Written by: Haim Ravia, Dotan Hammer
The California Privacy Protection Agency (CPPA) announced that the California Office of Administrative Law has formally approved the regulatory package implementing the Delete Act.
The regulations, effective 1 January 2026, operationalize the California-managed Delete Request and Opt-out Platform (DROP), a centralized mechanism enabling consumers to issue a single deletion request to all registered data brokers. The framework represents a significant evolution in U.S. state-level privacy enforcement, combining individual rights, technical standardization, and supervisory oversight in a manner closer to GDPR-style systemic regulation.
Under the rules, every registered data broker must authenticate into the DROP portal at least every 45 days, retrieve any consumer deletion requests that match their records, and process them within 45 days unless a statutory exemption applies. The broker must delete all personal information associated with the individual, including derived data and inferences, whether obtained directly, acquired from third parties, or generated through profiling. In addition, brokers must maintain internal suppression systems ensuring that once a deletion request has been honored, the individual’s information is not re-collected or repopulated without a new lawful basis.
The regulations impose robust compliance duties: maintaining detailed logs of deletion requests and outcomes; implementing reasonable identity-matching procedures; documenting exemptions invoked; and ensuring vendors or service-providers acting on behalf of brokers also honor DROP-originating requests. The CPPA emphasizes that failure to check the platform within the mandated 45-day intervals constitutes an independent violation, signaling a shift toward continual supervisory expectations rather than episodic enforcement.
For privacy, advertising, analytics, and data-broker stakeholders, the DROP regime materially reshapes operations. It accelerates the transition away from opaque cross-broker data-sharing ecosystems, increases consumer visibility and control, and elevates deletion-governance into a high-frequency operational requirement. Organizations relying on broker-sourced datasets should reassess data-supply continuity, retention schedules, record-keeping, and suppression workflows to ensure contractual and technical alignment with the Delete Act’s requirements.
Click here to read the official CPPA announcement on the Delete Act and DROP Platform regulations.
Click here to read the new Data Broker Registration and Accessible Deletion Mechanism Regulations.
