United States of America: Implementation of data broker deletion-processing and access obligations under Civil Code Section 1798.99.86(c)–(d), as enacted by Senate Bill 362 (DELETE ACT)

Beginning on 1 August 2026, the deletion-processing and access obligations in Civil Code Section 1798.99.86(c)–(d), as enacted by Senate Bill 362 (DELETE ACT), are required to be implemented by data brokers. These obligations require each data broker to access the accessible deletion mechanism at least once every 45 days and, within 45 days after receiving a request, delete all personal information related to the consumer unless deletion is not required under Section 1798.105(d), Section 1798.145, or Section 1798.146. A data broker must process unverifiable requests as opt-outs of the sale or sharing of personal information, and direct all associated service providers or contractors to delete the relevant information or process unverifiable requests as opt-outs. After a deletion request has been submitted and the consumer’s data has been deleted, the data broker must delete all personal information related to the consumer at least once every 45 days unless an exemption applies, and must not sell or share new personal information of that consumer unless the consumer requests otherwise or such selling or sharing is permitted under Section 1798.145 or Section 1798.146.