California Delete Act (SB 362): the 2026 compliance timeline for data brokers
· 3 min read · DROP Privacy
The California Delete Act (Senate Bill 362) turns a one-time privacy chore into a recurring legal obligation with hard deadlines. If your business is a registered data broker, here is exactly what the law requires and by when — in plain English.
What is the California Delete Act?
The California Delete Act (SB 362), signed in 2023, builds on the CCPA by creating a single place where a consumer can ask every registered data broker to delete their personal information at once. The California Privacy Protection Agency (CPPA) runs that mechanism: the Delete Request and Opt-out Platform (DROP). Before the Delete Act, a consumer had to find and contact each broker individually; now one verified request reaches every broker simultaneously, on a repeating schedule.
The compliance timeline at a glance
- January 1, 2026 — the DROP platform becomes accessible to consumers, who can begin submitting deletion requests.
- August 1, 2026 — data brokers must begin processing deletion requests through DROP, and then re-process accessible requests at least once every 45 days.
- January 1, 2028 — data brokers must begin undergoing independent third-party audits of their compliance, on a recurring basis.
The key date is August 1, 2026. That is when the duty to act begins — and it never pauses afterward. Standing up a reliable, auditable, repeatable cycle takes lead time, so the work starts well before the deadline, not on it.
What you have to do each cycle
Once processing begins, every accessible cycle (at most 45 days apart) you must:
- Process accessible requests — download the outstanding DROP batch and match it against your data.
- Delete the matching consumer's personal information, and direct your service providers and contractors to do the same.
- Suppress going forward — treat a deletion as an ongoing opt-out so you do not re-collect and re-sell that consumer.
- Keep records that demonstrate you actually did it, in a form you can show an auditor or regulator.
How often do data brokers have to process deletion requests?
At least once every 45 days. The obligation is continuous, not a one-time project: each new cycle brings a fresh batch, and matched consumers must stay suppressed indefinitely.
What are the penalties for non-compliance?
The Delete Act attaches real cost to inaction. Failing to register as a data broker carries a statutory penalty of $200 per day. Deletion and audit violations expose brokers to administrative fines that accrue over time, on top of existing CCPA enforcement — and the reputational damage of a public compliance failure. Because the duty recurs, a process that "mostly works" quietly compounds risk every 45 days.
Why a manual process won't hold
Matching a state-issued deletion batch against hundreds of millions of consumer records — accurately, every 45 days, while keeping defensible evidence — is not a spreadsheet task. It is an engineering problem with a deadline attached. That is exactly what DROP Privacy automates: it indexes your data privately, matches the DROP batch, decides each record, responds through the DROP API, suppresses forward, and produces a tamper-evident proof of deletion — on a schedule, without consumer PII ever leaving your systems.
Not sure whether the Delete Act even applies to you? Read who must register as a data broker, or request a demo to see a full cycle run end to end.
See DROP Privacy run a full Delete Act cycle on sample data. Request a demo →