California Advances Delete Act Regulation to Bring One-Click Data Deletion to Millions

Key Takeaways

• New State Tool: Californians will soon be able to delete personal data held by multiple data brokers through a single request via the new state-run Delete Request and Opt-out Platform (DROP).
• Regulations Approved: The Office of Administrative Law has formally approved regulations implementing the Delete Act, effective January 1, 2026.
• Broker Obligations: Starting August 1, 2026, data brokers must check DROP at least every 45 days, delete matching consumer data—including inferences—and report the status within 45 days.
• Long-Term Deletion Duties: Data brokers must maintain an internal record of all deletion requests to ensure permanently deleted data does not re-enter their systems.
• Compliance Impact: The DROP rollout will require significant updates to data governance practices, deletion workflows, and monitoring systems across the data broker sector.

Deep Dive

Californians are about to gain one of the most sweeping digital privacy tools in the country. The California Privacy Protection Agency (CalPrivacy) confirmed at last week’s Board meeting that the state’s Office of Administrative Law has approved regulations to implement the Delete Act, a move that paves the way for a single-click mechanism allowing residents to wipe their personal information from hundreds of data brokers.

The newly approved rules take effect on January 1, 2026, and lay out how consumers will submit data deletion requests through CalPrivacy’s forthcoming Delete Request and Opt-out Platform, or DROP. The agency describes the DROP as a first-of-its-kind, state-run web portal where Californians can request deletion of all personal data held by multiple data brokers at once, rather than navigating dozens or even hundreds of separate opt-out processes.

CalPrivacy says the DROP will open to consumers in January 2026, giving Californians a centralized way to remove personal information and associated inferences collected and sold across the data broker ecosystem.

For the data brokers themselves, obligations begin soon after. Starting August 1, 2026, data brokers will be required to access the DROP at least every 45 days to retrieve and process incoming deletion requests. If they find a match in their records, they must delete all linked personal data unless a statutory exemption applies. They will then have 45 days to report the status of each request back into the DROP.

The regulations also include a future-facing requirement, meaning data brokers must maintain an internal record of all deletion requests to ensure that once information is deleted, it stays deleted. This includes preventing the re-collection or re-introduction of removed data unless the consumer later chooses to provide it again.

Tom Kemp, Executive Director of CalPrivacy, called the regulatory approval a landmark moment for consumer privacy in the state.

“Adoption of these regulations is a major milestone. Californians will soon be able to delete their data from hundreds of data brokers with one simple action,” he said, encouraging consumers to use the tool once available.

The rollout of DROP is a major operational shift ahead of 2026, one that will require updates to data intake, deletion workflows, monitoring processes, and long-term governance of opt-out records. It also marks another example of state-level privacy enforcement continuing to evolve ahead of any federal standard.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.