Understanding California’s Delete Act and the DROP System

Introduction

The California Delete Act, formally enacted as Senate Bill 362 and commonly referred to as the California Delete Act, represents one of the most consequential developments in U.S. privacy law since the California Consumer Privacy Act (CCPA). The Delete Act establishes a centralized, enforceable framework that requires registered data brokers to honor consumer deletion requests through a single, state-managed opt-out platform. Its primary objective is to reduce the complexity California consumers face when attempting to delete personal information that has been knowingly collected and sold by third parties.

At its core, the Delete Act is designed to restore meaningful control over personal data to California residents. Historically, consumers were forced to submit multiple deletion requests to dozens, or even hundreds, of data brokers, each with its own process and verification standards. The Delete Act eliminates this burden by mandating participation in the DROP system, a unified deletion mechanism that allows a single request to be transmitted to all registered data brokers. This system dramatically reshapes how consumer deletion requests are submitted, verified, and fulfilled across the data broker ecosystem.

The California Privacy Protection Agency (CPPA) serves as the primary regulator and enforcement authority under the Delete Act. The CPPA is responsible for maintaining the data broker registry, administering the opt-out platform DROP, issuing final regulations, conducting audits, and publishing audit results. Through its administrative law authority, the CPPA ensures that compliance obligations are applied consistently and transparently across the market. Importantly, the Delete Act builds upon and extends the California Consumer Privacy Act rather than replacing it. While the CCPA grants consumers the right to request deletion and opt out of the sale of personal information, the Delete Act introduces a mandatory, centralized infrastructure that data brokers must use. Together, these laws form a comprehensive privacy regime that strengthens accountability, simplifies enforcement, and enhances consumer trust.

Requirements for Data Brokers

Under the California Delete Act, data brokers must register annually with the California Privacy Protection Agency and pay a registration fee. A registered data broker is defined as a business that knowingly collects and sells personal information of California consumers with whom it does not have a direct relationship. This distinction is critical, as first-party data collected directly from consumers in the context of a direct relationship generally falls outside the data broker definition. Registration is not merely a formality. Registered data brokers must maintain accurate and up-to-date information regarding their data practices, including the categories of personal information collected, whether they sell personal information for valuable consideration, and whether they process insurance information or pseudonymous identifiers. Failure to register or provide accurate append disclosures can result in enforcement actions and daily penalties.

A core operational requirement is the creation and maintenance of a DROP account. Data brokers must access the DROP platform at least once every 45 days to retrieve and process deletion requests. DROP requests may include multiple identifiers, such as a name, phone number, or additional identifiers necessary to locate personal data across internal systems. The obligation to check the platform regularly ensures that consumer requests are not ignored or delayed. Data brokers must also comply with other applicable legal frameworks, including the Fair Credit Reporting Act (FCRA) and sector-specific laws such as the Health Insurance Portability and Accountability Act (HIPAA). Personal information that is exempt under federal law, including certain insurance information and health data, is excluded from deletion requirements. However, non-exempt personal information remains fully subject to consumer deletion obligations.

Compliance Obligations

The Delete Act imposes significant compliance obligations on data brokers, extending beyond mere participation in the DROP system. Data brokers must process verified deletion requests within 45 days of receipt, consistent with CCPA timelines. This includes consumer deletion requests submitted directly, through an authorized agent, or via the opt-out platform DROP. In addition to responding to requests, data brokers must maintain internal records documenting how they process deletion lists, request lists, and confirmation actions. These records are subject to CPPA review and may be examined during audits. Audit results may be published, reinforcing accountability and incentivizing strong compliance programs.

Non-compliant data brokers face escalating penalties. The statute authorizes civil penalties of up to $200 per day for each day of noncompliance, including failure to register, failure to process deletion requests, or failure to maintain an accessible deletion mechanism. These penalties can accumulate rapidly, particularly for businesses that knowingly collect and sell large volumes of consumers’ data. Compliance also requires alignment with broader California law. Data brokers must continue to honor opt-out requests under the CCPA, provide disclosures regarding data practices, and respect consumer rights related to access, correction, and deletion. The Delete Act does not replace these obligations; rather, it centralizes and enforces them through a standardized system.

The DROP System and Deletion Requests

The DROP system, short for Data Removal Opt-Out Platform, is the operational centerpiece of the Delete Act. Managed by the CPPA, the DROP platform allows California consumers to submit a single request to delete personal information held by all registered data brokers. This opt-out platform, DROP, fundamentally changes how deletion requests are initiated and fulfilled. Consumers can submit deletion requests through the DROP platform by providing identifying information sufficient to locate their personal data. These DROP deletion requests are then distributed to registered data brokers, who must retrieve them through their DROP account and initiate internal deletion workflows. The platform supports both delete requests and opt-out functionality, enabling consumers to stop future sales of personal information.

Data brokers are required to confirm completion of data deletion requests through the DROP system. Confirmation is not optional; it is a formal compliance step that signals to regulators that the request has been honored. This confirmation requirement closes a long-standing enforcement gap by creating an auditable trail for consumer requests and broker responses. The DROP platform is scheduled to become operational by January 1 2026, with mandatory compliance for honoring DROP requests beginning August 1 2026. These deadlines give data brokers a limited window to update systems, train staff, and integrate deletion mechanisms that can scale across large volumes of consumer requests.

Consumer Empowerment

One of the most transformative aspects of the California Delete Act is its emphasis on consumer empowerment. By replacing fragmented, broker-specific processes with a centralized deletion mechanism, the law makes it realistic for California consumers to exercise their rights at scale. A single request through the DROP platform can now reach every registered broker simultaneously. Consumers benefit from increased transparency and reduced friction. They no longer need to identify individual data brokers, navigate inconsistent request forms, or track multiple responses. Instead, consumer signs of deletion activity, such as confirmations and timelines, are centralized, providing clarity and confidence that personal data has been addressed.

The Delete Act also reinforces consumer choice. In addition to deletion, consumers may submit opt-out requests to prevent future data sales. This dual functionality ensures that consumer deletion is not undermined by continued collection or resale of personal information after a request has been honored. By strengthening consumer rights under the CCPA, the Delete Act helps normalize privacy-respecting business practices. California consumers gain meaningful leverage over how their personal data is collected, used, and sold, while businesses are encouraged to adopt privacy-by-design principles.

Disclosure Obligations and Transparency

Transparency is a foundational requirement of the Delete Act. Data brokers must clearly disclose their data practices, including what personal information is collected, whether it is sold for valuable consideration, and how consumers can exercise their rights. These disclosure obligations apply both at registration and in ongoing consumer-facing notices. Data brokers must also disclose how they process deletion requests, including the use of the DROP platform and any verification steps required for verified deletion requests. Consumers must be informed whether an authorized agent may submit requests on their behalf and what documentation is required.

Accurate recordkeeping is essential. Data brokers must maintain internal logs of consumer requests, deletion actions, and confirmations. These records support CPPA oversight and ensure that deletion mechanisms operate as advertised. Failure to maintain accurate records may itself constitute a compliance violation. Ultimately, transparency serves both regulatory and commercial purposes. Clear disclosures build consumer trust, reduce disputes, and demonstrate good-faith compliance with California law.

Deletion Mechanism and Process

The deletion mechanism established by the Delete Act is structured, time-bound, and auditable. Once a new delete request is received, whether through DROP requests or direct consumer requests, the data broker must verify the request, locate relevant personal information collected, and initiate deletion workflows. Deletion is not limited to static records. Data brokers must delete personal data across active databases, archival systems, and any downstream systems where the information is stored. This includes party data received from third parties and data associated with multiple identifiers. Newly collected records must also be deleted if they fall within the scope of a valid request.

After completing the deletion, the data broker must confirm compliance through the DROP platform. This confirmation creates a standardized record that the CPPA may review during audits. The obligation to confirm deletion ensures that data brokers cannot silently ignore or partially fulfill requests. An accessible deletion mechanism is not optional. The Delete Act requires that systems be designed to handle deletion at scale, reflecting the expectation that consumer requests will increase significantly once the DROP platform is widely adopted.

Conclusion

Compliance with the California Delete Act offers more than regulatory risk mitigation. For data brokers, compliance can become a strategic advantage. Businesses that demonstrate respect for consumer privacy are more likely to earn trust from partners, regulators, and the public. Avoiding enforcement actions is another tangible benefit. Penalties for noncompliance, including daily fines and reputational damage, can quickly outweigh the expenses incurred in building compliant systems. Proactive compliance reduces long-term legal and operational risk.

Compliance also supports operational clarity. By standardizing how deletion requests are received, processed, and confirmed, data brokers can reduce internal complexity and improve data governance. Clear processes lead to fewer errors, faster response times, and stronger audit readiness. Ultimately, the Delete Act signals a broader shift in how personal data is governed in California. Data brokers that align early with its key requirements will be better positioned to adapt as privacy regulation continues to evolve.