California probes data brokers

California's privacy regulator is asking for feedback as it drafts rules to audit data brokers, with a focus on enforcing deletion obligations and downstream handling of consumer records. That signals regulators are moving beyond disclosure requirements to auditable controls that could directly affect firms that buy, transform or resell location signals. (news.bloomberglaw.com)

California just opened the next phase of its privacy crackdown: not just making data brokers register, but asking how to inspect their systems and prove they actually delete people’s records. The California Privacy Protection Agency said on April 8 it is taking comments through May 7, 2026, as it drafts audit rules for the state’s Delete Request and Opt-out Platform, or DROP. (cppa.ca.gov)

A data broker is a company that collects information about people from many sources and sells or shares it even when those people never used the company’s product. California’s registry says that information can include precise geolocation, health-related data, browsing history, and Social Security numbers. (cppa.ca.gov)

California already built a one-stop delete button for this market. Since January 1, 2026, California residents have been able to use DROP to send one deletion request to all active registered data brokers at once. (cppa.ca.gov) The brokers do not have to start processing those requests until August 1, 2026. From that date, they must check DROP at least every 45 days, download deletion lists, erase matching personal information, and report status back to the agency. (privacy.ca.gov, cppa.ca.gov)

The new fight is over proof. In its questions to the public, the agency asks what records should show that a broker standardized and hashed its data, matched it against California’s lists, deleted matched records, and kept any remaining “suppression list” only for blocking future collection. (cppa.ca.gov) That sounds technical, but the idea is simple: if a broker buys a location trail under one identifier, enriches it under another, and resells it in a third format, California wants an audit trail that follows the record through each step. The agency is also asking what evidence would show whether different consumer identifiers, including a full address or Internet Protocol address, would produce more matches than the zip code it currently collects. (cppa.ca.gov)

California is also focusing on who does the checking. The agency asked what credentials and independence rules third-party auditors should have, and whether it should borrow audit methods from banking or cybersecurity, including data analytics and code-review tools. (cppa.ca.gov)

The deadline with real teeth comes later. State law says that beginning January 1, 2028, and every three years after that, each data broker must undergo an audit by an independent third party to test compliance with the deletion rules. (cppa.ca.gov, privacy.ca.gov) That shifts the burden for firms that buy, clean, combine, and resell data. A broker will need more than a privacy policy and a web form if an auditor can ask for match logic, deletion logs, retained suppression files, and evidence about where the data went downstream. (cppa.ca.gov)

California has been tightening this market for years. The agency’s regulations page shows the Delete Act rules took effect on January 1, 2026, and the state now runs a public registry where brokers disclose what categories of data they collect and who they sell or share it with. (cppa.ca.gov, cppa.ca.gov) So this is no longer just a disclosure regime where a broker lists its business model once a year. California is building a system where a resident can press one button, the broker has 45-day processing cycles, and an outside auditor can later test whether the deletion really traveled through the broker’s pipelines. (privacy.ca.gov, cppa.ca.gov)
