Skip to main content
Back to Blog
Compliance

CCPA & the DELETE Act: What Every Data Broker Needs to Know in 2026

California's DELETE Act (SB 362) changed the game for data brokers. Here's what registration, deletion rights, and compliance look like in practice.

SIE DataFebruary 18, 20264 min read

The Regulatory Landscape Has Changed

If you buy, sell, or facilitate the exchange of consumer data, California considers you a data broker — and the rules have gotten significantly stricter.

The California Consumer Privacy Act (CCPA), amended by the CPRA and supplemented by the DELETE Act (SB 362), creates a comprehensive framework that every data company needs to understand.

What Is the DELETE Act?

Signed into law in 2023 and now fully operational, the DELETE Act (SB 362) established:

  • The California Data Broker Registry: All data brokers must register annually with the California Privacy Protection Agency (CPPA)
  • One-stop deletion: Consumers can submit a single deletion request that applies to all registered brokers
  • Penalties for non-compliance: Failure to register carries fines of $200/day, and the CPPA can pursue additional enforcement actions

    • This means that if your company meets the definition of a data broker under California law and you haven't registered, you're already out of compliance.

    Who Qualifies as a Data Broker?

    Under California Civil Code Section 1798.99.80, a data broker is a business that:

    "knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship."

    Key points:

  • Direct relationship matters. If the consumer gave you their data directly (e.g., they signed up for your service), you're likely not a data broker for that data.
  • Selling includes sharing data for monetary or other valuable consideration.
  • Knowingly means you're aware that personal information is being collected and transferred.

    • The Registration Process

    Registration with the CPPA Data Broker Registry requires:

    1. Business name, physical address, and primary contact 2. Website URL and privacy policy link 3. Description of data categories collected 4. Description of consumers' opt-out rights 5. Annual registration fee 6. Attestation of compliance with deletion mechanisms

    Registration must be renewed annually. The CPPA maintains a public registry that consumers — and regulators — can search.

    Building a Compliant Data Pipeline

    For companies that operate as data brokers, compliance isn't a one-time checkbox. It requires infrastructure:

    Deletion Handling

    When a deletion request comes through the CPPA's mechanism, you need to:

  • Identify all records associated with the consumer
  • Delete or de-identify those records within the statutory timeframe
  • Propagate the deletion to downstream partners who received the data
  • Log the deletion for audit purposes

    • Opt-Out Mechanisms

    Your website must include a clear "Do Not Sell My Personal Information" mechanism. Under the CPRA, this extends to sharing for cross-context behavioral advertising.

    Data Provenance

    For every record in your system, you should be able to answer:

  • Where did this data originate?
  • What consent was obtained?
  • Who has received this data?
  • When was it last refreshed?

CCPA vs. FCRA: Know the Difference

One of the most critical distinctions in the data industry is between CCPA-regulated data and FCRA-regulated data.

FCRA data (credit scores, employment history, criminal records) is governed by the Fair Credit Reporting Act and can only be used for permissible purposes like credit decisions, employment screening, or insurance underwriting.

Intent signals — behavioral indicators like topic research, technology stack changes, or permit filings — are not FCRA data. They reflect market intent, not creditworthiness. This distinction is fundamental to operating a compliant intent data business.

At SIE Data, we maintain a strict FCRA firewall. We never collect, store, or distribute FCRA-regulated fields. Our signals are marketing enablement tools — intent, not eligibility.

Practical Steps for 2026

1. Audit your data flows: Map every source, destination, and processing step 2. Register with the CPPA if you meet the data broker definition 3. Implement deletion infrastructure that can handle bulk requests 4. Document data provenance for every record 5. Train your team on the distinction between intent signals and regulated data 6. Review your contracts with downstream buyers to ensure compliance obligations flow through

Looking Ahead

California remains the bellwether for US data privacy regulation, but it's not alone. Colorado, Connecticut, Virginia, and other states have enacted their own privacy laws. Federal privacy legislation continues to advance in Congress.

The companies that build compliance into their infrastructure today — rather than treating it as an afterthought — will have a significant competitive advantage as regulation expands.

SIE Data was built compliance-first. Every signal in our platform carries provenance metadata, passes through our FCRA firewall, and respects consumer deletion rights. It's not just good ethics — it's good business.

---

We're registered with CA CPPA. Are you compliant?

SIE Data is a registered data broker under the California DELETE Act (SB 362). Our platform automates compliance across 18 state privacy jurisdictions.

Apply for Enterprise Beta →

CCPADELETE ActCPPAcompliancedata brokersCalifornia

Ready to try SIE Data?

Start free with 25 credits. No credit card required.

Get Started Free