The California Delete Act & iDox.ai: Simplifying Compliance for a New Era of Data Privacy
In an era where personal data is routinely collected, sold, and reused without clear consent, California has taken another bold step toward giving consumers control over their data. The California Delete Act (SB362), signed into law on October 10, 2023, introduces a powerful mechanism to let individuals request the deletion of their personal data from all registered data brokers through a single portal. Building on the legacy of the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), this legislation cements the state’s leadership in data privacy and may soon influence nationwide norms.
What Is the California Delete Act?
The Delete Act requires data brokers that buy, sell, or share personal data on more than 100,000 consumers, or that derive more than 50% of their revenue from selling such data, to register annually with the California Privacy Protection Agency (CPPA). They must now comply with new transparency, audit, and deletion requirements that go well beyond previous privacy laws.
The law rolls out in stages:
- January 2024: Mandatory broker registration started.
- By January 1, 2026, the CPPA must launch the Data Broker Request and Opt-Out Platform (DROP).
- By August 1, 2026, all registered brokers must start honoring consumer deletion requests submitted through DROP.
How DROP Works
DROP is designed to give consumers control over their data. Instead of navigating dozens or hundreds of separate opt-out processes, Californians will soon be able to submit one universal deletion request that data brokers are required to act on. Brokers must:
- Check DROP every 45 days for new requests.
- Delete personal data not just from their own systems but from their service providers’ systems as well, within 45 days of receiving a request.
- Report annually on their compliance efforts.
- Undergo independent audits starting in 2028 to ensure the integrity of their deletion processes.
This proactive enforcement model aims to eliminate the performative opt-outs that many privacy advocates have criticized in the past.
Exemptions and Broker Responsibilities
Not all data is subject to deletion. The Delete Act includes exemptions similar to those in the CCPA, such as:
- Data for completing transactions,
- Legal compliance,
- Security and fraud prevention,
- Employment data in some cases.
But failure to honor valid requests can result in significant penalties of up to $200 per day per violation. Brokers must also provide details of their compliance practices, including audit results, to the CPPA.
Industry Pushback and Real-World Challenges
While privacy advocates are celebrating the law, many data brokers are concerned. Critics argue the Delete Act will impose too much cost, especially on smaller data brokers with limited compliance infrastructure. Others are worried about identity verification and impersonation risks: how can the system be sure a deletion request is legitimate?
High-profile cases have added to the debate. When 23andMe experienced a massive data breach and faced bankruptcy rumors, questions emerged about whether affected users could still exercise their deletion rights and whether a company in financial collapse would have the means to comply.
The Broader Impact: A Shift in Privacy Expectations
Despite the operational challenges, the Delete Act is a significant cultural and regulatory milestone. It shifts the default dynamic from “opt-out-if-you-can-find-how” to “you’re protected unless you say otherwise.” This empowers consumers to:
- Reclaim agency over their digital identity,
- Limit profiling and targeted advertising,
- Reduce the risk of data leaks, misuse, or identity theft.
For businesses, the message is clear: privacy compliance is no longer optional. With DROP, California not only raises the bar for transparency, but it also encourages innovation in privacy infrastructure. Other states may soon follow suit, especially as consumers grow more conscious of data rights.
Preparing for Compliance: Best Practices for Businesses
Any company meeting the definition of a data broker should take proactive steps now:
- Confirm registration with the CPPA.
- Build internal workflows to ingest, validate, and fulfill deletion requests in alignment with DROP timelines.
- Automate compliance with tools for identity verification, data mapping, and deletion auditing.
- Maintain detailed logs of request handling and service provider coordination.
- Prepare for annual disclosures and audits, ideally supported by third-party assessments.
Early adoption of these practices not only reduces regulatory risk but also builds consumer trust and can serve as a differentiator in competitive markets.
Conclusion: A New Era for Data Privacy
The California Delete Act signals a transformative moment for digital privacy. It arms consumers with real tools to manage their online presence and challenges data brokers to evolve. With the DROP platform, the state has reimagined privacy enforcement, moving from fragmented opt-out procedures to a centralized, enforceable deletion system.
While businesses may initially view the new requirements as burdensome, forward-thinking organizations will recognize them as an opportunity. Compliance isn’t just about avoiding fines; it’s about leading with integrity, building trust, and respecting the digital autonomy of individuals in a data-saturated world.
As DROP’s 2026 launch approaches, now is the time for companies to get ahead and for consumers to prepare to take back control.
