SB1106 directs the California Privacy Protection Agency (CPPA) to build and operate a centralized deletion mechanism that lets a consumer submit a single verifiable request to delete personal information held by any registered data broker. The portal must support privacy-preserving submission methods, multiple languages, accessibility for people with disabilities, authorized agents, and options to exclude particular brokers or amend prior requests.
Beyond creating the portal, the bill imposes operational duties on registered data brokers: they must check the portal regularly, delete or exempt information under narrowly defined exceptions, instruct their service providers and contractors to delete copies, refrain from selling or sharing newly collected data after deletion unless an exception applies, and undergo triennial independent audits. The CPPA may charge data brokers a cost-based access fee that funds the registry, shifting some operational costs onto the industry while centralizing consumer control over deletions.
At a Glance
What It Does
Requires the CPPA to implement an accessible, secure online mechanism that accepts a single verifiable deletion request covering all registered data brokers and to provide multi-language, disability-accessible and agent-enabled submission channels. Registered data brokers must use the mechanism to identify verifiable requests, delete related personal information (and direct contractors/service providers to do the same), and treat unverifiable requests as opt-outs of sale/sharing under existing CCPA provisions when applicable.
Who It Affects
Registered data brokers and their service providers/contractors bear new operational and compliance duties; the CPPA gains a technical and enforcement role; advertisers, marketers, and other downstream buyers may lose persistent datasets; California consumers gain a practical, centralized path to remove personal data from the broker ecosystem.
Why It Matters
The bill consolidates deletion control at the agency level instead of forcing consumers to contact dozens of brokers individually, creating a single point of compliance and a likely new operational chokepoint for the broker industry. It also creates recurring technical and audit obligations that will alter how brokers manage retention, vendor relationships, and verification processes.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
SB1106 builds a one-stop deletion doorway. The CPPA must create and maintain a secure, privacy-protecting portal through which a consumer can submit a single, verifiable request asking every registered data broker to delete personal data about them.
The portal must be free to consumers, support multiple languages, be usable by people with disabilities, accept submissions from authorized agents, and provide status tracking and explanatory material about what deletion covers.
Once the portal is live, registered data brokers must consult it at regular intervals and act on deletion requests: they must delete the consumer’s personal information, tell their service providers and contractors to delete copies, and, where a request cannot be verified, treat it as an opt-out of sale or sharing under the CCPA framework. The statute preserves narrow retention exceptions (for example, those enumerated in Sections 1798.105(d), 1798.145 and 1798.146), and limits use of retained data strictly to those purposes.The bill also builds recurring compliance mechanics: brokers must repeat deletions on a periodic basis after an initial deletion, and the statute requires independent third-party audits starting in 2028 and every three years thereafter, with brokers keeping audit reports for six years and submitting them upon CPPA request.
To cover the CPPA’s costs, the agency may charge data brokers an access fee not exceeding the reasonable cost of providing portal access; collected fees go into a Data Brokers’ Registry Fund.Practically, SB1106 forces brokers to tie technical deletion capabilities to vendor management, verification workflows, and recordkeeping. For consumers, the combination of single-request deletion, status tracking, and multi-channel access significantly lowers the friction of exercising deletion rights; for brokers and their vendors, it creates a repeating operational cadence of checking the portal, implementing deletions, and documenting compliance for audits.
The Five Things You Need to Know
The CPPA must establish the centralized accessible deletion mechanism and operate an internet service consumers can use to submit a single verifiable deletion request.
Beginning August 1, 2026, data brokers must consult the accessible deletion mechanism at regular intervals and, within the statutory processing window, delete related personal information and instruct their service providers and contractors to delete corresponding copies.
If a deletion request cannot be verified, the broker must process the submission as an opt-out of sale or sharing under existing CCPA provisions rather than ignore it.
Starting January 1, 2028, and every three years thereafter, each data broker must undergo an independent third-party audit of compliance, retain audit reports for at least six years, and produce them to the CPPA within five business days of a written agency request.
The CPPA may charge data brokers a cost-based access fee for using the mechanism; collected fees are deposited in a dedicated Data Brokers’ Registry Fund.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
CPPA must stand up an accessible deletion mechanism
This provision obligates the California Privacy Protection Agency to design, secure, and operate a central deletion portal. Practically, the agency must specify verification processes, privacy-preserving submission channels, and user-facing material explaining the scope of deletion. That makes CPPA responsible for both the technical infrastructure and the policy choices embedded in verification and user experience — decisions that will determine how well the single-request model works in practice.
Required features: security, privacy, language, accessibility and agent support
The bill lists minimum functional requirements for the portal: reasonable administrative, physical, and technical safeguards; support for privacy-protecting submission methods; multi-language support; accessibility for people with disabilities; and status-tracking for consumers and their authorized agents. These specifics force CPPA to balance security and accessibility — for example, choosing verification procedures that prevent fraud without making the portal unusable for populations with limited documentation or technical fluency.
Data broker obligations: polling, deletion, propagation, and limits
Once the portal is operational, registered data brokers must access it at least on a recurring schedule and act on deletion requests within the bill’s processing window. They must delete consumers’ personal information and direct service providers and contractors to delete their copies. The statute preserves retention exceptions drawn from existing privacy rules (e.g., permitted business purposes and legal exceptions) and restricts retained data to those narrow purposes. The bill also bars data brokers from selling or sharing newly collected personal information of a consumer after deletion unless the consumer reconsents or a statutory exception applies.
Independent audits and recordkeeping
SB1106 requires independent third-party compliance audits beginning January 1, 2028, and every three years after. Data brokers must retain audit materials for at least six years and deliver them to CPPA within five business days of request. This creates a durable compliance trail and gives CPPA an evidence base for enforcement, but it also imposes recurring costs on brokers and binds auditors into the regulatory structure.
Access fee and Data Brokers’ Registry Fund
The CPPA may levy a fee on brokers when they access the portal, limited to the agency’s reasonable cost of providing access, and must deposit fees into a named fund. This provision creates a cost-recovery mechanism for the agency but leaves open how 'reasonable costs' are calculated and how fee levels will affect smaller brokers versus large operators.
This bill is one of many.
Codify tracks hundreds of bills on Privacy across all five countries.
Explore Privacy in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- California consumers who want a single, low-friction way to remove their data: the portal centralizes deletion and reduces the need to contact dozens of brokers individually.
- Consumers with limited English proficiency or disabilities: mandatory multi-language support and accessibility requirements lower practical barriers to exercising deletion rights.
- Consumer advocates and privacy-focused service providers: a centralized mechanism and audit records create stronger enforcement tools and transparency into broker practices.
Who Bears the Cost
- Registered data brokers and their service providers/contractors: they must implement recurring technical checks, process deletions across systems, manage vendor deletions, undergo periodic audits, and potentially pay access fees.
- The California Privacy Protection Agency: CPPA must design, secure, operate, and maintain the portal, administer verification, and handle increased operational and enforcement workload (partly offset by access fees).
- Advertisers and marketing platforms that rely on brokered data: they may face diminished accuracy or availability of broker-sourced data as brokers purge records and tighten retention, increasing costs to rebuild datasets or to obtain consented alternatives.
Key Issues
The Core Tension
The central dilemma is between maximizing consumer control and preserving legitimate, narrowly defined uses of personal information: strict, low-friction deletion favors consumer privacy but complicates fraud prevention, legal compliance, research, and business processes that rely on retained data; the bill tries to thread this needle via exceptions and limited retention use, but implementing workable verification, deletion propagation, and audit safeguards forces trade-offs among accessibility, security, and operational cost.
SB1106 resolves a familiar privacy problem — fragmentation of deletion rights across many brokers — by centralizing consumer control, but it leaves several hard implementation questions open. Verification is the practical hinge: the bill requires verifiable consumer requests but does not prescribe a verification standard, so CPPA will need to calibrate authentication to prevent fraudulent deletions without erecting prohibitive barriers for legitimate users.
That balance affects both fraud risk and accessibility for underserved groups.
Operationally, the statute forces brokers to propagate deletions through complex vendor chains. Translating a deletion order into effective erasure across ephemeral caches, derivative datasets, and downstream purchasers is technically challenging and potentially costly.
The audit regime and six-year retention of audit materials give CPPA investigatory leverage but also require auditors to have data access and methodologic transparency; ensuring audits are meaningful without exposing sensitive data will be an administrative challenge. Finally, the fee structure transfers some costs to brokers but raises distributional questions: how will CPPA set fees so they are proportional to usage and not a barrier for smaller registrants, and how quickly can the agency scale the portal without operational interruptions?
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.