California Delete Act (SB-362): What It Means for Your Privacy in 2026
On October 10, 2023, California Governor Gavin Newsom signed the California Delete Act (Senate Bill 362) into law. It is the most significant piece of data broker regulation in the United States — and in 2026, its key provisions are finally going live.
This guide covers what the Delete Act does, how it works, when its deadlines hit, what data brokers are required to do, and where it falls short.
What is the California Delete Act?
The California Delete Act (SB-362) establishes a centralized mechanism — called the DELETE system — that allows California residents to request the deletion of their personal information from all registered data brokers through a single request.
Before the Delete Act, if you wanted your data removed from 200+ people-search sites and data brokers, you had to submit separate opt-out requests to each one. Each broker had its own form, email address, or mail-in process. The Delete Act consolidates this into one submission.
The law builds on the existing California Data Broker Registration Act (SB-1202, 2019), which already required data brokers to register with the California Privacy Protection Agency (CPPA). The Delete Act adds teeth: registered brokers must now actually honor centralized deletion requests.
How the DELETE system works
The DELETE system is an online tool operated by the CPPA. Here is how it works in practice:
-
You submit a single request. A California resident visits the DELETE system portal and submits a deletion request with enough identifying information to be matched against broker databases.
-
The CPPA relays the request. The request is transmitted to all registered data brokers — currently over 500 companies are registered.
-
Brokers must process the deletion. Each registered broker is required to search for and delete the personal information associated with the request within 45 days.
-
Ongoing deletions. Brokers must also process the deletion every 45 days going forward — not just once. This is designed to prevent the common practice of re-adding data after an initial deletion.
Key deadlines and timeline
The Delete Act has a phased rollout:
| Date | Milestone |
|---|---|
| January 1, 2024 | Data broker registration requirements strengthened |
| August 1, 2026 | DELETE system must be fully operational |
| January 1, 2028 | CPPA must implement automated, one-step deletion |
The critical date is August 1, 2026. After that, the DELETE system should be available for consumer use, and registered brokers are legally required to participate.
What data brokers must do under SB-362
The Delete Act imposes several obligations on data brokers operating in California:
Register with the CPPA. Any company that meets the definition of a data broker under California law must register and pay an annual fee. Failure to register carries a $200-per-day fine.
Process DELETE requests. Registered brokers must honor deletion requests submitted through the DELETE system within 45 days.
Re-process regularly. Brokers cannot simply delete data once and re-collect it. They must process ongoing deletions every 45 days for consumers who have submitted requests.
Maintain an accessible opt-out. Brokers must also maintain their own individual opt-out mechanisms — the DELETE system is additive, not a replacement for existing rights.
Pay fees. Brokers must pay registration fees that fund the CPPA's operation of the DELETE system.
What the Delete Act does well
The Delete Act addresses two major pain points that have made data broker removal impractical for most people:
Scale. Instead of submitting 200+ individual requests, you submit one. This is a genuine improvement — the manual process has been the primary barrier to exercising deletion rights.
Re-listing prevention. The 45-day re-processing requirement is specifically designed to prevent the most common complaint about broker removal: that data reappears within weeks or months.
Accountability. By requiring registration and imposing fines, the law creates a paper trail. Brokers that refuse to comply face enforcement action from the CPPA.
Limitations of the Delete Act
No law is a complete solution, and the Delete Act has significant gaps that consumers should understand.
Only covers California-registered brokers
The DELETE system only applies to data brokers that register with the CPPA. While over 500 brokers have registered, industry estimates suggest there are more than 4,000 data broker companies operating in the US. Brokers based outside California, or those that are small enough to evade registration, may not be covered.
Only for California residents
The law applies to California residents. If you live in Texas, Florida, or New York, you cannot use the DELETE system. While some states are developing similar laws, there is no national equivalent.
Enforcement depends on the CPPA
The CPPA has a growing but still limited enforcement budget. Large-scale broker non-compliance would strain the agency's capacity to take action. Consumer Reports noted in a 2024 analysis that state privacy enforcement budgets remain "significantly underfunded relative to the scope of the problem."
Does not cover all data types
Certain categories of data are exempt, including data maintained by consumer reporting agencies subject to the Fair Credit Reporting Act (FCRA), data collected for security or fraud prevention, and data governed by sector-specific laws like HIPAA.
45-day processing window
Brokers have 45 days to process each deletion request. During that window, your data remains live and accessible. For someone facing an immediate privacy threat — domestic violence, stalking, doxxing — 45 days is a long time to wait.
No verification requirement
The Delete Act does not explicitly require brokers to provide proof that data was deleted. You are expected to trust that the broker complied. There is no mandated verification mechanism for consumers to confirm that their data is actually gone.
How Locko.AI goes beyond the Delete Act
The California Delete Act is a meaningful step forward, and Locko.AI supports its goals. But the law has structural limitations that automated enforcement can address:
Coverage beyond California registrants. Locko.AI scans and submits removal requests to 700+ data brokers, including brokers that may not be registered with the CPPA.
Available regardless of residence. You do not need to be a California resident to use Locko.AI. The platform submits requests under whatever legal authority applies — CCPA, state privacy laws, GDPR, or direct opt-out mechanisms.
Verification with evidence. Unlike the DELETE system, Locko.AI does not ask you to trust that deletions happened. The platform captures before-and-after evidence of each removal — screenshots with timestamps that document what was found and whether it was successfully removed.
Faster than 45-day cycles. Locko.AI can initiate removal requests and begin verification within days, not weeks. For urgent privacy situations, speed matters.
Ongoing monitoring. When brokers re-add data — and they do — Locko.AI detects it and automatically re-submits removal requests. This is similar in intent to the Delete Act's re-processing requirement, but happens through active monitoring rather than relying on broker self-compliance.
The Delete Act and services like Locko.AI are complementary. Use the DELETE system because it is your legal right. Use Locko.AI because rights are only as strong as the mechanisms that enforce them.
Frequently asked questions
When can I start using the California DELETE system?
The DELETE system is required to be fully operational by August 1, 2026. The CPPA has been developing the system and may launch earlier, but the legal deadline is August 2026.
Does the California Delete Act apply to me if I do not live in California?
No. The Delete Act provides rights only to California residents. However, you may have similar rights under your own state's privacy law — 19+ states now have consumer privacy statutes. Locko.AI submits requests under the applicable legal framework regardless of your location.
Will the Delete Act actually stop data brokers from selling my data?
The law requires registered brokers to delete your data upon request, but it does not prohibit data brokerage as an industry. Brokers can continue collecting and selling data for people who have not submitted deletion requests. It is a right you must actively exercise — it does not apply automatically.
See how exposed your personal information is across 700+ data broker databases. Locko.AI scans, removes, and verifies — with evidence you can see.
Take back control of your data
Take the privacy risk assessment to see which brokers have your personal information — then let Locko handle the removals automatically.