Data brokers: data collection and deletion.

Senator Becker anchors this measure by tying the California Privacy Rights Act framework to a broadened, data-broker oversight regime that centers detailed reporting and a consumer-controlled deletion mechanism. The core objective is to increase transparency around data collection by data brokers and to provide a unified, accessible mechanism for individuals to have their personal information deleted across all brokers that hold it.

The bill expands registration obligations for data brokers by requiring a broader set of disclosures at registration and in the agency’s public-facing materials. In addition to the broker’s name and contact points, the measure requires reporting on whether the broker collects specific categories of data, including names, dates of birth, ZIP codes, email addresses, phone numbers, login or account information, various government identifiers, mobile advertising identifiers, connected television or vehicle identification numbers, citizenship data, union membership, sexual orientation, gender identity and expression, biometric data, and precise geolocation, as well as whether the broker collects reproductive health data. It also requires the broker to indicate whether data has been shared or sold to foreign actors, the federal government, other state governments, law enforcement, or developers of GenAI systems, and to identify up to three additional common data categories if the listed items do not apply. The agency’s public-facing page would display registration details for most of these items but would exclude certain sensitive categories from public view.

A robust deletion framework is established: by January 1 of the year after enactment, the agency must implement an accessible deletion mechanism that allows a single verifiable request to delete all personal information held by the broker or its contractors for a given consumer, with options to limit the scope by excluding specific brokers. The mechanism must permit secure, privacy-protecting submission methods, be usable by consumers with disabilities and in multiple languages, and allow authorized agents to assist. It cannot charge a fee to submit deletion requests, must permit status tracking, and must describe the deletion process and examples of deletable data. Beginning August 1, 2026, data brokers must access the mechanism at least every 45 days and, within 45 days of a deletion request, process the deletion or, if verification fails, treat the request as an opt-out of sale or sharing and direct service providers to do likewise. Denied requests may be processed as opt-outs under specified protections, and brokers must direct both themselves and their contractors to implement deletion or opt-out actions accordingly, subject to defined exceptions.

The bill also specifies enforcement and oversight measures: data brokers that fail to register face administrative fines, fees owed for the unregistered period, and the agency’s investigative costs, with penalties deposited into the Data Brokers’ Registry Fund to offset state court and agency costs. Failure to delete as required carries separate penalties, with a per-day fine for each deletion that is not performed and related expenses. Beginning in 2028, the measure requires audits of data brokers by independent third parties on a three-year cycle, with audit reports and materials submitted to the agency within a short window and retained for at least six years. The agency may charge an access fee for using the deletion mechanism, with such fees deposited into the same fund. Finally, the bill clarifies that the public page will not display certain sensitive data, aligning disclosure practices with privacy protections while still advancing transparency.

The authors frame the measure as aligning with and advancing the California Privacy Rights Act of 2020, arguing that expanded disclosures, cross-border sharing information, an auditable compliance regime, and a consumer-centric deletion mechanism collectively strengthen consumer rights and accountability for data brokers. The approach situates these changes within California’s broader privacy enforcement framework, detailing the relationships between data brokers, the agency, service providers, and GenAI developers, and outlining the procedural steps for registration, deletion, and audit as written in the bill.