Calif. Privacy Agency Plans 'A Lot of Testing' on Data Deletion Mechanism
The California Privacy Protection Agency will soon take 15 days of comments on revised draft rules for implementing a data-deletion mechanism under the California Delete Act, the five-person CPPA board decided unanimously during a partially virtual meeting Thursday. The agency expects to extensively test the system to work out any kinks before data brokers start accessing it in August 2026, said General Counsel Philip Laird.
Earlier in the day, CPPA Executive Director Tom Kemp said the agency aims to make its upcoming Delete Request and Opt-Out Platform (DROP) a model that other states could adopt. The CPPA Board also unanimously approved rules on automated decision-making technology (ADMT) and other subjects (see 2507240070).
The CPPA posted the new draft of DROP rules on Tuesday (see 2507220043). In addition, the agency released a grid explaining staff-proposed changes after reviewing feedback from an initial 45-day comment period that concluded last month. The next round of comments will begin when the agency formally issues the revised comments for notice. A CPPA spokesperson said the agency expects to open the comment period "in the next couple of weeks."
DROP is expected to open to consumers Jan. 1 and data brokers on Aug. 1, 2026. To meet the Jan. 1 deadline, the agency must approve final proposed rules and submit them to the California Office of Administrative Law in early November, Laird said at the meeting. The general counsel later added that he expects “a lot of testing” of DROP from Jan. 1 to Aug. 1. “We're going to … open doors to data brokers to start working with them.”
Board member Alastair Mactaggart asked how to ensure a match is made between a consumer requesting deletion and what is in the data broker database, considering that the data broker might have outdated or slightly incorrect information about a consumer. For example, said Mactaggart, “Everybody misspells my last name.”
At the meeting, Laird noted “the complexity of how we're trying to make the system both nimble [and] accurate,” while seeking to “encourage the highest chance of a match between a data broker's records and what a consumer provides us through the state portal.”
“There's a lot of characters [in names] where, if there's an error or a slight difference based on the data broker's records, there may not be a match,” said Laird. However, consumers will also be able to provide an email address as a separate deletion identifier, he said. “So, if I'm a data broker” that possesses names and email addresses, “maybe I didn't get a match on your name because I had a wrong letter or something, but if I have your email address, it'll match, and that deletion request will still have to be fulfilled.”
Laird added that “something as unique as an email address or a telephone number that the consumer will be able to demonstrate through multi-factor authentication” is truly their account will likely be “a reliable indicator that you've matched to that consumer, and therefore you should delete their information.”
Board member Jeffrey Worthe asked how consumers would know if there is or isn’t a match. Laird said DROP will have a “status reporting function” that will allow consumers to come back to check on their deletion request. Requests could be pending for up to 45 days due to the deadline for data brokers to check DROP under the proposed rules, he said. But after that, each broker will report one of multiple possible statuses: (1) they found a match and deleted the consumer’s personal information; (2) they didn’t find a match; (3) they made a match, but the information is exempt under the law, and therefore they didn’t delete anything; or (4) they found multiple matches, “in which case the obligation under the [proposed] requirements is just to opt them out of sale or sharing instead of fully deleting that information,” said Laird.
Worthe followed up, “How do we check that they’re really deleted?” Laird answered that audit requirements will kick in under the Delete Act in 2028. An upcoming CPPA rulemaking before then will address rules to implement the requirement that data brokers engage independent auditors every three years to ensure compliance, the general counsel said.
Earlier this week, Privacy Rights Clearinghouse -- a consumer advocacy group that sponsored the original California Delete Act -- praised the proposed rules’ level of detail about how DROP will function. However, its associate director of policy, Emory Roane, told Privacy Daily that there remain lingering concerns that data brokers could try to shirk deletion requirements (see 2507230033).
The CPPA Board next plans to meet Sept. 26 in San Francisco, members agreed Thursday.