Codify — Article

DELETE Act creates centralized data deletion for data brokers

Creates a centralized deletion pathway across data brokers, boosting individual privacy rights and tightening broker accountability.

The Brief

The DELETE Act establishes a federal framework to register data brokers, build a centralized system to process one deletion request across all registered brokers, and enforce deletion with annual audits and reporting. It creates a national standard that aims to simplify how individuals purge their personal information and how brokers disclose their data practices.

The bill also preempts conflicting state privacy laws unless a state offers greater protections and provides a funding mechanism for enforcement and administration.

At a Glance

What It Does

Data brokers must register with the FTC within 18 months of enactment and annually thereafter, providing detailed information about data collection, opt-out options, sales, and credentialing. The bill also asks the FTC to establish a centralized system to process single deletion requests across registered brokers using hashed registries.

Who It Affects

Registered data brokers that maintain persistent identifiers, individuals seeking deletion, and the FTC as the enforcing agency. The system relies on brokers’ participation in hashed registries.

Why It Matters

It creates a uniform, verifiable route for individuals to delete data across multiple brokers, standardizes disclosure requirements, and strengthens regulatory oversight to curb misuses of personal information.

What This Bill Actually Does

Section 2 of the act focuses on two pillars: first, the data broker registration regime; second, the centralized data deletion system. Data brokers must register with the FTC, providing core identifiers, contact details, opt-out mechanisms, and information about data collection and sharing practices.

The registration information must be publicly available in a machine-readable format, with a disclaimer about accuracy and risk to individuals.

The centerpiece is a centralized deletion system. It requires regulators to establish a secure process that allows a single deletion request to reach all registered brokers that hold an individual’s persistent identifiers.

The system uses salted and hashed registries to match deletion requests with broker records, and brokers must delete data within 31 days of matching, while retaining narrowly defined information for legal or compliance purposes. The system is accessible via a commission-operated website and must be free of charge for consumers. Brokers pay an annual subscription to access the centralized system, capped at 1% of the system’s expected operating cost, with funds reserved for enforcement and maintenance.

The act also imposes enforcement powers on the FTC, allows preemption of conflicting state privacy laws (unless a state provides greater protection), and requires independent audits every three years, with annual reporting to Congress on enforcement actions and study findings.

The Five Things You Need to Know

1. The bill requires data brokers to register with the FTC within 18 months of enactment and annually thereafter, including detailed descriptions of data practices and opt-out mechanisms.

2. The centralized deletion system uses hashed registries to enable a single deletion request to propagate to all registered brokers that hold persistent identifiers.

3. Data brokers must delete relevant personal information within 31 days after matching deletion requests, with narrow exclusions for legal or research needs.

4. Brokers owe an annual subscription fee to access the database, capped at 1% of the system’s expected annual operating cost.

5. The FTC will enforce the act, conduct audits every three years, and the act preempts inconsistent state privacy laws unless a state offers greater protections.

Section-by-Section Breakdown

Section 2

Data Broker Annual Registration

Data brokers must register with the Commission not later than 18 months after enactment, and annually thereafter. The registration must include the broker’s name, contact information, opt-out methods, sales and sharing practices, and whether the broker allows third-party opt-outs. The Commission may require additional information it deems appropriate to assess how the broker collects and uses personal information.

Section 2

Public Availability of Registration Information

Registration details submitted under the act must be publicly available in a downloadable, machine-readable format. The Commission may redact information if disclosure would threaten public safety or welfare, and each broker must acknowledge that the Commission cannot verify the accuracy of the information.

Section 2

Centralized Data Deletion System—Establishment

A centralized system must be created to implement reasonable security measures and to enable a single deletion request for all registered brokers that maintain persistent identifiers. The system will support hashed registries, allow brokers to query the registry to confirm deletion opportunities, and provide a web-based interface for consumers to submit requests at no cost.

Section 2

Centralized System—Requirements

The system must (i) permit deletion of all personal information related to a requester and discontinue future collection, (ii) require a standardized form, (iii) collect identifiers such as email and phone, (iv) salt and hash all submitted data, (v) allow only registered brokers to submit hashed queries, and (vi) use different salts per registry. It also requires the Commission to provide guidance to ensure consistent implementation.

Section 2

Transition and Matching Process

Within 8 months after regulations, brokers must access the hashed registries at least every 31 days and process deletion requests associated with matches. The FTC will publish guidance within 6 months on how to implement this process.
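
The salt-and-hash matching described in the requirements and matching sections above, as an added example that is not taken from the bill or from Codify. It assumes SHA-256 as the hash, simple email and phone normalization, and that registered brokers are given each registry's salt so they can hash their own records; all class and function names are hypothetical.

```python
import hashlib
import re
import secrets

NORMALIZE = {
    "email": lambda v: v.strip().lower(),
    "phone": lambda v: re.sub(r"\D", "", v),  # keep digits only
}

def salted_hash(salt, kind, value):
    # Assumption: SHA-256 over salt || normalized identifier.
    return hashlib.sha256(salt + NORMALIZE[kind](value).encode()).hexdigest()

class CentralSystem:
    def __init__(self):
        # A different random salt for each hashed registry.
        self.salts = {k: secrets.token_bytes(16) for k in NORMALIZE}
        self.registries = {k: set() for k in NORMALIZE}
        self.registered_brokers = set()

    def submit_deletion_request(self, identifiers):
        # Consumer side: only salted hashes are stored, never raw values.
        for kind, value in identifiers.items():
            self.registries[kind].add(salted_hash(self.salts[kind], kind, value))

    def salt_for(self, broker_id, kind):
        # Assumption: salts are released to registered brokers only.
        self._require_registered(broker_id)
        return self.salts[kind]

    def query(self, broker_id, kind, hashes):
        self._require_registered(broker_id)
        return set(hashes) & self.registries[kind]

    def _require_registered(self, broker_id):
        if broker_id not in self.registered_brokers:
            raise PermissionError("only registered brokers may query")

def broker_matches(system, broker_id, records):
    """Hash the broker's own records; return the record ids to delete."""
    to_delete = set()
    for kind in NORMALIZE:
        salt = system.salt_for(broker_id, kind)
        by_hash = {}
        for r in records:
            if r.get(kind):
                by_hash.setdefault(salted_hash(salt, kind, r[kind]), set()).add(r["id"])
        for h in system.query(broker_id, kind, by_hash):
            to_delete |= by_hash[h]
    return to_delete
```

Because each registry has its own salt, a hash taken from the email registry cannot be matched against the phone registry, and matching depends on both sides normalizing identifiers the same way.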

Section 2

Data Deletion and Exclusions

Upon matching, brokers must delete personal information within 31 days, while retaining information necessary for human subjects research, warrants, court orders, or certain authorized activities. Deleted information must be reported to the Commission with the count of records deleted. Information retained for specific purposes may only be used for those purposes.

Section 2

Annual Fees and Fund Use

Registered brokers must pay an annual subscription fee to access the centralized system. The fee cannot exceed 1% of the system’s expected annual operating cost. Funds collected are reserved for enforcement and maintenance of the centralized system and registries.

Section 2

Enforcement Authority

The FTC will enforce the act as an unfair or deceptive practice, using existing FTC powers. The act preserves agency authority and requires rulemaking under the Administrative Procedure Act.

Section 2

Study, Reports, and Preemption

The Commission will study the system’s implementation and effectiveness, and report findings to Congress within three years and annually for four years. The act preempts state privacy laws only where inconsistent, while allowing state laws with greater protections to prevail.

Section 2

Definitions

Key terms include: data broker, persistent identifier, credentialing, hashed registries, salt, and delete. The definitions determine who must comply and how data is treated within the centralized system.

Who Benefits and Who Bears the Cost

Every bill creates winners and losers. Here's who stands to gain and who bears the cost.

Who Benefits

  • Individual consumers who hold persistent identifiers and wish to delete their data across multiple brokers, using a single request.
  • Privacy advocacy groups and consumer protection agencies seeking stronger privacy rights and enforcement.
  • The Federal Trade Commission, as the primary enforcement and oversight body ensuring consistent national standards.
  • Large data brokers that register and align with centralized processes, gaining clarity and predictable obligations.

Who Bears the Cost

  • Registered data brokers who must register, pay annual fees, and modify systems to support hashed registries and deletion workflows.
  • IT, legal, and compliance teams within brokers responsible for implementing hashing, deletion matching, and reporting.
  • Auditing firms contracted to perform third-party audits and the FTC’s own enforcement resources.

Key Issues

The Core Tension

Balancing robust nationwide deletion rights with the practical costs and technical challenges of enforcing a single, centralized system across a diverse and dynamic data-broker ecosystem.

The act creates a national standard for data deletion that may interact with state privacy regimes. While it provides broad permissions to delete and limit data collection, it also allows certain data to be retained for legal and research purposes, which could complicate total data erasure.

The preemption clause aims to harmonize rules across states, but it permits stronger state protections, potentially leading to a patchwork of protections in practice. The centralization and hashing approach, while designed for privacy, raises questions about data accuracy, reliance on hashed matching, and the sufficiency of disclosures from brokers.

Finally, the transition timelines depend on successful rulemaking; if regulations are delayed, real-world implementation could lag behind the statute’s intended effects.
