The California Delete Act Explained: Enterprise Obligations Beyond Data Brokers
The California Delete Act Explained: Enterprise Obligations Beyond Data Brokers
When California's Delete Act — formally known as Senate Bill 362 — was signed into law in October 2023, the initial headlines focused on data brokers: businesses that collect and sell personal information about individuals they do not directly interact with. And while the Delete Act does place significant new obligations on registered data brokers, enterprise legal counsel and compliance officers are increasingly recognising that the law's implications extend far beyond that narrow definition. For organisations handling California consumer data at scale, california delete act compliance is becoming a strategic priority — not just a legal technicality.
This guide explains what the California Delete Act requires, how it intersects with existing US and global privacy obligations, and what practical steps enterprises must take to align their data erasure programmes with California's evolving data privacy landscape.
## What Is the California Delete Act (SB 362)?The California Delete Act amends the California Consumer Privacy Act (CCPA) framework and creates a new, centralised mechanism through which California residents can request deletion of their personal information from all registered data brokers in a single interaction. The California Privacy Protection Agency (CPPA) is responsible for developing and operating this centralised deletion platform, which must be operational by January 2026.
Key provisions of the Delete Act include:
- Centralised deletion requests: California residents will be able to submit a single deletion request to the CPPA's platform, which will then distribute that request to all registered data brokers.
- Data broker registration: Any business meeting the definition of a data broker must register with the CPPA annually and pay a registration fee.
- Deletion compliance timelines: Data brokers must process and complete deletion requests received through the platform within 45 days.
- Opt-out of data sales: Consumers can simultaneously request that data brokers stop selling or sharing their personal information.
- Audit requirements: Data brokers must conduct independent audits every three years starting in 2028, verifying their compliance with deletion request processing and data minimisation obligations.
Penalties for non-compliance with the Delete Act can reach $200 per day for each day a data broker fails to process a deletion request, with additional enforcement authority granted to the CPPA under CCPA's existing penalty structure.
## Why Enterprise Organisations Beyond Data Brokers Must Pay AttentionHere is where many enterprise compliance teams make a critical error: assuming that because their organisation is not a data broker, the California Delete Act is irrelevant to their operations. This assumption carries significant legal and operational risk for three reasons.
### Reason 1: The "Data Broker" Definition Is Broader Than You May ThinkUnder California law, a data broker is defined as a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship. Critically, this does not require brokerage to be a core business activity. Organisations that monetise customer data through advertising ecosystems, data licensing arrangements, or data sharing partnerships with affiliates may meet the data broker definition even if they consider themselves primarily a technology company, retailer, or financial services firm.
Legal counsel should conduct a formal assessment of whether your organisation's data sharing and monetisation activities trigger data broker registration obligations under SB 362.
### Reason 2: CPPA's Enforcement Reach Extends to CCPA ObligationsThe California Delete Act builds on the CCPA and CPRA framework, and the CPPA has authority to investigate and enforce the full spectrum of California privacy law. Enterprises subject to CCPA — generally those with annual gross revenues exceeding $25 million, or those collecting data on 100,000 or more California consumers — are already obligated under CCPA's right to deletion provisions. The Delete Act reinforces and operationalises those obligations.
If your organisation has not implemented a technically robust and auditable response to CCPA consumer data erasure obligations, the Delete Act's increased enforcement focus and audit requirements create new exposure.
### Reason 3: The Delete Act Signals California's Direction of TravelCalifornia has consistently been the most aggressive US state in enacting consumer data privacy legislation, and its laws frequently become models for federal proposals and other state-level legislation. The infrastructure created by the CPPA's centralised deletion platform will normalise consumer expectations around rapid, verified, and centrally coordinated data deletion — expectations that will extend to all organisations handling California consumer data, regardless of data broker classification.
## How SB 362 Intersects with CCPA, Article 17, and CPPA ObligationsCalifornia delete act compliance does not exist in isolation. For most enterprise organisations, SB 362 sits within a broader web of data erasure obligations that includes:
CCPA (as amended by CPRA): Grants California consumers the right to request deletion of their personal information, requires businesses to respond within 45 days (with a 45-day extension available), and mandates that deletion requests are communicated to service providers and contractors who have received that data.
GDPR Article 17 — Right to Erasure (Right to be Forgotten): EU enterprises or those serving EU residents face parallel deletion obligations under GDPR, requiring erasure without undue delay when one of Article 17's specified grounds applies. Notably, GDPR's Right to Erasure applies to data held on all media — including backup systems, archived storage, and decommissioned hardware.
CPPA Regulations: The CPPA has issued and continues to develop regulations under CPRA that impose additional requirements around deletion verification, service provider contracts, and auditing. Organisations should monitor CPPA rulemaking as regulations directly affecting the centralised deletion platform continue to evolve through 2025 and 2026.
For multinational enterprises subject to both GDPR and CCPA/Delete Act, maintaining separate compliance programmes for each regulation is operationally unsustainable. A unified data erasure framework that satisfies both GDPR Article 17 and California consumer data erasure obligations — across all data formats, storage media, and business processes — is both more efficient and more defensible.
## Enterprise Data Erasure Obligations Under the Delete Act: A Practical BreakdownWhether your organisation is a registered data broker or a broader enterprise subject to CCPA obligations, the following areas require active compliance attention:
### 1. Responding to Consumer Deletion RequestsWhen a California consumer submits a deletion request — whether directly to your organisation or through the CPPA's centralised platform — you must:
- Verify the consumer's identity
- Identify all instances of that consumer's personal information across your systems
- Delete the data from your active systems, backup systems, and any media on which it is stored
- Instruct all service providers, contractors, and data partners who have received that data to delete it
- Confirm deletion to the consumer within the required timeframe
Step three is where most enterprises face their greatest operational challenge. Personal information is rarely confined to a single database. It exists in structured databases, file systems, email archives, backup tapes, cloud storage volumes, and — critically — on physical hardware that may have been decommissioned or transferred to ITAD partners.
### 2. Data Erasure on Decommissioned HardwareThe Delete Act and CCPA's deletion provisions apply to personal information wherever it is stored. Hardware that is retired, refurbished, or transferred without verified data erasure may retain consumer personal information that remains subject to deletion obligations — including California consumer data erasure obligations — even after the device has left your premises.
's File Eraser and address this risk by enabling targeted file-level and full-disk erasure across active and decommissioned hardware, producing tamper-proof Certificates of Erasure that document which data was erased, by which method, and when. This audit trail directly supports your ability to demonstrate compliance with deletion requests under SB 362.
### 3. Service Provider Contracts and Flow-Down ObligationsCCPA requires that contracts with service providers include provisions requiring those providers to assist with consumer rights requests, including deletion. Under the Delete Act, this obligation extends to your ITAD partners, cloud providers, and any third party that processes California consumer data on your behalf. Your contracts must require these parties to maintain auditable deletion capabilities and to provide evidence of deletion on request.
### 4. Audit ReadinessThe Delete Act's three-year audit requirement for data brokers beginning in 2028 signals that regulators expect documented, independently verifiable evidence of deletion compliance — not simply assertions. Even if your organisation is not a registered data broker, CPPA's broader enforcement authority means that audit readiness is sound risk management.
A certified erasure solution evaluated to Common Criteria EAL 4+ generates the independently verifiable documentation that underpins audit-ready compliance. Common Criteria EAL 4+ certification means the software's security claims have been validated by an independent, accredited testing laboratory — a materially stronger assurance than vendor self-certification.
## Common Compliance Mistakes Enterprises Make With the California Delete ActMistake 1: Assuming "delete" means only database deletion
Deletion under California law means removal from all locations where data is stored, including backup systems and physical media. Database deletion alone is not compliant.
Mistake 2: Failing to operationalise consumer deletion request workflows before the CPPA platform goes live
The centralised CPPA deletion platform will begin directing requests to registered data brokers at scale in 2026. Organisations that have not invested in scalable, documented deletion workflows will face immediate operational pressure.
Mistake 3: Treating California compliance as a separate programme from GDPR
Enterprises operating across both jurisdictions should build a single, unified data erasure capability that satisfies both frameworks — reducing cost, complexity, and the risk of inconsistent implementation.
Mistake 4: Overlooking consumer data on decommissioned or transferred devices
Hardware that leaves your organisation without verified erasure remains a source of potential non-compliance. A documented ITAD process with certified erasure is essential.
Mistake 5: Neglecting to update service provider agreements
Post-CPRA, CCPA-compliant service provider contracts must include specific deletion assistance provisions. Review and update all relevant agreements with ITAD partners, cloud providers, and data processors.
1. Conduct a data broker classification review. Engage legal counsel to determine whether your organisation's data activities trigger SB 362 registration obligations.
2. Map all personal data storage locations. Identify every system, application, and physical or virtual media type on which California consumer personal information is stored.
3. Implement scalable deletion request workflows. Build or integrate systems capable of processing deletion requests across all data locations within CCPA's 45-day response window.
4. Deploy certified erasure solutions for hardware and file-level deletion. Ensure file-level and full-disk erasure capabilities cover all active and decommissioned media, with tamper-proof certificate generation.
5. Update service provider and ITAD contracts. Include explicit deletion assistance, certification, and audit cooperation provisions in all relevant third-party agreements.
6. Establish and retain erasure audit records. Maintain Certificates of Erasure and deletion request records consistent with your data retention policy and regulatory obligations.
7. Monitor CPPA rulemaking. The CPPA continues to develop regulations implementing the Delete Act. Assign responsibility for tracking regulatory developments to your compliance team.
The California Delete Act represents a significant maturation of US consumer data privacy law — one that creates direct operational obligations for enterprise organisations well beyond the data broker community. Whether you are subject to SB 362 as a registered data broker, or navigating the broader CCPA deletion obligation landscape as a large enterprise handling California consumer data, a technically robust, auditable, and certified data erasure programme is now a compliance necessity.
D-Secure's Drive Eraser and File Eraser — evaluated to Common Criteria EAL 4+ and producing tamper-proof Certificates of Erasure — provide the certified, enterprise-grade California data privacy and consumer data erasure capabilities your compliance programme requires. To help you structure your approach, download the Compliance Checklist — a practical tool for mapping your current data erasure capabilities against the requirements of SB 362, CCPA, and GDPR Article 17.
No comments yet. Be the first to comment.