Overview
Ahead of its next board meeting, scheduled for March 6 and 7, 2025, the California Privacy Protection Agency (CPPA) released additional proposed regulations, adding to an already full slate, that would amend existing data broker regulations in order to implement the California Delete Act, Cal. Civ. Code § 1798.99.80 et seq. The proposed regulations include specifics regarding the mechanics of a new Delete Request and Opt-out Platform (DROP), the processing of deletion requests, and notification to the CPPA in the event of a data breach associated with a DROP account or system.
Although the CCPA’s automated decision-making technology, artificial intelligence, and cybersecurity audit regulations are under heavy scrutiny and the composition of the agency and its board has undergone changes, the CPPA is showing no signs of slowing. All data brokers should take stock of the newly proposed regulations and assess their readiness to implement them.
In Depth
The Delete Act, enacted in 2023, required that the CPPA establish regulations related to a deletion mechanism that allows a California consumer to request that data brokers delete all non-exempt personal information related to that consumer via a single deletion request to the CPPA.
California consumers must be able to access the DROP by January 1, 2026, and starting August 1, 2026, data brokers will be required to access the DROP every 45 days to obtain and act on consumers’ requests. Where data brokers deny a deletion request because it cannot be verified, they must process the request as an opt out of the sale or sharing of the individual’s personal information.
The proposed regulations would require data brokers (including those not yet registered but required to register) to create a DROP account prior to operating as a data broker, pay a first-time access fee, and access the DROP within 45 days of commencing operation as a data broker, as well as every 45 days thereafter.
Under the proposed regulations, in order to process deletion requests, a data broker will have to download consumer deletion request lists and:
- Compare the consumer identifier information in each consumer deletion list with the applicable consumer personal information in the data broker’s own records.
- Prior to this comparison, standardize the applicable personal information from the data broker’s records.
- After completing the standardization, use the same hashing algorithm provided in the consumer deletion list to hash the consumer personal information within the data broker’s records.
When comparing the data broker’s records to the consumer deletion list, if more than 50% of the unique identifiers match with the same consumer record in the data broker’s records, the data broker must delete all personal information associated with that consumer. The proposed regulations state as an example that if a data broker compares its records with a consumer deletion list that includes name, date of birth, and zip code and only finds a match for the name and zip code with a particular consumer record, the data broker must delete that consumer’s associated personal information because approximately 67% of the individual identifiers match with the consumer deletion list. Based on this example, if a data broker only maintains a consumer’s name, zip code, and date of birth in its records, and there happen to be two California residents who have the same name and reside in the same zip code but have different birth dates, a deletion request from one of those individuals would require the data broker to delete the personal information of the other individual, unless an exemption applies, such as where the data was collected directly from the consumer (i.e., is first-party data). If the data broker associates multiple consumers with a matched identifier from the consumer deletion list, the data broker must opt each associated consumer out of the sale or sharing of their personal information, unless an exemption applies.
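The standardize, hash, and compare steps and the more-than-50% rule described above, worked through as an added Python example (not code from the CPPA, the proposed regulations, or the authors). SHA-256, the normalization rule, per-field hashing, and all field names and records are assumptions constructed for illustration; the run reproduces the two-of-three match from the regulations' example, including the same-name, same-zip case.

```python
import hashlib

def standardize(value):
    # Assumed normalization: trim, lowercase, keep only letters and digits.
    return "".join(ch for ch in value.strip().lower() if ch.isalnum())

def hash_identifier(value, algorithm):
    # Hash the standardized value with the algorithm named in the deletion list.
    return hashlib.new(algorithm, standardize(value).encode("utf-8")).hexdigest()

def match_ratio(list_hashes, record, algorithm):
    # Share of the deletion-list identifiers that this broker record matches.
    if not list_hashes:
        return 0.0
    matched = sum(
        1 for field, digest in list_hashes.items()
        if field in record and hash_identifier(record[field], algorithm) == digest
    )
    return matched / len(list_hashes)

def records_to_delete(entry, broker_records):
    # Records where more than 50% of the identifiers match must be deleted.
    hits = []
    for rec_id, record in broker_records.items():
        ratio = match_ratio(entry["identifiers"], record, entry["algorithm"])
        if ratio > 0.5:
            hits.append((rec_id, round(ratio, 2)))
    return hits

# Constructed broker records: r1 and r2 share a name and zip code only.
BROKER_RECORDS = {
    "r1": {"name": "Jordan Lee", "dob": "1990-04-12", "zip": "94107"},
    "r2": {"name": " JORDAN  LEE", "dob": "1985-11-30", "zip": "94107"},
    "r3": {"name": "Sam Ortiz", "dob": "1990-04-12", "zip": "90012"},
}

# Constructed deletion-list entry for the person behind r1 (hypothetical layout).
ALGO = "sha256"  # assumption; the list itself states the algorithm to use
ENTRY = {
    "algorithm": ALGO,
    "identifiers": {
        field: hash_identifier(value, ALGO)
        for field, value in {"name": "jordan lee", "dob": "19900412", "zip": "94107"}.items()
    },
}

if __name__ == "__main__":
    for rec_id, ratio in records_to_delete(ENTRY, BROKER_RECORDS):
        print(rec_id, ratio)
```

Record r2 is flagged at 0.67 even though its date of birth differs, while r3, which matches on date of birth alone, stays below the threshold.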
The proposed regulations also require a data broker to immediately inform the CPPA in writing through the DROP if there is unauthorized use of the data broker’s credentials or account or a breach of security related to the data broker’s account, the DROP, or information derived from the DROP.
WHAT’S NEXT?
During its board meeting on March 6 and 7, 2025, the CPPA will provide an update on the development and implementation of the DROP and discuss the proposed DROP regulations. Although the agency has yet to initiate the formal rulemaking process for these proposed regulations, companies currently in or planning to enter the data broker space should carefully evaluate their readiness to comply with these proposed regulations.
If you have questions or would like to discuss any issues addressed in this client alert, contact your regular McDermott lawyer or one of the article’s authors.