Pryvii
All Posts
Regulatory Updates
February 18, 2026

California's DROP Act Kicks Off August 1: Delete Request Automation

California's new data broker deletion law requires automated processing of consumer deletion requests every 45 days starting August 2026, with $200/day penalties per missed request. Website owners handling California traffic need to understand vendor propagation requirements now.

Share:

California's DROP Act Kicks Off August 1: Delete Request Automation

Imagine a California resident frustrated with their personal data circulating endlessly across data brokers—profiles built from online shopping habits, browsing history, and inferred interests. With a single request through the state's new Delete Request and Opt-Out Platform (DROP), they can demand deletion from hundreds of brokers at once. Starting August 1, 2026, data brokers must automate this process every 45 days or face steep penalties, reshaping how businesses handle consumer data.1 2

This isn't just a California issue. If your website serves California users and involves data collection, sharing, or sales—even indirectly—you could be affected. The Delete Act (SB 362), signed in October 2023, mandates this centralized system to empower consumers while imposing strict operational requirements on data brokers.3 2 With DROP live for consumer requests since January 1, 2026, and processing obligations kicking in soon, now's the time to assess compliance.4 5

What Is the Delete Act and DROP?

The Delete Act builds on California's 2019 data broker registry by introducing DROP, a first-of-its-kind platform administered by the California Privacy Protection Agency (CalPrivacy). It allows consumers to submit one verifiable request to delete their personal information from all registered data brokers, plus opt out of future sales or sharing.1 6 7

Key timelines:

  • January 2024 onward: Annual data broker registration with CalPrivacy, including fees to fund the registry and DROP.6 3
  • January 1, 2026: DROP opens for consumer submissions; data brokers create accounts and complete registration by January 31.4 5 2
  • Spring 2026: API integration available for automated access.4
  • August 1, 2026: Data brokers must retrieve and process requests every 45 days.1 4 5
  • January 2028: Triennial independent audits begin.3

DROP uses standardized identifiers and a specified hashing algorithm for matching requests to records, ensuring precise deletions.1 4 Regulations finalized in 2026 require data brokers to direct service providers, contractors, and affiliates to delete data too.1

This echoes broader privacy trends, like CCPA's right to deletion (Civil Code § 1798.105), but scales it via automation for data brokers.1

Who Counts as a Data Broker?

California defines a data broker broadly: any entity that "knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship."4 5 This includes aggregators, enrichers, and resellers of data gathered outside direct consumer interactions, such as from public sources or third-party purchases.4 7

  • Websites or apps that sell or share user data for profiling, advertising, or enrichment—even if not your core business—may qualify.4 5
  • Exemptions apply to public government data, FCRA-covered credit reporting, HIPAA health data, and businesses already compliant under those laws.7
  • If you share data downstream (e.g., with analytics vendors), check if that triggers broker status.4

Website owners: Traffic from California users doesn't automatically make you a broker, but if you handle personal info (e.g., emails, IPs, behavior data) and sell/share it, register now. Non-California businesses are in scope if they target or process California data.4 5

Core Compliance Requirements Starting August 1, 2026

From August 1, data brokers must check DROP at least every 45 days via the CalPrivacy website or API.1 4 5 Here's the step-by-step process:

  1. Account Setup: Register a secure DROP account, select relevant consumer deletion lists (avoiding duplicates), and maintain access controls. Notify CalPrivacy immediately of breaches.1
  2. Retrieve Requests: Download lists matching your data identifiers (e.g., hashed emails, names).1 4
  3. Match and Delete: Use standardized hashing to confirm matches. Delete all associated personal information, including inferences, from your systems, service providers, and contractors. Direct them to comply.1 4 5
  4. Timeline: Finalize within 90 days of retrieval. No contacting consumers for verification—prohibited under Section 7616.1 5
  5. Record-Keeping: Document determinations, maintain suppression lists, and retain records. Report status back via DROP.4 5
  6. Ongoing: Update account details, delete DROP-provided data if exiting broker status (within 30 days post-registration/audit), and deactivate account.1

Automation is key: Manual checks risk missing the 45-day cycle. API integration, available since spring 2026, enables programmatic pulls, matching, and propagation.4

Penalties are severe: $200 per missed request per day. A single overlooked request could snowball quickly.1

Vendor Propagation: The Hidden Challenge for Websites

Data brokers often rely on vendors for storage, analytics, or marketing. DROP requires propagating deletions to all service providers and contractors holding the data.1 4 This mirrors GDPR's processor obligations (Article 28) and CCPA's service provider rules (Civil Code § 1798.140(v)).1

Practical tips for compliance:

  • Map Your Ecosystem: Inventory all vendors touching California personal data. Classify as service providers (limited use) vs. those enabling sales/sharing.4
  • Contract Updates: Amend agreements to mandate DROP compliance, automated deletion APIs, and audit rights. Include indemnity for penalties.1
  • Technical Implementation:
    • Integrate DROP API for request ingestion.
    • Build internal deletion workflows: Hash matching → Data scan → Propagation via vendor APIs.
    • Use suppression lists to block re-acquisition.
  • Testing: Leverage CalPrivacy's sandbox for API trials before August 1.5
  • Exceptions: Don't delete if data is public government info or exempt under other laws (e.g., financial records).7

For websites: If you're not a broker but use data brokers (e.g., for ad targeting), ensure your contracts require DROP compliance to avoid indirect liability.

Actionable Steps for Website Owners and Businesses

With six months until enforcement (as of February 2026), prioritize these:

  • Self-Assess (Now): Review data flows against Delete Act definitions. Use CalPrivacy's registry to check peers.5 2
  • Register if Needed (January 2026): Annual fee-based process; include enhanced disclosures per SB 361 amendments.6 2
  • Build Automation:
    StepActionTimeline
    1. Account CreationVia CalPrivacy siteJan 1-31, 20264
    2. API SetupIntegrate sandboxSpring 20264 5
    3. Deletion PipelineHash, scan, propagateTest by July 2026
    4. First CheckRetrieve/processAug 1, 20261
  • Audit Prep: Plan for 2028 audits; document everything.3
  • Train Teams: Educate legal, engineering, and ops on prohibitions (e.g., no consumer contacts).1
  • Monitor Updates: Regulations evolved from 2024 proposals; watch CalPrivacy for clarifications.3 2

Compare to other laws:

LawDeletion MechanismFrequency/Automation
CCPA §1798.105Individual requests45-90 days, manual1
GDPR Art. 17Right to erasurePrompt, processor propagation
DROP (Delete Act)Centralized, automatedEvery 45 days1 4

This automation reduces consumer friction but demands robust tech stacks.

Potential Challenges and Risks

  • Scale: High-volume brokers face thousands of requests; manual processes won't scale.4
  • Matching Accuracy: Hashing errors could lead to over- or under-deletion, inviting fines or lawsuits.1
  • Vendor Resistance: Non-compliant partners expose you to liability.1
  • Enforcement: CPPA's recent actions signal aggressive oversight; audits start 2028.6 3

Businesses exiting broker status must notify within 45 days and purge data.1

Key Takeaways

  • August 1, 2026, is go-live: Automate 45-day DROP checks or risk $200/day per request fines.1 5
  • Broad Scope: Any California-data seller/sharer may qualify as a broker—assess now.4 5
  • Automation Wins: API integration and vendor propagation are non-negotiable for efficiency.4
  • Plan Ahead: Self-audit, update contracts, test pipelines, and document for audits.5
  • Consumer Power: DROP simplifies deletions, aligning with CCPA/GDPR but uniquely centralized.7 2

Compliance isn't optional—it's a competitive edge in privacy-first California. Stay vigilant as CalPrivacy refines implementation.1 2

Sources

Footnotes

  1. troutmanprivacy.com

  2. privacy.ca.gov

  3. en.wikipedia.org

  4. onetrust.com

  5. clarkhill.com

  6. bairdholm.com

  7. bytebacklaw.com

Share:

Related Posts

Regulatory Updates

HIPAA Part 2 Deadline MISSED: What Happens to Your SUD Records Now

The February 16, 2026 deadline for HIPAA Part 2 compliance just passed. This post covers what healthcare websites and covered entities should do immediately if they haven't updated their Notice of Privacy Practices for substance use disorder records, including remediation steps and penalty risks.

Regulatory Updates

Connecticut Lowers Privacy Law Threshold to 35,000: Your Site Now Applies

Effective mid-2026, Connecticut's privacy law dramatically expands its reach from 100,000 to 35,000 customers, plus new restrictions on selling minor data. Smaller websites that thought they were exempt may now need to comply.

Regulatory Updates

EU-US Data Transfer Framework: What 2026 Compliance Looks Like

With the latest EU-US data transfer agreement facing scrutiny and potential invalidation, explain how website owners can prepare for uncertainty and ensure lawful cross-border data flows.

Stay Compliant with Pryvii

Scan your website for privacy compliance issues across 17 regulations including GDPR, CCPA, and UK GDPR. Get actionable recommendations and fix problems before regulators find them.