The issue of personal data deletion has become a core concern in global data governance. Admittedly, many companies have provided ways for consumers to opt out in the face of legal pressures. Specifically, the Federal Trade Commission Act (FTC Act) prohibits “unfair or deceptive acts or practices in or affecting commerce,” which can be expanded to regulate companies that fail to offer an opt-out mechanism. Furthermore, if the data broker possesses data from people in the European Union, the data broker should comply with the General Data Protection Regulation (GDPR), which empowers data subjects to request the removal of their personal data. However, in practice, many data brokers simply ignore opt-out requests and do not offer an opt-out option. To enable data subjects to regain control over their own data, legal systems are grappling with how to balance consumer privacy rights and effective enforcement.
California Senate Bill 362, signed into law on October 10, 2023, required the California Privacy Protection Agency (CPPA) to establish an accessible deletion mechanism by January 1, 2026. Also known as the Delete Act, this bill applies to all California “data brokers,” which are businesses that knowingly collect and sell to third parties the personal information of a consumer with whom they do not have a direct relationship. The Delete Act mandates that the deletion mechanism must enable individuals to submit a single verifiable consumer request requiring all data brokers to delete any personal information related to the consumer, including data held by any associated service providers or contractors.
The Delete Act significantly strengthens the accountability of data brokers by imposing increased penalties, and requiring CPPA to create a centralized mechanism that shifts the burden from consumers to data brokers. Starting August 1, 2026, consumers will not only be able to submit deletion requests through a single interface, but data brokers will also be required to access this deletion system at least once every 45 days to process requests. With stricter enforcement and penalties, data brokers must implement notification systems and monitoring protocols to ensure compliance.
This act seeks to balance the risks and benefits that exist between consumers and data brokers. Data brokers often collect personal information indirectly, through third-party sources rather than from consumers. During data processing, consumers are exposed to potential risks, such as misuse, or leakage of their personal data, often not knowing when or how their data was collected. While consumers bear most of the potential risks, data brokers and associated service providers or contractors reap the economic benefits of processing this data.
For consumers, ex post remedies are costly and burdensome due to an absence of contracts, evidentiary challenges and uncertainties, and limited recoverable damages. Moreover, consumers typically lack any direct legal relationship with the entities that hold or process their data, making it nearly impossible to submit individual deletion requests to each relevant party.
China has also introduced the authority to enhance compliance to alleviate a similar tension between individual rights and enforcement mechanisms. The Personal Information Protection Law grants consumers the right to request deletion of their personal data and establishes penalties for unlawful handling of personal information. However, when personal data is resold or transferred to third parties, consumers often lack awareness of which entities hold their information. As a result, even when a deletion request is submitted to a known processor, there is no effective mechanism to verify whether the deletion was comprehensively executed or identify specific categories of data involved.
Chinese authorities have begun to play a more active role. On February 19, 2025, the Cyberspace Administration of China (CAC) announced penalties for 78 mobile apps that failed to properly cancel user accounts within the specified timeframe, requiring them to implement corrective measures. Subsequently, on March 28, 2025, the CAC in coordination with other agencies, launched a campaign titled “Special Actions for Personal Information Protection in 2025,” which emphasized the need for companies to implement reliable mechanisms for personal data deletion and account cancellation. While these initiatives demonstrate progress, governmental regulatory enforcement in China primarily remains focused on punishing unlawful conduct by data controllers rather than ensuring that individual deletion requests are fulfilled. As a result, litigation remains the primary channel through which consumers in China can enforce their deletion rights.
While California’s Delete Act emphasizes consumer empowerment and centralized mechanisms, China’s regulatory scheme leans more toward government-led enforcement against violators. Both frameworks highlight a critical problem: the gap between individuals’ data rights and their ability to meaningfully exercise those rights.
To close this gap, we need more comprehensive legal guidance. Regulatory frameworks should not only clearly define what compliance looks like but also provide technical and procedural standards for implementation. As data ecosystems become increasingly complex, ensuring symmetry between the risks borne by individuals and the responsibilities placed on entities that hold data is essential for building trust in digital governance.