This week, California’s governor signed a first-in-the-nation law that will impose new regulations on data brokers, requiring such entities to delete personal data pursuant to consumer requests. Data brokers specialize in collecting personal data or data about companies, mostly from public records but sometimes sourced privately, and selling or licensing such information to third parties for a variety of uses. S.B. 362   allows California residents the ability to delete all personal data collected by any of the states’ 500 registered data brokers through a “delete button” on the California Privacy Protection Agency’s (CPPA) webpage beginning in 2026. The only other state that requires a data broker registry is Vermont. However, Vermont has not yet implemented or proposed a similar rule.

The goal behind this law is to provide California consumers a simple means to delete their personal data from ALL data brokers instead of having to submit individual requests for deletion. However, industry leaders and advertising groups have voiced their opinion that this law hinders the data sharing economy and harms services like identity verification.

With more than two years before this law goes into effect, industry leaders have plenty of time to voice their concerns with these restrictions. The pending regulations from the CPPA outlining the details of compliance with this law will hopefully clarify who is considered a data broker and the technical requirements for the mechanism to delete consumer data. We will monitor the development of the new regulations.

Photo of Kathryn Rattigan Kathryn Rattigan

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security…

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.