California Delete Act: How to Erase Your Data from 500+ Brokers Before August 2026
Privacy Ops
California Delete Act: How to Erase Your Data from 500+ Brokers Before August 2026
Published on February 28, 2026 by Vizava.pro
There are hundreds of companies that know your name, address, phone number, family members, income estimate, political leaning, and browsing habits — and you never signed up for a single one of them. They're called data brokers, and until recently, opting out of each one meant sending hundreds of individual deletion requests and hoping for the best.
That changed. The California Delete Act — officially SB 362 — is now operational, and it gives California residents a single trigger to fire at every registered data broker in the state at once. As of January 1, 2026, the platform is live. Here's everything you need to know to use it before enforcement teeth kick in on August 1.

What the California Delete Act Actually Does

The Delete Act (California SB 362) was signed into law in October 2023. Its core mandate: force the California Privacy Protection Agency (CPPA) — now called CalPrivacy — to build a centralized, government-administered deletion platform.
Before this law, California residents had the California Consumer Privacy Act right to delete, but exercising it was brutally manual. The CCPA gave you the right to request deletion from individual companies, but nothing compelled those requests to be unified. Each data broker had its own opt-out form, its own verification hoops, and its own timeline for honoring (or ignoring) your request. The Delete Act California changes this by creating one mechanism to reach all of them simultaneously.
The law doesn't just target obvious surveillance firms. Any business that collects and sells personal information about consumers it doesn't have a direct relationship with qualifies as a data broker under the Act's definitions — and that net is wide. In January 2026, CalPrivacy's newly formed Data Broker Enforcement Strike Force already issued decisions against two companies for failure to register as required.

The CPPA Regulations Approved November 2025

To understand where things stand right now, it helps to know the regulatory history. On September 26, 2025, CalPrivacy formally adopted the technical regulations governing the deletion platform. Shortly after, the California Privacy Protection Agency Delete Act regulations were sent to the Office of Administrative Law for final review.
On November 6, 2025, the Office of Administrative Law officially approved the regulations, filing them with the California Secretary of State. CalPrivacy publicly announced the approval on November 13, 2025. This is the California Delete Act regulations approved November 2025 milestone that privacy advocates had been tracking all year.
The California Delete Act regulations approved November 2025 CPPA package established the technical and operational specifications for the platform — now branded DROP — including how data brokers must authenticate into it, how identity matching must work, how deletion request outcomes must be reported, and what constitutes a legal exemption. The regulations took effect January 1, 2026.

What Is DROP?

DROP stands for Delete Request and Opt-Out Platform. It's the government-built system that gives California residents a single access point to delete their personal information across all registered data brokers. You can access it at privacy.ca.gov/drop.
As of January 1, 2026, DROP is live and accepting consumer submissions. Over 500 registered data brokers are enrolled. A single DELETE request through DROP is routed to all of them — without you needing to locate, contact, or track each one individually. It also functions as an ongoing suppression mechanism: brokers are required to maintain records of deletion requests to prevent your data from being re-collected or resold after the fact.

How to Submit Your DROP Request: Step-by-Step

The process is straightforward.

Step 1 — Verify Your Eligibility

DROP is available to California residents only. You'll need to confirm residency through the California Identity Gateway, the state's secure digital verification system. You can also authenticate through Login.gov if you have an existing federal account.

Step 2 — Create Your Profile

Provide basic identifying information — name, address, date of birth, and similar details. You control how much you share; the platform is designed to match your identity against broker records without requiring you to hand over more data than necessary.

Step 3 — Submit Your Deletion Request

Once your profile is live, you submit a single deletion request. That request propagates to all 500+ registered data brokers. You can return to the platform at any time to check deletion status or update your information if your profile details change.
Time estimate: The full process takes under 15 minutes. The harder wait is for enforcement to kick in — which brings us to the most important date.

The August 1, 2026 Enforcement Deadline

While consumers have been able to submit DROP requests since January 1, data brokers weren't required to process them until August 1, 2026 — the California Delete Act effective date for mandatory compliance.
Starting August 1, every registered data broker must:
  • Access DROP at least once every 45 days to retrieve pending deletion requests
  • Match incoming requests against their records using reasonable identity-matching procedures
  • Delete all associated personal data — including inferences drawn about you — unless a specific legal exemption applies
  • Process and finalize each request within 90 days of retrieval
  • Report compliance status back into the DROP system for each request
Non-compliance carries real financial exposure. Data brokers that fail to process deletion requests face penalties of $200 per request, per day. For large-scale brokers holding data on millions of Californians, that exposure compounds fast. CalPrivacy has made enforcement a stated priority — the Data Broker Strike Force isn't a symbolic gesture.

What Data Gets Deleted?

The scope of what brokers must delete is broader than most people expect. When a valid DROP request is matched, brokers must delete:
  • Identifiers — name, address, phone number, email, IP addresses, device IDs
  • Demographic data — age, gender, race, religion, political affiliation
  • Financial data — income estimates, credit-related information
  • Location data — precise and approximate geolocation records
  • Relationship data — inferred family connections, social network graphs, contact frequency
  • Inferences and profiles — any conclusions drawn about your lifestyle, habits, beliefs, or behavior
That last category — inferences — is significant. Brokers don't just hold raw data points; they build behavioral profiles. The California Consumer Privacy Act data deletion rights under DROP extend to those derived profiles, not just the raw inputs that generated them.

What DROP Can't Do

A few limitations worth knowing before you assume you've gone dark:
California residents only. If you live in another state, DROP is not available to you. No other state has a centralized deletion mechanism equivalent to this one — California passes the Delete Act and stands alone in the US for this kind of systemic enforcement.
Legal exemptions apply. Brokers can refuse deletion if the data is subject to legal holds, required for fraud prevention, or covered by other exemptions written into the regulations. They must document every invoked exemption, but exemptions exist.
First audits are in 2028. The first independent compliance audit cycle under the Delete Act doesn't begin until January 1, 2028. There will be a window between August 2026 enforcement and 2028 audits where self-reported compliance is the norm.
Re-collection is a risk. While brokers must maintain suppression lists, the data broker ecosystem is dynamic. New data points can be collected from third-party sources after deletion. Repeated DROP submissions over time are a stronger long-term strategy than a single request.

If You're Not in California

The honest answer: you don't have the same weapon available to you yet. Other states — like Texas, Montana, and Oregon — have passed data broker registration laws, but none have built a centralized deletion platform. The Delete Act California news has attracted attention from privacy advocates in other states lobbying for similar frameworks, but legislative timelines are slow.
In the meantime, manual opt-out through services like DeleteMe or Privacy Bee, combined with limiting data inputs at the source — using masked emails, privacy-focused browsers, and client-side encrypted tools — remains the operational baseline for non-California residents.
If you're in California, use DROP now. Get your request in the queue. When August 1 arrives, every registered broker is legally obligated to act on it. That's not a right you had two years ago.

Frequently Asked Questions

What is the 72 hour rule in California?

The 72-hour rule in California refers to the data breach notification requirement under the California Consumer Privacy Act (CCPA). Businesses must notify affected California residents within 72 hours of discovering a data breach that exposes their personal information. This is separate from the California Delete Act, which focuses on giving consumers the right to delete their data from data brokers.

What is the new law to delete data in California?

The California Delete Act (SB 362) is the new law that allows California residents to delete their personal data from data brokers. Signed into law in October 2023, it created DROP (Delete Request and Opt-Out Platform), a centralized system where residents can submit one request to delete their data from over 500 registered data brokers. The platform went live January 1, 2026, with mandatory enforcement beginning August 1, 2026.

Is CA DROP legitimate?

Yes, CA DROP is completely legitimate. DROP (Delete Request and Opt-Out Platform) is the official government-built system administered by CalPrivacy (California Privacy Protection Agency). It is accessible at privacy.ca.gov/drop and provides California residents with a single access point to delete their personal information across all registered data brokers in the state.

Did CPRA replace CCPA?

The California Privacy Rights Act (CPRA) did not fully replace the CCPA; instead, it amended and expanded it. Effective January 1, 2023, the CPRA added new consumer rights, created the California Privacy Protection Agency (CalPrivacy) for enforcement, and introduced new requirements for businesses handling sensitive personal information. The CCPA still forms the foundation of California's privacy law, with the CPRA building upon it.

Final Note

Last updated: February 2026. DROP is live at privacy.ca.gov/drop.