Data brokers
Coming soon: Delete Request and Opt-out Platform (DROP)
On this page
Under the Delete Act, data brokers have an obligation to register annually with the California Privacy Protection Agency (CalPrivacy). Beginning in 2026, data brokers must not only register with CalPrivacy, but also comply with the Delete Act’s accessible deletion mechanism requirements using CalPrivacy’s Delete Request and Opt-out Platform, also referred to as “DROP.” Starting August 1, 2026, data brokers will be required to process consumer DROP requests every 45 days.
Registration
Data brokers must register with CalPrivacy following each year in which their business meets the definition of “data broker” (see Cal. Civ. Code § 1798.99.80). View the 2025 data broker registry.
To register in 2026, data brokers will be required to first create a business account in DROP and then will be able to complete the registration form and pay the annual registration fee, due by January 31, through their DROP account.
A data broker that fails to register by January 31 may be liable for administrative fines and costs in an administrative action or investigation brought by CalPrivacy (Cal. Civ. Code § 1798.99.82(d)).
Businesses that do not operate as data brokers in 2025 are not required to register in 2026. However, any business that begins operating as a data broker in 2026 is not required to register in 2026, but in 2027. Therefore, it will need to pay a one-time access fee starting August 1, 2026, to integrate with DROP and process consumer deletion requests as required by law.
Deletion requests through DROP
In compliance with the Delete Act, starting August 1, 2026, all data brokers doing business in California will need to start processing consumer DROP requests every 45 days by downloading consumer deletion lists, deleting consumer personal information within their databases, and reporting the status of requests to CalPrivacy. It should be noted that DROP requests under the Delete Act are broader than consumer deletion requests under the California Consumer Privacy Act and carry different business obligations.
How to access the consumer deletion requests
Data brokers will log in to their DROP account to set up a manual or automated (via an Application Programming Interface or “API”) download of lists of hashed consumer identifiers, such as date of birth, email address, phone number, mobile advertising identifier, etc., either alone or in combination.
Data brokers must select the list(s) that will match the most records within their system. Generally, this means data brokers will need to select every list containing an identifier that the data broker regularly collects. Throughout the year, data brokers must continuously ensure that their selected list(s) accurately reflect the types of identifiers they are currently collecting and make changes to their list(s) selection as necessary.
How to process the consumer deletion requests
Once the data broker has downloaded the consumer DROP request list(s), they are responsible for comparing their data against the deletion list(s). For every match between the CalPrivacy-provided piece of personal data and the personal data in their own records, they must delete all non-exempt “personal information” (as defined in Cal. Civ. Code § 1798.140(v)) associated with the matched identifier(s). If the matched identifier(s) is associated with more than one consumer within the data broker’s records, they must opt all associated consumers out of the sale or sharing of their personal information. Data brokers must pass deletion requests to contractors and service providers.
Additionally, data brokers must maintain each consumer deletion request in a suppression list—regardless of whether or not they initially matched with records in their own database—to ensure ongoing compliance with the Delete Act. Data brokers are allowed to remove consumers from their suppression list if the consumer later cancels their deletion request.
How to report status for the consumer deletion requests
Once a data broker has completed processing the deletion requests, the data broker must then report one of the following statuses through DROP within 45 days: “record deleted,” “record opted out of sale,” “record exempt,” or “record not found.”
More information, guidance, and training resources coming soon.
Audits
Starting January 1, 2028, and every three years after, a data broker must undergo an audit by an independent third party to determine whether they have complied with the consumer deletion requirements detailed in the Delete Act and its regulations (see Cal. Civ. Code § 1798.99.86(e)). Audits and related materials must be kept for at least six years.
If CalPrivacy provides a written request for the audit, the data broker must submit the report and any related materials within five business days.
Penalties
Fines for failing to register are set by law at $200/day and failure to delete a consumer’s information are $200/day per consumer plus enforcement costs.