The California Delete Act: Is Your Business Considered a Data Broker?

The California Delete Act gives Californian residents greater control over the registered data brokers hold about them. The Act also requires data brokers to process data deletion requests submitted by consumers using a "one-stop" mechanism. This deletion mechanism, called the Delete Request and opt-out Platform (DROP), will be managed by the CPPA and will come into force on January 1, 2026.

Many companies don’t think of themselves as data brokers. However, if your business collects, shares, or monetizes personal data in ways that extend beyond a direct customer relationship, your business may be subject to the law.

This article explains what the California Delete Act is, who it applies to, and how to comply with it.

Key Takeaways for Businesses

The California Delete Act doesn’t replace existing California privacy laws, CCPA and CPRA, it builds on them.
The Delete Act sets new compliance obligations on businesses categorized as data brokers.
The definition of a data broker is wide: you don’t have to sell data to be classified as a data broker.
Early assessment is easier and less costly than retroactive cleanup.
Evaluate if your business meets the requirements and prepare for the California delete act compliance in advance.

What Is the California Delete Act?

The California Consumer Privacy Act (CCPA) was the first major privacy law in California, enacted to give California consumers greater control over the Personal Information that businesses collect about them. It went into effect in 2020.

In 2023, the CCPA was significantly amended and expanded by the California Privacy Rights Act (CPRA).

The California Delete Act (Senate Bill 362) is built on the CCPA and the CPRA, and specifically targets data brokers.

The California Delete Act is designed to give consumers a simpler, more effective way to request the deletion of their Personal Information. Instead of submitting deletion requests to dozens of separate businesses, consumers can use a single, centralized request mechanism. Data brokers are then required to process those data deletion requests within defined timeframes.

The California Delete Act has several key dates for implementation:

The California Privacy Protection Agency (CPPA) is required to establish the centralized deletion mechanism, called the Delete Request and opt-out Platform (DROP), by January 1, 2026.
Data brokers are required to begin accessing the DROP platform at least once every 45 days and processing consumer deletion requests beginning August 1, 2026.

Thus, the goal of the current California privacy law is to simplify consumer data deletion and increase accountability for companies that trade in personal data at scale.

How the Delete Act Fits Into California Privacy Law

The Delete Act doesn’t replace existing California privacy laws. It builds on them.

CCPA and CPRA protect user privacy and give consumers the right to delete personal information. The California Delete Act differs from CCPA and CPRA in the way how the deletion requests are exercised.

For most First-party businesses, individuals should send deletion requests directly.

For data brokers, however, the Delete Act introduces:

Centralized deletion requests.
Mandatory participation in the Delete Request and Opt-out Platform, managed by the CPPA.
Increased regulatory requirements.

The Delete Act incorporates many definitions from the California Consumer Privacy Act (CCPA).

For example, under the Delete Act, a consumer is defined as a California resident.

The term sell under the Delete Act is also defined similarly to the CCPA (the exchange of personal information for monetary or any valuable consideration).

What Is a Data Broker Under the California Delete Act?

Under California law, any company that sells personal data is not considered a data broker.

The Delete Act defines a data broker as any business that “knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.”

In other words, a data broker is a business that satisfies at least one of these:

Collects personal information from sources other than directly from the consumer.
Maintain records of consumers who have not interacted with the business for more than three years.
Shares or sells consumers’ personal data.
Have direct relationships with consumers but also share or sell personal information about the consumer outside of a “direct relationship” with a consumer (that was not collected directly from the consumer).

The Delete Act defines the term “direct relationship” to include a consumer who “intentionally interacts with a business for the purpose of obtaining information about, accessing, purchasing, using, or requesting the business’s products or services within the preceding three years.”

The California Act specifies that a business is also considered to be a data broker “if it has a direct relationship with a consumer but also sells personal information about the consumer that the business did not collect directly from the consumer.”

Is Your Business Considered a Data Broker?

Many organizations assume that they are not data brokers. However, regulators may assume you are a data broker even if your main business activity is not related to the selling of individuals’ personal data.

You may be considered a data broker if:

You collect personal data from third parties.
You combine datasets from multiple sources.
You provide insights, profiles, or targeting based on aggregated data.
You enable data sharing for advertising, analytics, or enrichment purposes.

In conclusion, the definition of a data broker is intentionally broad. The intent of data selling or sharing doesn’t matter as much as how data actually flows. If your business benefits from personal data without a clear, direct relationship with the individual, regulators may classify you as a data broker.

Business Types Most Commonly Considered as Data Brokers

Some industries are more exposed to the regulator’s scrutiny than others, but the list for data brokers is wider than many expect.

Businesses, commonly considered as data brokers, include:

Adtech and martech platforms.
Sales and CRM platforms (Salesforce, Microsoft Dynamics).
Email marketing (Mailchimp, ActiveCampaign).
Lead generation and data enrichment services (ZoomInfo, Apollo.io, Cognism).
Analytics and tracking providers (Google Analytics, Heap).
Social media management tools (Hootsuite, Sprout Social).
SEO & SEM tools (Semrush, Ahrefs, Google Ads).
People search, profiling, and background services.
Platforms that facilitate third-party data collection.

Even infrastructure and SaaS providers should evaluate their data flows, especially when at least some personal data passes through their systems.

Key features of the California Delete Act

The California Delete Act sets out responsibilities for both data brokers and the new California Privacy Protection Agency.

Key obligations for businesses include:

Centralized deletion platform
By January 1, 2026, the CPPA must create a centralized deletion platform, also known as the Data Broker Requests and Opt-out Platform (DROP). Consumers could request the deletion of any personal information held by all registered data brokers through this platform.
Registering as a data broker
All data brokers that handle the personal data of California residents must register annually with the CPPA. When registering, brokers must disclose detailed information about the data they collect. Data brokers are added to the CPPA’s public-facing Data Broker Registry. Annual registration costs $6,600.
Receiving and honoring deletion requests from the DROP
Data brokers must check the DROP for deletion requests at least every 45 days. Upon receiving, brokers must delete personal data across all systems and partners within 45 days. Once deleted, the data must not be sold, shared, or used, but the Act does not explicitly outline retention limits for personal data.
Exercising consumer privacy rights
Data brokers are required to create a dedicated page on their website explaining how consumers can exercise their privacy rights.
Disclosure of deletion requests
By July 1 of each year, data brokers must disclose details related to deletion requests received, their response times, and the percentage of requests accepted and denied.
Implementing audits
From January 1, 2028, data brokers must undergo an independent audit every three years to assess compliance. Brokers must submit audit reports upon the CPPA’s written request.

How to Register with the CPRA as a Data Broker?

Data brokers that reach the business threshold must register with the California Privacy Protection Agency (CPPA) as a data broker by January 31, 2026.

If data brokers have not registered by January 31, 2025, they may be liable for administrative fines for each day the data broker was unregistered.

To register with the CPRA, businesses must sign up for their mailing list to get the link to the online form, complete it, pay the annual fee, and set up an account in the Delete Request and Opt-Out Platform (DROP) system.

The annual data broker registration fee is $6,600.

Data brokers must disclose the following information to the CPPA on an annual basis:

The formal name of the data broker.
The data broker’s primary physical address, email address and website addresses.
An active link to a webpage that explains how consumers may exercise their rights under the CCPA.
The number of CCPA data subject requests and Delete Act deletion requests the data broker received in the prior calendar year. Businesses must also provide the number of processed requests, the number of denied requests, and the average number of days it took for the data broker to substantively respond to a data deletion request under the Delete Act.
Whether the data broker collects children’s personal data, the precise geolocation of consumers, or reproductive healthcare data of consumers.
Whether a data broker is regulated by the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, California’s Insurance Information and Privacy Protection Act, and/or California’s Confidentiality of Medical Information Act.
Whether the data broker has conducted an audit (starting January 1, 2028).

What Happens If You Don’t Comply with the California Delete Act?

Compliance with the California Delete Act is compulsory, not optional. If you don’t comply, you risk financial penalties and reputational risk.

Note that centralized deletion requests make it easier for regulators to identify non-compliance.

Non-compliance with the California Delete Act could lead to:

Administrative penalties.
Regulatory investigations.
Financial penalties.
Long-term reputational damage.

There are two types of financial penalties:

Failure to comply with deletion requests
Penalty is $200 per deletion request for each day the data broker fails to delete the information as required.
Failure to register as a data broker
Penalty is $200 per day for failure to register by the required deadline.

Note that the penalty can escalate rapidly because it is calculated per consumer and per day.

The CPPA has already demonstrated active enforcement of the deletion requests, even before the main deletion platform launches in 2026, by levying fines against data brokers who failed to register on time in previous years.

As of December 2025, the CPPA has taken at least eight public enforcement actions against data brokers.

Companies like Accurate Append, Key Marketing Advantage (KMA), Growbots, UpLead, and ROR Partners LLC have already paid fines ranging from approximately $34,400 to over $56,000. As an example, a $46,000 fine was sought against Jerico Pictures, Inc. for delayed registration and non-payment of the annual fee.

Additionally, the long-term compliance cost of waiting too long isn’t just a fine or a one-time cleanup, it will become more costly:

Operational cost
You must change your system’s design, allowing deletion at scale and rebuild data flows that were never documented.
Vendor and third parties’ liability
If you use third-party tools that weren’t vetted for deletion compliance early on, you may have to pay for higher-tier plans just to access compliance features, will be forced to switch vendors, or absorb liability for partners who can’t delete data properly.
Financial cost
You still have to pay all fines for non-compliance in the past.
Reputational cost
Public enforcement actions can undermine customer confidence or trigger contract reviews or terminations.

How to Prepare for California Delete Act Compliance

Since the major compliance deadlines for the centralized deletion platform begin in 2026, get ready for the California Delete Act compliance now.

Here is a comprehensive roadmap for data brokers to achieve compliance:

Map personal data
Start with your customer personal data mapping: where it comes from and where it goes, so you can later evaluate the status of your business.
Confirm your status as a data broker
Evaluate if your business meets the definition of a data broker and re-assess relationships with consumers to identify if you have a direct relationship with them. The regulations clarify that a "direct relationship" requires the consumer to intend to interact with the business.
Consent management
Obtain and record user consent to collect and process their personal data.
Register annually and pay fees
If you meet requirements as a data broker, register with the CPPA Data Broker Registry by January 31st of each year. Don’t forget the timely payment of the annual registration fee.
Update privacy disclosures
Ensure your publicly posted Privacy Policy or registration disclosure includes the required metrics from the prior calendar year. The mandatory metrics include the number of processed requests, the number of denied requests, and the average time taken to respond to those requests.
Set internal processes to meet the compliance
Align internal processes across legal, engineering, and marketing teams to comply with the California Delete Act.
Prepare for DROP platform access
By August 1, 2026, establish a DROP account on the DROP platform and select identifier lists (e.g., email address, phone number, name/ZIP code combinations, etc.)
Automate access to the DROP platform
While manual download of deletion requests is an option, it would take considerable amount of time and could lead to errors. Implement an automated API connection to the DROP platform for safer access.
Build and test deletion workflows
Set internal procedures for data deletion requests. Standardize and normalize the consumer identifiers received from the DROP to match your internal records. Upon request, delete all personal information associated with that consumer. Make sure the identifier set provided by the CPPA matches your records 100% before starting a deletion.
Ensure safe transfer of deletion requests
Identify whether deletion requests can be executed end-to-end.
Execute the 45-day cycle
Starting August 1, 2026, access the DROP platform at least once every 45 days to retrieve new deletion requests, and process these requests within the same 45-day window.
Keep records
Record all consumer data processing: the number of processed requests, the number of denied requests, and the average time taken to respond to those requests. Maintain detailed logs of consumer requests and their outcomes for at least six years.
Prepare for independent audits
Beginning in 2028, and every three years thereafter, undergo an independent, third-party audit to verify your compliance with the Delete Act's requirements.

This multi-stage preparation will ensure compliance with the California Delete Act, mitigating the risk of the daily $200 per-consumer fine.

How Cookie Consent and Data Controls Support the Delete Act Readiness

The California Delete Act (SB 362) builds directly upon the existing consumer rights established by the CCPA and CPRA, particularly the Right to Delete. While the Delete Act does not directly require obtaining Cookie Consent and general data control, they are essential prerequisites for technical and organizational architecture for compliance.

Properly implemented data controls and the Cookie Consent mechanism will help to solve technical challenges when asked to mass-delete a consumer's information.

Clear consent management and data controls help reduce exposure by:

Creating transparency around data collection and sharing.
Limiting unnecessary data collection.
Preventing unauthorized third-party tracking.

In principle, operational compliance with the CCPA/CPRA is the best possible preparation for the Delete Act's highly automated, high-frequency deletion requirements.

Use Consent Management Platforms (CMPs) to obtain cookie consent and properly implement data controls. Tools like CookieScript can help businesses to:

Understand what data is collected on their websites.
Obtain user consent for personal data collection and processing.
Identify third-party data collection.
Automatically block third-party data collection until consent is received.
Control tracking before data is shared.
Support broader privacy compliance efforts.

CookieScript CMP is one of the best CMPs, ensuring 100% compliance with existing and emerging privacy laws for 2026. In 2025, CookieScript received the fourth consecutive badge in a row as the leader on G2, a peer review site, and became the best CMP on the market for a whole year!

CookieScript CMP offers the following functionalities:

Google-certified CMP — CookieScript is a Google CMP partner, recommended by Google for the implementation of Google Consent Mode and Google Tag Manager.
Google Consent Mode v2 integration — allows tags like GA4, Ads, and Floodlight adjust automatically to each user’s consent status while preserving event modeling for accurate performance reporting.
IAB TCF 2.2 integration — implement IAB TCF v2.2, technical standard for publishers and ad tech vendors to manage user consent for data processing, ensuring compliance with GDPR.
Geo-targeting — automatically show the right banner, in the right format, for each region: GDPR in the EU, CCPA in California, LGPD in Brazil.
Privacy Policy generator — connected to your scan results, so disclosures stay aligned with your actual data use as new cookies or vendors appear.
Monthly scans and advanced reports powered by CookieScript’s cookie scanner — automated sweeps that detect new cookies, scripts, or third-party tools added by plugins. Reports track consent rates, banner performance, and compliance changes over time.
Automatic blocking for third-party scripts — analytics and marketing tags stay paused until valid consent is received. You don’t need to track down rogue pixels or rewrite snippets manually.
Banner sharing and self-hosted code — one setup that works across multiple sites or clients, with the option to host it yourself for full control and faster load times.
Consent logs — detailed, exportable records showing who gave consent, when, and for which purposes. They’re your evidence if an auditor or DPA ever asks for proof.
Available in 40+ languages — a Cookie Banner and a Cookie Policy are translated by professional translators into 40+ languages.

Frequently Asked Questions

What is the California Delete Act?

The California Delete Act is designed to give consumers a simpler, more effective way to request the deletion of their personal information. Instead of submitting deletion requests to dozens of separate businesses, consumers can use a single, centralized request mechanism. Data brokers are then required to process those data deletion requests within defined timeframes.

Does the California Delete Act apply outside California?

Yes, the California Delete Act applies to all businesses that collect, share, or monetize personal data of Californian residents in ways that extend beyond a direct customer relationship. Use tools like CookieScript to understand what data is collected on your website and obtain user consent.

Are First-party businesses exempt from data broker rules?

No. You, being a first-party business, may be considered a data broker if you collect personal data from third parties; supplement your customer profiles by purchasing or licensing third-party data; provide insights, profiles, or targeting based on aggregated data; or enable data sharing for advertising, analytics, or enrichment purposes.

How is a deletion request under the CCPA different from the Delete Act?

The CCPA deletion request and the Delete Act deletion request differ in how that right is exercised and enforced. Under the CCPA, the consumer submits a deletion request directly to each business, while under the Delete Act, the consumer submits one centralized request which is distributed to all registered data brokers. Under the Delete Act, consumers don’t need to know who has their data. Use CookieScript CMP to comply with California’s data privacy laws.

When does enforcement of the California Delete Act begin?

The California Privacy Protection Agency (CPPA) is required to establish the Delete Request and Opt-out Platform (DROP) by January 1, 2026. Data brokers must begin handling deletion requests through DROP by August 1, 2026.

GDPR & CCPA