What is the Delete Act and what does it mean for my business?

The Delete Act (SB 362) is a California privacy law that creates new obligations for data brokers, including annual registration with the California Privacy Protection Agency (CPPA), participation in a centralized deletion system, and routine processing of consumer deletion requests. Beginning in 2026, data brokers must check the state's Data Broker Requests and Opt-Out Platform (DROP) at least every 45 days, honor deletion requests, and maintain compliance audit documentation.

How do the Delete Act and DROP change privacy compliance in California?

The Delete Act introduces a one-stop, state-managed deletion system that replaces broker-by-broker opt-outs under CCPA/CPRA. It adds stricter audit requirements, increases transparency, and raises the compliance burden for any business that sells or shares California consumer data. The law also expands oversight of data brokers and strengthens consumer privacy rights.

How can DataGrail help my business stay compliant?

DataGrail helps automate the fulfillment of deletion and opt-out requests across more than 2,000 SaaS applications, ensuring accuracy and auditability. The platform provides a Live Data Map to show where consumer data lives, centralizes compliance monitoring, and offers end-to-end DSR workflows to help organizations meet the Delete Act's deletion, reporting, and audit obligations.

What steps should my organization take now to prepare?

Businesses should determine whether they qualify as data brokers, review data-sharing practices, update deletion workflows, and strengthen data mapping. Organizations should also evaluate privacy technology like DataGrail to automate DSR fulfillment and ensure readiness before DROP goes live in 2026.

Glossary Contents

Article 30

CA CCPA

Consent

CPRA

Data Governance

Data Inventory Explained

Data Privacy

Data Security Management

Data Subject Access Request (DSAR Management) for GDPR Compliance

Delete Act

Do Not Sell My Information

Ethical AI

GDPR

LGPD – Brazil’s Privacy Law

Nevada’s SB 220

Personally Identifiable Information (PII)

Preference Management

Quebec Bill 64

Record of Processing Activities (RoPA)

Verifiable Consumer Request (VCR)

What is Data Mapping? (Defined & Explained)

What to include in a Privacy Policy

Delete Act

Q: What is DROP and how does it work?

DROP—the Data Broker Requests and Opt-Out Platform—is the centralized online system mandated by the Delete Act. It allows Californians to submit a single deletion request that applies to all registered data brokers. Brokers must check DROP regularly, process new deletion submissions at least every 45 days, notify service providers of required deletions, and stop selling or sharing data about those consumers.

What is the Delete Act? (California Delete Act, SB 362)

The Delete Act is a California privacy law (SB 362) that requires data brokers to make it easier for people to delete their personal information across multiple companies at once.

Key points:

Creates a one-stop mechanism (run by the California Privacy Protection Agency) where people can submit a single request to delete their data from all registered data brokers.
Strengthens registration and reporting requirements for data brokers operating in California.
Increases enforcement powers and penalties for non-compliance.

For brands, the Delete Act raises the bar on:

Data visibility – knowing which third parties/brokers hold your customers’ data.
DSR operations – ensuring deletion rights can be fulfilled completely, not just in your core systems.
Vendor and data-sharing governance – tightening oversight of how customer data circulates through your broader ecosystem.

Delete Act & DROP: Frequently Asked Questions for California Privacy Compliance

California’s Delete Act and the forthcoming DROP platform mark a major shift in how organizations must handle consumer deletion requests and manage data broker relationships. If your business collects, sells, or shares personal information about Californians, these new rules could reshape your compliance strategy. This FAQ breaks down what you need to know — and how DataGrail helps you stay ahead of regulatory change.

Let’s define what the Delete Act means for your business

The Delete Act (SB 362) is a California privacy law designed to give consumers stronger control over how data brokers handle their personal information. Under the law, any company classified as a data broker — meaning a business that sells or shares personal data about consumers with whom it has no direct relationship — faces sweeping new compliance obligations.

The Delete Act moves data broker oversight from the California Attorney General to the California Privacy Protection Agency (CPPA) and requires brokers to register annually. More importantly, the law mandates that all registered data brokers participate in a centralized one-stop deletion mechanism that allows California residents to issue a single request to delete their personal data across all brokers at once.

Beginning in 2026, data brokers must check this centralized system (DROP) at least every 45 days, process deletion requests, notify their service providers/contractors to delete relevant data, stop collecting or selling new data about those consumers, and maintain compliance documentation. The law also introduces independent compliance audits every three years starting in 2028 — raising the bar for accountability and transparency across the data-broker ecosystem.

What is DROP and how does it work?

DROP — the Data Broker Requests and Opt-Out Platform — is the centralized consumer deletion portal mandated by the Delete Act and operated by the CPPA. Once launched, DROP will fundamentally change how Californians exercise their right to delete personal information held by data brokers.

Through DROP, a consumer (or an authorized agent) can submit one free deletion request that applies to all registered data brokers. Instead of navigating individual opt-out processes, consumers will have a single, unified experience — dramatically simplifying privacy rights management.

Data brokers must log into DROP regularly, check for new deletion submissions at least every 45 days, and process requests accordingly.

Key features of DROP

One-stop deletion request: A single submission applies to every registered data broker.
Consumer flexibility: People can choose to exclude specific brokers from their request.
Automated obligation trigger: Data brokers must check DROP regularly, process incoming requests, and honor deletion and opt-out rights.
Expected availability in 2026, per CPPA updates.

DROP’s launch will create a new administrative and operational burden for data brokers — and will also impact companies that share or sell data to them.

Here’s how these new rules change privacy compliance in California

The Delete Act and DROP represent a significant expansion of California’s privacy enforcement approach. Unlike CCPA/CPRA, where consumers needed to contact each business individually, the Delete Act introduces a centralized deletion infrastructure — a first-of-its-kind model in the United States.

This shift means:

Organizations that operate as data brokers must now handle more frequent, centralized, and verifiable deletion requests.
Enhanced oversight — including mandatory audit requirements — raises the stakes for any company that sells or shares personal data.
Even businesses not traditionally considered data brokers may feel downstream effects, especially if they sell behavioral data, rely on lookalike audience providers, or partner with data brokers across their marketing ecosystem.

Overall, the Delete Act tightens California’s privacy compliance landscape and reinforces the expectation that businesses maintain clear visibility into where consumer data lives — and how it moves across their digital footprint.

Back to Glossary

Related Terms

Quebec Bill 64

What to include in a Privacy Policy

LGPD – Brazil’s Privacy Law