(a) Prior to accessing the DROP for the first time, a data broker shall utilize the Agency's website found at www.cppa.ca.gov to create a DROP account. To create an account, a data broker must:
(1) Establish a secure username and password (“credentials”) and maintain its account security using reasonable security procedures and practices. At minimum, a data broker must:
- (A) Maintain confidentiality of account credentials, and restrict access to its credentials to only persons authorized to act on the data broker's behalf;
- (B) Restrict access to the DROP, and information derived from the DROP, to persons authorized to act on behalf of the data broker;
(C) Inform the Agency immediately in writing through its DROP account or by emailing [email protected] if any of the following occur:
- (i) Unauthorized use of the data broker's credentials or account; or
- (ii) A breach of security related to the data broker's account, the DROP, or information derived from the DROP.
- (D) Assume responsibility for all actions taken through its DROP account.
(2) Provide the following information:
- (A) The data broker's business name and, if applicable, trade name(s) (i.e., “DBA”);
- (B) A point of contact for the data broker, including name, email, and phone number;
- (C) The data broker's public-facing contact information, including email and phone number;
- (D) The data broker's public-facing website address(es), including any website address through which it offers or provides data broker services; and
- (E) The data broker's Employer Identification Number (“EIN”) or Taxpayer Identification Number (“TIN”), as applicable, for its business.
(3) Select at least one consumer deletion list that the data broker will retrieve through the DROP to process deletion requests in accordance with Civil Code section 1798.99.86 and this Chapter.
- (A) A data broker must select all consumer deletion lists that contain a consumer identifier or identifiers that match to personal information about the consumer within the data broker's records.
- (B) Notwithstanding subparagraph (A), a data broker may select fewer lists if the consumer identifiers used across multiple lists will result in matches to a completely duplicative list of consumers within the data broker's records. For example, if a data broker collects both email addresses and telephone numbers for every consumer in its records, then the data broker may select only the email address or telephone number consumer deletion list. If, however, a data broker collects email addresses for some consumers and telephone numbers for other consumers, then the data broker must select both lists.
- (C) A data broker may change its consumer deletion list selection by adding or subtracting a list or lists through its DROP account. A data broker is only able to retrieve a consumer deletion list it has currently selected in its DROP account when it accesses the DROP pursuant to section 7612. A data broker must maintain compliance with subparagraph (A) of this section at all times by selecting additional consumer deletion lists before next accessing the DROP if the data broker begins collecting additional categories of personal information about consumers that match to identifiers under previously unselected consumer deletion lists. A data broker may only change its consumer deletion list selection once every 45 calendar days.
Note: Authority cited: Section 1798.99.87, Civil Code. Reference: Sections 1798.99.82 and 1798.99.86, Civil Code.
History
1. New article 3 (sections 7610-7616) and section filed 11-6-2025; operative 1-1-2026 (Register 2025, No. 45).