United States of America: Implementation of mandatory triennial audit obligations under Civil Code Section 1798.99.86(e), as enacted by Senate Bill 362 (DELETE ACT)
Description
Implementation of mandatory triennial audit obligations under Civil Code Section 1798.99.86(e), as enacted by Senate Bill 362 (DELETE ACT)
Beginning on 1 January 2028, the mandatory audit obligations in Civil Code Section 1798.99.86(e), as enacted by Senate Bill 362 (DELETE ACT), are required to be implemented by data brokers. These obligations require each data broker to undergo an audit by an independent third party to determine compliance with the deletion-mechanism provisions, with the audit requirement recurring every three years thereafter. For each audit, the data broker must submit the audit report and any related materials to the California Privacy Protection Agency within five business days of a written request issued by the agency, and must retain the audit report and materials for at least six years.
Original sourceScope
Policy Area
Data governance
Policy Instrument
Data protection regulation
Regulated Economic Activity
cross-cutting
Implementation Level
national
Government Branch
executive
Government Body
central government
Complete timeline of this policy change
Hide details
2023-02-08
under deliberation
2023-04-10
under deliberation
2023-05-31
under deliberation
2023-09-14
adopted
2023-10-10
adopted
2024-01-01
in grace period
2026-01-01
in force
2026-08-01
in force