AB 302 creates a special privacy pathway for current and former California elected officials, judges, and certain household members to have their personal contact and location information removed from commercial databases and from government publications. The bill directs the California Privacy Protection Agency to compile contact lists of elected officials and to accept judge lists from the Judicial Council, then use those lists to request deletions from data brokers and businesses.
Why it matters: the measure imposes new, time-sensitive deletion duties on businesses and governmental entities, narrows how and when protected individuals’ data can be sold, and creates civil enforcement tools and penalties. That combination affects registered data brokers, private businesses that collect personal data, the Judicial Council and local agencies, and legal teams that will manage compliance and litigation risk.
At a Glance
What It Does
The bill defines a new class of "protected individuals" (elected officials, judges, and certain household members), requires the Privacy Agency to assemble lists of those people, and pushes deletion requests to registrants and data brokers. It also gives protected individuals a route to ask government agencies to stop publishing or to remove already-published personal information.
Who It Affects
Registered data brokers and any business that collects or sells the enumerated personal data; the Judicial Council (for judge opt-outs); local and state governmental entities that publish records; and public attorneys who may bring enforcement actions on behalf of protected individuals.
Why It Matters
AB 302 extends CCPA-style deletion and sale restrictions specifically to public servants and their households, creates a confidential, agency-maintained deletion workflow, and shortens statutory response timelines — shifting operational and legal risk from individuals to businesses, data brokers, and public agencies.
What This Bill Actually Does
AB 302 builds a targeted protection scheme around a narrowly defined group: current and former elected representatives as identified by the Secretary of State, appointed court officers and magistrates, and household members who live with those officials. The bill also supplies a concrete list of the kinds of information covered — residential addresses, personal emails and phone numbers, driver’s license and passport numbers, geolocation data, license plate identifiers, certain family relationships, and links to a person’s school, daycare, place of worship, or employer — while carving out information already published with informed consent, material that is part of news reporting on matters of public concern, and data that a law requires be public.
Operationally, the California Privacy Protection Agency (CPPA) must obtain a roster of state and local elected officials and accept judge rosters from the Judicial Council; judges and elected officials can remove themselves from those lists before the agency acts. The CPPA then uploads the lists into the state’s accessible deletion mechanism and uses that channel to push deletion requests to registered data brokers.
The bill also lets protected individuals ask the agency to help with deletions from other businesses not registered as data brokers. When a protected individual or the agency requests deletion from a private business, the business must delete the covered personal information within a short statutory window. For information already published by a governmental entity — for example, on a public-facing webpage — the bill creates a written request process (certified mail or email) requiring the governmental entity to acknowledge receipt and to remove published material promptly.
The statute also bars businesses from knowingly selling a protected individual’s personal information where the seller knows, or should know, that the sale creates an imminent and serious threat that leads to harms such as assault, harassment, trespass, or malicious destruction of property. Enforcement is split. The Attorney General alone may pursue the civil penalty for unlawful sales that cause imminent harm, while protected individuals and certain public attorneys (the AG, county counsel, or city attorneys) may sue for violations of the deletion and removal provisions.
Available remedies include declaratory and injunctive relief, reasonable attorneys’ fees, actual damages, and the possibility of punitive damages when a business or government entity willfully refuses to comply after knowing the requester is a protected individual.
The Five Things You Need to Know
By March 1, 2026 the California Privacy Protection Agency must obtain a list of all state and local elected officials (and accept judge lists from the Judicial Council) and provide opt-out opportunities before acting.
A private business that receives a deletion request under the bill must delete the protected individual’s covered personal information within 72 hours.
Starting August 1, 2026, entities that receive a deletion notification via the state’s accessible deletion mechanism must complete deletion within five days.
The bill prohibits knowingly selling a protected individual’s information when the seller knows, or should know, the sale poses an imminent and serious threat and results in harms such as assault or harassment; the Attorney General may seek a civil penalty up to $5,000 for each violation.
Protected individuals, the Attorney General, county counsel, and city attorneys can bring actions to enforce deletion and publication-removal rules; courts may award actual damages, attorneys’ fees, and punitive damages for willful refusals.
Section-by-Section Breakdown
Agency list, upload to deletion mechanism, and confidentiality
This added Civil Code section directs the CPPA to obtain a list of all state and local elected officials (including contact details) and requires the Judicial Council to provide a judge list. The CPPA must upload those rosters to the statewide accessible deletion mechanism, and, beginning August 1, 2026, any entity receiving a deletion notification via that mechanism must complete deletion within five days. The section makes the lists and their contents confidential and exempt from the California Public Records Act and provides a private right of action and punitive damages for willful noncompliance.
Definitions governing protected individuals and covered personal information
This definitions section fixes the scope of who is protected (current/former elected representatives as determined by the Secretary of State, court officers/magistrates, and household members) and what counts as personal information for the purpose of these protections. The list is broader than a narrow identifier list: it names addresses, contact points, geolocation, identifiers like driver’s license numbers, and connections to places such as schools or workplaces, while excluding information published with informed consent, material legitimately part of news reporting, or data required by law to be public.
Business obligations on sale and deletion requests
This provision allows a protected individual—or the CPPA acting for them—to ask a business to refrain from selling and to delete covered personal information. The mechanics are simple and demanding: once a business receives such a request under this section it must delete the specified personal information within 72 hours. Practically, that creates a tight operational window for verification, propagation to downstream processors, and proof of deletion.
CPPA’s role with official rosters and data broker outreach
Here the bill spells out the CPPA’s duty to collect elected-official rosters and to submit deletion requests on behalf of those officials and judges to any registered data broker. It requires updates after elections and appointments and authorizes the agency to assist protected individuals with deletions from businesses that aren’t registered data brokers. The provision therefore centralizes outreach through the CPPA but leaves some deletion requests to individual initiatives for non-registered entities.
Process to remove personal information from governmental publications
Protected individuals (or authorized representatives) may ask governmental entities to refrain from publishing or to remove existing publications containing personal information. Requests must be written and sent by certified mail or email with adequate identification of the publication. The government must acknowledge receipt and either block future publication or remove already-published material within 72 hours, a short deadline that will require agencies to adapt web, records, and publication workflows.
Sale prohibition where sale creates imminent, serious threats
This section creates a targeted prohibition on the sale of a protected individual’s data when the seller knows or reasonably should know the sale creates an imminent and serious threat that leads to enumerated harms (assault, harassment, trespass, malicious property destruction). The civil penalty is limited to actions brought by the Attorney General and capped at $5,000 per violation, which focuses criminal-like deterrence through executive civil enforcement rather than a broad private right.
Civil enforcement and remedies for deletion and removal violations
This enforcement provision gives protected individuals and certain public attorneys (AG, county counsel, city attorney) the ability to sue for violations of the deletion and publication-removal rules. Available relief includes declaratory and injunctive remedies, reasonable attorney fees, and actual damages; a court may also award punitive damages where the defendant willfully refused to comply knowing the requester was a protected individual. The split enforcement regime differentiates AG authority over unlawful sales from broader private and local-enforcement options for deletion/removal.
Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Current and former California elected officials and judges (and household members): they gain a statutory path to remove sensitive contact and location data from commercial databases and to have government-published personal information taken down.
- Public servants at heightened risk (e.g., those facing credible threats or doxxing): the sale-prohibition tied to imminent threats and the expedited deletion windows reduce the time an attacker can exploit commercial lists.
- Privacy and security teams at public agencies: the CPPA-centralized process and confidential lists let agency compliance units coordinate removals and limit repeated individual outreach to data brokers.
Who Bears the Cost
- Registered data brokers and private businesses that collect or sell personal data: they must implement rapid deletion workflows (72-hour windows and, for notifications via the accessible mechanism, five-day windows), adjust contracts with downstream buyers, and absorb verification and record-keeping costs.
- Local agencies and the Judicial Council: they must cooperate with list assembly, process written removal requests, and implement short-notice takedowns — functions likely to require operational changes and resources, creating a potential state-mandated local program.
- Legal departments and small entities without compliance teams: the new civil-liability landscape (actual and punitive damages, attorneys’ fees, and AG enforcement) increases litigation risk and may drive defensive over-redaction or higher compliance costs.
Key Issues
The Core Tension
The core dilemma in AB 302 is protecting the personal safety and privacy of public servants and their households versus preserving transparency, public access to government information, and robust news reporting; the bill favors swift suppression and confidentiality to reduce threats, but doing so risks narrowing public scrutiny of officials and entangling agencies and publishers in difficult verification work with legal and constitutional implications.
The bill stitches privacy protections onto an existing deletion apparatus (the CPPA’s accessible deletion mechanism) while layering in new, faster deadlines and a confidential roster process. That creates several practical tensions.
First, the law prescribes multiple deletion timelines depending on the procedural path: a 72-hour deletion requirement for businesses receiving a direct request, a five-day obligation for entities notified through the state deletion mechanism, and existing law that schedules periodic data-broker checks on the accessible mechanism. Those differing clocks will require careful implementation guidance; without it, businesses and brokers may misunderstand which standard applies and face exposure for misses.
Second, the bill walks a tight line between protecting safety and preserving public access. It excludes information "relevant to" news reporting and data required by law to be public, but the language leaves room for dispute over what is sufficiently "relevant" to override a removal request. Journalists, transparency advocates, and watchdogs will press those boundaries, while agencies and private businesses will need verification rules to avoid over-removing public records.
Finally, the enforcement design is split: the AG is the only actor who can seek the $5,000 civil penalty for prohibited sales, while deletion and removal enforcement is available to protected individuals and certain public attorneys. That allocation concentrates certain enforcement levers in the executive branch while leaving others to private and local actors — a choice that could produce uneven enforcement and strategic litigation.