California’s Delete Act Is Live: What Data Brokers Must Do Before August 1, 2026

California has a habit of moving first on data privacy — and then watching the rest of the country follow. The California Delete Act, signed into law in 2023, is the latest example. It doesn’t just add new rights to an existing framework: it changes the mechanics of how consumers exercise those rights, and it puts a significant new operational burden on every business that qualifies as a California data broker.

The consumer-facing platform — called DROP — went live on January 1, 2026. Data brokers have until August 1, 2026 to begin processing requests that come through it. That deadline is now less than five months away.

Here’s what compliance teams need to understand.

What Is the California Delete Act?

The Delete Act (SB 362) was enacted in 2023 as an amendment to California’s existing data broker registration law. The original law, passed in 2019, required data brokers to register with the California Attorney General and provide basic disclosures. The Delete Act goes further — significantly further.

The core innovation is DROP: a centralized platform that lets any California resident submit a single deletion request that applies to all registered data brokers simultaneously. Before DROP, a consumer who wanted their data deleted from data brokers had to identify each broker individually, navigate each company’s separate opt-out mechanism, and repeat the process indefinitely. DROP collapses that into a single action.

For consumers, this is a material improvement. For data brokers, it creates a new and continuous compliance obligation.

What Is DROP?

DROP stands for the Delete Request and Opt-Out Platform. It was built and is operated by the California Privacy Protection Agency (CPPA) — the state’s dedicated privacy enforcement body, established by Proposition 24 (CPRA) in 2020.

DROP is, in the CPPA’s framing, a “one-stop shop” for California residents to request that all California data brokers delete their personal information.

When a consumer submits a deletion request through DROP:

The request is logged by the CPPA
It is transmitted to every registered data broker
Each data broker must process the deletion within 45 days
The data broker must also direct its service providers and contractors to delete the consumer’s data

The platform opened to consumers on January 1, 2026. Consumers can now register and submit requests. The obligation for data brokers to act on those requests kicks in on August 1, 2026.

The Three Key Dates

January 1, 2026 — DROP Goes Live

Consumers can now register with DROP and submit deletion requests. Requests submitted between January 1 and August 1, 2026 are queued. Data brokers are not yet obligated to process them, but the clock is running.

August 1, 2026 — Data Brokers Must Begin Processing

This is the hard compliance deadline. From August 1, every registered California data broker must:

Access DROP at least every 45 days to retrieve pending deletion requests
Process each request within 45 days of receipt
Direct service providers and contractors to delete the consumer’s personal information

Any deletion request not processed within the required timeframe exposes the data broker to civil penalties.

January 1, 2028 — Mandatory Third-Party Audits Begin

Starting January 1, 2028, data brokers must undergo independent third-party audits every three years. The audits assess compliance with the Delete Act’s requirements. This isn’t a soft requirement — failure to conduct required audits, or audit failures, are additional enforcement exposure points.

Who Is a “Data Broker” Under California Law?

This is the threshold question for any compliance analysis. Under California law, a data broker is a business that:

Knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship

Key clarifications:

“Direct relationship” matters. If you collected the data directly from the consumer (they signed up for your service, made a purchase, etc.), you are not a data broker with respect to that consumer’s data — even if you sell it.
Consumer-reporting agencies regulated under the FCRA are largely exempt.
Financial institutions subject to the GLBA and healthcare entities subject to HIPAA have partial exemptions.
The business must be doing business in California — but given California’s size and the nature of digital commerce, this captures most U.S. data businesses with any California-resident data.

If you’re unsure whether your business qualifies, the California AG’s data broker registry is public and searchable. If companies similar to yours are registered, that’s a signal.

Key Requirements in Detail

1. Access DROP Every 45 Days

Data brokers must check the DROP platform at minimum every 45 days to retrieve new deletion requests. This isn’t a passive system — brokers must proactively pull requests.

Practical implication: This needs to be operationalized as a recurring workflow, not a one-time setup. Whether handled by a compliance team member, automated via API (the CPPA has indicated API access will be available), or managed by a third-party compliance vendor, it must happen on a documented, regular schedule.

2. Process Requests Within 45 Days

Once a deletion request is retrieved, the clock starts. The data broker has 45 days to complete the deletion and confirm it.

Practical implication: This requires a defined internal workflow — identifying where in your systems a consumer’s data exists, deleting it across all relevant databases and storage systems, and documenting the completion. For organizations without a mature data map, this is a significant undertaking.

3. Direct Service Providers and Contractors

Deletion obligations flow downstream. When a consumer’s data must be deleted, the data broker must also instruct its service providers and contractors to delete that data.

Practical implication: Review your vendor contracts. Do they include provisions requiring vendors to honor deletion instructions? If not, you need either contract amendments or new clauses in your standard vendor agreements before August 1. A deletion request you complete internally but fail to cascade to your data processors leaves you exposed.

Penalties

The Delete Act’s penalty structure is designed to scale with volume — which makes sense given that data brokers, by definition, hold data on large numbers of people.

Violation	Penalty
Failure to process a deletion request	$200 per day, per request
Failure to register as a data broker	$200 per day

The “per day, per request” framing for deletion failures is significant. A data broker that ignores DROP for 90 days and has 1,000 pending requests doesn’t face one $200/day penalty — it faces 1,000 × 90 days × $200 in theoretical exposure. At scale, non-compliance becomes catastrophically expensive very quickly.

The CPPA is the enforcement authority. It has demonstrated it is willing to use enforcement powers — the agency brought its first enforcement action under CCPA in 2024 and has indicated data broker compliance is a priority area.

What Compliance Teams Should Be Doing Now

With August 1 less than five months away, here’s a practical checklist:

1. Confirm whether your business is a registered California data broker. Check the California AG’s data broker registry. If you should be registered and aren’t, fix that first — the $200/day registration penalty compounds separately from deletion processing penalties.

2. Assess your data map. You cannot process deletion requests without knowing where consumer data lives across your systems. If you don’t have a current data inventory, start one now. Focus on data collected from or about California residents.

3. Review downstream vendor contracts. Identify all service providers and contractors who receive or process personal data you collect. Confirm your agreements include deletion obligation pass-through provisions.

4. Build the 45-day operational workflow. Design and document the internal process for receiving a DROP request, locating relevant data, completing deletion, instructing vendors, and confirming completion. Assign ownership. Test it before August 1.

5. Evaluate API integration. The CPPA is expected to offer API access to DROP for automated request retrieval. Monitor CPPA guidance for API documentation and evaluate whether automated integration makes sense for your volume.

6. Mark January 1, 2028 on your audit calendar. Third-party audit requirements don’t kick in for almost two years, but selecting an audit vendor and understanding what the audit will assess takes time. Don’t leave it until late 2027.

The Bigger Picture: Why DROP Changes the Landscape

Prior to DROP, California’s data broker opt-out system worked in theory but failed in practice. The burden was entirely on the consumer — find each broker, navigate each opt-out, repeat annually. Most consumers never bothered. Data brokers could technically claim compliance while knowing the exercise rate was negligible.

DROP inverts this. A single consumer action now creates an enforceable, time-bound obligation for every registered data broker simultaneously. The friction has been moved from the consumer to the industry.

This is the model other states are watching. Vermont’s data broker law — already one of the oldest in the country, and amended again this session — is likely to move toward a similar centralized mechanism. Other states with comprehensive privacy laws are evaluating similar platforms.

For data brokers, DROP is not a California-only problem. It is the preview of what national compliance will look like.

Quick Reference

Item	Detail
Law	California Delete Act (SB 362), enacted 2023
Platform	DROP — operated by CPPA
Consumer access live	January 1, 2026
Data broker processing deadline	August 1, 2026
DROP access frequency	At least every 45 days
Deletion processing window	45 days from receipt
Audit requirement begins	January 1, 2028 (every 3 years)
Penalty — failed deletion	$200/day per request
Penalty — failure to register	$200/day

Source: California Privacy Protection Agency; Troutman Pepper Locke California Delete Act Fact Sheet