In-House Privacy’s Comments to the CPPA Re: SB 362 ‘Delete Act’ Rulemaking on the Subject of the Accessible Deletion Mechanism

In-House Privacy, Inc Comments to the California Privacy Protection Agency (CPPA) Regarding SB 362 ‘Delete Act’ Rulemaking Regarding the Data Broker Registration and Accessible Deletion Mechanism (DROP) 

Introduction: In-House Privacy, Inc (“IHP” or “We”) is a law firm that serves many companies in the advertising and marketing industry. These comments are our own, and do not reflect the opinions of any specific client.  

We respectfully urge the CPPA to consider the following changes to its proposed DROP rulemaking.  

Index 

1. General Policy Considerations 

2. General Technical Considerations 

3. Specific Rulemaking Comments   

I . General Policy Considerations 

These comments encompass areas for the CPPA to consider in conjunction with the rulemaking that are not expressly stated in the rulemaking itself.  

A. Introduce a ‘cure period’ or ‘warning system’ for erroneous  implementation of DROP

Neither the text of SB 362 nor any existing rulemaking indicates whether the CPPA will consider notifying a data broker of an error in its application of the DROP. As the DROP is anticipated to include numerous operational and technical challenges for data brokers as indicated in the comments below, the CPPA should consider a policy to enable data brokers to correct any such errors with its application. These corrections could take the form of either a formal ‘cure period’ which would be a designated period of time, such as the standard 45 days allocated for regular DROP access, and/or a ‘warning’ policy that the CPPA delivers to data brokers who incorrectly applied the DROP with compliance information how to avoid statutory penalties. 

For example, the California Consumer Privacy Act (CCPA) originally required the Attorney General to issue a 30 day cure period during the first two years in which the CCPA was in effect. This cure period was later amended by the California Privacy Rights Act (CPRA) ballot measure, yet still enables the Attorney General to issue any such cure period notices (Stats. 2024, Ch. 121, Sec. 7. (AB 3286)). 

IHP recommends a similar cure period regulation whereby the CPPA will introduce a one year or more cure period and enable data brokers at least 45 days to apply any indicated DROP-related errors following the enactment of the DROP on August 1, 2026.  

B. Exempt Select Data Broker Intermediaries 

The definition of data broker in SB 362 and subsequent regulations does not explicitly exempt business intermediaries that support data brokers where they engage in ‘making available’ third-party data to other businesses.  

In the context of this rulemaking, the CPPA should exempt intermediary businesses that operate under the following criteria: 

1. The business contracts with their clients as designated ‘service providers’ in compliance with the requirements set forth in the CCPA and subsequent rulemakings. In that role, they are instructed by their clients to procure third-party data from data brokers on their behalf.  

2. They do not create or provide any proprietary ‘data products’ that combine or otherwise utilize any data procured on behalf of clients in a manner that gives their business any independent use of the data.  

3. They may receive monetary or other benefits from their services in support of procuring the data broker data, such as fees associated with purchasing media utilizing the data, their labor procuring the data, or payment for services that integrate the data with internal or external applications. However, these intermediaries should not receive a paid commission from data brokers as a ‘reseller’ of the data.

As long as the items above are satisfied, exempted intermediaries would be empowered to procure data broker data on their clients behalf without requiring their clients to execute purchase agreements directly with data brokers, nor would these intermediaries be required to contract with data brokers as their ‘service providers.’      

Below are three potential categories of intermediary businesses: 

1. Advertising or marketing agencies that assist advertisers or marketers with identifying, distributing, and measuring advertising or marketing campaigns. They may procure third party data on behalf of their clients to create lists of prospects to engage with, append demographic information to their client information, or engage in media planning, measurement or market research on their clients behalf.  

2. Software as a Service (SaaS) platforms that provide the software and operational mechanisms to procure and enable their clients to utilize third-party data in conjunction with their SaaS platform, such as cloud hosting, call centers, email or postal service providers, and digital advertising services that do not directly engage in cross-contextual behavioral advertising, such as with data clean rooms, measurement, or media planning activities.      

3. Data marketplaces that are not commissioned ‘resellers’ themselves, but rather promote data broker offerings and are paid to integrate or otherwise use the third party data in conjunction with their SaaS or other services.  

C. Consider Additional Regulations For Newly Acquired Consent

SB 362 does not describe a process where data brokers may continue to process the personal information of DROP-registered CA consumers following their initial application of the DROP, but where the consumer has subsequently re-consented for their data to be sold to data brokers. For example, many consumers enter sweepstakes where the terms of the sweepstakes explicitly require their affirmative consent for the sponsor to sell their personal information to data brokers. Under the existing text of SB 362 and these proposed regulations, there is no express exemption for a new sweepstakes entry or other form of affirmative consent for third party data use to override their DROP registration.

There are numerous regulatory examples where such consent can override previous privacy choice registrations, such as with the federal Telephone Consumer Protection Act (TCPA) and FTC ‘Do Not Call’ (DNC) list where an express written consent for telemarketing (or SMS) can override their DNC registration (47 CFR §§ 64.1200(a)(1)-(3); 16 C.F.R. § 310.4(b)(1)(iii)(B)).

California law includes such a ‘consent override’ with the CCPA and subsequent rulemakings around the personal information use associated with minors, sensitive information, financial incentives, and opt-out preference signals (Cal. Civ. Code § 1798.120(c); Cal. Civ. Code § 1798.121(b); Cal. Civ. Code § 1798.123(b)(3); Cal. Civ. Code § 1798.135(b)(2)).  

A new regulation should be established that in the event that a data broker receives new personal information based on affirmative consumer consent to sell their data to data brokers, that any existing DROP deletion or suppression is inapplicable insofar as the data broker can provide evidence that such consent took place following the consumers DROP registration.  

II. General Technical Considerations 

A. Small Business Considerations 

Many data brokers are small businesses and the current rulemaking imposes significant technical and operational burdens. While we identify many of these technical limitations below, it may be helpful for the CPPA to understand that many of the registered data brokers do not ‘compile’ data themselves, but rather ‘pass through’ data from other data brokers to their clients. They merely source lists on behalf of their clients, potentially combine lists together to create an aggregated audience from multiple sources, and then deliver the list to their clients and/or their representatives. In these situations, these data brokers do not store third-party data for a lengthy period of time, but rather only so long as is necessary to complete their delivery or measurement activities. In many cases, they may not even store the data beyond the 45 day period in which they are required to apply the DROP updates to these lists. As a result, many of the burdens being placed on these entities to access and combine data from the DROP to each of their ‘passed through lists’ every 45 days where they do not maintain any centralized ‘database’ in which to apply the DROP deletions will lead to their creation of a very large suppression file of every DROP registered user that they will store in perpetuity and apply against every new list they procure on their clients behalf. In essence, the ‘DROP’ will not operate as intended to ‘delete’ data, but rather as a suppression file.  

As a result, the regulations should be amended to address ‘pass through’ data brokers who are not ‘compilers’, and consider separate processes for those entities to be exempt from many of the technical requirements in the regulations as indicated below. In summary, the CPPA should strongly consider enabling data brokers to access and apply a simple ‘Do Not Sell’ suppression list instead of requiring the comprehensive ‘deletion’ process specified in the regulations.    

B. Data Broker Representative Agent Designations/Services  

The draft regulations assume that registered data brokers will exclusively process the DROP updates on their own behalf. However, many data brokers utilize service providers to assist with managing their data services. These service providers could be given the DROP account credentials by data brokers to process these updates on data brokers behalf. Further, some data brokers may provide these updates on behalf of other data brokers with whom they sell or manage data on their behalf. 

The CPPA should specify in the DROP account management process an option for data brokers to delegate access to other entities to manage the DROP updates on their behalf.   

C. Pre-Implementation Test Environment 

At least ninety (90) days prior to the August 1, 2026 implementation date, the CPPA should make the DROP available to data brokers in order to test its operational capabilities in advance of the official implementation date. This could be deemed a ‘beta test’ with actual Californians data, or be a ‘test environment’ where synthetic (not actual) data is loaded into the DROP in order for data brokers to attempt to apply it to their systems and provide feedback to the CPPA on operational performance.

D. Explicit Right To Forward Suppression List

SB 362 does not explicitly grant data brokers the right to forward the suppression lists. In order for data brokers to comply with CPRA’s requirement to notify all third parties to whom the business has sold/shared the consumer’s personal information, of the consumer’s request to opt out (Cal. Code Regs. tit. 11, § 7026(f)(2)) or request to delete (Cal. Code Regs. tit. 11, § 7022(b)(3)). 

The CPPA should amend the rules to explicitly grant data brokers the right to pass along suppression lists in order to comply with law. Moreover, passing entire lists would better facilitate consumer wishes. 

E. Limit Data Hygiene and Combination Requirements  

As noted in the comments below, the draft regulations assume that data brokers have the technical capability to modify and match data across disparate data sets. In other words, the CPPA is proposing that data brokers engage in ‘ID Graphing’ or ‘ID Resolution’ services in order to effectuate the DROP updates. The technical requirements for applying the DROP should be designated for the lowest common denominator of data brokers, and not the most sophisticated larger businesses that are capable of such modifications and combinations of data. 

The CPPA should amend some of the requirements requiring data brokers to perform technical data hygiene, data modification, and combinations of data that would be a burden on small businesses and less sophisticated data brokers. In the least, these regulations should be delayed for at least one year following the DROP enactment to give these data brokers time to invest in the necessary technology requirements to comply with these compliance obligations, and/or outsource these technical operations to data service providers or other data brokers on their behalf.

Moreover, requiring data brokers to engage in data combinations may be contrary to the privacy preserving intent of this law because it requires data brokers to be provided with and to process or store more personal information than they otherwise would.

III. Specific Rulemaking Comments

To enhance the proposed regulation and address potential vulnerabilities, we submit the following important considerations for the upcoming discussions.

ARTICLE 2. DEFINITIONS AND REGISTRATION REQUIREMENTS

§ 7601. Definitions.

As previously discussed, we find that the proposed language does not properly contemplate the potential effects on the wide range of businesses that will fall under the regulations:

§ 7601(a). “Access the Delete Request and Opt-out Platform (“DROP”)” 

1. As noted, the CPPA should include the term “or their agent” in association with all references to “data broker” in conjunction with access rights to the DROP.  In addition, the concluding statement “and does not include signing into a data broker’s DROP account without retrieving a consumer deletion list” is potentially misaligned with situations where the DROP may be accessed simply to check on the status of newly updated lists and should be removed for simplicity purposes. 

§ 7601(c). “Consumer deletion list”

1. The title ‘deletion list’ may also be deemed a ‘suppression list’ should the list not be matched, and the CPPA should consider expanding the scope of this definition to include the specific reference to such use as ‘Consumer deletion or suppression list.’.  

2. This definition could be simplified to remove the final sentence “When made available…” which should separate and specifically define each term used, notably ‘hashed format’, ‘transaction identifier’, and hashing algorithm’ separately and each with their own regulatory applications in the mechanism in which the ‘Consumer deletion list’ must be applied. As written, the combination of the definition of the ‘list’ with the extra terminology around the ‘mechanism’ in which the list will be applied adds complexity and confusion.  

3. Privacy-by-design principles indicate that “date of birth” may not be a necessary attribute to be shared in conjunction with the ‘Consumer deletion list’. While it may be necessary for California residency verification, it is not a widely used attribute by the majority of data broker activities and could lead to widespread distribution of additional personal information that a consumer would not expect to be shared by their state privacy agency with hundreds of data brokers on a regular basis.

§ 7601(d). “Direct relationship”

1. This statement should be further clarified with specific exemptions; “A business does not have a “direct relationship” with a consumer simply because it collects personal information directly from the consumer; the consumer must intend to interact with the business.” 

   (i) “Intent” must be accompanied by objective variables that a business can use to defend against potential compliance violations, namely; 

   a) Was the consumer presented with adequate notice and choices about sharing personal information with ‘another business’ that may be operating in conjunction with the website or business owner, notably; 

   i) Through a ‘consent management platform’ (aka; ‘cookie banner’) that presents all of the third party advertising services that may use the visitors’ data for cross-contextual behavioral advertising or other purposes in compliance with a CCPA ‘sale or share’. 

   ii) Through a browser extension or ‘widget’ that presents incentives, coupons or other options for the consumer to interact with while sharing that information with the third party business for monetization purposes. 

   b) Did the consumer sign up for an incentive program, sweepstakes, contest or other third party benefit through the website or business, such as at/following an ecommerce checkout page.  

   c) Did the consumer affirmatively check a box as part of a marketing subscription that included consent for specifically named third party marketing offers with a link to the privacy policy with adequate disclosures about such use. 

§ 7601(g). “Extraneous or special characters”

1. As noted below, this definition should be removed from the regulations at this time. Data brokers should not be required to conduct forensic analysis and data hygiene in their application of the DROP as it is an unnecessary technical burden on small businesses and unsophisticated data brokers. In the least, this requirement should be pushed out a year or more for data brokers to technically prepare for such a requirement.   

§ 7601(i). “Personal information associated with a matched identifier”

1. The reference to ‘inferences’ should be clarified to apply exclusively to ‘individual identifiers associated with the DROP’ and not all ‘personal information’ which could include ‘households’ or other more aggregate associations such as geographic representations. 

§ 7601(j). “Register”

1. The terms include “or its agent” but “Agent” is not defined nor does the regulations describe the scope that an Agent can operate on behalf of a data broker to access and manage DROP updates.  

§ 7601(k). “Registration period”

1. The CPPA should clarify that the ‘registration period’ definition pertains to DROP renewals, and the CPPA should enable new registrants to register at any time, pursuant to the prorated periods and costs indicated in Section 7611.

§ 7601(l). “Reproductive Health Care Data”

1. Point (2) and Point (3) by reference includes the term “or desire to have children” which is quite broad and could mistakenly include behavioral activities or casual correspondence between app users and unknowingly implicate the business or third party advertising services. This reference should be removed or include the terms “knowingly” in conjunction with this data use.     

§ 7602. Registration Submission Requirements.

§ 7602(b). “[Registration must be completed by one with] sufficient knowledge of the data broker’s practices to provide accurate information and otherwise comply with the requirements in section 7603. The employee or agent who registers the data broker must certify under penalty of perjury that to the best of their knowledge the information they submit is true and correct.”

The regulation mandates that the registering party possess both comprehensive knowledge of the data broker's practices and the operational capacity to execute the registration. We recommend separating these requirements by replacing "and" with "or," thereby enabling multiple individuals to contribute to the registration process, provided that the combined knowledge and operational capacity requirements are met. 

Again, as previously stated, the reference to ‘agent’ is not defined nor the scope of the agent’s role in assisting the data broker accessing and managing the DROP updates. 

§ 7602(c). “A data broker cannot amend or withdraw a completed registration after January 31, except as set forth in section 7604.”  

We request the Agency establish clear guidelines for amending completed registrations. Given the complexity of these compliance requirements, particularly for data brokers operating in conjunction with multiple data source partners, the ability to adjust registration details to accurately reflect evolving business practices is crucial. This is especially pertinent considering Section 7603(d), which necessitates granular information regarding personal data categories and specific products or services. Emerging businesses, for instance, may undergo significant business model transformations during their development.

As previously stated, a reference to ‘or agents’ should be added to this section.

§ 7603. Registration Information Requirements.

§7603(b). “All website links and email addresses provided in the registration must be accurate and functioning.”

Website links and email addresses are liable to change as business conditions and strategies change, or as employees join or leave the organization. Data brokers must be required to represent their information only at the time of registration, although the Agency may consider conditioning the limitation with a requirement to amend registrations, when necessary, within a specified period.

(b) All website links and email addresses provided in the registration must be accurate and functioning at the time of submission.

ARTICLE 3. DELETE REQUEST AND OPT-OUT PLATFORM REQUIREMENTS

§ 7610. Delete Request and Opt-out Platform Account Creation.

§ 7610(a)–(a)(2).

The proposed regulations require data brokers to restrict account credentials and access to DROP to persons, including employees, contractors, or other agents, authorized to act on behalf of the data broker. We urge the CPPA to consider enabling business to register as agents to act on the data broker’s behalf by adding “or agents” before “authorized to act on the data broker’s behalf” in Sections 7610(a)(1)(A) and 7610(a)(1)(B). Permitting businesses to act as an agent on behalf of the data broker would ease the burden of compliance for many small businesses or ‘pass through’ data brokers which do not have the resources to manage all DROP requirements. In conjunction with enabling business agents, data brokers should be required to disclose said business agent prior to accessing DROP for the first time; a requirement that could be added in Section 7610(a)(2).

• (a) Prior to accessing the DROP for the first time, a data broker or agent shall utilize the Agency’s website found at www.cppa.ca.gov to create a DROP account. To create an account, a data broker or agent must: 

  • (1) Establish a secure username and password ("credentials") and maintain its account security using reasonable security procedures and practices. At minimum, data brokers must: 

    • (A) Maintain confidentiality of account credentials, and restrict access to its credentials to only persons or businesses authorized to act on the data broker’s behalf;  

    • (B) Restrict access to the DROP, and information derived from the DROP, to persons or businesses authorized to act on behalf of the data broker;

§ 7610(a)(3)–(a)(3)(A).

The regulations as currently drafted contain inherent ambiguities that could lead to the unwarranted penalization of data brokers. Specifically, a contradiction exists between Sections 7610(a)(3) and 7610(a)(3)(A). The former provision states that data brokers need only select a minimum of one consumer deletion list to establish an account, while the latter mandates the selection of all consumer deletion lists that could potentially contain identifiers matching personal information within the data broker's systems. Furthermore, the regulations operate under the assumption that a consumer deletion list will exist for every category of identifiers collected by data brokers. Consequently, data brokers could face penalties for non-compliance in situations where the DROP system fails to provide a relevant deletion list.

To rectify this ambiguity and prevent potential unfair penalties, we recommend that the CPPA consolidate these two sections. The revised provision should explicitly require data brokers to select consumer deletion lists available through the DROP that contain consumer identifiers that they reasonably believe may match with personal information held within the data broker's records. 

Moreover, IHP is concerned that an obligation to select all consumer deletion lists that contain a consumer identifier or identifiers that match to personal information about the consumer within the data broker’s records will be a burdensome obligation for many data brokers who process a wide range of consumer personal information. If a data broker can process the requests from DROP by only accessing a couple of consumer deletion lists then this obligation should be narrowed and data brokers should only be required to access one or two consumer deletion lists.

§ 7610(a)(3)(B).

Additionally, there is significant ambiguity in a data broker’s ‘collection’ of consumer identifiers. The term “collects” could refer to the initial gathering of data, its ongoing storage, or its active processing, and the ambiguity makes it unclear which specific instances the regulations intend to cover. Rather, we propose that in instances where “collects” is used in Section 7610(a)(3)(B), the draft regulations address consumer identifiers as maintained in systems. By specifying this change, the regulations would clarify that they apply to identifiers actively held within a data broker's operational databases, rather than just the initial collection phase.

§ 7610(a)(3)(C). “A data broker may only change its consumer deletion list selection once every forty-five (45) days.”

Mandating rigid limitations with access to consumer deletion list selection, while simultaneously restricting the ability to modify these selections, may result in unnecessary complications when a data broker needs to re-access a list within the 45 day period. Data brokers should have the flexibility to revise consumer deletion list choices as often as necessary to ensure their compliance obligations.

Alternatively, a clear cure period or exemption should be provided for scenarios where personal information matching attempts within the forty-five day window were erroneously omitted from a list.

§ 7611. Data Brokers Who Begin Operating After Registration Period.

We recommend that this Section 7611 be amended to apply to all data brokers under the purview of the regulations, regardless of when they begin operations as a data broker. The current drafted title of this section implies that the section applies only to data brokers that begin operations after January 31 of a given year. However, the proposed language does not support this implication (Cal. Code Regs. tit. 11, § 7611(a)(3)(A) (proposed)), and as such the proposed regulations should be amended accordingly.

§ 7611(a).  

The language ‘Prior to operating as a data broker’ is quite broad, and should be narrowed only to ‘after data broker sales activities have commenced’. As written, any data services business that ‘intends’ to sell data must register even before they actually ‘sell’ any data that they did not collect directly. This could lead to the unintended consequence of many companies being labeled as data brokers prior to registration, with statutory penalties for non-compliance. Moreover, the clause “prior to operating as a data broker” is in conflict with Cal. Civ. Code § 1798.99.82(a) which requires companies to register as a data broker in January where in the preceding year the company met the definition of data broker (“On or before January 31 following each year in which a business meets the definition of data broker as provided in this title, the business shall register with the Attorney General pursuant to the requirements of this section.”) 

§ 7611(a)(2).

Similar to §7611(a), this section should be rephrased to require data brokers to register and access the DROP only after they engage in data broker ‘sales activities’.  

§ 7611(a)(3).

We also urge the Agency to reconsider or clarify that the first-time access fees are exclusively applicable to the year 2026, and that the fee structure for 2027 is subject to review and potential change. Specifically, once the DROP is fully operational, consideration should be given to the possibility of reverting these fees back to their original 2024 fee structure and/or creating a ‘sliding scale’ price structure based on the annual revenue of the business or otherwise in conjunction with the Delete Act enforcement budget necessities.

§ 7611(b).

Moreover, a clear provision needs to be included to exempt data brokers from Section 7611(b) who were operating during 2025 from any retroactive enforcement actions related to unregistered or other potential violations in 2025. This exemption specifically applies to enforcement actions that might be pursued in 2026. This “grace period” ensures that businesses are not penalized for actions taken before the full implementation and understanding of the DROP requirements, particularly in its initial phase.

§ 7612. Delete Request and Opt-out Platform Access.

§ 7612(a). “A data broker must access the DROP to download its selected consumer deletion list(s) at least once every 45 calendar days.”

The term “at least” potentially conflicts with 7610(3)(C) in compliance with maintaining and responding to consumer deletion lists while simultaneously limiting the data broker’s access to such consumer deletion lists. 

(a) A data broker or agent must access the DROP to download its selected consumer deletion list(s) at least once every 45 calendar days. 

§ 7613. Processing Deletion Requests.

§ 7613(a)(1)(A). “Prior to comparing consumer identifier information between a consumer deletion list and a data broker’s records, a data broker must standardize the applicable personal information from the data broker’s records . . . .”

The regulations require that data brokers reformat or create secondary databases to meet the formatting requirements prescribed by the Agency: “use all lowercase letters, including changing names to lowercase” and “remove extraneous or special characters” (Cal. Code Regs. tit. 11, §§ 7613(a)(1)(A)(i)–(ii) (proposed)). The former ‘lower case’ requirement requires minimal effort as it does not change the nature of the email address, but modifying or otherwise removing characters from an email or postal address would impose an undue burden on data brokers, shifting data matching efforts that increase storage, inconsistencies, and security risks. It may also conflict with standard data security practices and existing commercial terms that prohibit data alterations. Moreover, this standardization increases the risk of incorrect data points which may, in turn, decrease match rates. It is recommended to minimize this burden by removing any standardization requirements that would materially change the nature of the consumer information.  

§ 7613(a)(2)–(a)(2)(A).

Section 7613(a)(2) includes a 50% rule that is unduly complicated and that may result in reduced privacy for consumers and unnecessary confusion. For simplicity, a data broker should be able to match any ‘deterministic’ data that precisely matches the data in its systems, but not ‘probabilistic’ data that may be associated with additional records. 

Furthermore, the proposed regulations mandate “the data broker must delete all personal information associated with a matched identifier” (Cal. Code Regs. tit. 11, § 7613(a)(2) (proposed); see also, Cal. Code Regs. tit. 11, § 7613(b)(1) (proposed)). We recommend that, following our previous recommendation, the Agency clarify that such personal information does not include inferences made based on personal information, and instead delete only the specifically enumerated data included in lists. Further, some personal information will be associated with multiple consumers, so the rule should specify deletion of personal data ‘solely or primarily associated’ with the individual on the DROP file.

§ 7613(b)(2).

The regulation mandates forwarding of requests for deletion to all service providers and contractors, but does not require (or enable) the same forwarding to third party businesses including other data brokers.

§ 7613(c).

Section 7613(c) codifies the need for data brokers to maintain a suppression list to run against future consumers in their systems. To comply, data brokers need to continuously maintain and update consumer deletion lists for indefinite periods, as a consumer that submitted a deletion request in 2026 would need to be deleted by the data broker when that consumer’s personal information is collected in 2027. This requirement offers significant data retention, maintenance, and security issues, and directly contradicts principles of data minimization. The Agency presumes that all data brokers will retain consumer deletion lists in a centralized database, which is unlikely for those data brokers that do not maintain such a centralized system. As a result, many data brokers will be required to manually and regularly check the suppression list in perpetuity. Data brokers become responsible for the maintenance and security of another database provided by DROP, and in doing so, become a target for further cybersecurity threats. This may not be such an issue for large enterprise data brokers, but for small businesses, the threat of a cybersecurity event becomes greater. Through the combination of this mandate for the maintenance of a suppression list and the broad definition of a data broker, the Agency risks the antithesis of DROP’s goals: exposing all consumers’ personal information listed in DROP. Since the Agency manages this list in perpetuity, would it not be more reasonable for the Agency to be tasked with managing the suppression list?

Finally, as previously noted, the CPPA should draft regulations that enable data brokers to override the DROP based on affirmative consent of the consumer.  

§ 7614. Reporting Status of Deletion Requests.

Section 7614 of the draft regulations involves mandatory status reporting of deletion requests which creates a significant and material cost burden on data brokers with uploading proof of each deletion before permission to download the most recent consumer deletion list. In practice, this requirement may be so costly and burdensome that it substantially delays data brokers ability to access the next file within the required 45 days. The CPPA should not need specific proof in order to establish that data brokers are in compliance with each record shared, which could come in the form of any complaints and or enforcement actions. More importantly, the Delete Act specifically requires all data brokers systems to be audited for compliance with the DROP in 2028 which will clearly satisfy this requirement.  

We recommend that the CPPA eliminate this requirement from the final regulations, or delay any such reporting requirement to be in conjunction with the Delete Act auditing requirements beginning in 2028. Requiring auditable records associated with DROP reconciliation would be much more manageable for companies and more consistent with analogous regulatory regimes (as with the GDPR, for example), rather than requiring a direct and record level integration with the regulator.

§ 7615. Requirements to Stop Accessing Deletion Requests from the DROP.

Regarding Section 7615, the current draft regulations are ambiguous and appear to contradict earlier provisions. There should be a clear mechanism for an entity to cease utilizing the DROP upon affirming that they no longer qualify as a data broker, without necessitating notification and detailed explanation. Specifically, a straightforward procedure should be established to terminate their DROP account after attestation confirming the cessation of data broker activities.

§ 7616. Additional Data Broker Requirements.

§ 7616(a). “A data broker must only use consumer personal information provided by the Agency, through a consumer deletion list or otherwise, for purposes of complying with Civil Code section 1798.99.86. Selling or sharing consumer personal information provided by the Agency is prohibited.”

This section confusingly contradicts Section 7612(b)(2) which requires that data brokers forward consumer deletion requests to service providers and contractors. While there is a strong public policy that data gathered from DROP should not be sold or shared, we recommend a carve out for compliance with earlier sections.

§ 7616(c). “A data broker shall not contact consumers to verify their deletion requests submitted through the DROP.”

As noted, the CPPA should consider exempting situations where a consumer provides affirmative consent for their personal information to be sold to data brokers, which could include verification of their submission.  

ARTICLE 4. CONSUMER AND AUTHORIZED AGENT DELETE REQUESTS

§ 7620. Consumer Deletion Requests.

§ 7620(a).

The current draft regulation text states “Consumers may be required to have their California residency verified by the Agency prior to submitting a deletion request.” It is imperative that consumers submitting deletion requests in the DROP must be verified as current California residents. Data brokers should have no requirements to verify or determine the residency status of consumers, and the draft regulations do not provide any feedback mechanism for data brokers to question the residency of consumers. The CPPA should revise this draft regulation to ensure that all consumers' residency is verified, and updated each year as well as at any time upon a consumer's request should they forfeit their residency. 

§ 7620(b).

Further in Section 7620(b), the draft regulations inform that consumers “may add personal information to their deletion requests, including date of birth, email address, phone number, and pseudonymous identifiers, such as a Mobile Ad Identifier (MAID).” However, the stated text further states “The Agency may verify such personal information at any time.” The Agency should clarify that consumers may submit multiple email addresses when consumers own and maintain multiple email addresses, but that each email address must be verified through the DROP system before it is available for data brokers to process. 

§ 7621. Authorized Agents.

Much like our prior comments about verifying consumers, we request that the Agency strongly consider that authorized agents must provide written authorization for their agency, and that the CPPA verify such authorizations. Moreover, requiring the authorized agent be verified aligns with the CPPA § 7026(j) “A business may deny a request from an authorized agent if the agent does not provide to the business the consumer’s signed permission demonstrating that they have been authorized by the consumer to act on the consumer’s behalf.”