California Privacy Protection Agency outlines Delete Act operational requirements via DROP, including Aug 1, 2026 cadence to process deletion requests every 45 days and annual registration due Jan 31

California’s privacy.ca.gov data brokers page describes operational compliance obligations under the Delete Act, including use of the Delete Request and Opt-out Platform (DROP). It specifies that data brokers must register annually (registration due Jan 31 via DROP) and, starting Aug 1, 2026, must process DROP deletion requests on a 45-day cycle (e.g., download hashed identifier lists, delete matching personal information, and report status). The guidance also notes pass-through of deletion requests to contractors/service providers and maintaining suppression processes. This is directly relevant to vendor privacy governance where organizations operate as data brokers or contract with data brokers and need contractual/technical mechanisms for deletion request pass-through and periodic processing.