Data Broker Registries and the California Delete Act

Vermont passed the FIRST data broker act in 2019. The California Delete Act (2023) requires Data Broker registration with the California Privacy Protection Agency (CPPA), which enforces it, and creates a centralized deletion mechanism so a consumer can make ONE request to delete data across all registered brokers. Texas (2023) and Oregon (2024) also enacted data broker registration laws.

Vermont passed the FIRST data broker act in 2019, requiring annual registration plus a comprehensive information security program. A Data Broker is generally a company that collects and sells personal data without the consumer's direct relationship or knowledge.

The Delete Act's innovation

The California Delete Act (2023) requires data brokers to register with the California Privacy Protection Agency (CPPA), which enforces it. Its standout feature is a centralized deletion mechanism: a consumer makes ONE request and it reaches all registered brokers, instead of contacting each broker separately.

The Delete Act also adds transparency duties - for example, whether the broker collects precise geolocation, reproductive health data, or minors' data. Beyond California and Vermont, Texas (2023) and Oregon (2024) also enacted data broker registration laws.

Key terms - quick answers

What is “Data Broker”?

A company that collects and sells personal data without the consumer's direct relationship or knowledge.

What is “California Delete Act”?

A 2023 California law requiring data brokers to register with the CPPA and enabling a single centralized deletion request across all registered brokers.

What is “California Privacy Protection Agency (CPPA)”?

The California agency that administers and enforces the Delete Act's data broker registration and deletion mechanism.