1798.99.86.
(a) By January 1, 2026, the California Privacy Protection Agency shall establish an accessible deletion mechanism that does all of the following:(1) Implements and maintains reasonable security procedures and practices, including, but not limited to, administrative, physical, and technical safeguards appropriate to the nature of the information and the purposes for which the personal information will be used and to protect consumers’ personal information from unauthorized use, disclosure, access, destruction, or modification.
(2) Allows a consumer, through a single verifiable consumer request, to request that every data broker that maintains any personal information delete any
personal information related to that consumer held by the data broker or associated service provider or contractor.
(3) Allows a consumer to selectively exclude specific data brokers from a request made under paragraph (2).
(4) Allows a consumer to make a request to alter a previous request made under this subdivision after at least 45 days have passed since the consumer last made a request under this subdivision.
(b) The accessible deletion mechanism established pursuant to subdivision (a) shall meet all of the following requirements:
(1) The accessible deletion mechanism shall allow a consumer to request the deletion of all personal information related to that consumer through a single deletion request.
(2) The accessible deletion mechanism shall permit a consumer to securely submit information in one or more privacy-protecting ways determined by the California Privacy Protection Agency to aid in the deletion request.
(3) The accessible deletion mechanism shall allow data brokers registered with the California Privacy Protection Agency to determine whether an individual has submitted a verifiable consumer request to delete the personal information related to that consumer as described in paragraph (1) and shall not allow the disclosure of any additional personal information when the data broker accesses the accessible deletion mechanism unless otherwise specified in this title.
(4) The accessible deletion mechanism shall allow a consumer to make a request described in paragraph (1) using an internet service operated by
the California Privacy Protection Agency.
(5) The accessible deletion mechanism shall not charge a consumer to make a request described in paragraph (1).
(6) The accessible deletion mechanism shall allow a consumer to make a request described in paragraph (1) in any language spoken by any consumer for whom personal information has been collected by data brokers.
(7) The accessible deletion mechanism shall be readily accessible and usable by consumers with disabilities.
(8) The accessible deletion mechanism shall support the ability of a consumer’s authorized agents to aid in the deletion request.
(9) The accessible deletion mechanism shall allow the consumer, or their authorized agent, to
verify the status of the consumer’s deletion request.
(10) The accessible deletion mechanism shall provide a description of all of the following:
(A) The deletion permitted by this section, including, but not limited to, the actions required by subdivisions (c) and (d).
(B) The process for submitting a deletion request pursuant to this section.
(C) Examples of the types of information that may be deleted.
(c) (1) Beginning August 1, 2026, a data broker shall access the accessible deletion mechanism established pursuant to subdivision (a) at least once every 45 days and do all of the following:
(A) Within 45 days after receiving a request made pursuant to this section, process all deletion requests made pursuant to this section and delete all personal information related to the consumers making the requests consistent with the requirements of this section.
(B) In cases where a data broker denies a consumer request to delete under this title because the request cannot be verified, process the request as an opt-out of the sale or sharing of the consumer’s personal information, as provided for under Section 1798.120 and limited by Sections 1798.105, 1798.145, and 1798.146.
(C) Direct all service providers or contractors associated with the data broker to delete all personal information in their possession related to the consumers making the requests described in subparagraph (A).
(D) Direct all
service providers or contractors associated with the data broker to process a request described by subparagraph (B) as an opt-out of the sale or sharing of the consumer’s personal information, as provided for under Section 1798.120 and limited by Sections 1798.105, 1798.145, and 1798.146.
(2) Notwithstanding paragraph (1), a data broker shall not be required to delete a consumer’s personal information if either of the following apply:
(A) It is reasonably necessary for the data broker to maintain the personal information to fulfill a purpose described in subdivision (d) of Section 1798.105.
(B) The deletion is not required pursuant to Section 1798.145 or 1798.146.
(3) Personal information described in paragraph
(2) shall only be used for the purposes described in paragraph (2) and shall not be used or disclosed for any other purpose, including, but not limited to, marketing purposes.
(d) (1) Beginning August 1, 2026, after a consumer has submitted a deletion request and a data broker has deleted the consumer’s data pursuant to this section, the data broker shall delete all personal information of the consumer at least once every 45 days pursuant to this section unless the consumer requests otherwise or the deletion is not required pursuant to paragraph (2) of subdivision (c).
(2) Beginning August 1, 2026, after a consumer has submitted a deletion request and a data broker has deleted the consumer’s data pursuant to this section, the data broker shall not sell or share new personal information of the consumer unless the consumer requests otherwise or selling or
sharing the personal information is permitted under Section 1798.145 or 1798.146.
(e) (1) Beginning January 1, 2028, and every three years thereafter, a data broker shall undergo an audit by an independent third party to determine compliance with this section.
(2) For an audit completed pursuant to paragraph (1), the data broker shall submit a report resulting from the audit and any related materials to the California Privacy Protection Agency within five business days of a written request from the California Privacy Protection Agency.
(3) A data broker shall maintain the report and materials described in paragraph (2) for at least six years.
(f) (1) The California Privacy Protection Agency may charge an
access fee to a data broker when the data broker accesses the accessible deletion mechanism pursuant to subdivision (d) that does not exceed the reasonable costs of providing that access.
(2) A fee collected by the California Privacy Protection Agency pursuant to paragraph (1) shall be deposited in the Data Brokers’ Registry Fund.