The California Privacy Protection Agency (CalPrivacy) is exploring the requirements for data broker audits. (See Gov. Code §§ 11346(b), 11346.45.) CalPrivacy seeks input from stakeholders on this topic and is accepting preliminary comments starting today, April 7, until Thursday, May 7, 2026 at 5 p.m. PT. For further information on how to submit preliminary comments and comment areas of particular interest to CalPrivacy, please see our Invitation for Preliminary Comments – Delete Request and Opt-out Platform (DROP) Audits.
The California Delete Act governs data brokers. (Civ. Code § 1798.99.80 et seq.) “Beginning January 1, 2028, and every three years thereafter, a data broker shall undergo an audit by an independent third party to determine compliance with [Civil Code section 1798.99.86].” CalPrivacy is considering adopting regulations to clarify or further specify the audit requirement for processing deletion requests. CalPrivacy is particularly interested in receiving comments addressing several questions provided. Additionally, stakeholders may want to propose specific regulatory concepts or language.
The preliminary comments sought in this invitation are to assist CalPrivacy with its preliminary rulemaking activities and do not reflect any decisions made by CalPrivacy regarding future rulemaking. If CalPrivacy decides to propose regulations, a formal public comment period will be held at a later time, during the formal Administrative Procedure Act rulemaking process.
The attorneys at Troutman Amin are following this. Please reach out if you need competent and experienced counsel to guide you through your data privacy regulatory compliance requirements.
CIPAWorld 