The obligation

The California Delete Act, in plain terms

California gave consumers a single switch to make every registered data broker delete their data. If you're a broker, that switch creates a recurring legal duty — and a clock. Here's what the law requires and why automating it is the only sane path.

  • Aug 1, 2026: Data brokers must be processing DROP deletion requests by this date
  • Every 45 days: The recurring cycle to process accessible requests, indefinitely
  • $200/day: Statutory penalty for failing to register as a data broker
  • 2028+: Independent third-party audits of broker compliance begin

Background

What the Delete Act actually does

The California Delete Act — Senate Bill 362, signed into law in 2023 — builds on the CCPA by creating one place where a consumer can ask all registered data brokers to delete their personal information at once. The California Privacy Protection Agency (CPPA) operates that mechanism: the Delete Request and Opt-out Platform (DROP).

Before the Delete Act, a consumer had to find and contact each broker individually. Now they make one verified request, and the obligation to act lands on every registered broker simultaneously — on a repeating schedule.

Who has to comply

The law applies to data brokers: businesses that knowingly collect and sell the personal information of consumers with whom they don't have a direct relationship. If your business is required to register as a data broker with the CPPA, the Delete Act's deletion obligations apply to you. Registration itself is an annual requirement, and failing to register carries its own daily penalty.

The timeline that matters

  • January 1, 2026 — the DROP platform becomes accessible to consumers, who can begin submitting deletion requests.
  • August 1, 2026 — data brokers must begin processing deletion requests through DROP, and then re-process accessible requests at least once every 45 days.
  • January 1, 2028 — data brokers must begin undergoing independent third-party audits of their compliance, on a recurring basis.

The processing deadline is close. Once brokers are required to process requests, the duty doesn't pause — it recurs every 45 days. Standing up a reliable, auditable cycle takes lead time, which is exactly what DROP Privacy gives you out of the box.

What you have to do each cycle

  • Process accessible requests at least once every 45 days.
  • Delete the matching consumer's personal information — and direct your service providers and contractors to do the same.
  • Suppress going forward: treat a deletion as an ongoing opt-out so you don't re-collect and re-sell that consumer.
  • Keep records that demonstrate you actually did it, in a form you can show an auditor or regulator.

What happens if you fall behind

The Delete Act attaches real cost to inaction. Failing to register as a data broker carries a statutory penalty of $200 per day. Deletion and audit violations expose brokers to administrative fines that accrue over time, on top of existing CCPA enforcement and the reputational damage of a public compliance failure. Because the obligation is continuous, a process that "mostly works" quietly compounds risk every 45 days.

Why automation is the only realistic answer

Matching a state-issued deletion batch against hundreds of millions of consumer records — accurately, every 45 days, while keeping evidence you can defend — is not a spreadsheet task. It's an engineering problem with a deadline attached. DROP Privacy exists to make that problem disappear: it indexes your data privately, matches the batch, decides each record, responds, suppresses forward, and produces the proof — on a schedule, without exposing PII.

Turn a legal deadline into a background job.

See how DROP Privacy runs the full Delete Act cycle for you — and hands you the attestation at the end.