CalPrivacy Seeks Stakeholder Feedback on DROP Audits for Data Brokers


The California Privacy Protection Agency (CalPrivacy) has issued an invitation for preliminary stakeholder comments on proposed regulations governing audits of data brokers’ compliance with the Delete Request and Opt-Out Platform (DROP) under the California Delete Act.

The agency is preparing for mandatory independent third-party audits that begin January 1, 2028, and recur every three years thereafter. These audits will verify that data brokers are properly processing consumer deletion requests submitted through DROP.

Background on the California Delete Act

Under the California Delete Act (Civ. Code § 1798.99.80 et seq.), registered data brokers must undergo an audit by an independent third party to demonstrate compliance with deletion request obligations. CalPrivacy is now seeking early stakeholder input to shape clear and effective audit regulations.

Key Questions for Stakeholder Comments

CalPrivacy is particularly interested in feedback on the following areas:

  1. Auditor Qualifications: What credentials, certifications, or independence requirements should third-party auditors possess to ensure they are qualified and sufficiently independent?
  2. Evidence of Proper Deletion Processing: What records, documentation, or evidence should data brokers maintain to demonstrate they have standardized and hashed data, matched it against CalPrivacy’s lists, deleted matching records (while retaining only allowable data), and used suppression lists correctly?
  3. Audit Practices and Tools: What audit methods, standards, or technical tools (e.g., data analytics or code-review software) should be required? Should requirements differ when data brokers use artificial intelligence or agentic AI systems? Should practices from cybersecurity or banking sectors be adopted?
  4. Improving Match Rates: What audit requirements would help determine whether CalPrivacy should collect additional consumer identifiers (beyond zip code) — such as full address or IP address — to generate higher match rates between DROP data and brokers’ databases?
  5. Submission Requirements: When submitting an audit report to CalPrivacy, what additional materials should be provided at minimum?
  6. Other Considerations: What else should CalPrivacy take into account when developing data broker audit regulations?

How to Submit Comments

Stakeholders have until 5:00 p.m. PT on May 7, 2026 to submit preliminary comments.

  • Email: regulations@cppa.ca.gov (Subject line: “Preliminary Comment – DROP Audits”)
  • Mail: California Privacy Protection Agency
    Attn: Legal Division – Regulations
    400 R St., Suite 350
    Sacramento, CA 95811

All comments submitted will become public records and may be used in future formal rulemaking.

DROP Act Updates

DROP is the nation’s first state-run centralized deletion platform, allowing Californians to submit one request to delete their personal information across hundreds of registered data brokers. The upcoming audit framework will ensure meaningful compliance and help prevent consumer data from lingering in broker databases after a deletion request.

This preliminary comment period is an important opportunity for data brokers, auditors, privacy professionals, AI governance experts, and consumer advocates to help shape practical and effective audit standards.

Give CalPrivacy Your Feedback

CalPrivacy encourages stakeholders to review the full Invitation for Preliminary Comments on the CalPrivacy website. A formal rulemaking process with an additional public comment period will follow if regulations are proposed.
