California Delete Act and the Universal Opt-Out: A Publisher Compliance Guide for 2026
California's Delete Act (SB 362) is the most operationally significant piece of US data-broker regulation since the original CCPA. Signed into law in October 2023 and rolled out in stages through 2025 and into 2026, the Act creates a state-operated centralised deletion registry that lets a California consumer issue a single request which then propagates to every registered data broker doing business in the state. By 2026 the California Privacy Protection Agency (CPPA) has the registry live, has registered roughly five hundred data brokers under threat of substantial penalties, and has issued the operational rules that determine how often brokers must check for new deletion requests, how those requests interact with publishers' first-party data, and how the universal opt-out signal carried by the Global Privacy Control header relates to the new regime. For publishers — particularly those whose monetisation depends on identity resolution, audience extension, programmatic measurement, or any data exchange with a registered broker — the Delete Act is not a back-office data-broker problem. It is the practical mechanism by which California consumers will, for the first time, exit the entire commercial data ecosystem with a single click. This guide walks through what the Act actually requires, what publishers need to do to stay compliant, and how the CMP and ad-stack architecture has to evolve to handle the new identity-attrition pattern the registry is producing.
What the Delete Act Actually Does
The Delete Act is a structural addition to California's existing data-broker registration regime that has been in place since 2020. Where the original framework simply required brokers to register annually with the state and disclose their categories of personal information, the Delete Act adds a centralised deletion mechanism with hard timelines, audit obligations, and penalties for non-compliance.
The Centralised Deletion Registry
The registry is a CPPA-operated platform where California consumers submit a single deletion request that automatically propagates to every registered data broker. Brokers must check the registry at least every forty-five days, identify any new requests that match individuals in their data sets, and delete the matching records within the timeline the regulations specify. Consumers do not need to know which brokers hold their data — the registry handles the fan-out.
Who Counts as a Data Broker
The Act defines a data broker as a business that knowingly collects and sells personal information about a consumer with whom the business does not have a direct relationship. The definition is narrower than it sounds — first-party publishers selling their own audience are not brokers, processors handling data on behalf of a controller are not brokers — but it catches the identity-graph providers, the cross-context advertising platforms, the people-search services, and a large swath of the audience-extension layer that publishers route programmatic data through.
Registration and the Public List
Every covered broker must register annually, pay a fee, and appear on a public list the CPPA maintains. By 2026 the list is the practical reference point for publishers auditing their downstream data flows: any vendor on the list is a data broker for Delete Act purposes, and the publisher's contractual obligations with that vendor must reflect the deletion-propagation reality.
The Forty-Five-Day Sweep and Its Operational Consequences
The pivotal operational rule is the deletion sweep cadence. Every forty-five days, every registered broker must check the registry and delete every matching record. The cadence creates a new kind of identity attrition that publishers have to engineer for.
How Audiences Decay Under the Sweep
An audience built on data-broker enrichment will shrink on a roughly six-week clock as the deletion requests issued by California consumers propagate through the broker network. Publishers running US measurement that depends on identity resolution — programmatic audience targeting, attribution windows that depend on cross-site identifiers, lookalike modelling that uses broker-supplied seeds — will see California audience sizes drift downward in a saw-tooth pattern: each sweep removes a tranche, then incremental visitors fill back in until the next sweep.
Re-Identification Is Prohibited
The Act explicitly prohibits brokers from re-identifying a consumer who has been deleted, even if the broker subsequently obtains the same data from a different source. The prohibition closes the obvious loophole and means publishers cannot rely on their own first-party data to re-stitch deleted consumers back into broker-routed audiences. The deletion is meant to be durable, and the regulator's audit programme is built to detect re-identification patterns.
Publisher First-Party Data Is Outside the Sweep
The publisher's own first-party data — registered users, newsletter subscribers, loyalty members — is not subject to the Delete Act sweep because the publisher is not a data broker for those records. The publisher remains subject to CCPA and CPRA deletion rights, which are separate. The two regimes can interact: a Delete Act deletion at the broker layer can still leave the publisher's first-party record intact, and the publisher must continue to honour the consumer's separate CCPA deletion request through the publisher's own intake.
The Global Privacy Control Signal in the New World
The Delete Act intersects with the Global Privacy Control (GPC) header that browsers and privacy extensions send to indicate the user has set a universal opt-out preference. The CPPA's regulations confirm that publishers and brokers must honour the GPC as a valid CCPA opt-out, and the Delete Act's centralised registry adds a parallel path for the same outcome.
Two Signals, One Outcome
A California consumer has two ways to exit the commercial data ecosystem: send the GPC header from every browser they use, or submit a single Delete Act registry request. The two paths produce equivalent outcomes for most use cases but differ in scope. The GPC governs ongoing sale and share at every site the consumer visits. The registry deletes existing records held by brokers. Publishers should treat both as authoritative signals, and the CMP should be configured to recognise either.
The CMP's Role in Surfacing Both Paths
The compliant CMP for California audiences in 2026 surfaces the GPC honour status (the visitor has GPC set, opt-out is active), the publisher's own opt-out link (the consumer can decline sale and share at this site specifically), and a clear pointer to the CPPA registry for consumers who want the deletion-from-brokers outcome. The architecture is not technically demanding — three controls in the consent UI rather than one — but the wording matters and CPPA enforcement has been active on misleading or buried opt-out paths.
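The server-side decision behind those three controls, as an added example rather than code from this guide or from any CMP vendor. It reads the `Sec-GPC` request header defined by the GPC specification, combines it with a stored site-level opt-out, and filters sale/share vendors. The registry URL is a placeholder, and the function names, the `siteOptOut` flag and the vendor `purpose` field are assumptions.

```javascript
// Added example. REGISTRY_URL and the vendor `purpose` field are assumptions.
const REGISTRY_URL = "https://cppa-registry.example.invalid/"; // placeholder URL

// True when the request carries the GPC opt-out signal (header "Sec-GPC: 1").
// Header names are case-insensitive; any value other than "1" is not a signal.
function gpcEnabled(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") return String(value).trim() === "1";
  }
  return false;
}

// Combine the browser signal with the visitor's stored site-level choice.
// Either one is enough to switch sale and share off for this request.
function resolveOptOut(headers, stored) {
  const gpc = gpcEnabled(headers);
  const siteOptOut = Boolean(stored && stored.siteOptOut);
  return {
    saleShareAllowed: !(gpc || siteOptOut),
    source: gpc ? "gpc" : siteOptOut ? "site-opt-out" : "none",
    // The three controls the consent UI has to render.
    controls: {
      gpcStatus: { visible: gpc, label: "Global Privacy Control detected: opt-out is active" },
      siteOptOut: { visible: true, active: gpc || siteOptOut, label: "Do not sell or share my personal information" },
      registryLink: { visible: true, href: REGISTRY_URL, label: "Request deletion from data brokers (CPPA registry)" },
    },
  };
}

// Drop vendors whose purpose is sale/share when the visitor has opted out,
// so the signal reaches the ad stack and not only the banner.
function allowedVendors(vendors, state) {
  return vendors.filter((v) => state.saleShareAllowed || v.purpose !== "sale_share");
}

// Constructed sample input.
const vendors = [
  { name: "first-party-analytics", purpose: "analytics" },
  { name: "identity-graph", purpose: "sale_share" },
];
const state = resolveOptOut({ "Sec-GPC": "1" }, { siteOptOut: false });
console.log(state.source, allowedVendors(vendors, state).map((v) => v.name));
```

The registry link stays visible in every state because the registry path deletes records brokers already hold, which neither the header nor the site-level opt-out does.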
What Publishers Have to Do
The Delete Act is a regulation aimed at brokers, not publishers, but the operational consequences for publishers are real and require specific changes to the consent and data architecture.
Audit the Vendor Stack Against the Broker Registry
Every vendor in the publisher's ad and analytics stack should be cross-checked against the CPPA's public broker list. Vendors on the list are subject to the Delete Act regime, and the publisher's contracts with those vendors must reflect deletion propagation, audit log retention, and the forty-five-day sweep cadence. Most major identity-resolution vendors and several large SSPs are now on the list; the audit is not painful but it does need to happen at least annually.
Update the Privacy Notice and Consent UI
The publisher's privacy notice should explain the Delete Act registry path alongside the existing CCPA deletion right, with a direct link to the CPPA's registry. The consent UI should expose the GPC honour status when the visitor has the header set, and the opt-out controls should be styled with equal prominence to accept controls — the Attorney General's enforcement decisions through 2024 and 2025 made the dark-pattern test explicit.
Plan for the Audience Saw-Tooth
The measurement and audience-targeting teams need to know that California audience metrics will follow a six-week saw-tooth driven by the sweep cadence. The dashboards and the bid-pacing models should be tuned to the pattern rather than treating each dip as a fault. Publishers running rigorous attribution should also model the broker-deletion path as a separate attrition source so the post-sweep numbers can be reconciled cleanly.
Common Delete Act Mistakes That Trigger Findings
The first wave of CPPA enforcement under the Delete Act through 2025 has produced a clear pattern of publisher-side findings: the publisher's privacy notice describes the CCPA opt-out path but never mentions the Delete Act registry; the consent banner honours the GPC for sale and share but does not propagate the signal to the publisher's first-party deletion intake; the publisher contracts with a registered broker and never updates the contract to reflect the Delete Act deletion-propagation obligations; the CMP serves a 'manage preferences' panel that buries the opt-out three clicks deep behind a darker button than the accept-all. Each of these is a documentation or UX fix rather than a deep architectural change — but each is also exactly what the CPPA opens an investigation with.
The Bottom Line
The Delete Act gives California consumers a single button that exits them from the commercial data ecosystem, and by 2026 the registry is operational, the broker list is public, and the enforcement programme is active. For publishers the implications are real but bounded: the Delete Act does not require the publisher to do anything dramatic, but it does require the publisher to know which downstream vendors are brokers, to update the privacy notice and consent UI to surface the new path, to honour the GPC consistently, and to plan for the audience saw-tooth that the forty-five-day sweep produces. None of this is technically hard. All of it is operationally specific. The publishers who ran a clean audit in 2024 and 2025 are now executing on a settled architecture; the publishers who treated the Delete Act as a data-broker problem that did not concern them are spending 2026 on response letters and revising privacy notices under regulator deadline.