1798.99.86.
(a) By January 1, 2026, the California Privacy Protection Agency shall establish an accessible deletion mechanism that does all of the following:
(1) Implements and maintains reasonable security procedures and practices, including, but not limited to, administrative, physical, and technical safeguards appropriate to the nature of the information and the purposes for which the personal information will be used and to protect consumers’ personal information from unauthorized use, disclosure, access, destruction, or modification.
(2) Allows a consumer, through a single verifiable consumer request, to request that every data broker that maintains any personal information delete any personal information related to that consumer held by the data broker or associated service provider or contractor.
(3) Allows a consumer to selectively exclude specific data brokers from a request made under paragraph (2).
(4) Allows a consumer to make a request to alter a previous request made under this subdivision after at least 45 days have passed since the consumer last made a request under this subdivision.
(b) The accessible deletion mechanism established pursuant to subdivision (a) shall meet all of the following requirements:
(1) The accessible deletion mechanism shall allow a consumer to request the deletion of all personal information related to that consumer through a single deletion request.
(2) The accessible deletion mechanism shall permit a consumer to securely submit information in one or more privacy-protecting ways determined by the California Privacy Protection Agency to aid in the deletion request.
(3) The accessible deletion mechanism shall allow data brokers registered with the California Privacy Protection Agency to determine whether an individual has submitted a verifiable consumer request to delete the personal information related to that consumer as described in paragraph (1) and shall not allow the disclosure of any additional personal information when the data broker accesses the accessible deletion mechanism unless otherwise specified in this title.
(4) The accessible deletion mechanism shall allow a consumer to make a request described in paragraph (1) using an internet service operated by the California Privacy Protection Agency.
(5) The accessible deletion mechanism shall not charge a consumer to make a request described in paragraph (1).
(6) The accessible deletion mechanism shall allow a consumer to make a request described in paragraph (1) in any language spoken by any consumer for whom personal information has been collected by data brokers.
(7) The accessible deletion mechanism shall be readily accessible and usable by consumers with disabilities.
(8) The accessible deletion mechanism shall support the ability of a consumer’s authorized agents to aid in the deletion request subject to all of the following requirements:
(A) An authorized agent shall not aid in a deletion request unless the authorized agent is registered with, and certified by, the California Privacy Protection Agency.
(B) Consumer requests made by an authorized agent shall be subject to Section 7063 of Title 11 of the California Code of Regulations.
(C) Data broker processing of requests made by an authorized agent shall be subject to Section 7063 of Title 11 of the California Code of Regulations.
(D) An authorized agent shall ensure that the consumer is reasonably informed about a deletion decision and the rights granted to the consumer under this title.
(E) An authorized agent shall facilitate the consumer’s exercise of any rights granted to the consumer under subdivision (a).
(F) An authorized agent shall not sell, share, or use, or act on behalf of or in concert with an entity that sells, shares, or uses personal information to deliver advertising and marketing services to another business.
(G) An authorized agent shall not charge the consumer a fee, or act on behalf of or in concert with an entity that charges the consumer a fee, to facilitate a deletion request.
(H) If an authorized agent submits a consumer’s email as part of a deletion request, the email address shall allow the data broker to directly contact the consumer without an authorized agent.
(9) The accessible deletion mechanism shall allow the consumer, or their authorized agent, to verify the status of the consumer’s deletion request.
(10) The accessible deletion mechanism shall provide a description of all of the following:
(A) The deletion permitted by this section, including, but not limited to, the actions required by subdivisions (c) and (d).
(B) The process for submitting a deletion request pursuant to this section.
(C) Examples of the types of information that may be deleted.
(11) The accessible deletion mechanism shall include sufficient information for a data broker to directly contact the consumer in a manner that is substantially similar to the manner the consumer used to request the deletion.
(12) The accessible deletion mechanism shall include procedures to authenticate to a high level of certainty the identity of a consumer who submits a deletion request that comply with industry and government best practices and standards for identity verification, assurance, and fraud protection.
(c) (1) Beginning August 1, 2026, a data broker shall access the accessible deletion mechanism established pursuant to subdivision (a) at least once every 45 days and do all of the following:
(A) Within 45 days after receiving a request made pursuant to this section, process all deletion requests made pursuant to this section and delete all personal information related to the consumers making the requests consistent with the requirements of this section.
(B) In cases where a data broker denies a consumer request to delete under this title because the request cannot be verified, process the request as an opt-out of the sale or sharing of the consumer’s personal information, as provided for under Section 1798.120 and limited by Sections 1798.105, 1798.145, and 1798.146.
(C) (B) Direct all service providers or contractors associated with the data broker to delete all personal information in their possession related to the consumers making the requests described in subparagraph (A).
(2) When accessing the accessible deletion mechanism pursuant to the requirements described in paragraph (1), a data broker may do any of the following:
(D) (A) Direct (i) all service providers or contractors associated with the In cases where a data broker denies a consumer request to delete under this title because the request cannot be verified, ask the consumer if the consumer wants the data broker to process a request described by subparagraph (B) as an opt-out the request as an opt out of the sale or sharing of the consumer’s personal information, as provided for under Section 1798.120 and limited by Sections 1798.105, 1798.145, and 1798.146.
(ii) When processing a request pursuant to clause (i), the data broker may ask the consumer for information necessary to complete the request, including, but not limited to, information necessary to identify the consumer.
(iii) When processing a request pursuant to clause (i), the data broker shall direct all service providers or contractors associated with the data broker to process the request in the same manner as the data broker processed the request.
(B) (i) Deny the request if the data broker has a good faith, reasonable, and documented belief that the request is fraudulent.
(ii) If a data broker denies a request pursuant to clause (i), the data broker shall inform the consumer that the data broker will not comply with the request and provide an explanation describing why the data broker believes the request is fraudulent.
(C) Deny the request if the request was submitted through an authorized agent and the agent has not provided the consumer’s signed permission demonstrating that the authorized agent has the authority to act on the consumer’s behalf.
(2) (3) Notwithstanding paragraph (1), a data broker shall not be required to delete a consumer’s personal information if either of the following apply:
(A) It is reasonably necessary for the data broker to maintain the personal information to fulfill a purpose described in subdivision (d) of Section 1798.105.
(B) The deletion is not required pursuant to Section 1798.145 or 1798.146.
(3) (4) Personal information described in paragraph (2) (3) shall only be used for the purposes described in paragraph (2) (3) and shall not be used or disclosed for any other purpose, including, but not limited to, marketing purposes.
(d) (1) Beginning August 1, 2026, after a consumer has submitted a deletion request and a data broker has deleted the consumer’s data pursuant to this section, the data broker shall delete all personal information of the consumer at least once every 45 days pursuant to this section unless the consumer requests otherwise or the deletion is not required pursuant to paragraph (2) (3) of subdivision (c).
(2) Beginning August 1, 2026, after a consumer has submitted a deletion request and a data broker has deleted the consumer’s data pursuant to this section, the data broker shall not sell or share new personal information of the consumer unless the consumer requests otherwise or selling or sharing the personal information is permitted under Section 1798.145 or 1798.146.
(e) (1) Beginning January 1, 2028, and every three years thereafter, a data broker shall undergo an audit by an independent third party to determine compliance with this section.
(2) For an audit completed pursuant to paragraph (1), the data broker shall submit a report resulting from the audit and any related materials to the California Privacy Protection Agency within five business days of a written request from the California Privacy Protection Agency.
(3) A data broker shall maintain the report and materials described in paragraph (2) for at least six years.
(f) (1) The California Privacy Protection Agency may charge an access fee to a data broker when the data broker accesses the accessible deletion mechanism pursuant to subdivision (d) that does not exceed the reasonable costs of providing that access.
(2) A fee collected by the California Privacy Protection Agency pursuant to paragraph (1) shall be deposited in the Data Brokers’ Registry Fund.