Table of Contents >> Show >> Hide
- What Is the California Delete Act?
- What Changes in 2026?
- Who Counts as a Data Broker?
- How DROP Works for California Residents
- Key Data Broker Deletion Rules by 2026
- Why the Delete Act Matters
- What the Delete Act Does Not Do
- How Businesses Should Prepare
- Consumer Tips for Using DROP
- Examples of How the Delete Act Could Help
- The Bigger Privacy Trend
- My Experience and Practical Perspective on Data Deletion
- Conclusion
- SEO Tags
For years, asking data brokers to delete your personal information felt a little like yelling “unsubscribe” into a haunted filing cabinet. You could send one request, then another, then another, only to discover that your name, address, phone number, shopping habits, inferred income bracket, and suspiciously accurate interest in discount patio furniture had already been copied, sold, repackaged, and resold somewhere else.
The California Delete Act is designed to change that. By 2026, California’s privacy system has moved from a scattered, company-by-company opt-out maze to a centralized deletion tool called the Delete Request and Opt-Out Platform, better known as DROP. The idea is simple: a California resident can submit one deletion request, and registered data brokers must process it under state rules.
This is a big deal for consumer privacy, data broker compliance, digital identity protection, and the future of privacy regulation in the United States. It does not erase every scrap of information about you from the internet. Sadly, it cannot delete that embarrassing high school poetry blog either. But it does give Californians a powerful new way to reduce the amount of personal information circulating in the data broker economy.
What Is the California Delete Act?
The California Delete Act, passed as SB 362, expands California’s existing data broker registration law. It requires data brokers to register with the California Privacy Protection Agency, disclose more about their data practices, participate in a centralized deletion system, and follow ongoing deletion rules beginning in 2026.
The law builds on the California Consumer Privacy Act and the California Privacy Rights Act, but it focuses specifically on a stubborn privacy problem: companies that collect and sell personal information about people with whom they do not have a direct relationship. These companies are commonly known as data brokers.
A data broker might collect information from public records, apps, websites, loyalty programs, surveys, location signals, marketing lists, or other commercial sources. The broker may then sell, license, share, analyze, or package that information for advertisers, insurers, landlords, background check services, political campaigns, analytics firms, fraud prevention vendors, or other buyers.
Some of these uses are ordinary commercial activities. Others can feel downright creepy. When a person receives a spam text five minutes after researching moving companies, or sees ads that seem to know too much, the data broker ecosystem may be one of the invisible pipes behind the curtain.
What Changes in 2026?
The major 2026 change is the launch and enforcement of DROP. California residents can use DROP to submit one request asking registered data brokers to delete personal information associated with them. Instead of contacting hundreds of companies individually, consumers can use one state-operated platform.
DROP became available to California residents on January 1, 2026. Data brokers must begin processing deletion requests on August 1, 2026. After that date, data brokers must access DROP at least once every 45 days, retrieve deletion requests, match them against their own records, delete covered personal information where required, and report request status through the platform.
That 45-day rhythm is important. The Delete Act is not just a one-time “please remove me” button. Once a consumer submits a deletion request, brokers are expected to continue deleting matching information in future cycles and avoid selling or sharing new personal information about that consumer unless an exemption applies.
Who Counts as a Data Broker?
Under California law, a data broker is generally a business that knowingly collects and sells personal information of consumers with whom it does not have a direct relationship. That phrase matters. If you buy shoes from a retailer, the retailer has a direct relationship with you. But if another company collects your purchase pattern, combines it with location or demographic data, and sells it to third parties, that company may fall into data broker territory.
The law also includes important exemptions. Certain entities or activities covered by laws such as the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, insurance privacy laws, and some health privacy rules may be excluded to the extent those laws apply. In plain English: not every company with data is automatically a data broker, and not every type of data must be deleted through DROP.
Still, the definition captures a large and influential part of the personal data marketplace. California’s registry includes hundreds of data brokers, making DROP one of the most ambitious privacy tools in the United States.
How DROP Works for California Residents
For consumers, the process is meant to be straightforward. A California resident verifies eligibility, creates a profile, provides identifying information, and submits a deletion request through DROP. The platform can include information such as name, address, date of birth, phone number, email address, and other identifiers that help data brokers match records accurately.
Some identifiers are optional. For example, consumers may be able to provide mobile advertising IDs, connected TV identifiers, or vehicle identifiers. The more accurate the identifiers, the better the odds that brokers can match and delete the right records. Think of it like giving the system a flashlight instead of asking it to search a warehouse during a power outage.
DROP is designed to protect the information consumers submit. Instead of simply handing raw personal details to every data broker, the system relies on standardized formats and secure matching methods. Data brokers must compare deletion lists against their own databases and process matches according to the law.
Key Data Broker Deletion Rules by 2026
1. Annual Registration
Data brokers must register with the California Privacy Protection Agency every year by the required deadline. Registration includes business information, contact details, data practice disclosures, and required fees. California publishes registry information so the public can see which companies identify as data brokers.
2. Expanded Disclosures
The Delete Act requires more transparency about what data brokers collect and how they handle privacy rights. Brokers may need to disclose whether they collect sensitive categories of information, such as minors’ data, precise geolocation, reproductive health data, or other high-risk personal information.
3. Access to DROP Every 45 Days
Beginning August 1, 2026, data brokers must access DROP at least once every 45 days. This is not optional homework. It is a recurring compliance duty. Brokers must retrieve pending deletion requests and process them according to the statute and regulations.
4. Deletion of Covered Personal Information
If a broker finds a match for a consumer who submitted a DROP request, it must delete covered personal information unless a legal exception applies. That may include not only obvious identifiers, such as names and contact details, but also related profiles and inferences built from personal information.
5. Ongoing Suppression
A major feature of the California Delete Act is continuing deletion. Brokers are expected to prevent the consumer’s data from simply reappearing in the next batch of purchased records. If a broker reacquires covered personal information connected to a consumer who has submitted a deletion request, the broker must delete it again in future cycles.
6. Status Reporting
Data brokers must report the status of deletion requests in DROP. This gives consumers and regulators more visibility than the old “we sent an email and hope someone reads it” method.
7. Independent Audits
Beginning in 2028, data brokers are required to undergo independent audits every three years to assess compliance with the Delete Act. This adds an accountability layer beyond self-reporting.
8. Penalties for Noncompliance
Data brokers that fail to register or fail to process deletion requests can face administrative fines. The law authorizes significant daily penalties, including fines tied to each deletion request that a broker fails to handle properly. In other words, ignoring DROP could become expensive very quickly. Privacy compliance is cheaper than regulatory whack-a-mole, and it comes with fewer headaches.
Why the Delete Act Matters
The data broker industry has long operated in the background. Most consumers do not know which brokers have their information, where the information came from, who bought it, or whether it is accurate. That opacity creates practical and personal risks.
Personal data can fuel spam, scams, identity theft, doxxing, stalking, discriminatory profiling, unwanted targeted advertising, and manipulative marketing. Sensitive data can reveal health interests, financial stress, family status, religious interests, political leanings, location habits, or other intimate details. Even when individual data points seem harmless, combining them can create a surprisingly detailed portrait.
The Delete Act matters because it reduces friction. Before DROP, a privacy-conscious consumer had to find brokers, locate opt-out pages, verify identity repeatedly, track responses, and repeat the process when data reappeared. That system favored companies with lawyers, forms, and patience. Consumers had, at best, a spreadsheet and a slowly fading will to live.
DROP flips the burden. Californians can make one request through a public platform, and registered brokers must do the repetitive work.
What the Delete Act Does Not Do
The California Delete Act is powerful, but it is not magic. It does not delete data held by every company in the world. It does not apply to all first-party businesses. It does not erase public records that remain legally available. It does not necessarily remove data covered by specific exemptions. It also does not stop every form of data collection at the source.
For example, if you have an account with a bank, retailer, streaming service, fitness app, or employer platform, those organizations may still retain information under their own legal obligations and privacy policies. DROP mainly targets registered data brokers that collect and sell information without a direct consumer relationship.
Consumers should also understand that deletion requests may affect personalization. Less data circulating may mean fewer targeted ads, fewer oddly specific offers, and perhaps fewer “we know you just moved” promotions. For many people, that sounds less like a drawback and more like a spa day for the inbox.
How Businesses Should Prepare
Businesses that may qualify as data brokers should not wait until enforcement arrives with a clipboard and a bad mood. The 2026 rules require operational preparation, technical matching, legal review, vendor coordination, and documentation.
A practical compliance plan should begin with a data broker assessment. Companies should ask whether they knowingly collect and sell personal information about California residents with whom they do not have a direct relationship. They should review revenue streams, data licensing arrangements, lead generation programs, audience segments, enrichment services, analytics products, and third-party sharing practices.
Next, brokers should map data systems. If deletion requests arrive through DROP, the company needs to know where consumer identifiers, inferred profiles, historical records, and downstream copies are stored. A deletion rule that exists only in a policy document is like a gym membership bought on January 2: admirable, but not necessarily effective.
Businesses should also update vendor contracts. Service providers and contractors may hold copies of brokered data, and the Delete Act expects brokers to coordinate deletion obligations with associated parties. Companies should build processes for matching hashed identifiers, preserving suppression lists, documenting exemptions, and reporting status within required timelines.
Consumer Tips for Using DROP
California residents who want to use DROP should provide accurate identifying information and keep their profiles updated. If you move, change phone numbers, use multiple email addresses, or have past names, adding those details may improve matching. Data brokers can only delete what they can confidently connect to the right person.
Consumers should also continue practicing basic privacy hygiene. Use strong passwords, enable multifactor authentication, limit app permissions, opt out of unnecessary tracking, reject nonessential cookies when practical, and be cautious with online quizzes that ask for your first pet, childhood street, favorite teacher, and possibly your mother’s maiden name while pretending to reveal which potato chip flavor matches your aura.
DROP is a strong tool, but privacy works best in layers. Legal rights, technical safeguards, careful sharing habits, and account security all work together.
Examples of How the Delete Act Could Help
Imagine a California resident who recently moved. Within weeks, they begin receiving moving-related spam, home warranty offers, insurance solicitations, and suspicious texts. Some of that activity may come from data brokers that bought or inferred address-change information. A DROP request could reduce future circulation of that brokered profile.
Or consider a parent concerned about minors’ personal information. If registered brokers hold data connected to a child, a parent may be able to submit a request on the child’s behalf where permitted. That matters because children’s data can be especially sensitive and long-lasting.
Another example: a person leaving an abusive relationship may want to reduce the availability of location-related or contact information. While DROP does not remove every public record, it can help reduce exposure through commercial data broker channels.
The Bigger Privacy Trend
California often acts as a privacy laboratory for the rest of the United States. The CCPA influenced privacy laws in other states, and the Delete Act may do the same for data broker regulation. Other states have explored or passed privacy laws, but California’s centralized deletion mechanism is unusually direct.
The broader lesson is clear: privacy rights are only useful when people can actually exercise them. A right buried behind 500 separate forms is technically a right, but practically a scavenger hunt. DROP turns deletion from a personal research project into a standardized process.
My Experience and Practical Perspective on Data Deletion
Anyone who has tried to remove personal information from data broker sites knows the experience can feel like playing an arcade game where every level is named “Please Verify Your Identity Again.” One broker asks for an email. Another wants a scanned ID. Another hides the opt-out form behind three menus, two policy pages, and a button that appears to have been designed by a raccoon with a law degree.
The most frustrating part is repetition. You remove your profile from one site, then find it copied somewhere else. You delete an old address, then a new listing appears with the same information plus a bonus phone number you forgot existed. The process is not merely annoying; it can be risky. Every new opt-out form asks consumers to provide more personal information to prove they are the person whose personal information they want removed. That irony is so thick it should come with a seatbelt.
This is where the California Delete Act feels different. Its value is not only the legal right to deletion. California consumers already had privacy rights under earlier laws. The real improvement is centralization, standardization, and recurring deletion. A one-stop request reduces the burden on individuals. A 45-day broker processing cycle reduces the chance that deleted information simply boomerangs back into circulation. Required status reporting creates more accountability. Future audits add pressure for brokers to build real systems instead of decorative compliance wallpaper.
From a consumer experience standpoint, DROP also changes the psychology of privacy. People are more likely to use a tool when it is official, free, and relatively simple. Most consumers do not have the time to maintain a data broker opt-out spreadsheet. They are busy working, caring for family, paying bills, and deleting suspicious emails claiming their package is waiting in a warehouse in a state they have never visited.
For businesses, the experience is more serious. The Delete Act turns privacy operations into a recurring compliance function. Data brokers need clean data maps, consistent matching logic, audit trails, exemption workflows, vendor instructions, and response systems. The companies that treat DROP as an annual legal chore may struggle. The companies that treat it as a data governance program will be better positioned.
The practical takeaway is that deletion is no longer just a customer service issue. It is a trust issue, a security issue, and a regulatory issue. Consumers want fewer surprise profiles floating around the marketplace. Regulators want evidence that brokers are honoring the rules. Responsible companies should want cleaner, more accountable data practices because sloppy personal data creates legal risk and reputational risk.
Will the California Delete Act solve every privacy problem? No. Data collection is still everywhere, from mobile apps to loyalty programs to connected devices. DROP cannot stop every leak, scrape, sale, or inference. But it gives Californians a meaningful tool against one of the messiest parts of the data economy. That is progress. Not perfect progress, not superhero-cape progress, but the kind of practical progress that makes privacy rights easier to use in real life.
Conclusion
The California Delete Act marks a major shift in how consumers can control personal information held by data brokers. By 2026, DROP gives California residents a centralized way to request deletion from registered data brokers, while requiring brokers to process requests, maintain ongoing deletion cycles, report status, and prepare for audits.
For consumers, the law offers a simpler path to reducing spam, scams, unwanted profiling, and unnecessary exposure. For businesses, it raises the bar for data governance and privacy compliance. For the rest of the country, it provides a model worth watching closely.
The internet may never forget everything. But thanks to the California Delete Act, at least some data brokers now have to try harder to remember less.
SEO Tags
Note: This article is based on current public information from California privacy authorities, legislative materials, privacy advocacy resources, legal analysis, and major U.S. reporting available as of June 29, 2026.
