Privacy & Information Security Law Blog

On December 17, 2025, the California Privacy Protection Agency (“CPPA”) announced the release of its Enforcement Advisory No. 2025-01 (“Advisory”), reminding data brokers of their obligations under California’s Delete Act. The advisory serves as a reminder of data broker registration requirements and identifies emerging compliance issues.

Under California’s Delete Act, data brokers must register with the CPPA each year and pay an annual fee. Those fees fund California’s Delete Request and Opt-Out Platform (“DROP”). As of January 1, 2026, DROP allows consumers to use a single deletion request to ask registered data brokers to delete their personal information.

Key reminders in the Advisory include:

• Separate Registration of Each Data Broker Entity. Each data broker must register, including subsidiaries of parent companies. Data brokers cannot rely on a parent or affiliated entity’s registration to “cover” them.  
• Trade Names and Websites. Data brokers must list all websites and trade names as part of their DROP account and verify their accuracy as part of registration. They must also ensure the provided website link(s) are accurate and functional, and provide a link to a page on their website (without dark patterns) detailing how consumers can exercise their privacy rights.
• Penalties for Non-Compliance. Data brokers that fail to register may face administrative fines of $200 per day in addition to registration fees and expenses the CPPA incurs in the investigation and administration of the enforcement action.

Data broker businesses can help ensure compliance by taking the following steps:

• Update Trade Names and Website Links. Check that all trade names and website links listed in your registration are up to date and active.
• Entity Structure Audit. Confirm that each legal entity operating a data broker business is registered individually with its own DROP account.
• Review Consumer Rights Page. Ensure the webpage provided at registration is operational and provides an explanation for how consumers can exercise their privacy rights, as required under the law.
• Deadlines. Set internal reminders for the annual January 31 registration deadline.

For more information on California’s data broker registration requirements, see California Expands Data Broker Registration Requirements. For more on California’s Delete Request and Opt-Out Platform, see California’s New Delete Request Tool Impacts Data Brokers and Residents.