California Privacy Policy Update: Required DROP Disclosure Language for 2026
What the Law Requires in Your Privacy Policy
The California Delete Act requires registered data brokers to include specific disclosures in their website privacy policies about the DROP platform and consumer rights. At minimum, your privacy policy must inform consumers about the existence of the DROP platform, explain how consumers can submit deletion and opt-out requests through DROP, describe how your business processes these requests, state your response timeline (within 45 days), and list any exemptions that may apply to certain types of data.
Key Sections to Add or Update
Most businesses will need to add a new section titled something like Your Rights Under the California Delete Act to their existing privacy policy. This section should explain what the DROP platform is and how it works, provide the URL or directions for consumers to access the DROP portal, describe your internal deletion and opt-out procedures, explain downstream notification (that you notify third parties who received the data), list exemption categories (employee data, B2B contacts, legal holds, active transactions), and provide contact information for your privacy officer or compliance team.
Annual Reporting Disclosure
Your privacy policy should also note that you file an annual report with the CPPA by January 31 of each year, disclosing the number of deletion requests received and processed, the number denied with reasons, and your average response time. While you do not need to publish the actual report on your website, disclosing that you file it demonstrates transparency and compliance commitment.
Common Mistakes to Avoid
The most common mistake is using generic privacy policy language that does not specifically reference the DROP platform or SB 362. Another mistake is burying the DROP disclosure deep in a lengthy privacy policy where consumers cannot find it. The disclosure should be clearly labeled and easy to locate. Do not use language that discourages consumers from exercising their rights, such as suggesting that deletion will result in negative consequences. And ensure your privacy policy is updated before the August 1, 2026 enforcement date.
Get the exact privacy policy disclosure language, ready to paste, in our compliance kit.