California Delete Act: Data Broker Accountability in 2026

The digital age has ushered in an unprecedented era of data collection, with an opaque network of data brokers silently aggregating, buying, and selling personal information. In response to this burgeoning industry and the growing demand for individual privacy, California has once again positioned itself at the forefront of consumer data protection with the enactment of the California Delete Act (Senate Bill 362). This landmark legislation, now functionally enforceable as of March 12, 2026, alongside its revolutionary Delete Request and Opt-Out Platform (DROP), represents a seismic shift in data broker accountability and empowers consumers with robust new deletion rights.

The Delete Act builds upon California’s existing privacy framework established by the California Consumer Privacy Act (CCPA) of 2018 and the California Privacy Rights Act (CPRA) of 2020. While CCPA and CPRA granted consumers foundational rights such as the right to know, delete, and opt-out of the sale of personal data, exercising these rights against a multitude of data brokers often proved cumbersome, requiring individual requests to each entity. The Delete Act directly addresses this challenge by introducing a centralized, streamlined mechanism for data deletion, fundamentally reshaping the dynamics between individuals and the data brokerage industry.

A New Era of Data Control: Understanding the California Delete Act

The Genesis of SB 362: Addressing Data Broker Proliferation

The proliferation of data brokers, defined as businesses that knowingly collect and sell to third parties the personal information of a consumer with whom they do not have a direct relationship, created a significant gap in consumer control over personal data. These entities often operate in the shadows, amassing vast digital dossiers on individuals without their direct knowledge or explicit consent. Prior to the Delete Act, unraveling this web and successfully removing one’s data from numerous brokers was a daunting, if not impossible, task for the average consumer.

Recognizing this systemic challenge, the California Delete Act (SB 362) was signed into law on October 10, 2023, with the explicit aim of bringing transparency and accountability to this opaque sector. It directly tasks the California Privacy Protection Agency (CPPA), also referred to as CalPrivacy, with establishing and overseeing the mechanisms necessary to empower consumers and enforce compliance. The legislation’s intent is clear: to ensure consumers’ constitutional right to privacy is protected by enabling them to easily request deletion of their personal information and preventing data brokers from collecting new information in the future.

Key Provisions and Enforceability Milestones

The California Delete Act introduces several critical provisions and a structured timeline for their implementation and enforcement, demanding significant operational adjustments from data brokers:

• DROP Portal Launch: The Delete Request and Opt-Out Platform (DROP) officially launched on January 1, 2026, allowing California residents to begin submitting their unified deletion requests. This state-run, free-to-use platform simplifies a previously fragmented and arduous process.
• Functional Enforceability: As of March 12, 2026, the Delete Act became functionally enforceable, signaling the CPPA’s readiness to administer and oversee the new regulations.
• Data Broker Registration: Data brokers were required to begin annual registration with the CPPA starting January 1, 2024, paying an annual fee ($6,000 for 2026) that helps fund the CPPA’s Data Broker Registry and the DROP platform. The CPPA maintains a public registry of these brokers. As of February 2026, over 575 data brokers were registered.
• First Processing Deadline: Starting August 1, 2026, data brokers are mandated to access the DROP platform at least once every 45 days and process all pending deletion requests within that same 45-day window.
• Ongoing Deletion Requirements: Beyond the initial deletion, if a consumer has submitted a request, data brokers must continuously delete all personal information of that consumer at least once every 31 days. Furthermore, they are prohibited from selling or sharing any new personal information acquired about that consumer, unless the consumer explicitly requests otherwise.
• Mandatory Third-Party Audits: Beginning January 1, 2028, and every three years thereafter, all registered data brokers must undergo an independent third-party audit to verify compliance with the Delete Act’s deletion requirements. Audit reports must be retained for six years and made available to the CPPA upon request.

The Data Request and Opt-Out Platform (DROP): A Centralized Command Center

How DROP Simplifies Consumer Deletion

The cornerstone of the California Delete Act is the Data Request and Opt-Out Platform (DROP). This innovative, centralized online tool, accessible via privacy.ca.gov, significantly simplifies the process for California residents to exercise their right to delete personal information. Instead of navigating individual websites or sending separate requests to potentially hundreds of data brokers, consumers can now submit a single, verifiable request through DROP.

The consumer experience is designed for ease of use:

1. Eligibility Verification: Users confirm California residency, often through secure state digital platforms like the California Identity Gateway or Login.gov. This ensures the request is legitimate and protects privacy, as information is not retained by DROP for other purposes.
2. Profile Creation: Consumers provide basic identifying details such as their name, date of birth, phone number, and email address. The platform emphasizes that only necessary information is collected to facilitate the deletion process, and it is securely stored and protected.
3. Request Submission: Once verified, the consumer submits their request, which is then distributed to all registered data brokers. Consumers also have the option to exclude specific data brokers from their request.
4. Status Tracking: The platform allows consumers to return and check the status of their deletion requests, providing an unprecedented level of transparency and control.

This “one-stop-shop” mechanism addresses a fundamental flaw in previous privacy frameworks by shifting the burden of deletion from the individual consumer to the data brokers themselves.

Technical Architecture and Data Flow for DROP

While the full technical specifications of DROP are continuously evolving and being refined by the CPPA, several key architectural components and data flows are critical to its operation:

• Standardized Intake: DROP acts as a standardized intake channel for deletion requests, ensuring consistency in how consumer information is gathered and transmitted to brokers.
• Identity Verification Services: The platform integrates with state-run identity services to securely verify consumer residency and eligibility for deletion requests, preventing fraudulent submissions.
• Request Distribution: After verification, DROP facilitates the secure distribution of deletion requests to all registered data brokers. While the CPPA has indicated that an API (Application Programming Interface) will be made accessible in Spring 2026, allowing for automated request retrieval by brokers, manual download options are also available.
• Data Standardization for Matching: CPPA regulations clarify the data standardization required for data brokers to compare the deletion lists from DROP with their own internal records. This includes addressing specific data elements such as date of birth, zip codes, phone numbers, and non-English characters, as well as methods for hashing identifiers when multiple identifiers are provided in a deletion list. This level of standardization is crucial for accurate matching and deletion.
• 100% Matching Threshold: To prevent erroneous deletions, the regulations stipulate a 100% consumer identifier match threshold for a deletion to be required. This ensures that only the data of the requesting individual is targeted for removal.
• Secure Data Handling: Information provided by consumers to DROP is protected and stored in a secure format, used solely for fulfilling the deletion request and not for other purposes like marketing.

This technical infrastructure underscores the CPPA’s commitment to creating a robust, efficient, and secure system for managing data deletion requests at scale.

Unprecedented Accountability: The Burden on Data Brokers

The Mandate to Delete and Frequent Processing Cycles

The California Delete Act places a significant and continuous obligation on data brokers. Beginning August 1, 2026, data brokers must not only access DROP at least every 45 days but also diligently process all verified deletion requests received through the platform within that 45-day timeframe. This “processing” entails identifying, locating, and deleting all associated personal information (including inferences drawn from that data) related to the consumer who submitted the request.

Furthermore, the Act imposes ongoing deletion duties. Once an initial deletion request has been fulfilled, data brokers are required to continue deleting all personal information about that consumer at least once every 31 days. Critically, they are also prohibited from selling or sharing any newly acquired personal information about that consumer, unless the consumer explicitly provides consent otherwise. This prevents a “revolving door” scenario where data is deleted only to be re-collected and re-sold shortly thereafter. Data brokers must also direct any service providers or contractors they utilize to comply with these deletion requests.

Strict Penalties and the Cost of Non-Compliance

Non-compliance with the California Delete Act carries substantial financial and reputational risks. The CPPA, through its dedicated Data Broker Enforcement Strike Force, is actively monitoring and pursuing violations. Penalties can quickly escalate:

• Failure to Register: Data brokers failing to register annually with the CPPA are subject to a daily fine of $200. The CPPA has already initiated public investigations and issued fines, including a proposed $46,000 fine for a broker that registered 230 days late, and settlements around $35,000 for other non-compliant entities.
• Failure to Comply with Deletion Requests: For each day a data broker fails to process a verified deletion request, they face an administrative fine of $200 per consumer, per day. Given the potential volume of requests through DROP, these penalties can accumulate rapidly into millions of dollars.
• Additional Costs: The CPPA can also recover expenses incurred during investigations and administrative actions, as well as unpaid registration fees.

All recovered penalties, fines, and fees are deposited into the Data Brokers’ Registry Fund, which is used to offset costs incurred by state courts, the CPPA, and the Attorney General in connection with enforcing the Act and maintaining the DROP platform. This financial mechanism ensures that enforcement efforts are self-sustaining.

The 2028 Audit Requirement: A New Standard of Oversight

Adding another layer of stringent accountability, the California Delete Act mandates that beginning January 1, 2028, and every three years thereafter, registered data brokers must undergo an independent third-party audit. These audits are designed to verify comprehensive compliance with the Act, scrutinizing:

• Technical Implementation: How data brokers integrate with DROP, retrieve requests, and match consumer identifiers to their data holdings.
• Deletion Processes: The efficacy and completeness of their data deletion mechanisms, ensuring all personal information (including inferences) is truly removed.
• Record-Keeping: The maintenance of internal records documenting how deletion lists are processed, requests are fulfilled, and confirmation actions are taken.
• Compliance with Ongoing Deletion: Verification that new data collected about a requesting consumer is continuously deleted every 31 days and not re-sold or re-shared.

These audit reports must be retained for six years and submitted to the CPPA upon request, providing the agency with a powerful tool for ongoing oversight and enforcement. This requirement signifies a shift from reactive enforcement to proactive, preventative compliance, forcing data brokers to build robust and auditable data governance programs.

Early Impact and Future Implications

Astounding Consumer Engagement

The initial response to DROP has been nothing short of astounding, underscoring a deep-seated public demand for greater data privacy. Despite the absence of paid advertising, consumer engagement with the platform has been substantial. By January 20, 2026, just three weeks after its launch, over 155,000 Californians had already submitted deletion requests. This number surged to over 215,000 by March 12, 2026, as per the research seed, and further to over 242,000 by March 2, 2026. This level of participation far exceeded the CPPA’s expectations and highlights the pressing need for such a centralized mechanism. The sheer volume of requests signals that data brokers face a significant operational challenge to comply with the August 1, 2026 processing deadline.

A Model for National and Global Privacy Initiatives?

California has consistently acted as a trailblazer in data privacy legislation, influencing other states and even federal discussions. The California Delete Act, as the first law of its kind to be passed and implemented in any jurisdiction, is poised to continue this trend. Its innovative “one-stop-shop” approach offers a compelling model for simplifying consumer rights in an increasingly complex digital world.

The Act shares philosophical commonalities with the European Union’s General Data Protection Regulation (GDPR), particularly the “right to erasure,” but goes further by creating a centralized government-managed platform to facilitate this right across an entire industry. The success and challenges of DROP will undoubtedly be closely watched by policymakers across the United States and internationally. Senator Ron Wyden (D-OR), for example, has already expressed support for DROP, hoping it could serve as a model for protecting federal employees’ data. This regional initiative could well pave the way for a more unified and accessible approach to data deletion rights on a broader scale, further shaping the future of data privacy.

Navigating the New Landscape: Recommendations for Businesses and Consumers

For Data Brokers: Proactive Compliance is Paramount

The California Delete Act is not merely a legal hurdle but a fundamental reshaping of how data brokers must operate. Proactive and comprehensive compliance is no longer optional; it is an economic and reputational imperative.

Data brokers should focus on:

• Robust Data Mapping and Inventory: Thoroughly understand what personal information is collected, where it is stored, how it is used, and with whom it is shared. This is foundational for effective deletion.
• Automated Deletion Processes: Invest in or develop automated systems for receiving, processing, and executing deletion requests from DROP. Manual processes will be overwhelmed by the volume of requests.
• Dedicated Compliance Teams: Establish or expand teams with expertise in privacy law and data governance to manage ongoing compliance, including the 45-day processing cycles and 31-day continuous deletion for new data.
• API Integration Readiness: Be prepared for the CPPA’s API access in Spring 2026 to streamline request retrieval and processing.
• Audit Preparedness: Implement meticulous record-keeping for all deletion requests and processing actions to demonstrate compliance during the mandatory triennial audits starting in 2028.
• Transparency: Ensure privacy policies are clear, comprehensive, and prominently display links for consumers to exercise their privacy rights, avoiding any “dark patterns” that discourage requests.

For Consumers: Empowering Data Stewardship

For California residents, the California Delete Act represents an unprecedented opportunity to regain control over their digital footprint.

Consumers are encouraged to:

• Utilize DROP: Take advantage of the free, user-friendly Delete Request and Opt-Out Platform (privacy.ca.gov) to submit deletion requests to all registered data brokers.
• Understand Your Rights: Familiarize yourself with the rights granted under the CCPA, CPRA, and the Delete Act.
• Monitor Your Data: While DROP automates much of the process, staying informed about which data brokers may hold your information remains a good practice.

The California Delete Act marks a watershed moment in the evolving landscape of data privacy. By centralizing deletion requests through DROP and imposing stringent accountability measures, California has set a new benchmark for consumer protection. This transformative legislation not only empowers individuals to reclaim their personal information but also sends a clear message to the data brokerage industry: transparency and accountability are no longer negotiable. As the August 1, 2026 processing deadline approaches, the coming months will reveal the full operational impact of this groundbreaking law, solidifying California’s legacy as a pioneer in data privacy.