How do data broker 'Delete Act' mechanisms work and who is exempt from them?

Checked on January 29, 2026

Executive summary

California’s Delete Act creates a centralized deletion pathway—called the Delete Request and Opt‑out Platform (DROP)—that lets a consumer submit a single verifiable request directing all registered data brokers to delete non‑exempt personal information, and requires brokers to check and process DROP requests at least every 45 days and report standardized outcomes back to the Agency (CPPA/CalPrivacy) [1] [2] [3]. The law builds on the CCPA/CPRA framework, but also carves out statutory and sectoral exemptions (e.g., FCRA, GLBA, HIPAA/IIPPA‑related entities), leaving significant categories of data and actors outside the mandatory deletion path [4] [5] [6].

1. How the one‑stop mechanism (DROP) routes deletion requests and creates auditable records

The CPPA is required to operate DROP as an online, accessible mechanism so a single verifiable consumer request can be transmitted to every registered data broker. Brokers must then report a transaction identifier and the action taken, such as “record deleted,” “record opted out of sale,” “record exempt,” or “record not found,” creating a standardized, auditable trail for regulators and consumers [1] [7] [3]. DROP is designed both to accept submissions from individuals or their authorized agents and to let consumers selectively exclude specific brokers from a universal deletion request or later modify or rescind opt‑out choices [1] [4].

2. Broker obligations, timing, and the verification fallback

Registered data brokers must register annually with CalPrivacy, access DROP at least once every 45 days, and process all verifiable deletion requests within 45 days of receiving them; if a broker cannot verify a request through the mechanism, it must treat the request as an opt‑out of sale or sharing under California privacy law and instruct service providers/contractors to do the same [3] [2] [8]. Brokers must maintain suppression lists of consumers who submitted deletion requests—even if no current match exists—and compare new collections against those lists before selling or sharing the data [3] [6].

3. What must be deleted, what’s retained, and statutory exemptions

When a broker finds a match, it must delete personal information associated with the matched identifier, including inferences derived from third‑party collection. If multiple consumers share an identifier, it must instead opt those consumers out of sale/sharing while retaining minimal compliance data. However, the statute explicitly exempts personal information that is “reasonably necessary” to fulfill enumerated purposes or that falls under other federal/state laws such as the FCRA, GLBA, IIPPA, or HIPAA‑covered activities, meaning much financial, credit, insurance, or health‑regulated information can be withheld from deletion [9] [6] [4] [10]. The regulations also permit a broker to remove someone from a suppression list if the consumer rescinds the deletion request [3].

4. Enforcement, penalties, and practical burdens on brokers

CalPrivacy can audit compliance using DROP’s standardized reporting, and civil penalties can accrue per day for failures to register, process deletion requests, or maintain DROP access. Brokers also face obligations to direct service providers to delete information and to log actions back into DROP, creating significant operational and compliance costs that industry advisors emphasize, while some firms warn about verification burdens and residual liabilities when data flows across contractors and foreign systems [11] [2] [12]. The Agency may charge brokers fees to fund the registry and mechanism, and failure to register or to respond to DROP can trigger administrative fines and investigatory costs [3] [13].

5. Competing perspectives, gaps and likely next fronts of dispute

Proponents frame DROP as a necessary consumer remedy to the fragmented broker ecosystem, arguing a one‑stop deletion mechanism reduces friction and increases oversight [13] [14], while business and legal commentators stress practical limits—verification difficulties, the retention of exempt data under other statutes, and cross‑border/contractor deletion challenges—that could blunt the law’s privacy gains [5] [9]. The reporting establishes what must happen under the Delete Act and DROP, but it does not fully resolve how cumbersome verification or complex service‑provider chains will play out in enforcement actions; those operational details and any future litigation will determine how complete or symbolic the deletions are in practice [8] [11].
