California DELETE Act (SB 362): Erase Data Brokers

Step-by-step guide to using California’s DELETE Act (SB 362) and CPPA’s DROP tool to erase your data from brokers and stop identity scams.

California DELETE Act (SB 362): Erase Data Brokers

⏱ 10 min read

If you’ve ever Googled your own name and found your home address, phone number, relatives’ names, and even your approximate income listed on sites like Spokeo, MyLife, or Whitepages, you already know how exposed American consumers are. Data brokers buy, sell, and republish your personal information hundreds of times over — often without your knowledge or consent. That exposure isn’t just embarrassing; it fuels identity theft, stalking, SIM-swapping, and targeted phishing scams that drain bank accounts.

California’s Delete Act (Senate Bill 362), signed into law in October 2023, is the most aggressive consumer data-erasure law in the country. Unlike the CCPA/CPRA’s broker-by-broker opt-out model, the Delete Act creates a single, centralized “delete everything” button for every registered data broker in California — a tool called DROP, run by the California Privacy Protection Agency (CPPA). This guide walks you through exactly how the law works, how to use DROP, and what to do right now to lock down your personal data before it’s exploited.

What the California DELETE Act (SB 362) Actually Does

The Delete Act builds on California’s existing 2020 data broker registration law (AB 1202) but adds real teeth. Before SB 362, data brokers only had to register annually with the California Attorney General (registration moved to the CPPA in 2023). Consumers still had to individually contact each broker — sometimes 500 or more — to request deletion under the CCPA/CPRA. That process was so tedious that almost nobody completed it.

SB 362 changes the entire model. It requires:

  1. Mandatory annual registration — Every data broker operating in California must register with the CPPA by January 31 each year, disclosing what categories of personal information they collect (geolocation, biometric data, reproductive health data, etc.) and paying a registration fee. As of 2025, more than 500 data brokers were registered in the CPPA’s public database.
  2. A single deletion mechanism (DROP) — The CPPA must build and maintain the “Delete Request and Opt-out Platform,” a free, centralized tool that lets any California consumer submit one deletion request that applies to every registered broker simultaneously.
  3. Mandatory compliance timelines — Once a broker connects to DROP (required starting August 1, 2026), it must process every deletion request within 45 days, and then re-check the DROP system at least once every 45 days going forward to catch new requests and prevent re-collection of your data.
  4. Real penalties — Brokers that ignore deletion requests face fines of $200 per day, per violation, and the CPPA can conduct compliance audits at least once every three years starting in 2028.

This is a fundamental shift from “consumer must chase 500 companies” to “consumer submits one request, and the law forces the companies to come find it.” You can read the full bill text on the California Legislative Information site and track the CPPA’s rulemaking on the official CPPA website.

How the CPPA’s DROP Platform Works, Step by Step

DROP became accessible to California consumers beginning January 1, 2026, giving residents a direct portal into the state’s data broker registry. Here’s exactly how the process works once you access it.

Step 1: Verify your California residency. DROP is only available to consumers who can attest to being a California resident, since the Delete Act is a California statute (though its practical effects ripple nationally, since most brokers can’t easily segregate California data from everyone else’s).

Step 2: Create a verified consumer account. You’ll need to provide identity-verifying information — typically your name, email, and in some cases a government ID upload — similar to identity verification used by IRS.gov’s ID.me system. This step exists to prevent bad actors from submitting fraudulent deletion requests on someone else’s behalf, or from harvesting the tool for social engineering.

Step 3: Submit a single, universal deletion request. Instead of filling out 500 separate opt-out forms, you check a box that authorizes the CPPA to transmit a deletion request to every data broker currently registered in its database.

Step 4: The CPPA relays your request to all registered brokers. Brokers connected to DROP are legally required to check the system at least every 45 days and process any new requests within that window.

Step 5: Brokers must delete and stop re-collecting your data. This is the part that separates the Delete Act from ordinary CCPA opt-outs — brokers can’t simply suppress your listing and quietly re-acquire your data from a third-party source next quarter. They must also refrain from selling or sharing your data going forward unless you re-authorize it.

Step 6: You can submit a new DROP request periodically. Because new data brokers register every year, privacy advocates recommend resubmitting your DROP request annually, similar to how you’d renew a credit freeze check.

For the latest platform access instructions and verification requirements, monitor the CPPA’s consumer resources page directly, since implementation details were still being finalized through 2025 rulemaking.

What to Do Right Now, Before Relying Solely on DROP

Even with DROP live, you shouldn’t wait passively — the platform only covers brokers registered in California’s system, and enforcement takes time to bite. Here’s your action plan today.

Step 1: Search yourself on the top 10 broker sites. Manually check Spokeo, BeenVerified, Whitepages, MyLife, Radaris, PeopleFinders, Intelius, TruthFinder, US Search, and LexisNexis. Screenshot what you find — this becomes your baseline for confirming successful removal later.

Step 2: File CCPA/CPRA “Right to Delete” requests directly. Under the CCPA (as amended by the CPRA, Cal. Civ. Code § 1798.105), you have the legal right to request deletion regardless of DROP. Most large brokers post a “Do Not Sell or Share My Personal Information” link at the bottom of their homepage — this is required by law. Submit requests through that link or by emailing their designated privacy contact, and keep the confirmation email as proof.

Step 3: Use the CPPA’s public data broker registry to find every company, not just the famous ones. The registry, searchable on cppa.ca.gov, lists every broker required to register — many of which you’ve never heard of, like niche marketing analytics firms and background-check aggregators.

Step 4: Consider a paid removal service for continuous monitoring. Services like DeleteMe and Incogni automate ongoing opt-out requests across hundreds of brokers nationwide (not just California-registered ones), which matters because plenty of brokers operate outside California’s jurisdiction but still expose your data to anyone in the country. These services typically cost $80–$150 per year and provide removal reports every few months.

Step 5: Lock down your voter registration and property records exposure, two major feeder sources for brokers, by checking with your county registrar and assessor’s office about privacy redaction programs for domestic violence survivors or public safety officials, where applicable.

Real-World Example: How Broker Data Fuels Financial Scams

Understanding why this matters requires connecting data broker exposure to actual financial harm. Consider a documented pattern: scammers buy bundled “consumer profile” data from broker aggregators — often for less than a penny per record — that includes full name, date of birth, address history, phone number, and family relationships.

Here’s how it plays out in a typical case reported to the FTC and FBI’s IC3 unit. A scammer purchases a data broker profile showing that “Maria” in Sacramento is 68, owns her home, and has a son named “David” listed at a different address. The scammer calls Maria, spoofing a number to appear as if it’s coming from David’s cell phone, claiming he’s been in a car accident and needs $3,000 sent immediately via Zelle to cover bail or medical costs. Because the scammer already knows David’s name, Maria’s address, and personal details scraped from broker sites, the call feels legitimate. Maria sends $3,000 through Zelle — a payment method that, unlike a credit card, offers no chargeback protection once funds clear, per Zelle’s own security and scam disclosures.

This scenario is precisely what SB 362 targets: the raw material (your personal profile) that scammers weaponize. By deleting your footprint from data brokers, you remove the ammunition scammers need to make these calls convincing in the first place. If you ever send money to a scammer via Zelle or Venmo, report it immediately to your bank, file a complaint with the FTC at ReportFraud.ftc.gov, and file an IC3 report with the FBI — while recovery isn’t guaranteed, fast reporting occasionally allows for fund recalls before the receiving bank releases the money.

Combining the Delete Act With Credit Freezes and Fraud Alerts

Deleting your data from brokers reduces exposure, but it doesn’t erase what’s already sitting in your credit files. For full protection, pair your DROP request with credit freezes at all three bureaus.

Step 1: Freeze your credit with Equifax. Go to Equifax’s freeze portal, create an account, and request a freeze — it’s free under federal law (Economic Growth, Regulatory Relief, and Consumer Protection Act of 2018).

Step 2: Freeze with Experian. Visit Experian’s freeze center and repeat the process; you’ll receive a PIN to lift the freeze later if you apply for credit.

Step 3: Freeze with TransUnion. Do the same at TransUnion’s freeze portal.

Step 4: Set up a fraud alert as a lighter-touch alternative if you don’t want a full freeze — a one-year fraud alert requires lenders to verify your identity before opening new credit.

Step 5: Monitor your Social Security account at SSA.gov to catch unauthorized changes to your earnings record or direct deposit information, a growing target for SSA-impersonation phishing scams.

Together, DROP plus credit freezes plus SSA/IRS account monitoring create layered protection: brokers can’t sell your identity, and even if criminals get partial data, they can’t open new credit lines in your name.

Maintaining Long-Term Privacy After You Opt Out

Data broker removal isn’t a “set it and forget it” task — brokers continuously re-scrape public records, purchase lists, and social media data. Here’s how to stay clean long term.

Step 1: Resubmit your DROP request annually, since new brokers register with the CPPA every January.

Step 2: Re-run manual searches on major broker sites every 3–4 months to catch re-listings.

Step 3: Use a paid monitoring subscription (DeleteMe or Incogni) if you don’t have time for manual checks — these services rescan and refile automatically.

Step 4: Freeze mail-based data leaks by opting out of prescreened credit offers at OptOutPrescreen.com, a joint service of the major credit bureaus.

Step 5: Review privacy settings on data-sharing apps — many broker feeds originate from public social media profiles and marketing consent boxes you unknowingly checked years ago.

Key Takeaways

  • SB 362 (the Delete Act) creates DROP, a single CPPA-run tool letting California consumers request deletion from every registered data broker at once.
  • Data brokers must register annually with the CPPA and, starting August 1, 2026, check DROP every 45 days to process deletion requests or face $200/day penalties.
  • You can act now using existing CCPA/CPRA rights by submitting direct opt-out requests to major brokers like Spokeo, MyLife, and Whitepages.
  • Broker data fuels real financial scams, including Zelle and Venmo impersonation fraud targeting family members using scraped personal details.
  • Pair data broker deletion with credit freezes at Equifax, Experian, and TransUnion for comprehensive identity protection.
  • Services like DeleteMe and Incogni provide ongoing, automated broker removal beyond California’s jurisdiction.
  • Privacy protection is ongoing — resubmit DROP requests annually and monitor for re-listings every few months.

Conclusion

The California Delete Act (SB 362) represents a genuine turning point in consumer privacy protection — for the first time, ordinary Americans have a legal mechanism forcing hundreds of data brokers to erase their information on a recurring, enforceable schedule. But no law works passively. Verify your CPPA DROP account, submit your deletion request, freeze your credit at all three bureaus, and revisit your exposure every few months. Start today: search your name on the major broker sites, file your CCPA opt-out requests, and bookmark cppa.ca.gov so you’re ready the moment new broker registrations post. Your data, your money, and your peace of mind are worth the hour it takes.


About the author

Ryan Mercer — covers digital privacy and consumer security — data broker removal, breach response, and protecting your money online — for everyday US internet users.

Disclaimer: The content on this site is for general informational purposes only and is not legal or professional security advice. Laws vary by state; verify current requirements for your situation.

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *