United States of America: California Privacy Protection Agency proposed rules on data broker registration and accessible deletion mechanism

Description

California Privacy Protection Agency proposed rules on data broker registration and accessible deletion mechanism

On 27 February 2025, the California Privacy Protection Agency (CPPA) proposed amendments to data broker regulations, focusing on the Delete Request and Opt-out Platform (DROP). The proposed rules would revise data broker registration procedures and the management of consumer deletion requests. Under these changes, data brokers would be required to create a DROP account, establish secure login credentials, and follow account security protocols. They would also have to implement security measures and comply with data handling requirements. Consumers would be able to submit deletion requests through the DROP, with residency verification provisions and the ability for authorised representatives to act on their behalf. Data brokers would be expected to update and process consumer deletion lists at least every 45 days to comply with Civil Code section 1798.99.86 and privacy requirements.

Scope

Policy Area: Data governance
Policy Instrument: Data protection regulation
Regulated Economic Activity: cross-cutting
Implementation Level: subnational
Government Branch: executive
Government Body: data protection authority

Complete timeline of this policy change

2025-02-27
under deliberation

On 27 February 2025, the California Privacy Protection Agency (CPPA) proposed amendments to data br…

2025-04-25
in consultation

On 25 April 2025, the California Privacy Protection Agency (CPPA) opened a consultation on proposed…

2025-06-10
processing consultation

On 10 June 2025, the California Privacy Protection Agency (CPPA) closes its consultation on propose…