California Delete Act (SB 362): What Businesses Must Know Before August 2026
What Is the California Delete Act?
The California Delete Act (Senate Bill 362), signed by Governor Newsom on October 10, 2023, fundamentally changes how data brokers operate in California. The law builds on the state's existing data broker registration requirements by creating a first-of-its-kind centralized deletion mechanism — the Data Broker Registration and Opt-Out Platform (DROP) — that will allow California consumers to request all registered data brokers delete their personal information through a single request.
While some provisions are already in effect, the centerpiece of the law — the DROP platform — is set to launch on August 1, 2026. This deadline is fast approaching, and businesses that buy, sell, or license personal information need to prepare now.
Who Qualifies as a Data Broker?
Under California Civil Code Section 1798.99.80, a data broker is a business that "knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship." The definition is broader than many businesses expect.
Key elements of the definition
| Element | What It Means |
|---|---|
| Knowingly collects | Intentional collection — not accidental or incidental data gathering |
| Sells to third parties | Includes selling, licensing, or trading personal information for monetary or other valuable consideration |
| No direct relationship | The consumer did not intentionally interact with or provide data directly to the business |
Businesses that only collect data from their own customers are generally not data brokers. However, companies that aggregate data from public records, purchase consumer lists, or collect data through third-party SDKs and then resell that data likely qualify. Use our Data Broker Classification Quiz to assess your status.
Data Broker Registration: Already in Effect
Since January 2024, all data brokers operating in California must register with the California Privacy Protection Agency (CPPA). Registration requirements include:
- Paying a $55.95 annual registration fee
- Providing the data broker's name, primary physical and mailing address, and website URL
- Disclosing whether the broker collects data on minors
- Providing a description of the categories of personal information collected and sold
- Including a link to the broker's privacy policy and opt-out mechanism
Failure to register carries penalties of $200 per day. The CPPA has already begun enforcing this requirement aggressively.
Enforcement Has Already Begun
The CPPA's Data Broker Enforcement Strike Force has not waited for the DROP platform launch to take action. In January 2026, the agency issued its first fines under the Delete Act's registration provisions:
| Company | Fine | Violation | Date |
|---|---|---|---|
| Rickenbacher Data LLC (Datamasters) | $45,000 | Failed to register; sold health-condition data (Alzheimer's, drug addiction) for targeted ads | Jan 8, 2026 |
| S&P Global, Inc. | $62,600 | Failed to register due to administrative oversight | Jan 8, 2026 |
The Datamasters case is particularly notable: the company was also ordered to stop selling all Californians' personal information — a remedy that goes beyond the registration fine itself. For a complete list of privacy enforcement actions, see our Penalties & Fines Tracker.
The DROP Platform: What's Coming August 1, 2026
The Delete Request and Opt-Out Platform (DROP) is the Delete Act's most impactful provision. Here is how it will work:
For consumers
- Visit the DROP platform operated by the CPPA
- Verify identity through the platform's authentication process
- Submit a single deletion request
- The request is automatically forwarded to all registered data brokers
- Data brokers must delete the consumer's personal information within 45 days
- Consumers can set requests to recur automatically every 45 days
For data brokers
- Must connect to the DROP platform's technical infrastructure by August 1, 2026
- Must process deletion requests received through DROP within 45 days
- Must provide the CPPA with metrics on requests received and processed
- Cannot charge consumers for exercising their deletion rights
- Must maintain audit trails of request processing
How DROP differs from individual opt-out requests
Before DROP, consumers who wanted to remove their information from data broker databases had to identify and contact each data broker individually — a process that could involve dozens or hundreds of separate requests. DROP consolidates this into one request that reaches every registered broker simultaneously. For more on current opt-out options, see our Data Broker Opt-Out Guide.
Compliance Checklist for Businesses
Whether you are clearly a data broker or are unsure about your classification, follow these steps before the August 2026 deadline:
Step 1: Determine if you are a data broker
Review your data practices honestly. Do you collect personal information about people who are not your direct customers and then sell, license, or share that data with other businesses? If yes, you likely qualify as a data broker under the Delete Act.
Step 2: Register with the CPPA (if not already)
If you meet the data broker definition, register immediately at the CPPA's data broker registry. Every day without registration carries a $200 penalty. The Datamasters and S&P Global cases show the CPPA is actively enforcing this.
Step 3: Inventory your data collection and sales
Document what categories of personal information you collect, from what sources, and to whom you sell or license it. This inventory will be essential for responding to DROP deletion requests.
Step 4: Build deletion infrastructure
Ensure your systems can process deletion requests at scale. When DROP launches, you may receive a large volume of requests simultaneously. Your systems must be able to locate and delete a specific consumer's data across all databases within 45 days.
Step 5: Prepare for DROP platform integration
Monitor the CPPA for technical specifications and API documentation for connecting to the DROP platform. The CPPA is expected to release detailed integration requirements in advance of the August 1 launch.
Step 6: Update your privacy policy
Disclose your data broker status, registration information, and how consumers can exercise their deletion rights through DROP. Ensure your retention practices align with prompt deletion — our data retention policy guide covers this in detail.
Step 7: Train your team
Ensure customer service, legal, and data engineering teams understand the Delete Act obligations, DROP request processing workflows, and 45-day response deadlines.
Step 8: Monitor compliance deadlines
Track the CPPA's regulatory calendar for DROP launch updates, new rulemaking, and enforcement guidance. Use our Privacy Law Calculator to assess which other state laws apply to your business alongside the Delete Act.
How the Delete Act Interacts With Other Laws
The Delete Act does not replace the CCPA/CPRA — it supplements California's privacy framework with data-broker-specific obligations. Businesses subject to the Delete Act likely also need to comply with:
- CCPA/CPRA — broader consumer privacy rights including right to know, delete, opt-out, and correct. See our California privacy law guide.
- Vermont Data Broker Act — similar registration requirement (Vermont was the first state to require data broker registration in 2019)
- Texas Data Broker Law — Texas requires data broker registration and compliance with the TDPSA. See our Texas privacy law guide.
- Oregon Data Broker Registration — effective since 2024
Use our State Law Comparison Tool to see how California's requirements compare across states.
Frequently Asked Questions
When does the California Delete Act take effect?
The Delete Act was signed into law on October 10, 2023. Data broker registration requirements have been in effect since January 2024. The DROP one-click deletion platform is set to launch on August 1, 2026. Businesses should be preparing now for the DROP integration requirements.
What happens if a data broker does not register?
Unregistered data brokers face penalties of $200 per day of non-compliance. The CPPA can also seek injunctive relief and additional penalties under the CCPA. As shown by the Datamasters case, the CPPA may also order the company to stop selling Californians' personal information entirely.
Can consumers use DROP to opt out of data sales rather than delete?
Yes. The Delete Act provides both deletion and opt-out rights through the DROP platform. Consumers can request that data brokers delete their data, stop selling their data, or both. The recurring 45-day request option is designed to prevent re-collection.
Does the Delete Act apply to out-of-state businesses?
Yes. Any business that qualifies as a data broker and collects personal information of California consumers must comply, regardless of where the business is physically located. The S&P Global enforcement action (a New York-based company) confirms that out-of-state businesses are subject to the law.
How is a "data broker" different from a regular business that sells some data?
The key distinction is the direct relationship requirement. If you collect data directly from consumers who intentionally interact with your service (e.g., your customers, registered users), you are generally not a data broker — even if you sell some of that data. A data broker collects and sells data about people who did not provide it directly to them. However, the line can be blurry; our Data Broker Classification Quiz can help you evaluate your specific situation.
Last updated: March 29, 2026.Disclaimer: PrivacyLawMap provides general information about US state privacy laws for educational purposes only. This is NOT legal advice. Privacy laws are complex and frequently amended. Consult with a qualified privacy attorney for advice specific to your business. PrivacyLawMap makes no warranties about the accuracy or completeness of this information.