Guess the industry lobbying didn’t work.
On September 14 – the final day of the California legislative session – the full state assembly passed the Delete Act. It’s now on its way to Gov. Gavin Newsom’s desk.
If signed into law, the bill, set to take effect in 2026, would give California residents the right to request to have their personal data removed from all state-based data brokers through a single, verifiable consumer request.
Data brokers are defined as any entities that knowingly collect the personal data of people they don’t have a direct relationship with.
The act calls for the California Privacy Protection Agency (CPPA), which is in charge of CCPA and CPRA enforcement, to create a so-called “one-stop shop” website where Californians could place their deletion requests and opt out of all future tracking.
Data brokers would also have to register with the CPPA, disclose the types of personal information they collect and face a $200 fine (per day and per deletion request) for failing to delete information.
We asked the experts: If signed into law in its current form, what does the Delete Act mean for the ad tech industry?
- Sarah Hospelhorn, CMO, BigID
- Gary Kibel, partner, Davis+Gilbert
- Eli Peterson, head of public policy, TransUnion
- Harry Maugans, CEO, Privacy Bee
- Julie Rubash, chief privacy counsel, Sourcepoint
Sarah Hospelhorn, CMO, BigID
Continuing California’s track record of pioneering privacy regulation, the Delete Act may be the first in a series of laws that will effectively amplify to consumers just how frequently their personal data is bought and sold.
Just like the CCPA was a catalyst for US-based privacy regulations, the Delete Act could signify new table stakes for proactive privacy and accelerate the need for companies of all kinds – not just data brokers – to understand the data they collect and have the capability to actually delete specific data relating to individuals.
Gary Kibel, partner, Davis+Gilbert
Data brokers are already handling a greater volume of deletion and opt-out requests. With the passage of the Delete Act, they should expect this volume to skyrocket once the law takes effect.
It’s hard to find an analogous situation where lawmakers have made it easier for consumers not to engage with a business. Perhaps this is like the regulation of the tobacco industry where industry participants need to spend money to encourage consumers not to use their products.
But tobacco is harmful, whereas data brokers provide value by driving free ad-supported services that consumers love.
Eli Peterson, head of public policy, TransUnion
If enacted in its current form, we remain concerned the Delete Act will create disruption, confusion and eliminate choice across the California economy. Consumers are unlikely to understand which data is deleted, nor will it be immediately clear to them what the ramifications of deletion might be.
As written, the Delete Act only applies to third-party brokers, which results in preferential treatment for first-party Big Tech firms. Less competition in this case will mean higher costs which will filter down to the small businesses, nonprofits and even government entities who rely on that data to reach their customers and constituents.
Harry Maugans, CEO, Privacy Bee
California’s DELETE Act is a fantastically flawed attempt at solving a critical problem. The concept of a centralized place that consumers can use to request their data be removed sounds incredible, but there are real world technical challenges that render this act ineffective as it’s written.
For example, in section (b)(2)(B)(i), it claims the data broker is able to collect and retain information if the individual “requested” it, however there’s no clear definition of what a “request” is. From my decade of experience in the ad tech industry, I guarantee most data brokers will interpret it in ways that don’t apply to them. When a consumer visits a partner publisher, they could claim “implied consent” tied to their use of the site via language buried in their privacy policy. That simple loophole would shatter any effectiveness.
Additionally, since the centralized system is built on hashes, any alteration to the data such as a trailing space or capitalization would cause the hash to miss, resulting in no deletions taking place.
This bill is a great effort and the direction in which we need to push. However, as it’s written, it has far too many gaping holes to have any legitimate impact beyond building a false sense of security.
Julie Rubash, chief privacy counsel, Sourcepoint
The most direct impact the Delete Act may have is that implementing yet another mechanism to listen to yet another signal could be costly and time-consuming for data brokers. This may be particularly difficult for smaller data brokers with limited resources, preventing them from dedicating resources to innovation in other areas and further pushing power to larger companies.
The broader impact of the Delete Act will likely depend on how it’s implemented and how popular it is with consumers. If it’s utilized on a large scale, it could impact the ability to reach consumers with relevant advertising and the ability to monetize properties, which in turn could impact the availability of information on the internet to users without paid subscriptions. It could also have the greatest impact on smaller publishers and advertisers, who, without their own internal resources, may lean more heavily on data brokers to reach relevant customers and monetize their properties.
It’s questionable, however, whether a Delete Act mechanism would be utilized by consumers at scale. Consumers, generally speaking, value relevant advertising and personalization. They also value data transparency and choice, but I question whether a central deletion mechanism will give consumers the granular, just-in-time transparency and control they’re looking for.
Answers have been lightly edited and condensed.
