California Delete Act: What You Need to Know for Compliance

Data privacy laws used to move slowly.

Then California decided consumers should be able to delete their data everywhere… with one request.

That is the reasoning behind the California Delete Act. And if your business touches consumer data in any indirect way, this policy deserves attention.

What Is the California Delete Act?

The California Delete Act (S.B. 362) expands on the foundation set by CCPA and goes straight at one of the biggest gaps in privacy enforcement: data brokers operating behind the scenes.

At the center of the law is a new system called the Data Broker Requests and Opt-Out Platform (DROP).

Instead of submitting deletion requests one company at a time, consumers will be able to:

• Submit a single request
• Send it to every registered data broker
• Keep that request active over time
  
  

Instead of merely handling occasional request, the Delete Act operates in a world where deletion is continuous and centralized.

The DROP System: What Actually Changes

Starting January 1, 2026, consumers can submit requests through DROP.

By August 1, 2026, data brokers must begin processing them.

From that point forward, brokers must:

• Check for new requests at least every 45 days
• Delete consumer data (when applicable)
• Treat requests as opt-outs of sale/sharing, even if identity cannot be verified
• Push those requests downstream to service providers and contractors

The key detail most teams miss is that unverified requests still carry obligations.

Even when deletion cannot be confirmed, the opt-out requirement still applies.

Timeline: What Happens and When

Here is how the rollout has unfolded so far, and what is yet to come:

• October 10, 2023 – Law signed
• January 1, 2024 – Data broker registry opens
• July 1, 2024 – Expanded disclosure requirements begin
• Fall 2025 – Public awareness campaign begins
• January 1, 2026 – Consumers can submit DROP requests
• Spring 2026 – API access becomes available
• August 1, 2026 – Mandatory request processing begins (every 45 days)
• January 1, 2028 – First third-party audit (recurs every 3 years)

This staggered rollout gives companies time while giving regulators a clear runway to enforce.

Who Counts as a Data Broker?

The definition of a data broker is broader than most may think.

A data broker is any business that collects and sells personal data about consumers without a direct relationship.

There is:

• No revenue threshold
• No carve-out for “partial” data sales
• No protection for companies that also collect first-party data

If your business sources data externally and shares or sells it downstream, there is a strong chance it qualifies.

Many companies that never labeled themselves as data brokers are about to discover they are.

Is a DROP Request a Deletion or an Opt-Out?

Both. At the same time.

When a consumer submits a request, data brokers must:

• Delete the data (if eligible)
• Treat it as a Do Not Sell or Share request
• Pass that requirement to vendors and partners

Even if identity verification fails, the opt-out requirement still stands. That alone introduces a new level of operational friction.

What Compliance Looks Like in Practice

This is where things get real.

Compliance is comprehensive. Here’s what both sides need to know. 

For consumers:

• One request replaces dozens (or hundreds)
• Requests stay active over time
• Data brokers can be selected individually or all at once

For data brokers:

• Register every year (January 1–31)
• Monitor DROP continuously
• Process requests within 45 days
• Report outcomes for every request:
  • Deleted
  • Opted-out
  • Exempt
  • Not found

And one important constraint is that you cannot contact the consumer to verify the request. Everything must be handled through the system.

There Is No Grace Period

Most privacy laws give companies time to fix mistakes. This one does not.

Which means:

• No cure period
• No warning requirement
• Enforcement can begin immediately

Enforcement Has Already Started

Even before DROP goes live, regulators have been active:

• Accurate Append fined $55,400 for failing to register
• National Public Data fined $46,000 for registration failures
• Background Alert ordered to shut down operations or pay $50,000

The message is clear: registration and compliance are being monitored now, not later.

Why This Law Hits Harder Than CCPA

CCPA gave consumers rights. The Delete Act gives them scale.

Instead of:

• One request per company
• Manual tracking
• Limited follow-through

We now have:

• One request across the ecosystem
• Persistent enforcement
• Built-in accountability

This turns deletion into a system-level expectation, not a case-by-case workflow.

What This Means for Your Data Strategy

Companies must shy away from referring to this compliance as a “legal team problem” and focus more on the data visibility problem.

To keep up, companies need to answer three questions fast:

• Where is personal data stored?
• Who has access to it?
• Where is it being shared or sold?

Without that, responding to DROP requests every 45 days becomes far too difficult.

How Concentric AI Helps You Keep Up

The Delete Act raises the bar on precision and speed. But Concentric AI Semantic Intelligence helps teams respond without scrambling.

Companies defined as data brokers can now: 

Find the data first
Locate personal data across cloud apps, SaaS platforms, AI tools, and internal systems.

Understand what it is
Classify data by type and sensitivity so deletion decisions line up with regulatory requirements.

Respond accurately
Quickly match consumer requests to the right data across environments.

Automate the process
Apply rules to handle deletion and opt-out requirements without manual effort.

Reduce risk
Limit human error and avoid missed records that lead to penalties.

Save time
Handle high volumes of requests without adding operational overhead.

Don’t Underestimate the California Delete Act

The California Delete Act is easy to underestimate because it sounds like just another privacy update.

The fact is, it rewires how deletion works at scale.

And once DROP goes live, the question shifts quickly: Can you keep up with requests every 45 days… across data you may not fully see yet?