There is a gap in California’s privacy law that has existed since the California Consumer Privacy Act first came into force in 2020, and almost everyone who has spent time in privacy compliance has noticed it. The CCPA gives California consumers the right to request deletion of their personal information — but only the personal information that a business collected directly from them. The vast shadow dataset that businesses quietly accumulate by purchasing consumer profiles from data brokers, enriching records with third-party inferences, and supplementing first-party data with externally sourced behavioral intelligence? None of that has been touchable by a consumer deletion request. Until now, potentially.
What SB 923 Means for Consumers, Businesses, and the Future of the Right to Delete
Senator Josh Becker has introduced SB 923, the Expanding Privacy Rights Act, sponsored by the California Privacy Protection Agency (CalPrivacy). The bill would strengthen consumers’ rights under the California Consumer Privacy Act by expanding the right to delete personal information and by improving how consumers can exercise that right. Introduced on January 28, 2026, during Data Privacy Week, the bill is short, targeted, and — if it passes — consequential for virtually every company that uses enriched consumer profiles to drive commercial decisions.
The Problem SB 923 Is Trying to Fix
To understand why this bill matters, you have to understand how the modern data economy actually operates, as opposed to how a reasonable consumer might imagine it works.
When you hand over your email address to a retailer, you know the retailer has your email address. What you probably don’t know is that the retailer may have subsequently purchased a data broker file that tells them your estimated household income, your likely health conditions based on purchasing patterns, your political leanings inferred from zip code and magazine subscriptions, whether you’re likely to be pregnant, recently divorced, or in financial distress, and dozens of other attributes you never disclosed to anyone. That enriched profile then becomes the basis for the decisions that affect you: what prices you see, what credit offers you receive, what insurance products you’re targeted with, whether you get a follow-up call from a salesperson.
Under current law, the CCPA allows consumers to request deletion of personal information that a business collects directly from them, but it does not require deletion of personal data obtained from third parties such as data brokers. In practice, this means the most sensitive, the most invasive, and often the most consequential data in a business’s consumer file is precisely the data that is currently immune to deletion requests.
This expansion of the existing deletion right would close a critical gap in privacy protections by addressing the widespread practice of businesses supplementing consumer records with data purchased from data brokers and other third parties.
What SB 923 Actually Does
The bill’s core mechanism is elegantly simple. SB 923, as introduced by Senator Becker, would expand the existing deletion right to include requesting the deletion of any personal information that the business has collected about the consumer. The critical word change is a small but significant one: the current law covers personal information collected “from the consumer”; SB 923 changes the scope to cover personal information collected “from or about the consumer.” Those two words — “or about” — are doing enormous work.
The Third-Party Deletion Chain
One of the most operationally demanding provisions in the bill concerns what businesses must do after receiving a deletion request that covers third-party sourced data. Under the bill, the service provider or contractor shall notify any service providers, contractors, or third parties who may have accessed personal information from or through the service provider or contractor to delete the consumer’s personal information unless this proves impossible or involves disproportionate effort.
This cascading deletion obligation is significant. A business that has shared consumer profile data downstream — with analytics partners, ad tech vendors, data enrichment services — would be required to propagate the deletion request through that network. For organizations with complex data-sharing architectures and multiple downstream data recipients, this creates a substantial operational undertaking that current data infrastructure is often not designed to handle.
The Record Retention Carve-Out
The bill does include one notable practical accommodation. If the business did not obtain the personal information from the consumer, the bill would allow the business to retain a record of the deletion request and the minimum data necessary to ensure the consumer’s personal information remains deleted from its records and is not being used for any other purpose.
This provision addresses an obvious operational problem: if a business deletes every record that it ever held certain data about a consumer, it has no way of preventing that data from re-entering its systems the next time it runs a batch enrichment process from the same data broker. Allowing retention of a minimal deletion record — essentially a suppression list — is the practical solution, and one that mirrors the approach already established in California’s Delete Act for data brokers.
Accessibility Requirements: The Other Half of the Bill
The deletion right expansion gets most of the attention, but the bill’s second major provision — the accessibility requirement — is equally important for compliance programs and arguably more immediately actionable.
Under the bill, a business shall, in a form that is reasonably accessible to consumers, make available to consumers two or more designated methods for submitting requests. For businesses that operate exclusively online, the bill is more prescriptive: they must provide both an email address and an online method — such as a webform or online portal — for consumers to submit access, correction, and deletion requests.
This provision addresses a real and documented compliance problem. The California Privacy Protection Agency has received significant volumes of consumer complaints about the difficulty of exercising privacy rights in practice — rights request portals that are buried in privacy policies, accessible only on desktop, require account creation, or time out before a request can be completed. For consumers with disabilities, non-standard devices, or limited digital literacy, the gap between a theoretical legal right and a practically exercisable one can be substantial.
The accessibility requirement aligns with broader principles already embedded in California privacy law — the CCPA’s regulations already require that rights request methods be “easy to use” — but SB 923 makes the multi-channel requirement explicit and legally mandatory rather than aspirational.
The CalPrivacy Sponsorship Signal
The most significant thing about SB 923 is arguably not what it says but who is behind it. The bill is sponsored by the California Privacy Protection Agency, and the chief of CalPrivacy told MLex the agency plans to become more active working with lawmakers to expand Californians’ privacy rights. A bill sponsored by the regulator that will enforce it is a different creature from a legislator’s standalone proposal. It signals regulatory intent, not just legislative aspiration — CalPrivacy is telling the industry what it believes the law should say, which is also a signal about how it will interpret and enforce what the law already says.
While SB 923 is not yet law, it has already attracted attention because CPPA sponsorship suggests the proposal could receive serious consideration as the legislative process moves forward. The Delete Act, also authored by Senator Becker and also closely associated with CalPrivacy, moved from introduction to enactment and became the model for the DROP platform, which has been a significant operational success. SB 923 explicitly builds on that foundation.
More than 176,000 consumers signed up for DROP, with the agency seeing an average of 7,000 sign-ups a day after launch. That level of consumer uptake demonstrates an appetite for data deletion rights that the agency is now seeking to extend beyond data brokers and into the broader commercial data ecosystem. SB 923 is the next phase of the same legislative strategy.
How SB 923 Fits Into the Broader California Privacy Architecture
To understand SB 923’s significance fully, it needs to be read in context with the other privacy infrastructure California has been building over the past several years.
- The CCPA (2020) established the baseline right to delete personal information collected directly from the consumer, along with rights to know, access, correct, and opt out of sale.
- The CPRA / Proposition 24 (2020) created the California Privacy Protection Agency as an independent enforcement body with rulemaking authority, and added the sensitive personal information category, the right to correct, and expanded obligations for data minimization and purpose limitation.
- The Delete Act / SB 362 (2023) extended deletion rights across all registered data brokers simultaneously through the DROP centralized platform, and transferred data broker registry oversight to CalPrivacy.
- The DROP launch (January 1, 2026) made that centralized deletion mechanism operational, allowing consumers to submit a single request to all registered data brokers at once.
- SB 923 (introduced January 28, 2026) now proposes to extend the deletion right into the broader commercial ecosystem — beyond data brokers and into the everyday businesses that use broker-sourced data to build consumer profiles.
Read together, the trajectory is clear. California is systematically closing the gaps between what consumers are theoretically entitled to delete and what they can actually cause to be erased. The deletion right that originated as a right to remove data you personally handed over is evolving into something closer to a right to remove data that exists about you — a fundamentally more powerful concept, and one with substantially more significant implications for how businesses can structure their data operations.
What This Means for Compliance Programs
For privacy professionals and compliance teams, SB 923 is still a bill — it has not been enacted and will go through the California legislative process during the 2026 session. But CalPrivacy sponsorship makes it something that should be tracked seriously, planned for proactively, and used as a strategic planning input now rather than a reactive compliance obligation later.
The operational implications, if the bill passes in its current form, include:
- Data inventory and lineage mapping. Organizations that currently maintain consumer profiles enriched with third-party data need to understand, at a granular level, what third-party sources those profiles incorporate, what identifiers link the third-party data to consumer records, and how that data flows downstream. Without this foundation, fulfilling cascading deletion requests will be operationally impossible. Data mapping that many organizations have treated as a documentation exercise needs to become a live, queryable operational system.
- Downstream vendor agreements. The cascading deletion obligation means that data-sharing agreements with analytics partners, ad tech vendors, and data enrichment services need to contain deletion cooperation clauses. Many current vendor agreements are silent on deletion propagation. Organizations should begin auditing and amending vendor contracts now, before these obligations become legally mandatory.
- Consumer rights infrastructure. The accessibility requirement — mandating email and online portal submission methods — means organizations operating exclusively online need to review their current DSR intake process for both coverage and usability. Rights request mechanisms that work adequately for technically proficient users on standard desktop browsers may fail consumers using mobile devices, assistive technology, or non-English language settings. ADA compliance and accessibility standards should be applied to privacy request tooling, not just public-facing website content.
- Suppression list management. The bill’s record retention carve-out for deletion requests covering third-party-sourced data requires organizations to build and maintain suppression lists that prevent re-acquisition of deleted consumer data through subsequent data broker purchases. Organizations with recurring enrichment processes — quarterly or annual data hygiene runs — need to integrate suppression checking into those workflows.
- Re-enrollment and re-acquisition controls. One of the more challenging compliance questions SB 923 raises is what happens when a consumer whose third-party data has been deleted subsequently re-engages with the business directly. The bill does not appear to prohibit re-collection of first-party data from a consumer who has submitted a deletion request; what it prohibits is the ongoing retention and use of previously held third-party data about that consumer. The boundary between permissible re-collection and impermissible re-acquisition needs to be thought through carefully in the context of each organization’s data practices.
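One way to integrate suppression checking into a recurring enrichment import, as an added example (not from the bill text or any CalPrivacy tooling). It assumes email is the identifier linking broker rows to consumer records and that a keyed HMAC-SHA256 token serves as the minimal retained record; both are design assumptions, and all names and sample rows are hypothetical.

```python
import hashlib
import hmac

# Constructed demo key; assumption: the real key lives in a secrets manager.
SUPPRESSION_KEY = b"constructed-demo-key"


def suppression_token(email, key=SUPPRESSION_KEY):
    """Keyed hash of the normalized email, so the list stores no readable identifier."""
    normalized = email.strip().lower()
    return hmac.new(key, normalized.encode("utf-8"), hashlib.sha256).hexdigest()


class SuppressionList:
    """Holds only token -> deletion request id (the retained record of the request)."""

    def __init__(self):
        self._tokens = {}

    def record_deletion(self, email, request_id):
        self._tokens[suppression_token(email)] = request_id

    def is_suppressed(self, email):
        return suppression_token(email) in self._tokens


def filter_enrichment_batch(rows, suppression):
    """Return (accepted_rows, dropped_row_numbers) for one import batch.

    Third-party rows for suppressed consumers are dropped before they reach
    the profile store; first-party rows pass, matching the re-collection
    boundary discussed above. Only row numbers of drops are kept for audit.
    """
    accepted, dropped = [], []
    for number, row in enumerate(rows, start=1):
        if row["source"] != "first_party" and suppression.is_suppressed(row["email"]):
            dropped.append(number)
        else:
            accepted.append(row)
    return accepted, dropped


def run_demo():
    suppression = SuppressionList()
    suppression.record_deletion("Pat@Example.com", "DSR-0001")  # constructed request
    batch = [  # constructed sample rows, not real broker data
        {"email": "pat@example.com ", "source": "broker_a", "income_band": "C"},
        {"email": "lee@example.com", "source": "broker_a", "income_band": "B"},
        {"email": "pat@example.com", "source": "first_party", "newsletter": True},
    ]
    return filter_enrichment_batch(batch, suppression)
```

Broker files often key on identifiers other than email (phone, postal address, device ID), so a production list would hold one token per identifier type the enrichment join actually uses.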
The Broader Stakes
California has a well-documented history of setting the regulatory baseline that other states eventually follow. The CCPA’s enactment in 2018 accelerated the pace of state privacy legislation nationally, with over 20 states now having comprehensive privacy frameworks modeled to varying degrees on the California approach. The Delete Act’s centralized deletion mechanism is already being studied by other states as a potential model for broker-specific deletion rights. If SB 923 passes, the expansion of deletion rights to cover all personal information regardless of source — not just data broker holdings — becomes the new frontier for state-level deletion rights nationally.
For businesses operating across multiple states, SB 923 represents not just a California compliance consideration but a preview of where privacy rights may be heading nationally. The gap between first-party deletion rights and third-party deletion rights has been a feature of every U.S. state privacy law enacted to date. California is now proposing to close that gap unilaterally.
Whether the bill passes in its current form, is amended to narrow its scope, or stalls in committee, it has already accomplished one thing that matters for compliance planning: it has put the industry on notice that the California Privacy Protection Agency considers the current deletion right inadequate, and that it intends to use its regulatory authority — both legislative sponsorship and enforcement discretion — to close the gap. For organizations that have been treating the third-party data gap as a permanent feature of the legal landscape rather than a temporary limitation, SB 923 is a signal worth taking seriously.