Think You’re Not A Data Broker? California’s Delete Act Might Say Otherwise

The California Delete Act marks a watershed moment for data‑driven advertising, introducing the first statewide registry that treats any entity selling consumer information without a direct relationship as a data broker. By mandating registration and linking it to the Delete Request and Opt‑Out Platform (DROP), the CPPA is shifting the burden of data deletion from consumers to firms. The platform, launched in January, already hosts over 250,000 registered Californians, with a target of one million by August 2026. This centralized system compresses what used to be a multi‑step, weeks‑long process into a matter of minutes, fundamentally altering how privacy compliance is operationalized.

The compliance timeline is unforgiving. Beginning August 1 2026, data brokers must honor every deletion request within a 45‑day cycle, or face a $200 daily fine per missed request. In a worst‑case scenario where a broker ignores just one request for a single day, the penalty could balloon to $200 million, dwarfing the current $200‑per‑day registration fine that caps at roughly $73,000 annually. The law’s definition of a "direct relationship" is narrowly construed, meaning firms that merely embed third‑party pixels on their sites may be classified as brokers despite no explicit consumer interaction. This broad interpretation threatens a swath of ad‑tech players, from DSPs to analytics providers, who have traditionally viewed themselves as service platforms rather than data sellers.

To mitigate risk, firms should engage early with the CPPA’s sandbox environment, which offers technical guidelines and a testbed for integrating with DROP. Building automated pipelines for request ingestion, verification, and deletion will be essential to avoid manual bottlenecks. Moreover, companies must audit their data flows to determine whether they meet the broker criteria and, if so, update privacy disclosures and opt‑out mechanisms accordingly. As California sets a precedent, other states may adopt similar frameworks, making proactive compliance a strategic imperative for any business that monetizes consumer data.