Who must register as a data broker under the California Delete Act?
DROP Privacy
The California Delete Act's deletion obligations only apply to "data brokers" — but the definition is broader than many businesses expect. Here is who has to register with the California Privacy Protection Agency (CPPA), and what that registration actually commits you to.
What counts as a data broker in California?
Under California law, a data broker is a business that knowingly collects and sells the personal information of consumers with whom it does not have a direct relationship. The "no direct relationship" part is what catches businesses off guard: if you buy, aggregate, enrich, or resell consumer data about people who never signed up with you directly, you are likely a data broker — even if data isn't your primary product.
Do I have to register as a data broker?
If your business meets that definition and is subject to the CCPA, yes — California requires annual registration with the CPPA. Registration is its own legal duty, separate from the deletion obligations, and failing to register carries a $200-per-day statutory penalty. If you are unsure, treat it as a question for counsel rather than an assumption.
What does registration obligate you to do?
Registering as a data broker brings you fully within the Delete Act's recurring deletion regime. In practical terms, you must:
- Register annually with the CPPA and pay the required fee.
- Process deletion requests submitted through the state's Delete Request and Opt-out Platform (DROP), at least once every 45 days.
- Suppress matched consumers going forward, treating each deletion as an ongoing opt-out.
- Submit to independent audits of your compliance beginning in 2028.
Registration and deletion are two different duties. Registering does not make you compliant — it makes you accountable for the 45-day deletion cycle that follows. The full set of dates is in our 2026 compliance timeline.
What happens if you don't register?
Beyond the $200-per-day registration penalty, operating as an unregistered data broker leaves you exposed to CCPA enforcement and undermines any later claim that you acted in good faith. Because the registry is public, non-registration is also discoverable — by regulators, journalists, and competitors.
If the Delete Act applies to you
Once you have registered, the engineering challenge begins: matching the DROP batch against your data every 45 days, accurately and provably. DROP Privacy runs that cycle for you — privacy-preserving hash matching, automated DROP responses, forward suppression, and a tamper-evident proof of deletion, without consumer PII leaving your systems.
Next: read the full 2026 compliance timeline, or request a demo.