Data Broker Registry and DROP decisions under the California Delete Act should be written in operational language: who is in scope, what must happen, what evidence proves it, and when escalation is needed.
This page offers practical steps for implementation planning. Confirm legal and policy assumptions before implementation.
Structured answer sets in this page tree.
Cited legal and guidance references.
California's Data Broker Registry lists businesses that meet the state's definition of a data broker, and DROP is the state's Delete Request and Opt-Out Platform for handling deletion requests. This page explains what the registry and DROP are, who must register, what the annual registration and deletion workflow looks like, and which deadlines, evidence records, and review steps teams should track.
Start by confirming whether the business is a data broker under the Delete Act, meaning a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship. If so, the business must register with the California Privacy Protection Agency and use DROP for the deletion workflow that lets consumers send one request to all registered data brokers.
Keep the statutory/regulatory source, threshold calculation, data category, consumer-right workflow, opt-out signal handling, and contract evidence together so California privacy decisions are reviewable.
Ownership should sit with the team that can change notices, rights intake, consent/opt-out interfaces, data sharing, retention, vendor terms, or security evidence, with privacy counsel reviewing edge cases.
Evidence should show threshold calculations, privacy notice language, consumer request handling, GPC processing, sensitive-personal-information controls, service-provider/contractor terms, and risk/cyber/ADMT readiness where applicable.
Most CPRA mistakes happen at the boundary between CCPA and CPRA terminology, sale versus sharing, sensitive personal information, data-broker duties, and draft or phased regulatory requirements.
Review this section before launching a data flow, ad-tech integration, consumer interface, vendor contract, retention rule, risk assessment, or cyber audit control.
Use a CPRA workflow that captures threshold status, data categories, consumer rights, opt-out signals, vendor role, retention logic, risk/cyber/ADMT trigger, owner, and review date.
The output should be a threshold memo, notice update, DSAR workflow, opt-out/GPC implementation record, vendor clause map, risk-assessment intake, or audit evidence pack.
This California Delete Act guide turns turn Data Broker Registry and DROP obligations into owners, evidence requests, review checkpoints, and reusable operating records inside Sorena.
Turn Data Broker Registry and DROP into scoped questions, evidence fields, and review tasks.
Use Research Copilot to answer follow-up questions with cited source material.
Review scope, evidence, owners, and the next compliance actions with Sorena.
"Data brokers must register and pay the annual fee between January 1-31, 2026, through the Delete Request and Opt-Out Platform (DROP)."
"The CPRA amended the CCPA by adding additional consumer privacy rights and obligations for businesses"
"Data brokers must register and pay the annual fee between January 1-31, 2026, through the Delete Request and Opt-Out Platform (DROP)."
"DATA BROKER REGISTRY / DELETE ACT effective 01/01/2026"
"requires the Agency to establish an accessible deletion mechanism"