California Delete Act: What Happens August 1, 2026

On August 1, 2026, the most significant data broker regulation in U.S. history takes effect. Every data broker registered with the state of California must begin processing deletion requests submitted through the DELETE Request Online Portal (DROP). Brokers that ignore those requests face fines of $200 per day per request. For the first time, there will be real financial consequences for companies that refuse to delete your data when asked.

That is the good news. The more complicated reality is that only 575 of the thousands of active data brokers have actually registered with California. The rest — including many of the most prolific people-search sites and background check companies — sit outside the system entirely. The August 1 deadline is a genuine turning point, but it is not the finish line.

What the Delete Act Actually Requires

California's Delete Act, formally known as SB 362, was signed into law by Governor Gavin Newsom in October 2023. It directed the California Privacy Protection Agency (CPPA) to build a free, centralized mechanism — DROP — where California residents could submit a single deletion request that would flow to every registered data broker in the state. DROP launched on January 1, 2026.

The law gave brokers a compliance runway. For the first seven months of DROP's existence, brokers were expected to connect to the platform, but there was no enforcement mechanism with teeth. That changes on August 1.

After August 1, 2026, the Delete Act requires every registered data broker to:

• Connect to the DROP platform and accept incoming deletion requests
• Process those requests within 45 days
• Delete the personal information of any California resident who requests it
• Refrain from selling or sharing that person's data after receiving a deletion request

Brokers that fail to comply face civil penalties of $200 per day for every unprocessed request. For a broker receiving even a few thousand requests, that number can reach seven figures within weeks. The CPPA has made clear that it intends to enforce this — the agency has established a dedicated enforcement strike force specifically for data broker compliance.

The Registration Gap Is the Real Problem

Here is where the math gets uncomfortable. California's data broker registry lists approximately 575 brokers. Industry estimates — including those from the data broker industry itself — suggest that thousands of companies meet the legal definition of a data broker in the United States. Many of them handle California residents' data.

The Delete Act requires data brokers to register with the CPPA. Failure to register carries its own penalties. But enforcement against unregistered brokers is a fundamentally different problem than enforcement against registered ones. The CPPA has to find them first, determine that they meet the legal definition, and then pursue them through an enforcement action — a process that takes months or years per company.

Meanwhile, the unregistered brokers continue operating. They are not connected to DROP. They do not receive deletion requests from the platform. They do not face the $200/day penalty because the penalty only applies to requests received through DROP — and they never receive those requests because they are not in the system.

This is not a hypothetical gap. In our six-month review of DROP, we found that some of the most aggressive data brokers — the ones most likely to have detailed profiles on you — had not registered with California. DROP cannot reach them, no matter how strong the August 1 enforcement becomes.

What the CPPA Strike Force Is Doing

The California Privacy Protection Agency is not ignoring the registration gap. CalPrivacy, as the agency is sometimes called, established an enforcement division specifically tasked with identifying unregistered data brokers and bringing them into compliance. The strike force has signaled that it will prioritize high-volume brokers — companies that process large quantities of personal data and have the most significant impact on consumer privacy.

The CPPA has also been working with other state agencies and consumer advocacy groups to identify brokers that should be registered but are not. The process is slow — regulatory enforcement always is — but the direction is clear. The agency is building the infrastructure for sustained, long-term enforcement rather than a single wave of actions on August 1.

For consumers, the practical implication is that August 1 is the beginning of an enforcement ramp, not a moment when everything suddenly works. Registered brokers will face real penalties. Unregistered brokers will face increasing pressure to comply. But the full impact of the Delete Act will take years to materialize as the CPPA works through the backlog of unregistered companies.

What DROP Does — and What It Doesn't

DROP is a genuinely important tool. If you are a California resident, you should use it. We said that in our initial review, and we stand by it. Submitting a single request that goes to hundreds of registered brokers is far better than contacting each one individually. After August 1, that request will have enforcement backing behind it.

But DROP has structural limitations that the August 1 deadline does not fix:

Why This Is Still a Big Deal

None of those limitations should diminish what August 1 represents. Before the Delete Act, there was no mechanism — anywhere in the country — for enforcing data deletion at scale. Consumers had to find each broker individually, submit individual requests, follow up individually, and hope the broker complied. There was no penalty for ignoring those requests beyond the theoretical possibility of a CCPA enforcement action, which the attorney general pursued sparingly.

After August 1, 575 data brokers will face a specific, per-request, per-day financial penalty for ignoring deletion requests. The CPPA has a strike force dedicated to enforcement. The Delete Act created a legal infrastructure that did not exist before — one that other states are now copying and, in some cases, strengthening.

The $200/day/request penalty structure is designed to make non-compliance economically irrational. A broker receiving 10,000 DROP requests that go unprocessed for 30 days faces $60 million in potential fines. Even if the CPPA negotiates that down significantly, the expected cost of non-compliance now exceeds the cost of building a deletion pipeline. That is how regulation is supposed to work.

What You Should Do Before August 1

If you are a California resident, sign up for DROP if you have not already. Over 215,000 people have registered since January, and every additional registrant strengthens the program by creating more requests that brokers must process. After August 1, your request will carry the force of law behind it in a way that it did not before.

If you are not a California resident, DROP is not available to you. But the patchwork of state privacy laws continues to expand. Check whether your state has a deletion mechanism, a data broker registry, or a consumer privacy law that gives you the right to request deletion.

Regardless of where you live, consider what DROP does not cover. Even for Californians, the 575 registered brokers represent a fraction of the companies that hold your personal data. The people-search sites that show your name, address, phone number, and relatives to anyone who searches for you are not all in the system. The background check aggregators, marketing data companies, and most dangerous data brokers that sell your data downstream may not be either.

How GhostVault Complements DROP

We have always been clear that DROP and data removal services serve different functions. DROP is a government-operated, free platform for California residents that sends deletion requests to registered brokers. It is a public utility, and it should exist. We wrote about this in detail in our DROP vs. data removal services comparison.

GhostVault covers the gaps that DROP does not reach. At $3.99/month, we submit deletion requests to 500+ data brokers and people-search sites — including the ones that are not registered with California. We monitor for re-listings and resubmit requests when brokers re-add your data. We provide a live dashboard showing the status of every request, broker by broker, so you know what has been removed and what is still pending.

If you are a California resident, the ideal approach is both: use DROP for its registered broker coverage, and use GhostVault for everything DROP does not reach. If you are not in California, GhostVault is the tool that covers you regardless of state lines or registration status.

August 1 is a milestone. It is the moment that data broker regulation moves from policy to enforcement. But the data broker industry is vast, fragmented, and adaptive. Regulation is catching up. In the meantime, the gap between what the law covers and what you are actually exposed to is where services like GhostVault do the most work.

Frequently Asked Questions

What happens on August 1, 2026 under the California Delete Act?

August 1, 2026 is the enforcement deadline for California's Delete Act (SB 362). Every data broker registered with the California Privacy Protection Agency must begin processing deletion requests submitted through the DROP platform. Brokers that fail to comply face penalties of $200 per day per unprocessed request. The CPPA has established a dedicated strike force to enforce compliance.

How much are the penalties for non-compliance with the Delete Act?

Data brokers that fail to process deletion requests through the DROP platform after August 1, 2026 face civil penalties of $200 per day per request. For a broker receiving thousands of requests, the fines can accumulate into the millions within weeks. The penalty structure is designed to make non-compliance more expensive than building a deletion pipeline.

How many data brokers have registered with California under the Delete Act?

Approximately 575 data brokers have registered with the California Privacy Protection Agency as of mid-2026. Industry estimates place the actual number of companies that meet the legal definition of a data broker in the thousands. The CPPA's enforcement strike force is working to identify and compel registration from brokers that have not yet complied, but the process takes time.

Does California's DROP platform work for people outside California?

No. The DROP platform is exclusively available to California residents. If you live in another state, you cannot submit deletion requests through DROP. Some states have their own privacy laws with deletion rights — see our state privacy law guide — but most do not have a centralized deletion mechanism comparable to DROP. A data removal service like GhostVault covers 500+ brokers across all 50 states for $3.99/month.

Is the DROP platform enough to remove all my personal data?

No. Even after August 1 enforcement begins, DROP only covers the roughly 575 data brokers that have registered with California. It does not cover unregistered brokers, many people-search sites, or background check companies that have not registered. It also does not monitor for re-listings — a common industry practice where brokers re-add your data from new sources after deleting it. A data removal service like GhostVault complements DROP by covering the brokers and sites the platform misses and monitoring for re-listings over time.