04/04/2025

As with many other areas of privacy law, it is not surprising that California continues to lead the nation in regulating data brokers – from promulgating new regulations to issuing a cluster of recent settlements. Therefore, it is crucial for companies to confirm whether they are subject to the Delete Act and pay careful attention to the registration and other regulatory requirements.

In addition, with the Delete Act’s requirements related to the DROP (Delete Request and Opt-out Platform) mechanism coming into effect on Jan. 1, 2026, companies need to begin preparing now to intake requests.

What is the Delete Act?

Since 2019, California has required data brokers to register with the attorney general. In 2023, the Delete Act was passed, modifying the data broker registration law and imposing additional requirements. Specifically, the Delete Act requires data brokers to (1) provide additional information regarding their collection of three highly sensitive data types (minors’, precise geolocation and reproductive healthcare), (2) compile and provide metrics regarding opt-out requests received, and (3) participate in a new deletion mechanism. This mechanism will allow consumers to submit an opt-out request to all registered data brokers simultaneously.

Effective Jan. 1, 2024, the Delete Act also shifted the responsibility of maintaining and administering, as well as rulemaking authority over, the California data broker registry to the California Privacy Protection Agency (CPPA).

Settlements

As of March 10, the Enforcement Division of the CPPA has announced six different data broker settlements as part of the ongoing investigatory sweep announced last October. At that time, former CPPA Executive Director Ashkan Soltani had forewarned: “It’s crucial for data brokers to register with our agency so the public can be informed and empowered to exercise their rights. And starting in 2026, these rights will be even stronger with the new deletion mechanism.”

All the settlements to date have focused on a failure to timely register; however, the latest settlement, approved on Feb. 26, included additional findings and involved a data broker, Background Alert, that allegedly drew inferences from public records to identify people who “may somehow be associated with” a searched-for individual and identified patterns to generate profiles about consumers. While this is the first time “inferences” has been the subject of a settlement by the CPPA, the interpretation that “inferences” could be personal information – even if derived from publicly available information – is not new. This categorization is consistent with previous guidance from California Attorney General Rob Bonta regarding disclosing inferences in response to a right-to-know request. Significantly, as part of the settlement, Background Alert must cease operating as a data broker for three years – the most severe penalty to date in this recent string of data broker enforcement actions.

Rulemaking and CPPA board meeting

Along with the slew of settlements, the CPPA has been busy proposing amendments to the Delete Act’s regulations. These changes include:

During the CPPA board meeting, board members indicated that they were on track to meet the Jan. 1, 2026, rollout date for the DROP mechanism and that the board was exploring using login.gov as the verification provider (the same verification provider for other California agencies, such as the Department of Motor Vehicles). Lastly, the CPPA board voted in favor of moving the latest Delete Act draft amendments to formal rulemaking.

Current industry landscape

On March 3, the CPPA released the 2025 data broker registry list. Notably, the number of registered data brokers is slightly down compared to last year, due perhaps in part to the recent increase in the registration fee (previously $400, currently $6,600). During the CPPA board meeting, attorneys for the agency explained that businesses provided different possible reasons for no longer registering: (1) They sold or shuttered that part of their business, (2) they no longer broker personal information in California, or (3) they had originally registered out of an abundance of caution but reevaluated their position in light of the fee increase.

At the Annual California Lawyers Association Privacy Law Summit (CLA Privacy Summit) held Feb. 27 and 28 and during the March 7 CPPA board meeting, commentators scrutinized and discussed the higher registration fee (which agency attorneys assert is necessary to fund development of the DROP mechanism). In particular, public comments and CLA Privacy Summit panelists echoed concerns that (1) data brokers cannot necessarily afford such a high fee, and (2) the broad definition of “data broker” ensnares a variety of businesses, including companies that purchase data and further sell that data downstream, that would not traditionally be viewed as data brokers.

Looking forward

Data brokers will continue to receive scrutiny from both regulators and consumers. Businesses should determine whether they need to register as a data broker, register as a data broker (if applicable) or document why they are not required to register, and take steps to prepare for compliance with the DROP mechanism.

