Beginning August 1, 2026, data brokers must begin accessing California’s Delete Request and Opt-Out Platform (“DROP”) at least once every 45 days to retrieve and process consumer deletion requests, as the consumer-facing launch transitions to operational obligations for data brokers. DROP allows California residents to submit a single deletion request to hundreds of registered data brokers through the platform rather than contacting each broker individually. California consumers have been able to submit requests to DROP since January 1, 2026.
California’s Delete Act, signed into law in October 2023, directed the creation of DROP. It requires data brokers to register with the California Privacy Protection Agency (“CPPA”) and pay an annual registration fee. Registered data brokers must also provide certain disclosures about their data collection and sale practices to the CPPA through DROP.
DROP is designed to allow a consumer to make a single verifiable request asking every data broker that maintains personal information about that consumer to delete that personal information or direct its associated service provider or contractor to do so. Starting on August 1, data brokers must access the platform at least every 45 days and process these requests. Data brokers must also report the status of each deletion request in DROP within 45 days of retrieving it and maintain a list of deletion requests to help ensure that personal information remains deleted going forward.
Companies should also pay close attention to requests that cannot be verified. The Delete Act provides that, where a data broker denies a deletion request because it cannot be verified, the data broker must process the request as an opt-out of sale or sharing and direct associated service providers or contractors to do the same. This means DROP readiness is not only a deletion workflow issue; it also implicates opt-out, suppression-list, vendor-management, and downstream-use controls. Failure to comply with deletion requirements may lead to fines of $200 (plus expenses) per request per day for each day of noncompliance, with the same $200 penalty for each day of failure to register when required.
California defines a “data broker” as a “business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” Notably, the definition is broad enough to capture many companies that do not view themselves as traditional data brokers. Businesses that collect consumer data from third-party sources and then enrich, license, append, segment, resell, or otherwise transfer that information may fall within the statutory definition, even if data brokerage is not their primary line of business. Adtech platforms, analytics providers, audience-segment sellers, people-search services, marketing vendors, and companies that monetize aggregated consumer datasets should evaluate whether the definition applies to them. However, note that businesses subject to the Fair Credit Reporting Act, covered entities and business associates under HIPAA, and financial institutions subject to the GLBA are not considered data brokers under the Delete Act.
Ahead of August 1, companies should consider confirming their data-broker status, mapping the personal information they collect and sell without a direct consumer relationship, identifying relevant service providers and contractors, and testing whether deletion and opt-out signals can be matched and propagated across internal and downstream systems. They should also assess whether existing data-retention, suppression, and vendor-contracting practices are sufficient to keep deleted data from reappearing in active datasets after a DROP request is processed.
DROP may be marketed to consumers as a simple one-stop deletion tool, but for covered data brokers it is likely to function as a recurring operational compliance program. With processing obligations beginning August 1, 2026, companies in and around the data broker ecosystem should use the remaining runway to confirm whether they are in scope and whether their deletion, opt-out, and vendor workflows are ready for California’s next privacy milestone.
If you have questions about whether the Delete Act will apply to your organization or need assistance with compliance, feel free to reach out to Alston & Bird’s Privacy, Cyber, & Data Strategy team.
