
The Delete Act and DROP: What You Need to Know

Ian Phippen - November 17, 2025

In 2026, the California Delete Act will reshape how data brokers manage consumer privacy. We’ve compiled a full breakdown of what’s changing, who needs to comply, and by when. 

What is the Delete Act?

The California Delete Act (S.B. 362) directs the California Privacy Protection Agency (CalPrivacy) to build a centralized system, the Data Broker Requests and Opt-Out Platform (DROP), that allows consumers to submit a single request to delete their non-exempt personal information across all registered data brokers.

Consumers can start submitting requests on January 1, 2026, but data brokers aren’t required to act on them until August 1, 2026. Until that point, data brokers’ only ongoing obligation is to register with CalPrivacy every January.

DROP Timeline at a Glance

  • October 10, 2023: Delete Act signed into law.
  • January 1, 2024: Data Broker Registry opens at CalPrivacy.
  • July 1, 2024: Updated public disclosures required.
  • Fall 2025: CalPrivacy launches education and awareness efforts.
  • January 1, 2026: Consumers can submit DROP requests.
  • Spring 2026: Data broker API access opens.
  • August 1, 2026: Data brokers must begin checking DROP and processing requests every 45 days.
  • January 1, 2028: First independent compliance audit (recurring every three years).

Who Must Comply?

Under California law, a data broker is any business that “knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.”

The definition is intentionally broad. There’s no revenue threshold or exemption for companies that only sell a portion of their data. Even brands that primarily collect first-party data may qualify if they also source data elsewhere and sell or share it downstream.

Hundreds of organizations have registered so far, but legal analysts have speculated that far more organizations qualify under the official definition.

Not sure whether your business counts as a data broker? Use this free guide to evaluate your business practices.

Is a DROP Request a Deletion or an Opt-Out?

Both.

When a consumer submits a DROP request, they’re asking data brokers to delete their information while functionally also submitting a Do Not Sell or Share request.

Data brokers must process the request as an opt-out even if they cannot verify the request. The data broker must also direct all of their service providers and/or contractors to process deletion and opt-out requests on behalf of the consumer. 

How Does DROP Work in Practice?

Consumer Experience

A typical user flow looks like this:

  1. A consumer signs up with a primary email address.
  2. He verifies his California residency.
  3. He may provide additional identifiers (name variations, phone number, date of birth, etc.) to help brokers find his records.
  4. DROP records this information in a hashed format.
  5. He selects which brokers should receive the request or chooses “ALL.”

DROP keeps the request active across all brokers going forward.

Data Broker Experience

A registered broker must:

  1. Create a DROP account.
  2. Register and pay fees annually (Jan 1–31).
  3. Select the relevant deletion lists (email, phone, MAID, etc.) to match with data subjects.
  4. Access DROP at least once every 45 days to action new requests.
  5. Report back on the status of each request within 45 days.

Accessing and Processing DROP Lists

Starting August 1, 2026, data brokers will access request lists in one of two ways:

  • Manual download every 45 days
  • API connection for automated ingestion

DROP provides only the minimum personal data needed for processing. Data brokers are not allowed to contact consumers directly to verify their requests. 

Compliance Reporting

Data brokers must report the outcome of each DROP request within 45 days, using one of four categories for each request:

  • Record deleted
  • Record opted-out of sale
  • Record exempt
  • Record not found

Key Compliance Deadlines

Every January: 

  • Register with CalPrivacy

August 1, 2026:

  • Begin checking and processing DROP requests every 45 days.

January 1, 2028 and every 3 years:

  • Undergo independent audits.

No Cure Period

The Delete Act includes no cure period. Enforcement can move forward as soon as a violation occurs.

Brokers must process requests within 45 days, and unverified deletion requests must be treated as opt-outs. Requests cannot be denied. 

2025 Enforcement Examples

CalPrivacy has already taken action against non-compliant data brokers:

  • July 2025: Accurate Append (WA) fined $55,400 for failing to register.
  • May 2025: National Public Data (FL) fined $46,000 for missing registration and fee obligations.
  • Feb 2025: Background Alert (CA) ordered to suspend operations until 2028 or pay a $50,000 penalty.

How DataGrail Helps

The Delete Act adds new operational requirements for privacy teams, but the right tools can simplify the process and reduce the risk of falling behind.

Third-Party Oversight & AI-Powered Risk Intelligence

DataGrail gives your team visibility into how personal data moves across vendors and partners. Track entities to which data may be sold or shared, automatically flag high-risk relationships, identify shadow systems, and stay a step ahead of enforcement. 

Automated Consumer Rights Request Handling

Request Manager streamlines access, deletion, correction, portability, and opt-out workflows. The DataGrail API supports bulk request processing to smoothly handle requests received via DROP. 

If you’d like to see how DataGrail can help your team prepare for the Delete Act, request a demo.

And if you want to stay plugged into what’s coming next in state privacy legislation, consider joining Privacy Basecamp, our Slack community for privacy professionals.
