California built something no other state has: one button that erases your data from hundreds of data brokers at once. It's called DROP, and it went live for consumers in January 2026. If your business buys or sells personal data about people it has no direct relationship with, the Delete Act behind DROP is now one of the busiest enforcement areas in US privacy law.
Here's what the Delete Act requires, how DROP actually works, the deadlines landing in 2026, and how to tell whether your business is caught by it.
What the Delete Act is
The Delete Act, passed in 2023, built on California's existing data broker registration law and handed oversight to the California Privacy Protection Agency (CPPA). It does two things: it tightens the registration rules for data brokers, and it creates a state-run platform that lets consumers opt out of every registered broker in one step.
A "data broker" under California law is a business that knowingly collects and sells the personal information of consumers it does not have a direct relationship with. That direct-relationship carve-out is what separates a broker from an ordinary retailer selling its own customers' data. If you're aggregating and reselling data about people who never interacted with you, you're probably a broker.
Registration: annual, with real fees
Data brokers have to register with the CPPA every year by January 31, disclose specified information about their practices, and pay an annual fee (about $6,600) that funds the state's Data Broker Registry. Miss the deadline and the penalty accrues for each day you're late, so an unregistered broker racks up liability continuously instead of facing a single fine.
A 2025 amendment, SB 361, expanded what brokers must disclose starting January 1, 2026. Brokers now have to say whether they collect extra sensitive categories such as sexual orientation, union membership, or citizenship status, and whether they've shared data with foreign actors, law enforcement, or developers of generative AI systems. The disclosure list keeps getting more granular for a reason: regulators want to see where sensitive data ends up.
How DROP works
The Delete Request and Opt-out Platform (DROP) is a first-of-its-kind, state-hosted site where a California resident files one deletion request that reaches every registered broker. The consumer confirms California residency, gives basic identifying details (name, date of birth, phone, email), and submits. California consumers have been able to file through DROP since January 2026.
For businesses, the timeline steps up in August. Starting August 1, 2026, every registered data broker has to check DROP at least once every 45 days, match incoming requests against their records, and delete all personal information tied to a match, inferences included, unless a legal exemption applies. Then they report the status of each request back in the platform. The CPPA has said plainly that failing to check DROP on the 45-day cycle is its own violation. The CPPA's DROP regulations spell out the system requirements.
Enforcement is already active
None of this is theoretical. In November 2025 the CPPA stood up a dedicated Data Broker Enforcement Strike Force to go after brokers that fail to register and comply, building on an earlier investigative sweep. In January 2026 it announced a fresh round of actions against unregistered brokers. Registration is one of the easiest violations to prove: you're either on the public registry or you're not, and the Delete Act sets a penalty of $200 for every day a broker fails to register. Those daily amounts pile up fast, which is why the agency treats non-registration as low-hanging fruit and keeps landing settlements rather than fighting one-off cases.
How this connects to your website
Even if you're sure you're not a data broker, DROP shifts the ground under your ad tech. A lot of the third-party vendors that read data from your site, the ones your consent banner governs, are registered brokers, and they now have to honor mass deletion requests. That raises the stakes on where your visitor data ends up. Share data with a partner that turns out to be an unregistered broker and you inherit the reputational and contractual fallout when the CPPA comes knocking. So check that your advertising and analytics partners are properly registered. Tighten the contracts that govern what they can do with the data you send them. That's ordinary consent hygiene now, not a separate legal project.
Are you a data broker?
Plenty of businesses are surprised to learn they qualify. Ask three questions. Do you collect personal information about people? Do you sell or share it? Do at least some of those people lack a direct relationship with you? Three yeses and you probably meet the definition. Lead-generation companies, ad tech intermediaries, list vendors, and analytics firms that resell data commonly land in scope. Selling your own customers' data doesn't make you a broker on its own, but mixing in data about non-customers can.
If you're unsure, lean cautious. The CPPA's data broker registry page spells out the criteria, and registering costs far less than the penalty that accrues while you skip it.
What to do now
- Determine your status against the direct-relationship test, and write down the analysis.
- Register by January 31 if you're a broker, and budget for the annual fee.
- Build a DROP workflow that pulls requests at least every 45 days from August 1, 2026, deletes matches including inferences, and reports status back.
- Map your data flows so you know what SB 361 now makes you disclose, especially any sharing with AI developers or foreign recipients.
- Tighten your upstream consent. Honoring opt-outs and Global Privacy Control at the point of collection cuts how much broker-eligible data you hold in the first place.
For the wider enforcement picture, see our California enforcement guide, and for how deletion fits into consumer rights generally, our guide on handling data subject requests.