California’s leading privacy regulations just became stricter. California Governor Gavin Newsom, a Democrat, signed into law the Delete Act, which requires data brokers to delete all information they have collected about an individual at the citizen’s request.
This requirement extends to “all service providers or contractors associated with the data broker” as well. Notably, citizens will not have to file repeated requests. After their first is processed, data brokers will be responsible for deleting all information of a consumer that has submitted a request at least once every 45 days, with only a few exceptions. In addition, once a consumer has filed a request, data brokers will be restricted in their ability to share or sell new personal information on the consumer.
While the 12 states, including California, that have data privacy laws include the right for residents to request deletion of their data, this new bill goes beyond these past protections. Instead of only having information collected directly from the person removed, the new law will require destroying all information gathered about an individual when requested.
The law also gives the California Privacy Protection Agency increased authority to regulate the data broker industry, which will be responsible for writing and implementing the new regulations. Data brokers will also be required to register with the CPPA,PPA which will, in turn, make the registry public. The law is scheduled to take effect on Jan. 1, 2026, giving the agency almost two years to write the rules. Legal challenges could delay the new regulations’ effective date.
Unsurprisingly, California is the first state in the country to pass a law like this with its history of ambitious data privacy legislation. The successful effort will likely inspire copycats elsewhere in the U.S., particularly in other liberal-leaning states. This happened with California’s first data privacy legislation and, more recently, with the state’s climate disclosure laws. The initial bill can often serve as a template for other states’ lawmakers.
Privacy advocates will be wary of efforts by industry members to join the push and pitch legislation that installs some protections but does not go as far as the original bill. This has happened with data privacy legislation, and proponents of tougher regulations for data brokers will be wary of allowing it to occur again. By targeting the states looking to act on data privacy, lobbyists can create an alternative template that other states look to use rather than only following the strict measures first passed. This industry strategy can also limit the downsides of a legislative patchwork of individual states with different rules by coordinating a multistate effort through these industry groups.
Still, when given the choice, most businesses prefer a national standard through Congress rather than the potential array of rules that can happen when issues are left to the states. While there have been federal efforts to pass stronger data privacy legislation for years, an agreement has yet to materialize, nor does it appear likely that there will be a breakthrough soon. One sticking point is the issue of pre-emption, whether the federal requirements should be a minimum or maximum standard.
The irony is that continued success at the state level further complicates the data privacy debate. Signs of success can undercut momentum in Congress by making lawmakers feel that the issue is being handled better by the states. In addition, laws covering new ground, like those out of California, raise the bar for what Congress would have to pass if federal legislation were to be the toughest standard. California’s data broker law has started a new chapter in the conversation on data privacy regulation. It may reignite discussions in Congress, but the states remain the most likely to be able to pass new measures.