California approves regulations for data broker deletion platform

The California Office of Administrative Law approved regulations on November 6, 2025 that establish operational requirements for the (DROP) Delete Request and Opt-out Platform, a state-hosted system where California consumers can delete their personal information from multiple data brokers simultaneously. According to the California Privacy Protection Agency, the regulations take effect January 1, 2026, with data broker compliance mandatory starting August 1, 2026.

The Delete Request and Opt-out Platform represents the first state-administered mechanism allowing consumers to submit a single deletion request that reaches all registered data brokers. California residents will gain access to the platform in January 2026 to initiate deletion requests without contacting individual companies. Data brokers must access the platform at least once every 45 calendar days to retrieve consumer deletion lists and process requests.

The regulatory framework defines data brokers as businesses that collect and sell personal information about consumers with whom they have no direct relationship. According to Civil Code section 1798.99.80, businesses meeting this definition must register annually with the California Privacy Protection Agency during January and pay registration fees. The regulations exclude entities covered by the Fair Credit Reporting Act, Gramm-Leach-Bliley Act, Insurance Information and Privacy Protection Act, Confidentiality of Medical Information Act, and Health Insurance Portability and Accountability Act.

Data brokers beginning operations after the registration period must create platform accounts within 45 calendar days of commencing data broker activities. The regulations establish tiered one-time access fees based on when businesses first access the platform during their initial year of operation. A data broker accessing the platform for the first time in January faces a $6,000 fee, while access in December costs $500. These fees include associated third-party payment processing charges not exceeding 2.99 percent.

The platform delivers consumer deletion lists containing hashed identifiers such as email addresses, phone numbers, dates of birth, and mobile advertising identifiers. Data brokers must select all deletion lists containing consumer identifiers that match personal information types they regularly collect. The regulations permit list selection changes only once every 45 calendar days unless the data broker begins collecting additional categories of personal information.

When consumer identifiers match data broker records, businesses must delete all associated personal information, including inferences derived from that information. The deletion requirement encompasses information collected directly from consumers and data obtained from third parties or through "first party" interactions as defined in California Code of Regulations, title 11, section 7001. Data brokers facing multiple consumers matched to a single identifier must opt all associated consumers out of the sale or sharing of their personal information.

Data brokers must standardize consumer personal information before comparing deletion lists to their records. The standardization process requires converting all names to lowercase, removing extraneous or special characters except for non-English language characters and email addresses, formatting dates of birth as eight-digit strings, formatting zip codes as the first five characters, and formatting phone numbers as the last 10 digits without dashes or country codes.

The regulations mandate that data brokers hash consumer personal information using the same hashing algorithm provided in each deletion list. When deletion lists include multiple identifiers, data brokers must hash each applicable identifier from their records separately, then combine the hashed identifiers into a single identifier without adding spaces or characters before comparing to the deletion list.

Data brokers must report one of four status codes for each deletion request within 45 calendar days: "record deleted" when the identifier matched and the data broker deleted associated personal information, "record opted out of sale" when multiple consumers matched the identifier and the data broker opted them out, "record exempted" when all personal information related to the matched consumer qualifies for exemptions under Civil Code section 1798.99.86, or "record not found" when no match occurred.

The regulations require data brokers to maintain suppression lists containing all consumer deletion requests, regardless of whether initial matches occurred. This requirement ensures ongoing compliance when data brokers later acquire information about consumers who previously submitted deletion requests. Data brokers may remove consumers from suppression lists only if the consumer later cancels their deletion request.

Businesses that no longer meet the data broker definition must notify the California Privacy Protection Agency through their platform account within 45 calendar days and explain why they should be removed from the registry. These businesses must delete personal information provided by the Agency through the platform within 30 calendar days after completing registration for the last calendar year they operated as a data broker, or after completing their final audit required by Civil Code section 1798.99.86, whichever occurs later.

The California Privacy Protection Agency transferred administration of the Data Broker Registry from the Office of the Attorney General on January 1, 2024 under Senate Bill 362. Data brokers failing to register by the January 31 statutory deadline face civil penalties of $200 per day for each day they fail to register. Failing to delete consumer information results in penalties of $200 per day per consumer plus enforcement costs.

Starting January 1, 2028, data brokers must undergo independent third-party audits every three years to verify compliance with consumer deletion requirements. Data brokers must retain audits and related materials for at least six years and submit reports to the California Privacy Protection Agency within five business days of written request.

The regulations specify that data brokers cannot sell or share consumer personal information provided by the Agency through the platform. Data brokers must implement reasonable security procedures appropriate to the nature of personal information provided by the Agency to protect against unauthorized access, destruction, use, modification, or disclosure. The regulations prohibit data brokers from contacting consumers to verify deletion requests submitted through the platform.

Tom Kemp, Executive Director of the California Privacy Protection Agency, stated in the November 13, 2025 announcement that adoption of these regulations represents a major milestone. Californians will soon delete their data from hundreds of data brokers with one simple action, according to Kemp's statement.

The Healthline settlement in July 2025 demonstrated enforcement priorities around data sharing practices. The Attorney General's March 2025 investigative sweep into location data industry practices sent letters to advertising networks, mobile app providers, and data brokers appearing to violate the California Consumer Privacy Act.

California consumers can request residency classification review if the Agency cannot verify their residency status. Consumers must submit explanations of how they meet California's resident definition as defined in California Code of Regulations, title 18, section 17014 within 10 calendar days of classification. The Agency may request substantiating documentation demonstrating California residency status.

The regulations establish that consumers consent to disclose their personal information to data brokers for deletion request processing purposes unless they cancel their deletion request. This consent mechanism enables the platform to distribute consumer identifiers to data brokers for matching against their records. Consumers may amend or cancel deletion requests within 45 calendar days after submission.

Authorized agents may assist consumers with deletion requests after consumers verify their residency. The consumer or authorized agent must disclose the authorized agent's full name, email address, and trade name if the agent operates as a business. Authorized agents cannot cancel consumer deletion requests unless expressly directed by the consumer.

The Delete Request and Opt-out Platform differs from deletion requests under the California Consumer Privacy Act in scope and business obligations. Platform deletion requests through Senate Bill 362 are broader than individual deletion requests under the California Consumer Privacy Act and carry distinct requirements for data broker compliance.

The regulations define "direct relationship" to clarify data broker status. A consumer has intentionally interacted with a business for purposes of accessing, purchasing, using, or requesting information about the business's products or services. A business does not have a direct relationship with a consumer simply because it collects personal information directly from the consumer. The consumer must intend to interact with the business.

Business operating as data brokers must comply with all registration requirements during the registration period following the year they begin operating as data brokers. Data brokers cannot amend or withdraw completed registrations after January 31 except as specified in section 7604. Data brokers must confirm at registration that information provided pursuant to section 7610(a)(2) in their platform account is correct or update entries with correct information.

The regulatory text defines reproductive health care data as information about consumers searching for, accessing, procuring, using, or interacting with goods or services associated with the human reproductive system. This includes contraception, pre-natal and fertility treatments, menstrual-tracking applications, hormone-replacement therapy, abortion care, vasectomies, sexual health counseling, treatment for sexually transmitted infections, erectile dysfunction, reproductive tract infections, and precise geolocation information about such treatments. The definition also encompasses information about consumers' sexual history and family planning.

Timeline:

• January 1, 2024: California Privacy Protection Agency assumes administration of Data Broker Registry from Office of the Attorney General under Senate Bill 362
• March 2025: California Attorney General announces investigative sweep into location data industry targeting advertising networks, mobile app providers, and data brokers
• July 1, 2025: California announces $1.55 million Healthline settlement, marking largest CCPA monetary penalty to date
• September 22, 2024: Governor Newsom vetoes AB 3048 requiring opt-out settings in browsers and mobile operating systems
• November 6, 2025: California Office of Administrative Law approves Delete Request and Opt-out Platform regulations
• November 13, 2025: California Privacy Protection Agency announces regulatory approval
• January 1, 2026: Delete Request and Opt-out Platform regulations take effect
• January 2026: California consumers gain access to Delete Request and Opt-out Platform to submit deletion requests
• August 1, 2026: Data brokers must begin accessing platform every 45 days to retrieve and process consumer deletion requests
• January 1, 2028: Data brokers must begin undergoing independent third-party audits every three years to verify deletion compliance

Summary

Who: The California Privacy Protection Agency approved regulations affecting data brokers operating in California and California residents seeking to delete their personal information. Data brokers are businesses that collect and sell personal information about consumers with whom they have no direct relationship. Tom Kemp serves as Executive Director of the California Privacy Protection Agency.

What: The California Office of Administrative Law approved regulations establishing operational requirements for the Delete Request and Opt-out Platform on November 6, 2025. The regulations require data brokers to access the platform at least every 45 calendar days starting August 1, 2026 to retrieve consumer deletion lists and process requests. Data brokers must delete all personal information associated with matched consumer identifiers unless legal exemptions apply. The platform delivers hashed consumer identifiers including email addresses, phone numbers, dates of birth, and mobile advertising identifiers. Data brokers face civil penalties of $200 per day for registration failures and $200 per day per consumer for deletion failures.

When: The regulations take effect January 1, 2026. California consumers can submit deletion requests through the platform starting January 2026. Data brokers must begin platform compliance on August 1, 2026. Independent third-party audits become mandatory starting January 1, 2028 on a three-year cycle. Data brokers must register annually during January with the California Privacy Protection Agency.

Where: The Delete Request and Opt-out Platform operates through www.cppa.ca.gov and applies to data brokers conducting business in California. The regulations implement Senate Bill 362, which transferred Data Broker Registry administration from the Office of the Attorney General to the California Privacy Protection Agency. The California Office of Administrative Law reviewed and approved the regulations. California residents submit deletion requests through the state-hosted platform.

Why: The Delete Act establishes the deletion mechanism to simplify consumer privacy rights exercise. Previously, consumers needed to submit individual deletion requests to each data broker, creating significant barriers to privacy rights enforcement. The centralized platform reduces consumer burden by enabling single deletion requests that reach all registered data brokers. The California Privacy Protection Agency aims to protect consumer privacy rights under the California Consumer Privacy Act. Data brokers collect and sell personal information about consumers without direct relationships, creating privacy concerns that the deletion mechanism addresses. The regulations ensure consistent deletion practices across the data broker industry.