Lethe.

Compliance guide

California Delete Act compliance: a data broker's guide

Everything a registered data broker needs to know about the Delete Act and DROP, in plain terms: the deadlines, the deletion cycle, suppression, reporting, what it costs to get it wrong, and how to be ready for August 1.

Last reviewed June 2026. Checked against the CalPrivacy DROP technical spec.

California's Delete Act gives residents one button that tells every registered data broker to erase them. If your business sells data on people it has no direct relationship with, that button now points at you. From August 1, 2026, you have to act on those requests on a schedule, prove you did, and keep those people deleted for good.

This guide covers what the law requires, the dates you cannot miss, what non-compliance costs, and the steps to be ready. It is written for the broker who has to operate this, not for a law review.

The short version

  • Consumer portal (DROP) went live: Jan 1, 2026
  • Mandatory broker processing begins: Aug 1, 2026
  • You must check DROP at least every: 45 days
  • Penalty for a missed deletion: $200 / req / day
  • Annual registration fee, due Jan 31: $6,000
  • First independent audit, then every 3 yrs: 2028

What the California Delete Act is

The Delete Act, Senate Bill 362, became California law in October 2023. It told the California Privacy Protection Agency, now usually called CalPrivacy, to build one place where any resident could ask all registered data brokers to delete their information at once. That place is the Delete Request and Opt-out Platform, or DROP. It opened to consumers on January 1, 2026.

Before DROP, a Californian who wanted out of the data trade had to file separate requests with hundreds of companies. Now they file once, and the request reaches every broker on the state registry. Your job is to receive it, find the person in your records, delete them, and report back. More than 500 brokers are registered, and the list is public.

Who counts as a data broker

Under California law, a data broker is a business that knowingly collects and sells the personal information of consumers it has no direct relationship with. The phrase that catches people is "no direct relationship." If you hold data on someone who is not your customer, and you sell or share it, you are probably a broker, even if you would never use the word.

There is no revenue minimum. There is no exemption for selling only part of your data. A company running a normal first-party business can still land inside the definition if it also buys data from outside and resells it.

The businesses most often surprised to qualify are lead-list sellers, data append and enrichment vendors, audience and segment providers, people-search sites, marketing data resellers, and analytics firms that license third-party data. If that describes you, run the five-question check before you assume you are clear. (Cal. Civ. Code § 1798.99.80)

The deadlines that matter

Two dates carry the most weight. January 31 is when you register and pay, every year. August 1, 2026 is when the deletion duty switches on. Miss the first and you can be fined for not registering. Miss the second and you can be fined per request, per day.

Date           What happens
Oct 2023       Delete Act (SB 362) signed into law
Jan 1, 2026    DROP opens to California residents; they can start filing
Jan 31, 2026   Annual registration and $6,000 fee due
Spring 2026    Broker API and sandbox open for integration
Aug 1, 2026    Brokers must begin retrieving and processing requests
2028           First independent compliance audit, then every three years

The 45-day deletion cycle

From August 1, 2026, the work runs on a loop. At least once every 45 days you log into DROP and pull the current list of people who asked to be deleted. You match that list against your own records. For every match, you delete the person's personal information, unless an exemption applies, and you tell your service providers and contractors to delete it too. Then you report what you did, per request, back to DROP.

The clock is 45 days from when you pulled the list: report a status for each request, and finish the deletions, inside that window. Some sources read the deletion-completion window as longer — up to 90 days — but the reading is unsettled, so treat 45 as your whole-cycle clock and you stay safe under either. The clean way to run it is not to cut that 45-day clock close. The failure that draws a fine is rarely a bad match. It is a forgotten cycle.

Easy to overlook

Directing your service providers and contractors to delete is part of the legal duty, not a nicety. The regulations require it, and an auditor will look for proof the instruction went out. If a vendor holds a copy of the data you deleted, your deletion is not finished.

Identifier lists and matching

DROP does not hand you names and emails in the clear. It hands you hashed identifiers. You hash your own records the same way and look for exact matches.

The hashing is fixed by the state. It is SHA-256, the output is Base64, and there is no salt. CalPrivacy publishes the exact rules for cleaning up each field before you hash it, plus a reference tool you can check your output against. A match has to be exact, 100 percent. There is no fuzzy matching and no judgment call.

You choose which identifier lists to pull based on what you actually hold. There are six:

List      Identifier                                  Type
NDZ       First name, last name, date of birth, ZIP   Composite
Email     Email address                               Single field
Phone     Phone number                                Single field
MAID      Mobile advertising ID                       Single field
NameVIN   First name, last name, VIN                  Composite
CTVID     Connected-TV ID                             Single field

Two of these, NDZ and NameVIN, combine several fields. The rest are single identifiers. There is no standalone name list and no free-text street-address matching. Name only appears bundled with other fields, and address only appears as a ZIP inside NDZ.

Because the rules and the reference tool are public, the matching is the easy part. Any competent engineer can build it in a weekend. The hard part comes next.
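The hash-and-match step described above, as an added example that is not CalPrivacy's reference tool or code from this guide. The trim-and-lowercase normalization, the request IDs, and the shape of the downloaded list are assumptions; use the agency's published per-field rules in production.

```python
import base64
import hashlib

def normalize_email(raw: str) -> str:
    # ASSUMPTION: trim + lowercase stands in for CalPrivacy's published
    # per-field normalization rules, which this guide does not reproduce.
    return raw.strip().lower()

def drop_hash(normalized: str) -> str:
    # SHA-256, Base64 output, no salt, as the guide describes.
    digest = hashlib.sha256(normalized.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")

def match_requests(drop_list: dict, records: list) -> dict:
    """Return {request_id: [record ids]} for exact hash matches only."""
    index = {}
    for rec in records:
        key = drop_hash(normalize_email(rec["email"]))
        index.setdefault(key, []).append(rec["id"])
    return {req: index[h] for req, h in drop_list.items() if h in index}

# Constructed sample data. r1 and r3 are the same person stored two ways;
# both must be found, which only works if normalization runs before hashing.
RECORDS = [
    {"id": "r1", "email": "  Ana.Diaz@Example.com "},
    {"id": "r2", "email": "bo@example.org"},
    {"id": "r3", "email": "ana.diaz@example.com"},
]
# ASSUMED shape of a downloaded list: request ID -> hashed identifier.
DROP_LIST = {
    "req-001": drop_hash("ana.diaz@example.com"),
    "req-002": drop_hash("nobody@example.net"),
}

if __name__ == "__main__":
    print(match_requests(DROP_LIST, RECORDS))
```

Because the hash is unsalted, low-entropy identifiers such as phone numbers can be recovered by enumeration, so the downloaded lists and your hashed index need the same access controls as the raw data.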

Suppression, the part people miss

Deleting someone once is not the job. Keeping them deleted is.

Here is the trap. You delete a batch of people in August. In September a data partner sends you a fresh file, and some of those same people are back in your system. If all you ran was a one-time deletion, you have now re-collected people who legally asked to be gone, and you are out of compliance again without meaning to be.

The law accounts for this. You have to keep a record of everyone you have ever deleted and re-check your data against that record every cycle, indefinitely. DROP makes this non-optional in a second way. It gives you the full list of deletion requests only once, on your first pull. After that you only get changes. If you lose your local record, you cannot just re-download the whole thing. You would have to ask CalPrivacy in writing.

So your suppression record becomes the system of record for these obligations. Treat it that way. Back it up, and know which incoming feeds keep re-introducing deleted people, because that is where repeat violations start.

One more wrinkle: a consumer can withdraw a deletion request. When that happens, DROP signals it, and you have to stop treating that person as deleted. A list that only ever adds people, and never removes them, gets this backward and keeps deleting someone who asked you to stop.
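A suppression record that handles both additions and withdrawals, and screens an incoming partner file before it is loaded, as an added example that is not code from this guide or from CalPrivacy. The change-record shape, feed names, and email normalization are assumptions.

```python
import base64
import hashlib
from collections import Counter

def drop_hash(value: str) -> str:
    # SHA-256, Base64, no salt. ASSUMPTION: trim + lowercase stands in for
    # CalPrivacy's published normalization rules.
    digest = hashlib.sha256(value.strip().lower().encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")

class SuppressionRecord:
    """Local system of record: identifier hash -> DROP request ID."""

    def __init__(self):
        self.active = {}               # people currently to be kept deleted
        self.history = []              # append-only trail of applied changes
        self.reintroduced = Counter()  # feed name -> count of blocked rows

    def apply_pull(self, pull_date, changes):
        # ASSUMED change shape: (action, request_id, identifier_hash)
        for action, request_id, id_hash in changes:
            if action == "add":
                self.active[id_hash] = request_id
            elif action == "withdraw":
                self.active.pop(id_hash, None)  # stop treating as deleted
            else:
                raise ValueError(f"unknown action: {action}")
            self.history.append((pull_date, action, request_id))

    def screen_feed(self, feed_name, rows):
        """Split an incoming file into rows safe to load and rows to drop."""
        allowed, blocked = [], []
        for row in rows:
            if drop_hash(row["email"]) in self.active:
                blocked.append(row)
                self.reintroduced[feed_name] += 1
            else:
                allowed.append(row)
        return allowed, blocked

def run_sample():
    # Constructed data: the first pull is the full list, later pulls are changes.
    rec = SuppressionRecord()
    rec.apply_pull("2026-08-03", [("add", "req-001", drop_hash("ana@example.com")),
                                  ("add", "req-002", drop_hash("bo@example.org"))])
    feed = [{"email": "Ana@Example.com"}, {"email": "cy@example.net"}]
    _, blocked_sept = rec.screen_feed("partner-a", feed)
    rec.apply_pull("2026-09-15", [("withdraw", "req-002", drop_hash("bo@example.org"))])
    allowed_after, _ = rec.screen_feed("partner-b", [{"email": "bo@example.org"}])
    return rec, blocked_sept, allowed_after
```

The `reintroduced` counter is what tells you which feeds keep sending back people you already deleted.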

Reporting and status codes

For every request you process, you report a result back to DROP using a fixed numeric code. There are four:

Code  Meaning
2     Exempted. A match was found, but the data is exempt from deletion.
3     Deleted. A match was found and the non-exempt data was erased.
4     Opted out. One identifier matched several consumers, all opted out of sale or sharing.
5     Not found. No match after the full matching process.

You report by uploading a simple file that pairs each request ID with its status code, reusing the filename you downloaded. Status reporting starts from the second pull onward, and the window is 45 days from retrieval.

Penalties and enforcement

The number to remember is $200. That is the fine for each deletion request you fail to honor, for each day you fail to honor it. The math gets ugly fast. One missed cycle with a few dozen matches can run into thousands of dollars a day.

This is not hypothetical. CalPrivacy set up a Data Broker Enforcement Strike Force and has already fined companies for failing to register, including one penalty of $55,400. Registration failures carry their own $200-per-day fine plus the cost of the agency's investigation. Enforcement was running before the deletion duty even switched on, which tells you how the agency plans to treat the deadlines.

The 2028 audits

Starting in 2028, every registered data broker has to undergo an independent audit, and again every three years after that. The auditor will want to see that you ran the cycles, deleted who you were supposed to, and kept those people deleted. That evidence is the record you build now.

You cannot reconstruct two years of compliance after the fact. Whatever you plan to show an auditor in 2028, you are creating it in 2026. A deletion log that only you control, with nothing to back it up, is weak evidence. A record that is timestamped against an outside source, so it cannot be quietly rewritten later, is the kind that holds up. That gap is worth closing early.
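One way to make a deletion log tamper-evident, using the status codes from the reporting section, as an added example that is not code from this guide or a CalPrivacy requirement. The entry fields and sample values are assumptions, and submitting the head digest to an outside timestamping service is left out.

```python
import hashlib
import json

VALID_STATUS = {2, 3, 4, 5}  # the four DROP status codes listed in this guide
GENESIS = "0" * 64           # assumed starting value for the chain

def entry_digest(prev: str, body: dict) -> str:
    # Canonical JSON so the same body always produces the same digest.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev + payload).encode("utf-8")).hexdigest()

def append_entry(log: list, request_id: str, status: int,
                 retrieved: str, reported: str) -> str:
    if status not in VALID_STATUS:
        raise ValueError(f"unknown DROP status code: {status}")
    body = {"request_id": request_id, "status": status,
            "retrieved": retrieved, "reported": reported}
    prev = log[-1]["digest"] if log else GENESIS
    log.append({"body": body, "prev": prev, "digest": entry_digest(prev, body)})
    return log[-1]["digest"]  # head digest: the value to timestamp externally

def verify(log: list, anchored_head: str) -> bool:
    """True only if every link recomputes and the anchored digest is in the chain."""
    prev, seen_anchor = GENESIS, False
    for entry in log:
        if entry["prev"] != prev or entry["digest"] != entry_digest(prev, entry["body"]):
            return False  # an entry was edited in place
        prev = entry["digest"]
        seen_anchor = seen_anchor or prev == anchored_head
    # A log rebuilt from scratch is self-consistent but lacks the anchored digest.
    return seen_anchor

def build_log(rows):
    log, head = [], GENESIS
    for row in rows:
        head = append_entry(log, *row)
    return log, head

# Constructed sample cycle: (request_id, status, retrieved, reported)
SAMPLE = [("req-001", 3, "2026-08-03", "2026-08-20"),
          ("req-002", 5, "2026-08-03", "2026-08-20"),
          ("req-003", 2, "2026-08-03", "2026-08-21")]
```

The chain alone only detects in-place edits; the copy of the head digest held by an outside party is what defeats a full rewrite.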

Where brokers get it wrong

  • Treating it as a one-time deletion instead of a standing process that runs every 45 days.
  • Keeping an add-only suppression list that never handles withdrawals.
  • Forgetting to direct service providers and contractors to delete.
  • Letting the 45-day clock slip because nobody owns the calendar.
  • Running the cycle but keeping no evidence they could hand an auditor.
  • Assuming they are exempt without checking the definition.

How to prepare before August 1

A short list to work through:

  1. Confirm whether you are a data broker. Start with the five-question check.
  2. Register with CalPrivacy and pay the fee if you have not already.
  3. Work out which of the six identifier lists match the data you hold.
  4. Set up a way to retrieve, hash, match, delete, and report on a 45-day loop.
  5. Stand up a suppression record, and a plan to keep it safe.
  6. Decide how you will produce audit evidence for 2028.

Items 1, 3, and 6 are where most brokers stall. A readiness assessment covers them in about a week and leaves you with a written assessment of where you stand.

Common questions

Is the California Delete Act the same as the CCPA?

No. The CCPA gives consumers rights they exercise company by company. The Delete Act builds on it but adds one central platform, DROP, where a resident can request deletion from every registered broker at once. The obligations and deadlines are different, and DROP requests are broader than a standard CCPA deletion request.

How often do I have to check DROP?

At least once every 45 days. Run the full cycle — report each status and complete the deletions — on that same 45-day clock. Some sources read the deletion-completion window as longer (up to 90 days), but it is unsettled, so a 45-day whole-cycle clock keeps you safe under either reading.

What is the penalty for not complying?

$200 for each deletion request you fail to honor, for each day you fail to honor it. Failing to register carries a separate $200-per-day penalty plus the agency's investigation costs. CalPrivacy has a strike force and has already issued five-figure fines.

Do I have to delete data I am legally required to keep?

No. Information covered by exemptions such as the FCRA, GLBA, or HIPAA can be carved out. You still process the request and report it, but you mark those records exempt (status code 2) rather than deleting them. Confirm which of your data is exempt with counsel.

How much does registration cost?

The annual fee is $6,000 plus processing, due by January 31 each year. Missing the deadline carries a $200-per-day penalty, and registration enforcement is already active.

Can a consumer cancel a deletion request?

Yes. A consumer can withdraw a request. DROP signals the withdrawal, and you have to stop treating that person as deleted. A suppression process that only ever adds people will get this wrong.

Find out where you stand before the deadline.

Two ways to start. Check your scope in five questions, or get a written readiness assessment that maps your obligations, exposure, and gaps in about a week.

This guide is general information about California's Delete Act, not legal advice, and it does not create an attorney-client relationship. The data broker remains the regulated party and filer of record. Confirm your obligations with qualified counsel. Regulatory details are current as of the last review date above and were checked against CalPrivacy's published materials; the agency revises its specification over time.