advertising groups have voiced their opinion that this law hinders the data sharing economy and harms services like identity verification.
With more than two years before this law goes into effect, industry leaders have plenty of time to voice their concerns with these restrictions. The pending regulations from the CPPA outlining the details of compliance with this law will hopefully clarify who is considered a data broker and the technical requirements for the mechanism to delete consumer data. We will monitor the development of the new regulations.