What is the Delete Act and what does it mean for my business?

The Delete Act (SB 362) is a California privacy law that creates new obligations for data brokers, including annual registration with the California Privacy Protection Agency (CPPA), participation in a centralized deletion system, and routine processing of consumer deletion requests. Beginning in 2026, data brokers must check the state's Data Broker Requests and Opt-Out Platform (DROP) at least every 45 days, honor deletion requests, and maintain compliance audit documentation.

How do the Delete Act and DROP change privacy compliance in California?

The Delete Act introduces a one-stop, state-managed deletion system that replaces broker-by-broker opt-outs under CCPA/CPRA. It adds stricter audit requirements, increases transparency, and raises the compliance burden for any business that sells or shares California consumer data. The law also expands oversight of data brokers and strengthens consumer privacy rights.

How can DataGrail help my business stay compliant?

DataGrail helps automate the fulfillment of deletion and opt-out requests across more than 2,000 SaaS applications, ensuring accuracy and auditability. The platform provides a Live Data Map to show where consumer data lives, centralizes compliance monitoring, and offers end-to-end DSR workflows to help organizations meet the Delete Act's deletion, reporting, and audit obligations.

What steps should my organization take now to prepare?

Businesses should determine whether they qualify as data brokers, review data-sharing practices, update deletion workflows, and strengthen data mapping. Organizations should also evaluate privacy technology like DataGrail to automate DSR fulfillment and ensure readiness before DROP goes live in 2026.

Glossary Contents

Article 30

CA CCPA

Consent

CPRA

Data Governance

Data Inventory Explained

Data Privacy

Data Security Management

Data Subject Access Request (DSAR Management) for GDPR Compliance

Delete Act

Do Not Sell My Information

Ethical AI

GDPR

How to automate privacy compliance?

LGPD – Brazil’s Privacy Law

Nevada’s SB 220

Personally Identifiable Information (PII)

Preference Management

Quebec Bill 64

Record of Processing Activities (RoPA)

Verifiable Consumer Request (VCR)

What is AI governance?

What is CCPA Compliance?

What Is Consent Management?

What is Data Mapping? (Defined & Explained)

What is Shadow AI?

What to include in a Privacy Policy

Delete Act

Q: What is DROP and how does it work?

DROP—the Data Broker Requests and Opt-Out Platform—is the centralized online system mandated by the Delete Act. It allows Californians to submit a single deletion request that applies to all registered data brokers. Brokers must check DROP regularly, process new deletion submissions at least every 45 days, notify service providers of required deletions, and stop selling or sharing data about those consumers.

Summarize this content with:

ChatGPT

Perplexity

Claude

Grok

What is the Delete Act? (California Delete Act, SB 362)

The Delete Act is a California privacy law (SB 362) that requires data brokers to participate in a centralized deletion mechanism, allowing California residents to request that all registered data brokers delete their personal information through a single submission. Signed into law on October 10, 2023, and amended by SB 361 in October 2025, the Delete Act is the first law of its kind in any jurisdiction.

Key points:

Creates the Delete Request and Opt-Out Platform (DROP), a centralized portal operated by CalPrivacy (formerly the CPPA), where consumers can submit a single deletion request that applies to every registered data broker. DROP launched on January 1, 2026.
Requires all data brokers to register annually with CalPrivacy by January 31, disclosing the categories of personal information they collect, whether they sell data to foreign actors, government entities, law enforcement, or AI developers, and other processing details.
Beginning August 1, 2026, data brokers must access DROP at least every 45 days, process all verified deletion requests within 45 days, treat unverified requests as opt-outs from sale or sharing, direct service providers and contractors to delete relevant data, and continue deleting any newly collected data about consumers who have submitted deletion requests on the same 45-day cycle.
Introduces independent third-party compliance audits every three years beginning January 1, 2028, with audit records retained for at least six years and submitted to CalPrivacy upon request.
Imposes per-request, per-day penalties of $200 for each unprocessed deletion request, in addition to unpaid registration fees and CalPrivacy's investigative costs.

For brands, the Delete Act raises the bar on:

Data visibility: knowing which third parties and brokers hold your customers' data, and whether any of your vendors qualify as data brokers under the statute.
DSR operations: ensuring deletion rights can be fulfilled completely across all systems, including downstream partners and service providers, not just your core platforms.
Vendor and data-sharing governance: tightening contractual oversight of how customer data circulates through your broader ecosystem, including requiring vendors to confirm their registration status and DROP compliance plans.

Delete Act & DROP: Frequently Asked Questions for California Privacy Compliance

DROP is live. Data broker enforcement begins August 1, 2026. If your business collects, sells, or shares personal information about Californians, these rules could reshape your compliance strategy. This FAQ breaks down what you need to know and how DataGrail helps you stay ahead of regulatory change.

What does the Delete Act mean for your business?

The Delete Act (SB 362) targets data brokers, defined under the statute as a business that "knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship." The law uses core definitions from the CCPA, including "consumer" (a California resident) and "sale" (any exchange of personal information for monetary or other valuable consideration).

CalPrivacy's regulations clarify that merely collecting data directly from a consumer does not establish a "direct relationship." The consumer must both intend and expect to interact with the business. Companies that collect data from consumers through indirect channels (such as third-party pixels, data enrichment services, or lookalike audience matching) may fall within the data broker definition even if they also have some direct consumer interactions.

The Delete Act transferred data broker oversight from the California Attorney General to CalPrivacy and requires all data brokers to register annually by January 31. As of January 1, 2026, the CalPrivacy data broker registry listed 545 registered data brokers.

SB 361, signed into law on October 8, 2025, significantly expanded the Delete Act's registration requirements. Data brokers must now disclose whether they collect specific categories of information including names, dates of birth, government-issued IDs, login credentials, mobile advertising IDs, connected television IDs, vehicle identification numbers, biometric data, union membership, sexual orientation, gender identity, and citizenship or immigration status. Brokers must also report whether, in the prior year, they sold or shared data to foreign actors, federal or state government entities, law enforcement, or developers of generative AI systems or models. SB 361 also doubled the daily penalty from $100 to $200 per violation and extended penalties beyond registration failures to cover failures to process consumer deletion requests.

What is DROP and how does it work?

DROP, the Delete Request and Opt-Out Platform, is the centralized consumer deletion portal mandated by the Delete Act and operated by CalPrivacy at privacy.ca.gov. DROP launched on January 1, 2026, following final regulations approved by the California Office of Administrative Law on November 13, 2025.

Through DROP, a consumer (or an authorized agent) can submit one free deletion request that applies to all registered data brokers. Instead of navigating individual opt-out processes at hundreds of separate companies, consumers now have a single, unified experience. Consumers can also exclude specific brokers from their request if they choose.

Key features of DROP:

One-stop deletion: a single submission applies to every registered data broker.
Consumer flexibility: individuals can exclude specific brokers from any request.
Identity matching: data brokers must implement reasonable identity-matching procedures to determine whether a consumer's deletion request corresponds to information in their records.
Processing obligations: beginning August 1, 2026, data brokers must access DROP at least every 45 days, retrieve matching requests, process verified deletions within 45 days, and report the status of each request back through the platform.
Ongoing deletion: once a consumer submits a deletion request, brokers must continue deleting any new data collected about that consumer on the same 45-day cycle.
if a broker cannot verify a consumer's identity, the request must still be treated as anUnverified requests: opt-out from the sale or sharing of that consumer's personal information.

Failure to check DROP within the mandated 45-day intervals constitutes an independent violation, meaning that penalties accrue not only for failing to process requests but for failing to check for them.

How do these rules change privacy compliance in California?

The Delete Act and DROP represent a structural change in California's privacy enforcement approach. Under the CCPA/CPRA, consumers who wanted their data deleted from data brokers had to contact each business individually, often navigating different submission formats, verification procedures, and response timelines across dozens or hundreds of companies. The Delete Act replaces that fragmented process with centralized deletion infrastructure.

This shift means:

Organizations that operate as data brokers face a new, high-frequency operational obligation. Checking DROP every 45 days and processing all incoming requests within that same window is a continuous compliance requirement, not a periodic one.

Enhanced oversight, including mandatory audits starting in 2028, raises the stakes for any company that sells or shares personal data. Audit reports must be retained for six years and produced to CalPrivacy on request, creating a long-term accountability trail.

The SB 361 amendments add disclosure obligations that extend well beyond previous requirements, including mandatory reporting of data sales to foreign actors and AI developers. This reflects the legislature's concern about data flows to adversarial nations and the use of personal data in training AI systems.

Even businesses not traditionally considered data brokers may face downstream effects. Companies that sell behavioral data, rely on lookalike audience providers, purchase data from brokers for marketing, or partner with data brokers across their advertising ecosystem should evaluate whether their vendors' compliance (or lack of it) creates risk for their own operations. If a data broker that supplies your marketing data fails to process deletion requests and you continue using that data, the compliance gap in your supply chain becomes your problem.

CalPrivacy has signaled that enforcement will be active. The agency has already announced multiple enforcement actions against data brokers for registration violations, and the per-request daily penalty structure introduced by SB 361 means that noncompliant brokers face escalating financial exposure for every unprocessed request.