California Delete Act SB 362: August 2026 Data Broker Regist

Published May 2, 2026 · by ALGERIATECH Editorial

⚡ Key Takeaways

California’s Delete Act (SB 362) creates a centralized deletion mechanism: California residents submit one request to CPPA and all registered data brokers must honor it within 45 days. August 1, 2026 is the operational deadline for the mechanism — any data broker (entity that sells/licenses personal data of Californians without a direct relationship) not registered by then faces $200/day fines and public non-compliant listing. Three underrecognized data broker categories: AI training data vendors, programmatic advertising DMPs/DSPs, and people-search services. January 2026 CPPA advisory confirmed old registrations don’t transfer — re-registration under SB 362 required. March 2026 advisory confirmed the 45-day window starts when CPPA transmits the request, requiring real-time API monitoring.

Bottom Line: If your company aggregates, enriches, or licenses consumer data that includes California residents — including AI training datasets — run an immediate self-assessment. If you qualify as a data broker, register with CPPA before August 1. The registration is straightforward; the engineering work to build a deletion workflow is the longer pole.

Read Full Analysis ↓

🧭 Decision Radar

Relevance for Algeria
Medium
▾

Any Algerian data analytics company, advertising technology platform, or AI training data vendor that processes California resident data is potentially a data broker under SB 362. Algeria’s active tech community has companies selling data enrichment services, audience targeting data, and consumer analytics — if any of this data touches California residents, the Delete Act registration obligation applies regardless of where the company is incorporated.

Infrastructure Ready?
Partial
▾

Implementing the CPPA API connection and deletion audit trail is a 4-8 week engineering project for a company with clean data architecture. Companies with fragmented or un-governed data stores — common in early-stage data businesses — face longer timelines because deletion requires knowing precisely where every consumer record lives.

Skills Available?
Partial
▾

California privacy law compliance expertise is available through international firms. The technical implementation (API integration with CPPA deletion feed, identity resolution for deletion matching) is standard engineering work available at Algerian software development rates.

Action Timeline
Immediate
▾

August 1 is the hard deadline for the deletion mechanism. Registration has been required since January 1, 2024 — companies that have not yet registered are already in violation.

Key Stakeholders
Data analytics companies, advertising technology platforms, AI training data vendors, marketing data brokers, CTOs, legal counsel, DPOs

Decision Type
Tactical
▾

Compliance with existing California law. The strategic question is whether to continue California-resident data operations or exit that market. Most companies will choose compliance.

Quick Take: Algerian data companies that aggregate, enrich, or license consumer data should run an immediate self-assessment: do any records in your database belong to California residents? If yes, you are a data broker under SB 362 and must register with the CPPA before August 1. The registration process itself is straightforward — the technical work of building a deletion workflow is the longer pole.

What the Delete Act Closes That CCPA Left Open

California’s CCPA (and its successor, CPRA) gave California residents the right to request deletion of their personal data from companies they had a direct relationship with. The gap the Delete Act addresses is the data broker ecosystem — companies that collect and trade personal data entirely outside any direct consumer relationship. A person who buys a mattress online may have their name, address, purchase history, income estimate, and lifestyle segment sold to a data broker, licensed to a second broker, enriched with location history from a third, and packaged into a marketing audience by a fourth — without the consumer ever knowing which of these downstream entities holds their data or how to request deletion from any of them.

The CCPA’s individual-request mechanism failed against data brokers because it required consumers to know which data brokers hold their data, identify each one individually, submit separate deletion requests to hundreds of companies, verify each request through a separate identity verification process, and repeat this annually as data re-aggregates. The Delete Act replaces this individual hunt with a centralized opt-out: California residents submit a single deletion request through the CPPA’s deletion mechanism, and all registered data brokers must honor it within 45 days.

The August 1, 2026 deadline is the date by which the CPPA’s centralized deletion mechanism must be operational and data brokers must be honoring requests flowing through it. The registration obligation (creating the registry that makes this mechanism work) has been active since January 1, 2024 — brokers who have not yet registered are already in violation.

Who Is a Data Broker Under California SB 362

The Delete Act defines a data broker as any business that knowingly collects and sells or licenses to third parties the personal information of a consumer with whom the business does not have a direct relationship. The critical phrase is “does not have a direct relationship” — the data broker definition captures the downstream ecosystem, not first-party data holders.

1. Register with the CPPA by August 1, 2026 — or Face $200/Day Per Broker Fines

Every data broker operating on California resident data must register annually with the CPPA and pay the registration fee ($500 for businesses with fewer than 5 employees; higher tiers for larger businesses). Registration requires disclosing: business identity and contact information, the categories of personal information sold or licensed, a description of the data collection practices, and whether the broker processes data of minors.

The $200 per day per data broker fine structure is distinct from CCPA’s revenue-based fines. A data broker that fails to register for 90 days faces $18,000 in fines before any enforcement action is even filed — and the CPPA has signaled it will pursue aggressive enforcement after the August 1 mechanism deadline. Non-registration is a per se violation: the CPPA does not need to prove harm to consumers, only that the broker operated without registration.

Three categories of business that may not have self-identified as data brokers but may fall within scope:

AI training data vendors: If your company aggregates personal data (social media profiles, consumer behavior datasets, demographic databases) and licenses this data to third parties for AI model training, you are likely a data broker under SB 362. The CPPA has taken a broad view of “selling or licensing” that includes licensing for model training purposes.

Programmatic advertising infrastructure: Data management platforms (DMPs) and demand-side platforms (DSPs) that process California resident data and make it available for audience targeting, even when the final transaction is with an advertiser rather than a consumer, are operating within the data broker ecosystem. The CPPA’s guidance from its January 2025 enforcement advisory covers “audience segment providers” explicitly.

People-search and background check services: Any platform that aggregates name, address, phone, employment history, and relationship data from public records and licenses access to individuals or businesses is a data broker without question. These services have the largest exposure under the Delete Act — their entire business model is selling personal information about individuals with whom they have no direct relationship.

2. Honor Deletion Requests Through the CPPA Mechanism Within 45 Days

From August 1, 2026, when a California resident submits a deletion request through the CPPA’s centralized mechanism, every registered data broker must delete that consumer’s personal information within 45 days. The deletion obligation covers personal information held directly by the broker and personal information transferred to service providers in the preceding 12 months.

The technical implementation requirements are non-trivial. Brokers must implement an API connection to the CPPA’s deletion request system, build identity resolution logic to match incoming deletion requests to the correct consumer records in their databases, maintain deletion audit trails to demonstrate compliance, and re-delete data for the same consumer on an annual basis if re-aggregation occurs.

For AI training data vendors, the deletion obligation intersects with a difficult technical question: can you delete a consumer’s data from a trained model? The CPPA’s current guidance takes the position that deletion applies to the training dataset and to any derived profiles, not to the model weights themselves — but this interpretation is not final, and litigation on this point is anticipated.

3. Implement Re-Identification Safeguards and Annual Re-Deletion

The Delete Act includes an anti-circumvention provision targeting the common data broker practice of re-aggregating deleted data from other sources. If a consumer’s data is deleted in response to a deletion request, the data broker cannot re-acquire and process that same consumer’s data from another data broker or data aggregator for at least 90 days. Annual re-deletion is required for consumers who made a deletion request: the CPPA mechanism allows consumers to make standing deletion requests that persist year-over-year, and brokers must honor these persistent requests at each annual registration renewal.

The August 1 Enforcement Reality: What CPPA Is Signaling

The CPPA announced in March 2026 that it would publish the first public data broker registry on August 1, 2026 — the same date the deletion mechanism becomes operational. Companies that are not registered by August 1 will appear on a public “non-compliant broker” list that the CPPA intends to update monthly. This public disclosure mechanism creates reputational risk beyond the $200/day fine structure: enterprise clients procuring data from brokers have begun including Delete Act registration as a contractual requirement in data vendor due diligence.

Two CPPA enforcement advisories from early 2026 are significant for compliance planning:

January 2026 Advisory: The CPPA confirmed that data brokers who registered under the old data broker law (California Civil Code § 1798.99.80, the pre-Delete Act registry) must re-register under SB 362 — the registrations are not automatically transferred. Brokers who assumed their 2023 or 2024 registration carried over are wrong and should verify their SB 362 registration status immediately.

March 2026 Advisory: The CPPA confirmed that the 45-day deletion window begins from the date the CPPA mechanism transmits the request to the registered broker, not from the date the consumer submits the request. This matters operationally: brokers must have real-time or near-real-time API monitoring of the CPPA deletion feed, not a weekly or monthly batch process.

Follow AlgeriaTech on LinkedIn for professional tech analysis Follow on LinkedIn

Follow @AlgeriaTechNews on X for daily tech insights Follow on X

Frequently Asked Questions

Does the Delete Act apply to a company that provides analytics software but does not sell data — it only processes data on behalf of its clients?

No. If your company acts exclusively as a service provider processing data on behalf of clients (as a data processor, in GDPR terminology) and does not independently sell or license that data to third parties, you are not a data broker under SB 362. The data broker definition requires that the business sell or license personal information to third parties, not merely process it under contract. However, if your analytics platform also resells aggregate audience data, derived insights, or anonymized behavioral datasets to other parties as a separate product line, that secondary activity may qualify as data brokerage.

What does “deleting” data from an AI training dataset actually mean under California law?

The CPPA’s current guidance (January 2026) requires deletion from: (a) the original training dataset files, (b) any fine-tuning datasets derived from the training data that retain individual-level records, and (c) any consumer profiles derived from and identifiable to the individual. It does NOT currently require deleting the trained model weights themselves, on the theory that model weights are a mathematical transformation rather than a copy of the original data. This interpretation is subject to legal challenge and may evolve. Companies in the AI training data business should monitor CPPA guidance on this point actively.

If a data broker registers under SB 362 but a consumer’s deletion request includes data that was licensed to three downstream buyers before the request — who is responsible for deleting from the downstream buyers?

The originating data broker bears responsibility for notifying all known downstream buyers to delete the consumer’s data. SB 362 requires brokers to maintain records of all third parties to which consumer data was transferred in the preceding 12 months. Upon receiving a deletion request, the broker must notify each downstream buyer within 5 business days. The downstream buyer then has its own 45-day deletion window. This chain-of-deletion requirement is one of the most operationally complex aspects of the law for brokers who operate in syndicated data markets.

—