Data Broker Audits Are Coming—And CalPrivacy Wants Your Input

04 May 2026
Client Alert

The California Privacy Protection Agency (“CalPrivacy”) has issued an Invitation for Preliminary Comments on a key upcoming requirement under the Delete Act: independent audits of data brokers’ deletion practices. CalPrivacy is accepting comments through May 7, 2026.

While the audit requirements do not come into force until 2028, CalPrivacy is shaping the audit rules now, and data brokers, consumers, and other stakeholders have the opportunity to weigh in on this process.

Delete Act Audit Requirements

Starting January 1, 2028, the California Delete Act will require each data broker registered in California to undergo an audit by an independent third party to assess the broker’s compliance with deletion obligations under the Act. Among other issues, the audits will examine how data brokers respond to requests that consumers will be able to submit through the Delete Request and Opt-Out Platform (“DROP”), a centralized system being established by California pursuant to the Delete Act. DROP will allow consumers to make a single request to delete their personal information across all data brokers registered in California.

CalPrivacy Regulatory Process

Established in 2020, CalPrivacy has the authority to adopt and amend regulations through the California Administrative Procedure Act (“CA APA”) rulemaking process.

CalPrivacy recently finalized regulations implementing key aspects of the DROP system, including data standardization procedures, an exact consumer identifier match requirement for deletion requests, recordkeeping obligations related to such requests, and clarification that the system applies to California residents and requires appropriate verification. The current invitation for preliminary comments builds on this prior rulemaking activity.

If, following this pre-rulemaking process, CalPrivacy opens a formal rulemaking and public comment period under the CA APA, it must complete the rulemaking and submit the regulation to the California Office of Administrative Law within one year from when the notice of proposed rulemaking is published in the California Regulatory Notice Register.

Invitation for Preliminary Comments

In the current request, CalPrivacy is asking stakeholders to weigh in on a number of issues that will shape the audits and will have a significant impact on data brokers’ compliance burden, including the creation and maintenance of records. The questions include, among others:

  1. What credentials, certifications, or independence requirements should third-party auditors possess to ensure they are qualified and sufficiently independent?
  2. What records, documentation, or other evidence would demonstrate in an audit whether a data broker has properly processed consumer deletion requests?
  3. What records should data brokers be required to maintain to explain how they: standardize their data; match their data to requests submitted through DROP; delete information when finding a match while only retaining allowable data; and use the deletion lists solely to compare with any new records to ensure suppression of information about individuals whose data was previously deleted?
  4. What audit practices, methods, standards, or technical tools should CalPrivacy consider adopting to facilitate data broker audits?  
  5. Should there be additional audit requirements for data brokers that use AI or agentic AI systems?

These questions provide an important opportunity for data brokers and others to shape the audit process. CalPrivacy is accepting comments through May 7, 2026. 

We are Morrison Foerster — a global firm of exceptional credentials. Our clients include some of the largest financial institutions, investment banks, and Fortune 100, technology, and life sciences companies. Our lawyers are committed to achieving innovative and business-minded results for our clients, while preserving the differences that make us stronger.
