The Delete Act: CalPrivacy Seeks Input on Data Broker Audit Requirements
The California Privacy Protection Agency (CalPrivacy) is soliciting comments regarding data broker audit requirements under the Delete Act, as it considers adopting regulations to clarify and further specify the audit requirement for processing deletion requests. Starting in 2028, data brokers will be required to undergo an audit by an independent third party every three years to determine compliance with the Delete Act and to report the results to CalPrivacy. CalPrivacy’s solicitation of comments signals that the agency intends to develop detailed, prescriptive standards—covering everything from how data brokers demonstrate deletion to auditor qualifications and reporting requirements—that could set a benchmark for data broker regulation nationwide.
Background on the Delete Act
In October 2023, California enacted the Delete Act, which requires data brokers to register with the state and which mandated that CalPrivacy develop a universal data deletion mechanism by January 1, 2026. That tool, known as the Delete Request and Opt-Out Platform (DROP), enables California consumers to submit a single, verified request through the platform, which directs all 500+ currently registered data brokers to (1) delete the consumer’s personal information and (2) cease selling or sharing that information, eliminating the need to contact hundreds of companies individually.
The implications of the Delete Act are significant. The $200-per-request-per-day fine structure means that a data broker sitting on even a modest backlog of unprocessed deletion requests can accumulate substantial liability over time. The Delete Act’s downstream deletion requirements expand a data broker’s compliance burden and legal risk beyond its own databases, effectively making each data broker responsible for policing its vendor chain. Taken together, these provisions make non-compliance a compounding liability rather than a one-time penalty, giving data brokers a strong financial incentive to build robust, timely deletion workflows from day one.
Current Requirements
Beginning August 1, 2026, data brokers must access DROP at least once every 45 days to process any relevant requests, and all requests must be processed within 45 days of receipt. Data brokers can only deny requests if the requestor’s identity cannot be verified, and, even then, denied requests must be processed as if the individual opted out of the sale and sharing of their personal information. Unlike other state privacy laws, which generally only require covered entities to review and delete the personal information they hold themselves, the Delete Act contains downstream requirements that instruct data brokers to direct related third parties, such as service providers or contractors, to also delete the consumer’s personal information in their possession.
With these stringent requirements, it is crucial for data brokers to stay abreast of DROP requests, as data brokers that fail to comply with the Delete Act face strict cumulative fines. Those that fail to register are fined $200 for each day the data broker remains unregistered, along with reasonable expenses incurred by CalPrivacy in its investigation and enforcement against the data broker. Additionally, data brokers are fined $200 per deletion request for each day the data broker fails to delete personal information as required.
Starting in 2028, data brokers will be required to undergo an audit by an independent third party every three years to determine compliance with the Delete Act and to report the results to CalPrivacy.
CalPrivacy Priorities and Future Regulation
CalPrivacy’s comment process is intended to assist the agency with its preliminary rulemaking process related to data broker audit requirements, and it indicates that further regulation and more detailed requirements for data brokers in their auditing and reporting processes are to come.
Questions posed by CalPrivacy when soliciting comments focus on:
- How data brokers may properly demonstrate that they have processed deletion requests;
- What requirements a third-party auditor must meet to be deemed qualified and independent;
- What methods and tools CalPrivacy should adopt as requirements for data broker audits; and
- What materials should be submitted when brokers report their audits. Currently, the Delete Act only requires that data brokers submit the “report resulting from the audit and any related materials” to CalPrivacy, “within five business days of a written request.”
These areas of focus signal CalPrivacy’s regulatory and enforcement priorities going forward. Data brokers and the service providers and contractors that support them should expect heightened scrutiny of their data practices as CalPrivacy moves toward formal rulemaking.
Conclusion
The Delete Act marks a meaningful shift in how California regulates the data broker industry. With DROP’s operative requirements taking effect on August 1, 2026, data brokers will need to establish reliable processes for accessing DROP, responding to deletion and opt-out requests within mandated timeframes, and communicating with their service providers and contractors to fulfill their downstream obligations. The Delete Act’s cumulative fine structure raises the stakes for noncompliance, making timely and thorough responses to deletion requests a business imperative rather than a best practice.
Looking further ahead, CalPrivacy’s solicitation of comments on audit requirements signals that the regulatory framework is still evolving, with additional guidance and more prescriptive standards likely on the horizon. Data brokers and the service providers and contractors that support them should use the time before these requirements take effect to evaluate their data practices, build scalable deletion workflows, and prepare for heightened regulatory scrutiny in the years to come.
