The Delete Act: Your 2026 Right to Disappear from Data Brokers


Breaking: California's Revolutionary Single-Click Data Deletion Platform Goes Live January 1

California Privacy Protection Agency launches enforcement strike force as DROP platform fundamentally reshapes consumer privacy rights

December 28, 2025 — In what privacy advocates are calling the most significant consumer data protection advancement since GDPR, California's Delete Request and Opt-Out Platform (DROP) goes live January 1, 2026, giving California residents unprecedented power to erase themselves from the digital surveillance economy with a single click.

The regulations, approved by the Office of Administrative Law on November 6, 2025, create the nation's first state-operated deletion mechanism that allows consumers to request deletion of all personal information held by multiple data brokers simultaneously—fundamentally disrupting an industry that trades in the personal data of millions of Americans without their direct knowledge or consent.


The One-Click Privacy Revolution

Starting January 1, 2026, California residents will be able to access DROP at privacy.ca.gov and submit a single deletion request that automatically cascades to every registered data broker in the state. The platform represents a dramatic shift from the current fragmented system where consumers must submit individual deletion requests to hundreds of data brokers separately—a process so burdensome that it effectively nullified deletion rights for most people.

The California Privacy Protection Agency has designed DROP to function as a "National Do Not Call Registry" for personal data, but with significantly more teeth and enforcement mechanisms.

How DROP Works

When a consumer submits a deletion request through DROP:

  1. Immediate Distribution: The request is made available to all registered data brokers
  2. 45-Day Retrieval Cycle: Data brokers must check DROP at least once every 45 days (starting August 1, 2026)
  3. Automated Matching: Brokers must cross-reference the request against their databases
  4. Comprehensive Deletion: If a match is found, brokers must delete ALL personal information, including inferences and derived data
  5. Status Reporting: Brokers must report deletion status within 45 days of retrieving the request
  6. Continuous Monitoring: Brokers must continue checking for and deleting that consumer's data every 45 days indefinitely

This continuous deletion requirement is particularly revolutionary—it means data brokers cannot simply delete current records and then re-acquire the same person's data from other sources. Every 45 days, they must purge any newly acquired information about consumers who have opted out.

Strike Force Signals Aggressive Enforcement

In a move signaling zero tolerance for non-compliance, the California Privacy Protection Agency announced the creation of a Data Broker Enforcement Strike Force on November 18, 2025. The specialized unit within the Enforcement Division will investigate violations of both the Delete Act and California Consumer Privacy Act.

"For decades, strike forces have been a mainstay at U.S. Attorney offices and state Attorney General offices across the United States. We intend to bring the same level of intensity to our investigations into the data broker industry," said Michael Macko, CalPrivacy's head of enforcement.

The Strike Force builds on CPPA's 2024 investigative sweep that has already resulted in what the agency describes as a "record-setting number of enforcement actions." Recent enforcement victories include:

  • Tractor Supply Company: $1.35 million fine for CCPA violations
  • Todd Snyder, Inc.: $345,178 fine and mandatory practice changes
  • American Honda Motor Co.: $632,500 fine and compliance overhaul
  • ROR Partners LLC: $56,600 in fines for failing to register as a data broker
  • Background Alert: Forced shutdown after promoting ability to uncover "scary" amounts of personal information

The Economic Impact: $200 Per Day, Per Violation

The Delete Act's penalty structure creates massive financial incentives for compliance:

  • Registration Failure: $200 per day for each day a data broker fails to register (doubled from previous $100/day penalty)
  • Deletion Request Failure: $200 per day for each request a broker fails to process
  • Compounding Exposure: For brokers handling thousands of requests, non-compliance costs can quickly reach millions

For a data broker receiving 1,000 deletion requests and failing to process them for 30 days, the potential fine would be $6 million (1,000 requests × $200/day × 30 days). This penalty structure makes non-compliance economically untenable for most businesses.


Who Must Comply: The Data Broker Definition

The Delete Act applies to "data brokers"—defined as businesses that knowingly collect and sell personal information of consumers with whom they have no direct relationship. However, the CPPA's regulations significantly expand this definition.

Expanded Direct Relationship Standard

Under the new regulations, a "direct relationship" requires the consumer to "intentionally interact with a business for the purpose of obtaining information about, accessing, purchasing, using, or requesting the business's products or services within the preceding three years."

This means businesses may be data brokers if they:

  • Maintain information about consumers who haven't interacted with them in over 3 years
  • Have direct relationships but also sell personal information not collected directly from the consumer

Key Exemptions

The Delete Act does NOT apply to entities regulated by:

  • Fair Credit Reporting Act (FCRA)
  • Gramm-Leach-Bliley Act (GLBA)
  • Insurance Information and Privacy Protection Act (IIPA)
  • HIPAA and California's Confidentiality of Medical Information Act (CMIA)

However, these exemptions are narrowly construed to prevent abuse.

Registration Requirements: Enhanced Transparency

Data brokers must register annually by January 31 and disclose extensive information. These requirements were recently expanded under SB 361 (the "Defending Californians' Data Act"), which dramatically increased disclosure obligations.

Mandatory Disclosures

  • All trade names and website addresses through which they operate
  • Number of consumer deletion requests received and fulfilled
  • Number of requests denied (in whole or in part) and reasons for denial
  • Whether they collect personal information of minors
  • Collection of precise geolocation data
  • Collection of reproductive healthcare information
  • Average response time to deletion requests
  • Extent of regulation under FCRA, GLBA, IIPA, HIPAA, and CMIA

The CPPA makes this information publicly accessible through its website, creating unprecedented transparency into the data broker ecosystem.

Compliance Audit Requirements

Starting January 1, 2028, data brokers must undergo independent third-party audits every three years to assess compliance with the Delete Act. The audit requirements include:

  • Six-Year Retention: Audit reports must be maintained for at least six years
  • CPPA Access: Reports must be submitted to CPPA within five business days upon request
  • Public Disclosure: Starting January 1, 2029, brokers must disclose audit status and submission dates in annual registrations

These audits are in addition to existing CCPA risk assessment and cybersecurity audit requirements.

What Gets Deleted: Comprehensive Data Purge

When a data broker receives a verified deletion request, it must delete:

Covered Information

  • All personal identifiers (name, address, SSN, email, phone numbers)
  • Demographic information and characteristics
  • Commercial information and purchase history
  • Biometric data
  • Internet activity and browsing history
  • Geolocation data
  • Audio, electronic, visual, or similar information
  • Professional and employment information
  • Education information
  • Inferences drawn from any personal information (This is critical—it includes predictive analytics, behavioral profiles, and derived characteristics)

Limited Exemptions

Data brokers may retain information only if:

  • Required by law or regulation
  • Necessary to complete a transaction requested by the consumer
  • For internal use reasonably aligned with consumer expectations
  • For security purposes and fraud prevention
  • For scientific or historical research
  • Solely for legal compliance purposes

Service Provider and Contractor Obligations

The Delete Act extends deletion obligations beyond the data broker itself. When a consumer submits a deletion request, the data broker must:

  1. Direct all service providers and contractors to delete the consumer's personal information
  2. Share the minimum personal information necessary for providers/contractors to identify and delete the data
  3. Ensure compliance throughout the data supply chain

This prevents data brokers from circumventing deletion requirements by maintaining data through third parties.

Technical Implementation: What Brokers Must Do Now

Data brokers face aggressive implementation timelines:

January 1, 2026

  • DROP platform launches
  • Consumers can begin submitting deletion requests
  • Registration system fully operational with enhanced disclosure requirements

August 1, 2026

  • Mandatory 45-day access cycle begins
  • Data brokers must implement systems to check DROP every 45 days
  • 45-day deletion processing deadline takes effect
  • Continuous deletion obligations commence

January 1, 2028

  • First mandatory compliance audits begin
  • Three-year audit cycle commences

January 1, 2029

  • Audit disclosure requirements in annual registrations begin

Consumer Impact: What This Means for Privacy

For California residents, the Delete Act represents the most powerful privacy tool available in the United States. As data brokers continue to compile detailed profiles from various sources, this platform finally provides consumers with meaningful control.

Benefits

  • Single Point of Contact: One request reaches all registered data brokers
  • Zero Cost: DROP is free for consumers
  • Continuous Protection: Ongoing deletion prevents re-acquisition
  • Transparency: Public registry shows all registered brokers
  • Selective Control: Consumers can exclude specific brokers if desired
  • Request Modification: Ability to rescind or modify previous requests

Important Limitations

The Delete Act does NOT apply to:

  • First-Party Businesses: Companies you directly interact with (your bank, social media platforms, etc.)
  • Public Records: Certain government-accessible information
  • Exempt Data: Financial records subject to GLBA, credit reports under FCRA
  • Out-of-State Brokers: Only brokers meeting California's jurisdictional requirements

For businesses you have direct relationships with, you must still submit individual deletion requests under CCPA/CPRA.

Business Implications: Prepare Now

For organizations that may qualify as data brokers, immediate action is required. The Delete Act is just one component of an increasingly complex 2025 compliance landscape that demands comprehensive privacy program development.

Immediate Steps (Before January 31, 2026)

  1. Status Assessment: Evaluate whether your business meets the expanded data broker definition
  2. Direct Relationship Audit: Review all consumer relationships to determine if interactions occurred within 3 years
  3. Registration Compliance: Complete enhanced registration with all required disclosures
  4. Systems Integration: Prepare technical infrastructure to access DROP every 45 days

Technical Requirements

  • Develop automated systems to query DROP on 45-day cycles
  • Implement matching algorithms to identify consumers in deletion requests
  • Create deletion workflows that purge all personal information and inferences
  • Build reporting mechanisms to update DROP with deletion status
  • Ensure service provider contracts include deletion obligations

Documentation Requirements

  • Maintain logs of all DROP access dates
  • Document deletion request processing timelines
  • Track reasons for any request denials
  • Prepare for triennial compliance audits
  • Retain six years of audit documentation
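An added example (not code from CalPrivacy or from this article's author) of the logging checks listed above: it audits a broker's own DROP access log for gaps longer than 45 days and flags status reports that missed the 45-day deadline. The record layout, the sample dates, and counting penalty days from the missed due date are assumptions made for illustration.

```python
from datetime import date, timedelta

CYCLE_DAYS = 45                  # article: check DROP at least once every 45 days
CYCLE_START = date(2026, 8, 1)   # article: mandatory access cycle begins
DAILY_PENALTY = 200              # article: dollars per day per unprocessed request


def access_gaps(access_dates, as_of):
    """Return (start, end, days) for each stretch longer than CYCLE_DAYS
    with no logged DROP access, measured from CYCLE_START up to as_of."""
    if as_of <= CYCLE_START:
        return []
    in_scope = (d for d in access_dates if CYCLE_START <= d <= as_of)
    points = sorted({CYCLE_START, as_of, *in_scope})
    return [(a, b, (b - a).days)
            for a, b in zip(points, points[1:])
            if (b - a).days > CYCLE_DAYS]


def late_reports(requests, as_of):
    """Return (request_id, due, days_late) for each request whose status
    report came after retrieval + CYCLE_DAYS, or is still missing by then."""
    late = []
    for req in requests:
        due = req["retrieved"] + timedelta(days=CYCLE_DAYS)
        closed = req["reported"] or as_of   # still open: count up to as_of
        if closed > due:
            late.append((req["id"], due, (closed - due).days))
    return late


def penalty_exposure(late):
    """Rough dollar exposure using the article's arithmetic
    (late requests x $200/day x days). Counting days from the due date
    is an assumption, not a reading of the regulation."""
    return sum(days * DAILY_PENALTY for _, _, days in late)


# Constructed sample data: an internal access log and request tracker.
AS_OF = date(2027, 1, 10)
SAMPLE_ACCESSES = [date(2026, 8, 10), date(2026, 9, 20),
                   date(2026, 11, 15), date(2026, 12, 20)]
SAMPLE_REQUESTS = [
    {"id": "req-001", "retrieved": date(2026, 8, 10), "reported": date(2026, 9, 1)},
    {"id": "req-002", "retrieved": date(2026, 9, 20), "reported": date(2026, 11, 20)},
    {"id": "req-003", "retrieved": date(2026, 11, 15), "reported": None},
]

if __name__ == "__main__":
    for start, end, days in access_gaps(SAMPLE_ACCESSES, AS_OF):
        print(f"access gap: {start} -> {end} ({days} days)")
    late = late_reports(SAMPLE_REQUESTS, AS_OF)
    for req_id, due, days in late:
        print(f"{req_id}: report due {due}, {days} days late")
    print(f"estimated exposure: ${penalty_exposure(late):,}")
```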

The National Ripple Effect

While the Delete Act applies only to California residents, its impact will be felt nationwide:

Multi-State Coordination

The CPPA has established the bipartisan Consortium of Privacy Regulators to collaborate with states implementing similar laws. The agency has also partnered with data protection authorities in Korea, France, and the United Kingdom, signaling potential international coordination.

Industry Transformation

Data brokers operating nationally face a decision: implement separate systems for California residents, or adopt California-level deletion practices across all operations. The economic and operational complexity of maintaining dual systems may push many toward universal compliance.

Legislative Momentum

Other states are watching California's model closely. The success of DROP may accelerate similar legislation in states like Virginia, Colorado, Connecticut, and Utah, which have already passed comprehensive privacy laws.

What Consumers Should Know

Starting January 1, 2026

How to Use DROP:

  1. Visit privacy.ca.gov
  2. Create a verified account (authentication required to prevent abuse)
  3. Submit a single deletion request
  4. Optionally exclude specific brokers if desired
  5. Track deletion status through the platform
  6. Receive notifications as brokers process your request

What to Expect:

  • Data brokers have until August 1, 2026, to begin accessing DROP
  • Processing can take up to 45 days after a broker retrieves your request
  • Full deletion across all brokers may take several months
  • Continuous protection means ongoing deletion every 45 days

Complementary Actions:

The Road Ahead: Enforcement Priorities

The Data Broker Enforcement Strike Force has signaled several enforcement priorities:

High-Risk Targets

  • Hidden Operations: Brokers using trade names not disclosed in registration
  • Sensitive Data Traffickers: Special scrutiny for brokers handling minors' data, geolocation, and reproductive healthcare information
  • Consumer Profiling: Businesses creating inferences and behavioral profiles
  • Non-Registrants: Aggressive pursuit of brokers operating without registration

Investigative Tactics

  • Proactive monitoring of data broker industry
  • Undercover consumer testing
  • Cross-referencing of advertising platforms with registration database
  • Partnership with federal agencies and international regulators

Expert Perspectives

Tom Kemp, CalPrivacy Executive Director: "Data brokers pose unique risks to Californians through the industrial-scale collection and sale of our personal information. The widespread availability of digital dossiers makes it easier for our personal information to be weaponized against us, and even well-meaning data brokers can be victims of data breaches that leave all of us vulnerable. We must do everything we can to reduce these risks, bring transparency, and hold data brokers accountable."

Michael Macko, Head of Enforcement: "Data brokers pose unique risks to Californians through the industrial-scale collection and sale of our personal information. We will scrutinize any business that walks and talks like a data broker to make sure it's registered, and we will continue to examine businesses that create inferences about consumers to profile them."

Bottom Line

The California Delete Act represents a fundamental power shift in the data economy. For the first time, consumers have a realistic, streamlined method to opt out of the data broker surveillance ecosystem. The combination of the DROP platform, aggressive enforcement through the Strike Force, and severe financial penalties creates a new compliance reality for businesses trafficking in personal data.

Starting January 1, 2026, California residents gain the right to disappear—and data brokers face the obligation to make them vanish, completely and continuously, or face financially devastating consequences.

The age of friction-free data deletion has arrived.


Key Dates Summary

  • January 1, 2026: DROP platform launches; consumers can submit requests
  • January 31, 2026: Data broker registration deadline with enhanced disclosures
  • August 1, 2026: Mandatory 45-day DROP access cycle begins
  • January 1, 2028: First triennial compliance audits required
  • January 1, 2029: Audit disclosure in annual registrations begins

Resources

  • California Privacy Protection Agency: privacy.ca.gov
  • Data Broker Registry: cppa.ca.gov
  • File Complaints: Available through CPPA website
  • Delete Act Regulations: Full text at cppa.ca.gov/regulations/drop.html

This article covers breaking developments in California privacy law. Businesses should consult legal counsel to assess their specific compliance obligations. Regulations and enforcement actions continue to evolve.

About the Author: Analysis provided by CISO Marketplace, covering cybersecurity, compliance, and privacy developments affecting organizations globally.
