Privacy Advocate 'Optimistic' About Calif. Agency's Revised Data Deletion Draft
A consumer advocacy group that sponsored the California Delete Act offered a mostly positive assessment of the California Privacy Protection Agency’s latest draft of rules for implementing a data deletion mechanism. Concerns linger that data brokers may try to shirk the requirements, said Emory Roane, Privacy Rights Clearinghouse associate director of policy, in an email to Privacy Daily. However, the CPPA’s new draft answers key questions about ensuring the Delete Request and Opt-Out Platform (DROP) will work effectively when it opens to consumers Jan. 1 and data brokers on Aug. 1, 2026.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
The CPPA posted the new draft of DROP rules on Tuesday (see 2507220043). In addition, the agency released a grid explaining the changes proposed after the initial 45-day comment period that concluded last month. The CPPA Board plans to consider the new DROP draft at its meeting Thursday.
“The agency is getting to the real nuts and bolts of how the brokers will be interacting with the mechanism, how they will be matching consumers that have signed up for the DROP system to their own databases and how they will be effectuating those deletions -- technical challenges that have been a specter of sorts for the system since the original proposal,” said Roane.
However, the consumer advocate said "there's definitely lingering concern that brokers will shirk their requirements, or game the system, or continue to use information that nominally should be retained only for effectuating future deletions … for other uses.”
For instance, he cited a recent Clearinghouse report with the Electronic Frontier Foundation that found many brokers don't register with states (see 2506240069). Still, Roane said Clearinghouse remains “hopeful and optimistic that the additional third party audit requirements and uncapped stipulated damages will empower” the CPPA to “take full advantage of its enforcement responsibilities.”
On the positive side, the new draft addresses one big question about “how the regulations and the mechanism will require that data brokers know who has signed up to be deleted in a way that doesn’t leak the entire sign-up list to every registering broker,” said Roane. “It's been presumed from the start essentially that the solution would require some combination of hashing the consumer information on the DROP mechanism side and the brokers checking those hashes against their own records; but the problem with this approach is that any difference in how the broker stores the consumer information from how the information was given to the agency will cause the hashes to not match."
For example, said the consumer advocate, if a person's last name contains an accent over one letter, but a data broker stores it without the accent, the hash won't match. In that case, a data broker might argue that he lacks the person's information and can't delete it. "We noted early in the process that something would have to be done to make sure that brokers don't game this to avoid their deletion obligations, so it's good to see that the current draft of the regulations has clarified specifically how brokers will be required to standardize their own data so that it is more likely to match with the consumer submitted information.”
On that point, the new CPPA draft clarifies: “If the consumer deletion list that the data broker is comparing to its own records includes multiple identifiers, the data broker must hash each applicable identifier from their records, then combine the multiple hashed identifiers for each consumer into a single identifier, and then hash the combined identifier before comparing to the consumer deletion list. … After hashing each of the identifiers separately, the data broker shall combine the hashed identifiers for each consumer into a single new identifier, without adding spaces or other characters, before applying the hashing algorithm pursuant to (a)(1)(B) of this section to the combined identifier.”
However, Clearinghouse is "less thrilled" about a change that says consumers "will" have their California residency verified by the CPPA before they can submit a request to delete data, said Roane. The previous draft said consumers “may be required" to have that verification.
Changing it to “will” seems to contradict another proposed requirement that the agency "may request substantiating documentation that demonstrates the consumer is a California resident,” said Roane. Besides, he said, it runs counter to "the spirit" of the California Delete Act, "which is designed to be a 'one-click' deletion process that specifically avoids the onerous amount of back-and-forth communications consumers face when attempting to effectuate their [California Consumer Privacy Act] rights with a business directly."