Skip to main content

Don’t DROP the Ball on Upcoming Changes to the California Delete Act: 5 Key Steps Companies Should Take Before the August 1 Effective Date

By: Ana Razmazma, Natalie Kim, Kayla Tanaka, Brent Tuttle

The most consequential phase of California’s Delete Act (SB 362) takes effect on August 1, 2026, when every data broker that is subject to the Delete Act must retrieve and process deletion requests through CalPrivacy’s centralized Delete Request and Opt-Out Platform (DROP). The platform has been live for California residents since January 1, 2026, and over 300,000 California residents have already registered and submitted deletion requests through DROP. 

The financial stakes are significant. Failure to register as a data broker carries an administrative fine of $200 per day. Far more serious, beginning August 1, a data broker that fails to process deletion requests via DROP faces a fine of $200 per deletion request for each day that the data broker fails to delete personal information as required by the Delete Act. These fines apply whether or not the data broker is registered.  

CalPrivacy can also recover its cost of investigation and administrative action from data brokers that violate the Delete Act.  

Fines under the Delete Act may compound quickly: A data broker that has not registered or that leaves even a modest backlog of deletion requests unprocessed may accumulate seven figure (or greater) exposure in a day. For example, from August 1 onward, if just 50,000 California residents request that a data broker delete any of their personal information held by the business, and the data broker fails to do so within the required 45-day window, the potential fine could be $10 million for each day that the data broker fails to delete the in-scope personal information as required by the Delete Act.  

CalPrivacy has formed a dedicated Data Broker Enforcement Strike Force and has already brought multiple public enforcement actions under the Delete Act, so this is not a theoretical risk. 

Here are five key steps companies should consider taking to prepare for the Delete Act’s August 1 effective date.

 

1. Confirm Whether the Company Is a “Data Broker,” Even if the Company Doesn’t Think It Is  

The Delete Act defines a data broker broadly as any business (as defined by the California Consumer Privacy Act (CCPA)) that knowingly collects and sells to third parties the personal information of a California resident with whom the business does not have a direct relationship.  

The Delete Act leverages the CCPA’s definition of “sell” which broadly defines this concept as “making available … a [California resident’s] personal information by the business to a third party for monetary or other valuable consideration.” 

Companies should assess whether or not they are a data broker as soon as possible.  

Some companies have taken the position that they “share” personal information for “cross-context behavioral advertising” (online ads targeted to someone based on their activity across different websites and apps) under the CCPA, but that they do not “sell” personal information. These companies should carefully consider this position given the potential liability under the Delete Act and recent CCPA enforcement actions that assert “sharing” for “cross-context behavioral advertising” is also a “sale.” 

CalPrivacy’s recent enforcement actions to date under the Delete Act have focused heavily on companies that failed to recognize they qualified as a data broker or that failed to register as a data broker. For example, in December 2025, CalPrivacy’s Data Broker Enforcement Strike Force fined ROR Partners LLC, a Nevada-based marketing firm, $56,600 for failing to register as a data broker, underscoring that a company need not consider itself a “data broker” to fall within the Delete Act’s scope.

  

2. Register with CalPrivacy and Set Up the DROP Account 

If a company qualifies as a data broker, it should register with CalPrivacy (the annual fee is $6,000 plus processing costs) and establish its DROP account well before August 1. 

Under the Delete Act, data brokers must register between January 1 and January 31 following each year in which the company acted as a data broker. A data broker that fails to register by January 31 may trigger a $200-per-day fine plus CalPrivacy’s investigative costs. However, the late registration fines are modest compared to an unregistered data broker’s potential liability for failure to honor deletion requests from August 1 onward.

  

3. Develop and Test the Company’s DROP Processing Workflow  

Starting August 1, data brokers must access DROP at least once every 45 days, download the consumer deletion lists, match them against the data broker’s records, and delete matching personal information (including inferences, or conclusions the broker has drawn about a person) unless a statutory exception applies.  

Data brokers should decide whether they will integrate via CalPrivacy’s API or process lists manually; test the workflow in advance; and assign clear internal ownership. Note that unless a statutory exception applies, requests may be denied only where the requester’s identity cannot be verified, and even denied requests must be treated as opt-outs of “sale” and “sharing” for “cross-context behavioral advertising.” 

The Delete Act’s deletion obligations extend downstream to a data broker’s service providers and contractors. Ahead of the August 1 deadline, data brokers should consider completing a data inventory, identifying every system and vendor holding personal information covered by the Delete Act, and updating contracts to require vendors to execute deletions on the company’s instruction and confirm completion. 

 

4. Implement Ongoing Suppression of Deleted Personal Information

Deletion is not a one-time event. Data brokers must maintain a record of all deletion requests that they receive via DROP and ensure California residents’ personal information stays deleted, meaning that the data broker must maintain “suppression lists,” or records of the deleted personal information used to make sure the data broker does not collect that personal information again. 

 

5. Prepare for Delete Act Audits

Beginning January 1, 2028, data brokers must undergo independent third-party audits once every three years assessing their compliance with the Delete Act. CalPrivacy may request the audit report and related materials, which data brokers must provide within five business days of receiving a written request from CalPrivacy. Data brokers must retain audit reports and related materials for six years.

The Bottom Line

With August 1 less than two months away, businesses that may qualify as data brokers should treat Delete Act readiness as an urgent priority. The Delete Act’s per-request, per-day fine structure converts delay or risk-based approaches into potentially significant compounding liability. 

 

 

Related Insights

View more insights