California Delete Act vs CCPA: how they differ and how they work together
· 3 min read · DROP Privacy
Two laws, one goal — but very different mechanics
The CCPA and the California Delete Act (SB 362) both give California consumers the right to have their personal information deleted. Because they overlap, it's easy to assume that complying with one covers the other. It doesn't. They work through different mechanisms, on different cadences, and the Delete Act adds obligations the CCPA never imposed.
What is the CCPA?
The California Consumer Privacy Act (as amended by the CPRA) gives consumers rights over the personal information that businesses collect about them — including the right to know, the right to delete, and the right to opt out of sale. Under the CCPA, a consumer exercises those rights business by business: they submit a request directly to a company, and that company must respond.
What is the California Delete Act?
The Delete Act builds on the CCPA by creating a single state platform — the Delete Request and Opt-out Platform (DROP) — where a consumer makes one verified request and every registered data broker must honor it. Instead of contacting hundreds of brokers individually, the consumer flips one switch, and the obligation lands on all registered brokers at once, on a repeating schedule.
Delete Act vs CCPA: the key differences
- Who it targets: the CCPA applies broadly to many businesses; the Delete Act's deletion regime targets registered data brokers specifically.
- The mechanism: CCPA requests go to each business directly; Delete Act requests come through the state's DROP platform.
- The cadence: under the CCPA you respond to requests as they arrive; under the Delete Act you must process the DROP batch on a recurring 45-day cycle, indefinitely.
- Ongoing suppression: the Delete Act explicitly requires you to keep suppressing a deleted consumer going forward, not just delete once.
- Audits: the Delete Act adds mandatory independent third-party audits starting in 2028 — something the CCPA does not require.
Does the Delete Act replace the CCPA?
No. The Delete Act is additive. CCPA obligations remain in full force; the Delete Act layers a centralized, recurring deletion duty on top for data brokers. Delete Act violations can stack on top of existing CCPA enforcement.
If I already comply with the CCPA, am I covered for the Delete Act?
Not necessarily. CCPA compliance is about responding to direct requests; Delete Act compliance is about pulling the DROP batch every 45 days, matching it at scale, suppressing forward, and producing audit-ready proof. They are different operational problems — and the Delete Act's is the harder one to do by hand.
If you're a registered data broker, treat the Delete Act as a new recurring obligation, not a subset of work you already do for the CCPA.
Where DROP Privacy fits
DROP Privacy handles the Delete Act-specific work: it runs the 45-day deletion cycle, matches the DROP batch without exposing consumer PII, suppresses forward, and produces a tamper-evident proof of deletion for the 2028 audits. Not sure whether you're even in scope? Start with who must register as a data broker, or request a demo.
See DROP Privacy run a full Delete Act cycle on sample data. Request a demo →