California DROP Act (CPRA) 2026: Compliance Requirements and DSAR Automation
California just made consumer privacy deletion requests unavoidable at scale. Starting August 1, 2026, every registered data broker must connect to a state-operated platform, retrieve consumer deletion requests every 45 days, and process them—automatically, verifiably, and repeatedly. Miss a deadline and face $200 per-request daily penalties. Fail to propagate deletions to vendors and face enforcement scrutiny that has already produced settlements exceeding $1.5 million.
The Delete Act, its DROP platform, and the CPRA obligations that take effect alongside them in 2026 are not a compliance checkbox. Together they form an operational infrastructure requirement that exposes every gap in how your organization handles data subject requests today. This guide explains what the California Delete Request and Opt-out Platform (DROP) requires, how DSAR obligations have expanded under CPRA, why manual processes collapse under this framework, and how Secure Privacy DSAR closes the gaps regulators will be examining.
What Is the California DROP Act Under CPRA?
The California Delete Act—formally Senate Bill 362, signed into law October 2023—addresses a structural weakness in California's existing privacy framework. The CCPA and CPRA gave consumers the right to delete their personal information, but exercising that right meant contacting hundreds of individual businesses separately. The Delete Act fixes this by mandating the CPPA to build DROP: a centralized platform where California residents submit one verified deletion request that reaches every registered data broker simultaneously.
For businesses, this transforms deletion from an occasional inbound request into a recurring, state-orchestrated operational requirement.
The relationship between DROP and CPRA matters for understanding scope. CPRA establishes the consumer rights framework—the right to know, delete, correct, opt-out, and limit sensitive data processing. The Delete Act operationalizes deletion specifically for data brokers through a centralized mechanism. Both frameworks converge in 2026, creating layered obligations that share a common enforcement agency: the CPPA, which holds administrative enforcement authority over both (the Attorney General retains civil enforcement authority alongside it).
Key 2026 milestones:
| Milestone | Date | Requirement |
|---|---|---|
| DROP Available | January 1, 2026 | Platform opens for consumer submissions |
| Operational Mandate | August 1, 2026 | Data brokers must retrieve and process DROP requests every 45 days |
| Audit Cycle Initiation | January 1, 2028 | Mandatory independent third-party compliance audits begin |
| Cybersecurity Audits | April 1, 2028 | First certifications due for companies with 2026 revenues exceeding $100M |
Who Must Comply
Data Brokers
The Delete Act defines a data broker as any business that "knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship." The critical phrase is "direct relationship"—established when a consumer intentionally interacts with a business to access its products or services within the preceding three years.
The CPPA has clarified that collecting information directly from a consumer doesn't automatically create a direct relationship. Consumer intent to interact with that specific business is the deciding factor. This brings many entities into data broker territory that wouldn't traditionally identify themselves as such—particularly businesses relying on third-party data sources or sharing information outside primary consumer interactions.
Service Providers and Contractors
Service providers processing personal information under restrictive contracts are generally exempt from data broker classification—but this protection is conditional. Contracts must include specific CPRA cooperation requirements, and service providers must assist with deletion and audit requests. Enforcement has specifically targeted contract gaps, with settlements exceeding $1.5 million for businesses whose vendor contracts lacked mandatory cooperation provisions.
SaaS Platforms and Marketing Agencies
SaaS companies operating B2B typically qualify as service providers—unless they aggregate client data and sell enriched insights or audiences to third parties. That activity strips the service provider exemption and triggers data broker obligations.
Marketing agencies face elevated risk. Any agency that buys, sells, or shares personal information collected outside a direct consumer relationship—through third-party datasets for audience targeting or list enrichment—likely qualifies as a data broker.
Broader CPRA Coverage
Organizations subject to general CPRA obligations must meet one of these thresholds: gross annual revenue exceeding $25 million (as adjusted for inflation by the CPPA), annually buying, selling, or sharing the personal information of 100,000 or more California consumers or households, or deriving 50 percent or more of annual revenue from selling or sharing personal information. Meeting a threshold triggers the expanded DSAR obligations and mandatory opt-out confirmation described below; cybersecurity audit certification applies to the subset of covered businesses that also meet the regulations' higher revenue and processing-volume criteria.
Consumer Rights Expanded in 2026
Extended Right to Know. Consumers can now request access to personal information collected on or after January 1, 2022, not just the previous 12 months, unless producing it proves impossible or would involve disproportionate effort. In practice, archival databases, legacy CRM records, and backup systems must be included in discovery workflows.
Right to Correct with Propagation. Correction is no longer a simple data update. When a consumer corrects their information, the business must notify the original data source and implement technical controls preventing that source from overwriting corrected fields in subsequent automated data refreshes.
Right to Delete. Under DROP, deletion obligations extend to newly collected data about the same consumer, creating a continuous suppression requirement—not a one-time deletion event.
Right to Opt-Out of Sale and Sharing. Any pixel, tag, or API transferring personal information to advertising platforms constitutes "sharing" under CPRA, triggering opt-out rights. Global Privacy Control (GPC) signals function as a valid opt-out and require visible confirmation to the user when detected.
Right to Limit Sensitive Personal Information. Sensitive personal information—which now includes neural data—can only be used for essential business purposes unless the consumer opts into broader use. Personal information of consumers under 16 is governed by a separate rule: it cannot be sold or shared without opt-in consent.
Automated Decision-Making Technology (ADMT) Rights. Businesses using AI for significant decisions affecting financial services, housing, healthcare, education, or employment must provide pre-use notices explaining the system's logic, honor opt-out requests through at least two submission channels, disclose methodology on request, and provide a human review appeal process with authority to overturn automated decisions. In practice, this rules out unexplained and unappealable algorithmic decisions for core consumer services in California.
DSAR Requirements in 2026
The 45-Day Cycle
Starting August 1, 2026, data brokers must access DROP at least once every 45 days to retrieve consumer deletion lists. Processing is not a one-time event—brokers must continue deleting newly collected data about the same consumer at each subsequent 45-day interval.
After processing, brokers have 45 days to report status back to DROP using four mandated codes: Record Deleted, Record Opted-out of Sale, Record Exempt, or Record Not Found. This reporting obligation requires automated status tracking and API integration with the CPPA platform.
Identity Matching Protocol
The DROP platform provides consumer identifiers—names, dates of birth, email addresses, phone numbers, or mobile advertising identifiers. Brokers must match these using a standardized hashing protocol: phone numbers stripped to 10-digit strings, identifiers normalized and cryptographically hashed, and multiple identifiers concatenated into composite matching keys.
Data brokers cannot contact consumers directly to verify requests. If a definitive match cannot be made but the DROP platform has verified the request, the broker must treat it as a global opt-out from sale and sharing.
Evidence Retention
Suppression lists, which should hold only hashed identifiers rather than the deleted data itself, must prevent a deleted consumer's data from being re-acquired through later data feeds. DSAR logs must be retained for at least 24 months. Evidence must be objective—documented logs, test results, and audit trails. Management attestations are explicitly rejected under 2026 audit standards.
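As an added illustration of the matching and suppression logic described above (this is not Secure Privacy's code and not the CPPA's published DROP specification), the following Python normalizes identifiers, hashes them, builds a name-plus-date-of-birth composite key, matches against a broker's own records, returns one of the four status codes, falls back to a global opt-out when a verified request has no definitive match, and keeps a hash-only suppression list that is consulted on every later ingest. SHA-256, the normalization rules, the field names, and every record and request are assumptions or constructed sample data.

```python
# Added example for this article: not Secure Privacy's code and not the CPPA's
# published DROP protocol. SHA-256, the normalization rules, the field names and
# every record below are assumptions or constructed sample data.
import copy
import hashlib
import itertools
import re

STRONG = ("email", "phone", "maid", "name+dob")   # one hit here is a definitive match

def normalize(kind, value):
    """Canonicalize one identifier before hashing; None means unusable."""
    v = (value or "").strip()
    if not v:
        return None
    if kind == "email":
        v = v.lower()
        return v if re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", v) else None
    if kind == "phone":
        digits = re.sub(r"\D", "", v)
        if len(digits) == 11 and digits[0] == "1":
            digits = digits[1:]              # drop a leading US/Canada country code
        return digits if len(digits) == 10 else None
    if kind == "name":
        return re.sub(r"\s+", " ", v.lower())
    if kind == "dob":
        return v if re.fullmatch(r"\d{4}-\d{2}-\d{2}", v) else None
    if kind == "maid":
        return v.lower()
    return None

def hash_id(kind, value):
    """Hash 'kind:normalized' so an email can never collide with a same-text phone."""
    norm = normalize(kind, value)
    return None if norm is None else hashlib.sha256(f"{kind}:{norm}".encode()).hexdigest()

def hash_identifiers(ident):
    """Hash every usable field; add a name+dob composite key when both are present."""
    hashed = {}
    for kind, value in ident.items():
        h = hash_id(kind, value)
        if h:
            hashed[kind] = h
    name, dob = normalize("name", ident.get("name")), normalize("dob", ident.get("dob"))
    if name and dob:
        hashed["name+dob"] = hashlib.sha256(f"name+dob:{name}|{dob}".encode()).hexdigest()
    return hashed

class BrokerStore:
    def __init__(self, records):
        self.records = copy.deepcopy(records)   # record_id -> {"ident": {...}, "exempt": bool}
        self.suppression = set()                # hashes only: no raw identifiers retained
        self._ids = itertools.count(len(records) + 1)

    def match(self, req_hashes):
        """Return (record_id, definitive); a name-only overlap is not definitive."""
        partial = None
        for rid, rec in self.records.items():
            rh = hash_identifiers(rec["ident"])
            common = [k for k in req_hashes if rh.get(k) == req_hashes[k]]
            if any(k in STRONG for k in common):
                return rid, True
            if common and partial is None:
                partial = rid
        return partial, False

    def process_drop_request(self, ident):
        """Apply one DROP-verified deletion request and return its status code."""
        req_hashes = hash_identifiers(ident)
        self.suppression.update(req_hashes.values())   # suppress from now on, match or not
        rid, definitive = self.match(req_hashes)
        if rid is None:
            return "Record Not Found"
        rec = self.records[rid]
        if not definitive:
            rec["opted_out"] = True          # verified request, no definitive match
            return "Record Opted-out of Sale"
        if rec["exempt"]:
            rec["opted_out"] = True          # retained under an exemption, never sold again
            return "Record Exempt"
        del self.records[rid]
        return "Record Deleted"

    def ingest(self, ident):
        """Gate for refreshed data feeds: refuse anything whose hashes are suppressed."""
        if set(hash_identifiers(ident).values()) & self.suppression:
            return False
        self.records[f"r{next(self._ids)}"] = {"ident": ident, "exempt": False}
        return True

SAMPLE_RECORDS = {   # constructed sample data
    "r1": {"ident": {"email": "Jane.Public@Example.com", "name": "Jane Public"}, "exempt": False},
    "r2": {"ident": {"name": "John  Roe", "dob": "1980-02-03", "phone": "+1 (415) 555-0100"}, "exempt": True},
    "r3": {"ident": {"name": "Alex Smith", "phone": "212-555-0123"}, "exempt": False},
}

def run_demo():
    store = BrokerStore(SAMPLE_RECORDS)
    requests = [
        {"email": "jane.public@example.com"},                   # strong match: deleted
        {"name": "john roe", "dob": "1980-02-03"},              # composite match on an exempt record
        {"name": "Alex Smith", "email": "alex@other.example"},  # name only: global opt-out
        {"phone": "+1 202 555 0199"},                           # nothing matches
    ]
    statuses = [store.process_drop_request(r) for r in requests]
    # A refreshed third-party feed tries to bring Jane back; the suppression list blocks it.
    readded = store.ingest({"email": "JANE.PUBLIC@example.com", "name": "J. Public"})
    return statuses, readded, store

if __name__ == "__main__":
    print(*run_demo()[:2])
```

Two design points worth noting: the suppression set is updated before matching, so even a "Record Not Found" request still blocks that consumer from being re-acquired at the next feed refresh, and the hash input is prefixed with the identifier kind so that a stored email hash can never be confused with a phone or MAID hash of identical text.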
Why Manual DSAR Handling Fails at Scale
The enforcement record from 2025 is unambiguous: manual DSAR processes are incompatible with 2026 requirements.
Email-based intake misses requests. Investigations have identified non-functional submission pathways where web forms fail to submit or confirmation emails are never sent. Email workflows have no reliable audit trail and no mechanism for confirming receipt at the regulatory level.
Spreadsheet tracking lacks governance evidence. Regulators have explicitly identified spreadsheet-based DSAR management as inadequate. Spreadsheets don't generate self-explanatory documentation, can't handle concurrent requests at volume, and provide no immutable audit trail.
No automated vendor propagation. Manual processes routinely fulfill deletion within the organization's own systems while failing to propagate requests to service providers and contractors that also hold copies of the consumer's data. This vendor gap has driven the largest enforcement settlements in California privacy history.
Missed deadlines generate accumulating penalties. The $200 per-request daily penalty adds up quickly when manual processes fail to track the 45-day cycle across hundreds of simultaneous requests: a single missed batch of 500 requests costs $100,000 per day until resolved.
No identity verification infrastructure. Hash-based matching against internal records requires automated infrastructure that manual processes cannot provide at DROP's required technical standard.
What Regulators Expect Operationally
The CPPA has established a Data Broker Enforcement Strike Force and uses automated scanning technology to identify public-facing compliance gaps before complaints are filed. Organizations cannot rely on obscurity or the absence of consumer complaints.
Regulators consistently cite three core gaps in enforcement actions:
Inaccurate privacy policies that fail to disclose all categories of personal information collected, data sources, and purposes for ADMT use.
Inadequate risk assessments for high-risk processing—selling personal information, processing sensitive personal information, or using ADMT—without documented analysis weighing business benefits against consumer harms.
Lack of audit-ready evidence. The 2026 standards require objective documentation: system logs, testing results, configuration records. Management self-assessment carries no evidentiary weight.
Dark patterns in consent interfaces have generated penalties ranging from $345,000 to $632,500, targeting choice asymmetry where opt-out is significantly harder than opt-in.
Secure Privacy DSAR: Operational Compliance Infrastructure
Secure Privacy DSAR functions as compliance infrastructure — a workflow engine automating the full DSAR lifecycle from intake through evidence archival.
Centralized Request Intake
Secure Privacy consolidates DSAR submissions from all channels into a single workflow: web forms, email requests, GPC signals, and DROP API delivery. GPC signals receive automatic intake and processing, with visible confirmation generated for the consumer—meeting California's requirement that opt-out signals be acknowledged with displayed confirmation.
Automated Identity Verification
For DROP-originated requests, Secure Privacy applies the standardized hashing and matching protocol the CPPA requires: normalizing identifiers, applying cryptographic hashing, and executing matching against internal records. For non-DROP requests, verification workflows guide teams through steps proportionate to the sensitivity of the data requested.
Automated Routing and Discovery
Once verified, deletion or access commands are automatically routed to every connected system containing the consumer's personal information—CRM, marketing platforms, analytics tools, data warehouses, cloud storage. Data lineage tracking ensures deletion commands follow data paths automatically rather than stopping at the first system queried.
Vendor Propagation
Secure Privacy manages downstream notification to service providers and contractors through vendor risk management integration. Deletion commands are propagated with timestamps and confirmation tracking, generating documentation regulators require to verify deletion extends beyond the controlling business's own systems.
Deadline Tracking and Status Reporting
The 45-day cycle is tracked automatically with escalation notifications before breach windows open. For DROP, status codes are automatically compiled and submitted to the CPPA platform within required windows.
Evidence Logging
Every DSAR lifecycle action is captured in immutable audit logs: intake timestamps, verification results, search queries, deletion confirmations, vendor notifications, and status reports. These logs are structured for regulatory presentation—generating the objective evidence audit standards require.
DSAR Workflow Example
Step 1: Request Submission. Consumer submits via the Secure Privacy portal, GPC signal, or DROP API import. Intake is logged automatically with timestamp.
Step 2: Identity Verification. Automated hashing and matching executes using DROP protocol standards. Verification status is logged.
Step 3: Internal Routing. Verified request triggers automated discovery across all connected systems, with deletion commands dispatched concurrently.
Step 4: Vendor Notifications. Deletion requests propagate to all service providers and contractors via API connectors. Confirmation responses are tracked and logged.
Step 5: Fulfillment Confirmation. Deletion confirmations are collected from each system. The consumer's identifier is added to the suppression list.
Step 6: Status Reporting and Evidence Storage. Status codes are compiled and reported to DROP. The complete case record is archived in immutable storage with 24-month minimum retention.
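The six steps above, as an added example written for this article (not Secure Privacy's code): one DSAR case whose every action lands in an append-only, hash-chained log that an auditor can re-verify, a report step that refuses to close the case while any vendor confirmation is outstanding, and the 45-day and 24-month arithmetic. Event names, fields, the per-day exposure figure and all dates are assumptions or constructed sample data.

```python
# Added example for this article; not Secure Privacy's code. Event names,
# fields, and dates are assumptions; the case data is constructed.
import hashlib
import json
from datetime import datetime, timedelta, timezone

CYCLE_DAYS = 45
RETENTION_DAYS = 730          # "at least 24 months", rounded up to whole days
PENALTY_PER_DAY = 200         # $200 per request per day, as the article states

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class HashChainLog:
    """Append-only log; each entry commits to the hash of the one before it."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def append(self, event, detail, at):
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = {"seq": len(self.entries), "at": at.isoformat(), "event": event,
                "detail": detail, "prev": prev}
        self.entries.append({**body, "hash": _digest(body)})

    def verify(self):
        """True only if no entry was edited, removed, or reordered after writing."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

class DsarCase:
    def __init__(self, case_id, source, retrieved_at):
        self.case_id, self.log = case_id, HashChainLog()
        self.process_by = retrieved_at + timedelta(days=CYCLE_DAYS)
        self.vendor_acks = {}                 # vendor -> confirmation time, or None
        self.status = self.closed_at = None
        self.log.append("intake", {"case": case_id, "source": source,
                                   "process_by": self.process_by.isoformat()}, retrieved_at)

    def verified(self, result, at):
        self.log.append("identity_verified", {"result": result}, at)

    def dispatched(self, systems, at):
        self.log.append("deletion_dispatched", {"systems": sorted(systems)}, at)

    def vendor_notified(self, vendor, at):
        self.vendor_acks[vendor] = None
        self.log.append("vendor_notified", {"vendor": vendor}, at)

    def vendor_confirmed(self, vendor, at):
        self.vendor_acks[vendor] = at
        self.log.append("vendor_confirmed", {"vendor": vendor}, at)

    def report(self, status, at):
        """Close the case; refuses while any vendor has not confirmed deletion."""
        pending = sorted(v for v, ack in self.vendor_acks.items() if ack is None)
        if pending:
            raise RuntimeError(f"cannot report {self.case_id}: awaiting {pending}")
        self.status, self.closed_at = status, at
        self.log.append("status_reported", {"status": status, "late": at > self.process_by}, at)

    def days_overdue(self, as_of):
        done = self.closed_at or as_of
        return max(0, (min(done, as_of) - self.process_by).days)

    def exposure(self, as_of):
        return self.days_overdue(as_of) * PENALTY_PER_DAY

    def retention_until(self):
        return self.closed_at + timedelta(days=RETENTION_DAYS) if self.closed_at else None

def run_case():
    t0 = datetime(2026, 8, 1, 9, 0, tzinfo=timezone.utc)           # constructed dates
    case = DsarCase("DROP-0001", "drop_api", t0)
    case.verified("definitive", t0 + timedelta(hours=1))
    case.dispatched(["crm", "warehouse", "marketing"], t0 + timedelta(hours=2))
    case.vendor_notified("email-vendor", t0 + timedelta(hours=2))
    case.vendor_notified("ad-vendor", t0 + timedelta(hours=2))
    case.vendor_confirmed("email-vendor", t0 + timedelta(days=3))
    case.vendor_confirmed("ad-vendor", t0 + timedelta(days=10))
    case.report("Record Deleted", t0 + timedelta(days=12))
    return case

def run_late_case():
    """Same flow, but the only vendor confirms on day 50: exposure accrues from day 45."""
    t0 = datetime(2026, 8, 1, 9, 0, tzinfo=timezone.utc)
    case = DsarCase("DROP-0002", "drop_api", t0)
    case.vendor_notified("ad-vendor", t0)
    try:
        case.report("Record Deleted", t0 + timedelta(days=20))     # refused: vendor pending
    except RuntimeError:
        pass
    case.vendor_confirmed("ad-vendor", t0 + timedelta(days=50))
    case.report("Record Deleted", t0 + timedelta(days=50))
    return case

if __name__ == "__main__":
    c = run_case()
    print(c.status, c.log.verify(), c.retention_until().date(), run_late_case().exposure(c.closed_at))
```

The chain is what turns a log into evidence: editing any earlier entry, or deleting one, changes its digest and breaks every `prev` link after it, so `verify()` fails. In a real deployment the periodic head hash would be written somewhere the DSAR system itself cannot modify (a separate account, WORM storage, or a signed timestamp), which is the part a tamper-evident structure cannot provide on its own.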
Integrating DSAR With Broader Privacy Governance
Record of Processing Activities (RoPA). Accurate DSAR fulfillment requires knowing what data exists and where. Data mapping integration keeps the RoPA current, ensuring discovery queries reach all relevant systems.
Consent Management. When a consumer's consent record shows they've opted out of sale or sharing, that preference is enforced in real-time without requiring a separate request. The consent management platform and DSAR system share a unified view of consumer preferences.
Vendor Management. DSAR propagation depends on current vendor records, active Data Processing Agreements, and working API connections. Vendor management integration ensures deletion commands reach the right contacts and that expired agreements don't create propagation gaps.
GRC Integration. DSAR completion rates, deadline adherence, and vendor propagation success are KPIs feeding directly into governance reporting, ensuring DSAR performance is visible at the program level.
Common CPRA Readiness Gaps
No DSAR standard operating procedure. Informal DSAR handling without documented workflows, defined roles, deadlines, and evidence requirements makes fulfillment inconsistent and audit defense impossible.
No vendor integration for propagation. Organizations fulfill deletion internally but have no mechanism for extending it to service providers and contractors that also hold copies of the data.
No suppression list. Without suppression, deleted data reappears in databases when automated data feeds refresh from third-party sources.
No ADMT inventory. Organizations using automated systems for significant decisions haven't catalogued those systems or prepared pre-use notices and appeal workflows.
GPC signal not honored. Websites detect GPC but continue firing marketing tags, or honor the opt-out without providing the visible confirmation California requires.
No escalation paths. Complex requests—ADMT appeals, sensitive personal information requests—lack defined escalation procedures, creating response delays and inconsistent outcomes.
Practical CPRA DSAR Checklist
Intake:
- All submission channels active and tested (web form, email, API, GPC)
- GPC signal detection implemented with visible user confirmation
- DROP API integration configured and tested before August 1, 2026
Verification:
- Hashing protocol for DROP-originated requests implemented
- Identity verification proportionate to data sensitivity for non-DROP requests
- Verification records logged with timestamps
Tracking:
- 45-day cycle deadline tracking automated with escalation alerts
- Status reporting to DROP automated for all four mandated codes
Discovery and Fulfillment:
- All systems containing California consumer data mapped and connected
- Concurrent deletion routing to all connected systems
- Suppression list updated on every deletion
Vendor Propagation:
- All service provider DPAs include CPRA cooperation requirements
- Automated vendor notification with confirmation tracking
- Propagation confirmations logged for audit purposes
Documentation:
- Immutable audit logs capturing full case lifecycle
- 24-month DSAR log retention implemented
- Risk assessments documented for high-risk processing activities
Appeals:
- ADMT appeal workflow with human review capability established
- At least two opt-out submission channels available
- Appeal timelines and escalation paths defined
Preparing for CPRA Enforcement in 2026
Step 1: Map California data flows. Identify every system that collects, stores, processes, or shares California consumer personal information—including third-party sources, SaaS tools, and cloud environments.
Step 2: Assess data broker status. Evaluate your data collection and sharing model against the "direct relationship" test. If your organization sells or shares data about consumers you didn't acquire directly, register with the CPPA.
Step 3: Implement automated DSAR workflows. Configure intake channels, identity verification, automated routing, vendor propagation, and evidence logging before August 1, 2026.
Step 4: Audit vendor contracts. Review every service provider agreement for CPRA cooperation requirements. Update contracts lacking mandatory deletion cooperation provisions.
Step 5: Eliminate dark patterns. Audit consent and opt-out interfaces for choice asymmetry. Implement GPC detection with visible confirmation.
Step 6: Inventory ADMT systems. Catalogue all automated decision-making systems affecting significant consumer decisions. Draft pre-use notices and establish human review appeal workflows.
Step 7: Test response timelines. Conduct end-to-end testing under realistic request volumes. Verify that vendor propagation completes within 45 days and suppression lists prevent re-acquisition.
Step 8: Monitor continuously. Establish KPIs for DSAR fulfillment rate, deadline adherence, vendor propagation success, and suppression list integrity.
Key Takeaways
The California DROP Act CPRA 2026 framework transforms consumer data deletion from an occasional inbound request into a recurring, state-orchestrated operational mandate. The August 1, 2026 enforcement deadline carries $200 per-request daily penalties from day one.
DSAR handling in 2026 requires infrastructure, not process. The 45-day recurring cycle, hashed identity matching, concurrent vendor propagation, suppression list maintenance, and immutable evidence logging are technical requirements that manual workflows cannot fulfill at scale.
The CPPA's enforcement posture is proactive. Regulators use automated scanning to identify dark patterns, GPC non-compliance, and registration failures before complaints are filed.
Common failures—broken intake pathways, vendor propagation gaps, spreadsheet tracking, silent GPC rejection—have already produced settlements ranging from $345,000 to $5.1 million in 2025 enforcement actions. These failures are preventable with the right operational infrastructure.
Secure Privacy DSAR provides the workflow engine, evidence repository, and vendor propagation layer California's 2026 requirements demand. Organizations that treat DSAR automation as compliance infrastructure—not just a request management tool—will be positioned to meet the DROP mandate, survive regulatory audits, and scale consumer rights fulfillment as California's enforcement environment continues to mature.