
California Delete Act penalties: what non-compliance actually costs

DROP Privacy

What are the penalties under the California Delete Act?

The California Delete Act (SB 362) attaches real, accruing cost to non-compliance. The exposure comes in several forms — and because the underlying duty recurs every 45 days, the risk compounds rather than resolving. Here is what is actually at stake.

The $200-per-day registration penalty

The most concrete penalty is for failing to register. Any business that meets the definition of a data broker must register annually with the California Privacy Protection Agency (CPPA). Failing to do so carries a statutory penalty of $200 per day. That is a fixed, per-day meter that runs the entire time you are unregistered — and the data-broker registry is public, so non-registration is easy to discover.

Am I sure I even have to register?

If you knowingly collect and sell the personal information of consumers you have no direct relationship with, you very likely qualify. We break the definition down in who must register as a data broker. When in doubt, treat it as a question for counsel rather than an assumption.

Administrative fines for deletion failures

Beyond registration, failing to honor deletion requests exposes you to administrative fines that accrue over time, on top of existing CCPA enforcement. Because the obligation repeats on a 45-day cycle, a process that misses records — or skips a cycle — doesn't produce a single, fixed penalty. It produces a recurring liability that grows each cycle until it is fixed.

The dangerous part of the Delete Act is not one big fine. It is a continuous duty where "mostly compliant" quietly accumulates exposure every 45 days.

Audits raise the stakes from 2028

Starting January 1, 2028, data brokers must undergo independent third-party audits of their compliance on a recurring basis. An audit turns "we think we're compliant" into "prove it." Without a defensible, tamper-evident record of what you deleted and when, an audit becomes a liability rather than a formality. (See the full 2026 compliance timeline for every date.)

The indirect costs

The statutory and administrative penalties are only part of the picture:

The cheapest way to avoid all of it

Penalties are avoidable: register on time, and run an accurate, auditable deletion cycle every 45 days. That is what DROP Privacy is built to do — it runs the full deletion cycle and produces the tamper-evident proof an auditor will ask for, without consumer PII leaving your systems. Request a demo to see the attestation it generates.

