Daniel SterlingThe California State Senate voted unanimously on May 27, 2026 to pass Senate Bill 923, closing a significant gap in one of the nation's strongest consumer privacy laws. Under the new measure, Californians can for the first time demand deletion of personal data that companies obtained from third-party data brokers — not just information consumers provided directly. The bill now heads to the Assembly before reaching the Governor's desk.
The Gap SB 923 Closes
To understand why this vote matters, it helps to know what the California Consumer Privacy Act (CCPA) did and did not cover before SB 923.
Since the CCPA took effect in 2020, California consumers have had the right to request deletion of personal data from companies — but that right applied only to data those companies collected directly from the consumer. A business that purchased your browsing history, financial records, location data, or contact details from a third-party data broker was under no legal obligation to delete that information when you asked.
Data brokers make it their business to aggregate information from hundreds of sources: retail transactions, social media activity, loyalty programs, mobile app data, public records, and more. Large data brokers hold profiles on the majority of American adults. Those profiles are then sold to businesses, insurers, landlords, employers, and political campaigns.
SB 923, sponsored by the California Privacy Protection Agency and authored by Senator Josh Becker (D-Menlo Park), closes this loophole. Under the bill's provisions — if it passes the Assembly and is signed by the Governor — consumers will be able to request deletion of all personal information a company holds about them, regardless of where that information came from, according to the bill text published on the California legislative portal.
The bill also requires businesses that operate exclusively online to provide consumers with both an email address and a digital method — such as a webform or portal — to submit access, correction, or deletion requests. Previously, some online-only companies directed consumers to postal mail or phone lines for privacy requests, creating practical barriers.
What You Can Do Right Now
It is worth noting that SB 923 has not yet been enacted — it still requires Assembly approval and the Governor's signature before it takes effect. California's legislative calendar typically carries major bills through the Assembly by September, with signature or veto decisions in the fall.
But the unanimous Senate vote signals strong political support, and consumers who want to act now have existing tools. The CCPA already requires the California Privacy Protection Agency to maintain a data broker registry. Through the Delete Act, California residents can submit a single deletion request to the California Privacy Protection Agency, which then contacts registered data brokers on your behalf to delete your information.
Under current law, that request applies to data brokers on the registry. SB 923 would extend deletion rights into the wider ecosystem of companies that have purchased data from those brokers — capturing a layer of the data economy that currently operates out of sight.
YMYL disclaimer: Privacy law is complex and varies by state. If you have questions about your rights under CCPA, how to file a deletion request, or whether a specific business is subject to these rules, consulting a privacy attorney is the most reliable path to a clear answer.
Why a Privacy Lawyer Can Make a Difference
The mechanics of data deletion requests are more contested than they might appear. Businesses frequently deny or partially fulfill deletion requests, citing exemptions — for fraud prevention, legal obligations, or internal research. A refusal that looks routine may in fact be a violation of your legal rights.
Privacy attorneys who specialize in consumer data law can review denial letters, assess whether a company's stated exemptions are valid, and pursue complaints with the California Privacy Protection Agency on your behalf. They can also advise businesses on the compliance changes SB 923 would require — including updating data inventories to track third-party-sourced records, modifying deletion workflows, and training staff on the expanded scope of consumer requests.
For businesses, the practical challenge SB 923 creates is significant. Many companies do not currently track which elements of a customer profile came from first-party interactions versus purchased data. Building that distinction into existing data architecture takes both legal and technical expertise — typically the joint work of a privacy attorney and an IT compliance specialist.
The Broader Pattern: States Leading on Privacy
California's move follows a pattern that has accelerated since 2020: state-level consumer privacy legislation advancing where federal law has stalled. More than 20 states now have comprehensive consumer privacy laws on the books, with varying deletion rights, breach notification requirements, and enforcement mechanisms.
SB 923's unanimous Senate passage suggests that expanding deletion rights to cover third-party-sourced data has become a politically viable proposition in California — which often signals where other states will move in the next two to three legislative cycles.
For California residents, the practical upshot is straightforward: the legal framework for demanding control over your own data is getting stronger. Whether you are managing your personal digital footprint or running a business that handles consumer data, the direction of travel is unmistakable.
ExpertZoom connects Californians with experienced privacy attorneys and IT compliance specialists who can help you understand your rights under current law — and what SB 923 will change once it is signed.
