Key point: Starting August 1, 2026, registered data brokers will need to access California’s new one-stop-shop deletion platform to process deletion requests or risk significant fines.

Last month, the California Office of Administrative Law (OAL) approved the California Privacy Protection Agency’s (CalPrivacy) regulations further implementing the Delete Act (SB 362). Effective January 1, 2026, the Delete Act makes several changes to California’s data broker law, including charging CalPrivacy with creating a new one-stop-shop for California residents to request that all registered data brokers delete their personal information. California residents can begin registering on January 1, 2026, and data brokers must process requests starting August 1, 2026. Failure to comply is subject to a $200 fine “for each deletion request for each day the data broker fails to delete information.”

In the article below, we provide a brief background on the Delete Act and summarize the new regulations.

Delete Act

California’s legislature first passed the state’s data broker registration law in 2019 (AB 1202).

In 2023, the California legislature amended the law through passage of the Delete Act (SB 362).

Among other things, the 2023 amendment transferred oversight authority for the data broker registry to CalPrivacy, required data brokers to provide significantly more information when registering, and increased penalties for noncompliance.

The Delete Act also charged CalPrivacy with creating a new Delete Request and Opt-out Platform (DROP) to provide California residents with a one-stop-shop to request that all registered data brokers delete their personal information. Specifically, section 1798.99.86 provides that, by January 1, 2026, CalPrivacy must establish an accessible deletion mechanism that, among other things, allows “a consumer, through a single verifiable consumer request, to request that every data broker that maintains any personal information delete any personal information related to that consumer held by the data broker or associated service provider or contractor.”

Starting August 1, 2026, data brokers must access the DROP at least once every 45 days to process deletion requests, including directing all service providers and contractors to delete the information. Failure to comply is subject to a $200 fine “for each deletion request for each day the data broker fails to delete information.”

Of note, the scope of the Delete Act’s deletion requirement is broader than in the California Consumer Privacy Act (CCPA) insofar as it requires the deletion of any personal information related to that consumer and not just information collected directly from the consumer as is required by the CCPA. The Delete Act states that a data broker is not required to delete the information if it is reasonably necessary for the data broker to maintain the personal information to fulfill a purpose described in section 1798.105(d) (exceptions to CCPA’s deletion right) or deletion is not required pursuant to sections 1798.145 (CCPA exemptions) or 1798.146 (CCPA medical-related exemptions).

Finally, the Delete Act grants CalPrivacy permissive rulemaking authority to adopt implementing regulations. CalPrivacy initiated rulemaking in April 2025. The final regulations were adopted by CalPrivacy’s board in September 2025 and approved by the OAL in November.

In the next section, we provide a summary of the Delete Act regulations. It also should be noted that the rulemaking package revised the definition of “direct relationship.” The amendment removed the three-year lookback period. It clarified that a “business does not have a ‘direct relationship’ with a consumer simply because it collects personal information directly from the consumer; the consumer must intend to interact with the business.” It also revised the final sentence to now state “A business is still a data broker and does not have a direct relationship with a consumer as to personal information it sells about that consumer it collected outside of a ‘first party’ interaction with the consumer.”

Delete Act Regulations

The new regulations primarily do two things. First, they establish the structure for the DROP through a new Article 3. Second, the regulations address requirements for consumers and authorized agents. We address each of those in turn below. In addition, CalPrivacy staff prepared a presentation with an overview of the DROP.

     Delete Request and Opt-Out Platform Requirements

Pursuant to Article 3, data brokers must create a DROP account through the CalPrivacy website before first accessing the DROP. The regulations impose account security and access control obligations on data brokers, including a mandate to immediately notify CalPrivacy of any unauthorized use or security breach involving their account or the DROP. When creating an account, data brokers must select the appropriate consumer deletion list(s) they will retrieve through the DROP, choosing all consumer deletion lists containing identifiers that match the personal information in their records, except where multiple lists would produce a completely duplicative set of consumers (in which case selecting one list is permitted). Data brokers can update their list selections once every 45 days, and they must do so before next accessing the DROP if their collection practices expand.

Businesses that begin operating as data brokers after the registration period must create a DROP account, begin accessing the DROP within 45 days of commencing operations, and pay a first‑time access fee (scaled by month of first access).

The regulations require data brokers to access the DROP at least once every 45 days to download their selected consumer deletion list(s), using either manual or supported automated methods. Data brokers are responsible for manually downloading their list(s) if automation fails for any reason and, if the failure is not due to user error, they must notify CalPrivacy within 45 days. After the first download of each list, all subsequent downloads contain only new or amended deletion requests, although CalPrivacy will permit a full re-download upon written request for compliance, reconciliation, or audit purposes.

Section 7613 of Article 3 sets forth the operational steps data brokers must follow to process deletion requests, which include standardizing the applicable personal information from their records (e.g., using lowercase text; removing extraneous characters; formatting date of birth, zip code, and phone number) and hashing the personal information using the algorithm provided in the consumer deletion list, then comparing against the identifiers contained in the selected consumer deletion list. For each match, the data broker must delete all personal information associated with the matched identifier — including inferences based on personal information collected from third parties or consumers in a non-“first party” capacity — direct its service providers and contractors to delete the personal information, and, if multiple consumers share the matched identifier, opt all such consumers out of sales and sharing while retaining only the minimal information necessary to maintain compliance. However, data brokers are not required to delete personal information that is exempt under section 1798.99.86 or that the data broker collected directly from consumers in a “first party” capacity. If no match is found, data brokers must retain the consumer deletion list solely to compare against newly collected personal information before such information is sold or shared.

After the first DROP access, data brokers must, at every subsequent access session, report the status of each deletion request received in the prior session using standardized codes (i.e., record “deleted,” “opted out of sale,” “exempted,” or “not found”). If a later match is found in newly collected data (after previously reporting “record not found”), the data broker must update the status at the next session. Further, if reporting is done manually, the status report must be uploaded in a machine‑readable CSV file before downloading new lists and must mirror the list format with response codes added.
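The standardize, hash and compare steps of section 7613, together with the status reported at the next session, sketched as an added example (not code from CalPrivacy or the regulations). SHA-256, the normalization rules, the record fields and the sample data are assumptions; the actual algorithm and formats come with the downloaded consumer deletion list. The "exempted" status depends on a legal determination and is not modeled.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime

def normalize(kind, value):
    """Standardize one identifier (illustrative rules, not the regulation's exact format)."""
    v = value.strip().lower()
    if kind == "email":
        return re.sub(r"\s+", "", v)
    if kind == "phone":
        return re.sub(r"\D", "", v)[-10:]      # digits only, drop country code
    if kind == "zip":
        return re.sub(r"\D", "", v)[:5]        # 5-digit ZIP
    if kind == "dob":
        for fmt in ("%m/%d/%Y", "%Y-%m-%d"):
            try:
                return datetime.strptime(v, fmt).strftime("%Y%m%d")
            except ValueError:
                continue
    raise ValueError(f"cannot normalize {kind}: {value!r}")

def hash_identifier(kind, value):
    # Assumption: SHA-256; the real algorithm is named in the downloaded list.
    return hashlib.sha256(normalize(kind, value).encode("utf-8")).hexdigest()

def match_deletion_list(records, kind, deletion_hashes):
    """Return {list_hash: status} for one consumer deletion list."""
    index = defaultdict(set)                   # hash -> consumer ids holding it
    for rec in records:
        if rec.get(kind):
            index[hash_identifier(kind, rec[kind])].add(rec["consumer_id"])
    status = {}
    for h in deletion_hashes:
        owners = index.get(h, set())
        if not owners:
            status[h] = "not found"            # keep hash to screen newly collected data
        elif len(owners) == 1:
            status[h] = "deleted"              # delete record, direct processors to delete
        else:
            status[h] = "opted out of sale"    # shared identifier: opt every holder out
    return status

# Constructed sample records; c2 and c3 share one phone number.
RECORDS = [
    {"consumer_id": "c1", "email": " Alice@Example.com ", "phone": "+1 (415) 555-0100"},
    {"consumer_id": "c2", "email": "bob@example.com", "phone": "415-555-0111"},
    {"consumer_id": "c3", "email": "carol@example.com", "phone": "415.555.0111"},
]
```

Hashing the broker's own records once into an index keeps the comparison to a set lookup per list entry, and the shared-number case shows why a match on one identifier cannot always be treated as a single consumer.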

If a business no longer operates as a data broker, it must notify CalPrivacy within 45 days, delete all personal information provided through DROP within 30 days after its final registration or audit (whichever is later), and then deactivate its DROP account.

Section 7616 provides additional data broker requirements, including use restrictions, data security obligations, and, notably, a prohibition on data brokers contacting consumers to verify DROP deletion requests.

     Consumer and Authorized Agent Delete Requests

Pursuant to Article 4, consumers must submit their deletion requests through the DROP and have their California residency verified. Non-California residents cannot use the DROP. Consumers can request a review of their residency classification within 10 calendar days of the classification. Consumers are also permitted to provide additional information to effectuate their requests, including date of birth, email address, phone number, and pseudonymous identifiers such as MAIDs. Consumers can amend or cancel a deletion request no sooner than 45 days after submitting the request.

Authorized agents are permitted to “aid” a consumer in submitting a request. To do so, the consumer or authorized agent must disclose the authorized agent’s full name, email address, and trade name if the authorized agent is a business.