What is the California Delete Act?
Senate Bill 362 — the California Delete Act — was signed into law in October 2023. It amends California's existing data broker registration law (AB 1202) and creates something new: a single, state-operated deletion portal that all registered data brokers must connect to.
The law has been in preparation since passage, with the California Privacy Protection Agency (CPPA) building the required infrastructure. The enforcement date is August 1, 2026.
Before SB 362, California already required data brokers to register with the state and offer opt-out mechanisms. But each broker had its own process — different forms, different timelines, different verification requirements. Getting yourself removed meant submitting separate requests to hundreds of different companies. The Delete Act changes that.
The DROP platform: one portal, all brokers
The centerpiece of SB 362 is DROP — the Delete Request and Opt-Out Platform. DROP is a state-operated system managed by the CPPA. When a California resident submits a deletion request through DROP, that request is automatically forwarded to every data broker registered under California law.
This is a fundamental shift. Previously, opting out was an individual negotiation with each broker. DROP turns it into a broadcast: one request, every broker obligated to act.
How to use DROP: The CPPA is building a consumer-facing portal at the California Privacy Protection Agency website. California residents submit their information, verify their identity, and the request is distributed to all registered brokers. You can repeat the request — and should, since new brokers register regularly.
What data brokers are required to do
Under SB 362, registered data brokers have specific legal obligations once they receive a DROP deletion request:
- Check DROP at least every 45 days — brokers must actively monitor the platform, not wait for direct consumer contact
- Delete all personal information within 45 days of receiving the request — not just suppress or deactivate, but delete
- Direct service providers to delete — if the broker shares your data with downstream vendors, those vendors must also receive deletion instructions
- Maintain suppression records — once your data is deleted, brokers must ensure it isn't re-added from new scrapes
- Confirm deletion to the CPPA upon request
The suppression requirement is critical. Without it, the deletion cycle would be endless: brokers remove your data, re-scrape public records, and re-add it three months later. The law explicitly requires brokers to maintain suppression lists so previously deleted records stay deleted — even when new data is collected.
Non-compliance carries serious consequences. Brokers that fail to process deletion requests face fines of $200 per deletion request per day of violation. At scale, this creates real financial liability for companies that treat opt-outs as optional.
What it means for you as a consumer
If you're a California resident, the Delete Act gives you a meaningful, legally-backed tool for the first time. The practical implications:
- One request covers hundreds of brokers. Instead of submitting 50–200 individual opt-out forms, a single DROP request triggers obligations across every registered broker simultaneously.
- It's not a one-time action. You can and should resubmit through DROP every 45 days — new brokers register, existing brokers add new data sources, and your information resurfaces over time.
- The suppression requirement provides durable protection. Unlike traditional opt-outs that expire, SB 362's suppression mandate means brokers must maintain a record that your data should not be re-listed even after future data collection.
- Enforcement has teeth. The $200/day per-request penalty is high enough to deter non-compliance among larger, registered brokers. This is meaningfully different from states with no penalty structure.
For people who work in law enforcement, healthcare, or advocacy — or for anyone dealing with a stalker or abusive relationship — this is a significant shift. Concentrated removal requests that carry legal weight are a different tool than hoping a broker honors a voluntary opt-out.
What it doesn't cover
SB 362 is the strongest data deletion law in the US. It also has real limits. Understanding them prevents overconfidence in what a DROP request actually accomplishes.
Out-of-state and unregistered brokers
DROP only reaches brokers that have registered with the California state registry. As of early 2026, that's roughly 545 companies. But the broader data broker ecosystem has an estimated 4,000+ operators globally. Many are incorporated outside California, operate internationally, or simply ignore registration requirements. A DROP request does not reach them.
Social media platforms
Facebook, Instagram, X/Twitter, LinkedIn, TikTok — these platforms are not data brokers under California law. They're covered by different sections of CCPA, but SB 362's deletion framework does not apply to them. Your social media data, targeted advertising profiles, and platform-held behavioral data are entirely outside DROP's scope.
Government and public records
Data brokers largely acquire your information from public sources: property records, voter registrations, court filings, business registrations. Those underlying public records are not erased by a deletion request. A broker can be required to remove your data from their product while the underlying county assessor record remains fully public — and available for the next scrape.
Re-scraping from non-registered sources
The suppression requirement helps, but it depends on broker compliance. An unregistered broker — or a registered broker that acquires data through a subsidiary or affiliate — can still re-scrape your information. The suppression mandate is as strong as the enforcement behind it.
The bottom line on scope: A DROP request is a powerful first step for California residents. It won't give you complete erasure. The brokers it doesn't reach — international operators, unregistered companies, social platforms — are often the ones holding the most sensitive data.
How to protect yourself now
The California Delete Act changes the baseline. It doesn't solve the problem. The practical approach for 2026:
- Submit a DROP request as soon as the consumer portal launches (August 1, 2026). Set a reminder to resubmit every 45 days.
- Know your current exposure. Before you do anything else, find out which brokers actually have your data. A free scan gives you a realistic picture of where you stand today — not where you'll be after a theoretical request goes through.
- Don't rely on DROP alone. The 3,500+ brokers outside California's registry still need individual opt-outs or automated removal. DROP handles the registered layer; the unregistered layer requires separate action.
- Plan for re-scraping. Data brokers re-index public records on 45–90 day cycles. Even after a successful deletion, your information will reappear unless you have ongoing monitoring and re-removal in place.
The Delete Act is a genuine improvement. It raises the cost of non-compliance for California-registered brokers and gives consumers a centralized lever they didn't have before. But it's one piece of a larger picture — and removing yourself from the internet in 2026 still requires persistent, automated action beyond what any single law provides.
See where your data is right now.
Run a free scan across 20 data broker and people-search sites. No signup required. Know your exposure before August 1.
Run Your Free ScanThe bottom line
SB 362 is the most consequential consumer data privacy law passed in the United States. For California residents, it creates a single deletion mechanism with legal weight behind it — something that didn't exist before.
What it doesn't do: cover the majority of data brokers operating globally, reach social media platforms, erase underlying public records, or eliminate the re-scraping cycle that brings your data back every few months.
Use the DELETE Act. Submit through DROP. Resubmit regularly. And pair it with continuous monitoring, because the brokers outside California's registry aren't going anywhere.