Delete Request and Opt-Out Platform (DROP)

Under the Delete Act, beginning August 1, 2026, data brokers must access the “accessible deletion mechanism” at least once every 45 days and process consumer deletion requests, subject to limited exceptions (Cal. Civ. Code 1798.99.86(c)). The accessible deletion mechanism allows a consumer, through a single verifiable request, to direct every data broker that maintains any personal information related to that consumer held by the data broker or their service provider or contractor to delete such information.

The Agency has created a website application called the Delete Request and Opt-Out Platform (DROP). You can learn more about the DROP on https://privacy.ca.gov/data-brokers/.

Registration Requirements

The Delete Act requires a business to register annually starting the year after the business started to broker the data of California residents. The definition for “data broker” can be found in Civ. Code § 1798.99.80(c), which relies on the California Privacy Protection Act (CPPA) definition of “business” found in Civ. Code 1798.140(d), and the adopted regulations. To fall under the definition of data broker, a business must knowingly collect and sell to “third parties the personal information of a consumer with whom the business does not have a direct relationship.” The definition of “personal information” can be found in Civ. Code 1798.140(v).

A data broker that fails to register by January 31 may be liable for administrative fines and costs in an administrative action or investigation brought by the Agency (Civ. Code § 1798.99.82(d)).

To stay up to date with information from the Agency and receive information about the newest regulations, requirements, and system updates, sign up for the data broker mailing list.

Instructions on how to register in 2026

Data brokers must register and pay the annual fee between January 1-31, 2026, through the Delete Request and Opt-Out Platform (DROP).

Follow these steps to register:

• Step 1: Create an account in the DROP.
• Step 2: Wait for approval from CalPrivacy. This should take no longer than two business days. You will be automatically notified of your approval via email.
• Step 3: Fill out the registration form with information about your business. Last year the California Legislature expanded annual disclosure requirements with the passage of SB 361. The registration form consists of multiple steps, and your progress will be saved as you go.
• Step 4: Pay the annual registration fee. This year’s fee is $6,000 plus an associated third-party processing fee for electronic payments.

A data broker that fails to register by January 31 may be liable for administrative fines and costs in an administrative action or investigation brought by CalPrivacy (Civil Code § 1798.99.82(d)).

More information can be found on the CalPrivacy website.

After creating a DROP account, data brokers will be required to complete the registration form and remit this year’s fee of $6,000 plus an associated third-party processing fee for electronic payments. Registering data brokers will not be required to begin processing consumer deletion lists until August 2026.

Additionally, California has expanded transparency requirements with the passage of SB 361 in 2025. In addition to basic business information, SB 361 now requires brokers to disclose whether they collect additional sensitive data types—like sexual orientation, union membership, or citizenship status. It also requires data brokers to share what types of personal information they collect, such as mobile advertising identification numbers, basic identification information (like name, email, phone number), and login or account information. SB 361 also requires data brokers to disclose some information about their selling and/or sharing practices, such as whether they’ve shared data with foreign actors, law enforcement, or developers of generative AI systems.

For more information about registering as a data broker, see our recent enforcement advisory on the subject: https://cppa.ca.gov/pdf/enfadvisory202501.pdf

2026 Data Broker Registry

Will be posted after the close of the registration period.

2024, 2025 Data Broker Registry

Find the list of registered Data Brokers on the Data Broker Registry page.

2021, 2022, 2023 Data Broker Registry

The previous data broker registries can be accessed at the Office of the Attorney General's Data Broker webpage.

Important Upcoming Deadlines

By July 1 following the first year a business meets the definition of a data broker, data brokers must collect and report the following information on their website's privacy policy and include a link to this information in the privacy policy:

• The number of consumer requests described below that a data broker received, complied with in whole or in part, and denied during the previous calendar year (2024):
  • Requests to delete personal information;
  • Requests to know or access what personal information the data broker was collecting;
  • Requests to know what personal information the data broker was selling or sharing and to whom;
  • Requests to opt out of sale or sharing of personal information; and
  • Requests to limit the data broker's use and disclosure of sensitive personal information.
• The median and the mean number of days within which a data broker substantively responded to the above requests in the previous calendar year.

Please note that data brokers will need to report these metrics from 2024 to the Agency when they register in January 2026.

Beginning January 1, 2028, and every 3 years thereafter, data brokers must undergo an audit by an independent third party to determine compliance with the requirements under the law and must submit the audit report to the Agency upon the Agency's written request. Beginning January 1, 2029, a data broker registering with the Agency must also disclose whether they have undergone the abovementioned audit and, if so, the most recent year that the data broker has submitted a report resulting from the audit and any related materials to the Agency.

Contact Us

Contact the Agency to join the data broker mailing list or to reach us with questions. We will respond in a timely manner.