California privacy rights for data broker removal

In short

California has the strongest data-broker privacy law in the United States. The combined CCPA + CPRA + Delete Act (SB 362) framework gives residents universal deletion rights backed by a dedicated enforcement agency (the CPPA).
DROP is live. The Delete Request and Opt-out Platform, operated by the CPPA, lets you submit one deletion request that every registered data broker must honor. Details at privacy.ca.gov/drop.
If a broker ignores you, file a CPPA complaint at privacy.ca.gov. The agency has fining authority up to $7,500 per intentional violation.

7 min read Last reviewed May 2026 Free scan available

The four California privacy laws you need to know

Most people lump everything into "CCPA," but California's data-broker framework is four interlocking laws. Each plays a specific role.

California Consumer Privacy Act (CCPA)

Cal. Civ. Code §1798.100 to §1798.199 · Effective Jan 1, 2020

The foundation. Established the right to know what personal information businesses collect about you, the right to delete that information, the right to opt out of its sale, and the right to non-discrimination for exercising those rights.

California Privacy Rights Act (CPRA)

Cal. Civ. Code §1798.100 et seq. (as amended) · Effective Jan 1, 2023

Amended and expanded the CCPA. Added the right to correct inaccurate information, the right to limit use of sensitive personal information (precise geolocation, race, religion, sexual orientation, health data), and created the California Privacy Protection Agency (CPPA) as a dedicated enforcement body.

Delete Act (SB 362)

Cal. Civ. Code §1798.99.80 et seq. · Signed Oct 2023, registration began 2024

Requires every data broker doing business in California to register annually with the CPPA. Authorized the CPPA to build DROP (the Delete Request and Opt-out Platform). With DROP, one consumer request reaches every registered broker. The first universal-deletion mechanism in the United States.

California Privacy Protection Agency (CPPA)

Established by CPRA §1798.199.10 et seq.

Not a law per se, but the enforcement body the CPRA created. The first dedicated state privacy agency in the United States. Investigates complaints, issues fines (up to $7,500 per intentional violation), and publishes the broker registry that DROP runs against.

What you can demand of any business that holds your data

Under the combined CCPA + CPRA framework, every California resident has the right to:

Know. What personal information has been collected. Categories, sources, business purposes, third parties shared with. (Cal. Civ. Code §1798.110)
Access. A specific copy of the personal information collected about you in the past 12 months. (§1798.110)
Delete. Have the business delete your personal information, with limited exceptions. (§1798.105)
Correct. Inaccurate personal information. (§1798.106)
Opt out of sale or sharing. Including cross-context behavioral advertising. (§1798.120)
Limit use of sensitive personal information. Precise geolocation, race, religion, health, etc. (§1798.121)
Non-discrimination. Businesses cannot deny goods or services, charge different prices, or provide lower quality because you exercised your rights. (§1798.125)

Response timeline is fixed: businesses must acknowledge a verified consumer request within 10 business days and complete the response within 45 calendar days, extendable once by 45 days with notice. (§1798.130)

DROP: one request, every broker

Before SB 362, exercising your CCPA deletion right against the data-broker layer meant filing 100+ individual requests — one per company. The Delete Act fixed that with DROP.

The way it works:

Every business that meets the SB 362 definition of "data broker" must register annually with the CPPA. The registry is public at privacy.ca.gov.
You go to privacy.ca.gov/drop and submit a single deletion request via the CPPA's DROP portal.
The CPPA forwards your verified deletion request to every registered data broker.
Each broker is legally required to honor the request and delete your data within the CCPA's 45-day window.
Brokers that ignore the request face CPPA enforcement.

DROP is the operational mechanism that makes universal deletion practical instead of theoretical. As of 2026 it is the only such mechanism in the United States. Other states have privacy laws; only California has a one-stop-shop.

DROP handles registered brokers. The unregistered ones are a separate problem. Delist scans both layers.

Run my free exposure scan →

What DROP doesn't cover

DROP is excellent for what it does. It does not cover:

Search engines. Google, Bing, etc. are not data brokers under SB 362 (different statutory definition). Use Google's own removal process — see our Google removal tool.
Brokers that haven't registered. Smaller or non-California-focused brokers may not have registered yet. The CPPA is actively building enforcement, but registration is not 100% in early years.
Non-broker businesses. Companies that hold your data but aren't classified as "data brokers" (e.g., your bank, your former employer) still take individual CCPA requests, not DROP.
Federal-law-protected uses. FCRA-permitted uses (tenant screening, employment background checks, insurance underwriting) continue regardless of CCPA deletion. Use the credit-freeze and FCRA-disclosure rights for those.

How to file a CPPA complaint when a broker ignores you

If a broker misses the 10-business-day acknowledgment or the 45-day fulfillment, or denies a valid deletion request without legal basis, file a complaint.

Go to privacy.ca.gov and find the consumer-complaint form.
Include the business name, the date you submitted your CCPA request, what you requested, and what (if any) response you received.
Attach any documentation — confirmation emails, denial letters, screenshots of the broker's response page.
The CPPA investigates and may open an enforcement action. Fines range up to $2,500 per unintentional violation and $7,500 per intentional violation.

The CPPA has issued enforcement actions and posts press releases on agency activity. Brokers that ignore California residents are increasingly being penalized rather than getting away with it.

How Delist uses California's framework

Delist files CCPA-compliant deletion requests against every broker the scan identifies, escalates to CPPA complaints when brokers miss legal deadlines, and uses DROP for the universal-deletion layer.

For California residents specifically:

We submit your DROP request as part of the standard onboarding flow.
We file individual CCPA requests against non-DROP brokers (unregistered ones, search engines, etc.).
We escalate to CPPA when brokers miss deadlines — with documentation of dates and broker responses.
We monitor re-listings continuously and re-file as needed under the same legal framework.

You can do all of this yourself for free. California's framework is the most consumer-friendly in the US. The whole point of SB 362 was to make exercising these rights feasible. If you want the work handled, that's what we're for.

Frequently asked questions

What is the California Delete Act (SB 362)?

Senate Bill 362, signed into law in 2023, requires every data broker doing business in California to register annually with the California Privacy Protection Agency. The signature provision is a one-stop deletion mechanism called DROP (Delete Request and Opt-out Platform) operated by the CPPA. Any California resident can use DROP to submit a single deletion request that all registered data brokers must honor — instead of opting out individually from 100+ brokers.

How is DROP different from the CCPA?

The CCPA (and CPRA) gives every consumer the right to demand deletion from each business that holds their data, but you have to file separately with each one. DROP is the universal version: one request, all registered brokers must comply. DROP is the operational mechanism that makes SB 362's deletion right scalable.

How do I file a CCPA complaint with the CPPA?

Go to privacy.ca.gov and use the consumer-complaint form. The CPPA accepts complaints when a business has missed CCPA deadlines (10 business days to acknowledge, 45 days to fulfill), refused a valid request, or violated other CCPA provisions. The agency investigates and can issue fines.

What's the difference between CCPA and CPRA?

The CCPA (California Consumer Privacy Act, effective 2020) was the original. The CPRA (California Privacy Rights Act, effective 2023) amended and expanded it: added the right to correct, the right to limit use of sensitive personal information, established the California Privacy Protection Agency (CPPA) as a dedicated enforcement body, and tightened opt-out language. People say "CCPA" colloquially to mean the combined CCPA + CPRA framework.

What if a broker just ignores my CCPA request?

File a CPPA complaint at privacy.ca.gov. The agency has fining authority — up to $2,500 per unintentional violation and $7,500 per intentional violation. The CPPA has issued fines and is actively enforcing. Brokers that ignore CCPA risk substantial liability.