Data broker registration checklist for the California Delete Act
· 2 min read · DROP Privacy
Before the deletion cycle, there's registration
The California Delete Act's recurring deletion duty only kicks in once you're a registered data broker — but registration is itself a legal requirement with its own deadline and its own penalty. Use this checklist to get the foundation right before the 45-day deletion cycle begins.
Step 1 — Determine whether you're a data broker
A data broker is a business that knowingly collects and sells the personal information of consumers it has no direct relationship with. If that describes any part of your business, you likely need to register. We break the definition down in who must register as a data broker.
- Do you sell, license, or trade consumer personal information?
- Is some of that data about people who never signed up with you directly?
- Are you subject to the CCPA?
If you answered yes, treat registration as required and confirm with counsel.
Step 2 — Register with the CPPA
Registration is done with the California Privacy Protection Agency (CPPA) and is an annual obligation.
- Register through the CPPA's data broker registration system.
- Pay the required annual registration fee.
- Provide the business and contact information the registry requires.
Failing to register carries a statutory penalty of $200 per day — a meter that runs the entire time you're unregistered. The registry is public, so non-registration is easy to discover.
Step 3 — Know the deadlines
Registration is annual, and the Delete Act's processing duties follow their own timeline:
- Register (and renew annually) with the CPPA.
- From August 1, 2026, begin processing deletion requests through the DROP platform.
- Re-process accessible requests at least every 45 days thereafter.
- From January 1, 2028, begin recurring independent third-party audits.
The full set of dates is in our 2026 compliance timeline.
Step 4 — Stand up the deletion capability
Registration makes you accountable; it doesn't make you compliant. Before the August 2026 processing deadline, you need a reliable way to:
- Download the DROP batch each cycle.
- Match it against your data accurately, without copying consumer PII around.
- Decide, respond, and suppress matched consumers going forward.
- Keep a tamper-evident record you can show an auditor.
How long does it take to be ready?
Longer than you'd think — building accurate, auditable matching at scale is an engineering project, not a form submission. That lead time is exactly why registration and capability-building should happen well before the deadline, not on it.
Step 5 — Keep records
Retain proof of registration, your processing logs, and the deletion attestations each cycle produces. When the 2028 audits arrive, this record is the difference between a formality and a liability. See what non-compliance costs.
Turning the checklist into a running system
DROP Privacy automates everything after registration — the full 45-day cycle plus the proof an auditor will ask for. Request a demo to see it run end to end.
See DROP Privacy run a full Delete Act cycle on sample data. Request a demo →