California data brokers must begin processing consumer deletion requests through DROP on Aug. 1, giving registered brokers less than a month to connect the state’s privacy platform with their own data systems, service providers and reporting workflows.

DROP, the Delete Request and Opt-out Platform, allows California residents to send one deletion request to all active data brokers. 

The consumer portal says residents can verify eligibility, create a profile and submit a single request to more than 600 registered brokers. Starting Aug. 1, brokers must delete data within 90 days. Broker guidance breaks the obligation into a recurring cycle: brokers must download lists at least every 45 days, process requests and report status within 45 days of downloading.

The California Privacy Protection Agency, which uses the CalPrivacy brand, said the Delete Act regulations require brokers to access DROP at least once every 45 days, retrieve consumer deletion requests, process them and report each request’s status back into the platform. 

“Adoption of these regulations is a major milestone,” CalPrivacy Executive Director Tom Kemp said in the agency’s November announcement. “Californians will soon be able to delete their data from hundreds of data brokers with one simple action.”

A shift to continuous data management

The August deadline moves broker deletion from a one-time response model into a recurring data-management obligation. CalPrivacy’s processing guide instructs brokers to download consumer deletion lists, standardize and hash their own records, match those records against DROP identifiers and report each request as deleted, opted out, exempted or not found.

The matching process also reaches beyond a broker’s own databases. When a match is found, the same guide instructs brokers to delete all non-exempt personal information, including inferences, and direct relevant service providers and contractors to delete matching records. 

If no match is found, brokers must retain identifiers needed to screen newly collected records before future sale or sharing.

The Delete Act makes that suppression obligation continuous. After a consumer submits a deletion request and the broker deletes the data, the broker must delete the consumer’s personal information at least once every 45 days unless an exception applies. 

The broker also cannot sell or share newly collected personal information about the consumer unless the consumer requests otherwise or the law permits it.

Research reveals significant compliance gaps

The compliance gap is already visible. A 2026 ACM FAccT paper reviewing 522 registered California data brokers found only 9.2% were fully compliant with transparency requirements after the Delete Act took effect. 

In a separate audit of 250 brokers’ consumer request processes, the researchers found 43% made it impossible for consumers to exercise all required privacy rights and 64% introduced at least one design feature that added substantial friction.

The core workflow applies to brokers that operated in 2025, began brokering California residents’ data between Jan. 1 and Aug. 1, 2026 or plan to begin after Aug. 1. CalPrivacy says those brokers must create DROP accounts. The 2026 annual registration fee is $6,000 plus a third-party electronic-payment processing fee

California has also expanded what brokers must disclose during registration. Under SB 361, brokers must report whether they shared or sold consumers’ data in the past year to a foreign actor, the federal government, other state governments, law enforcement or a developer of a GenAI system or model.

The SB 361 provision is a disclosure requirement, not a prohibition on sharing data with generative AI developers. It puts the practice into the broker registry alongside disclosures covering categories such as citizenship data, union membership status, sexual orientation, gender identity and gender expression data, biometric data, precise geolocation and reproductive health care data.

Steep fines and looming compliance audits

The statute sets penalties for registration and deletion failures, including administrative fines of $200 per day for failure to register and $200 per deletion request for each day a broker fails to delete information as required, plus investigation and administrative costs. Independent third-party audits of broker compliance will begin Jan. 1, 2028 and repeat every three years.

The first August cycle will test whether brokers can translate a centralized state request into matched records, deletion decisions, downstream processor instructions and status reports.

CalPrivacy’s technical reference says the API and manual integration material is guidance only, leaving each broker responsible for meeting all statutory and regulatory requirements.

Personalized Feed
Personalized Feed