Introduction

The regulatory currents in California are shifting—fast. The California Delete Act (SB 362), set for enforcement in August 2026, marks a paradigm shift for privacy, ushering in strict requirements for businesses that trade in personal data, especially those in the state’s cannabis and hemp retail sectors. The new rules challenge how dispensaries and brands manage loyalty, identity verification, and marketing technology vendors, many of which now risk classification as data brokers subject to rigorous consumer deletion requests via the new Data Broker Delete Requests Portal (DROP). This post unpacks what the Delete Act means for cannabis businesses, vendors, and the broader compliance landscape in 2025–2026.

What Is the California Delete Act?

Enacted as SB 362 and overseen by the California Privacy Protection Agency (CPPA), the Delete Act requires data brokers to:

• Register with the state by January 31 each year (if they meet the definition of a data broker).
• Comply with broad new obligations for data minimization, consumer control, and deletion of personal information.
• Integrate with the CPPA’s DROP platform, allowing Californians a one-stop shop for deleting their personal data from all registered data brokers (CPPA official site).

The enforcement clock starts August 1, 2026—meaning the 2025–2026 business year is all about preparation and transformation, with dispensaries squarely in the crosshairs due to their dependence on data-rich platforms.

Who’s a Data Broker? And Why Cannabis Loyalty Vendors Should Pay Attention

Data broker may sound like a term reserved for big tech, but the Delete Act’s definition is expansive: if your business sells or shares California consumer data collected from people with whom you don’t have a direct relationship, you’re likely classified as a data broker (Baird Holm LLP). The latest CPPA guidance and 2025 draft regulations expressly capture:

• Loyalty program vendors collecting and processing purchase histories and identities.
• Age verification providers processing IDs or biometric data to ensure age compliance on cannabis e-commerce platforms and at dispensary checkouts.
• Adtech, marketing, and identity-matching services that link profiles across online and in-store buyer behavior.

If these vendors aggregate, enrich, or sell data outside the direct dispensary-customer relationship, they risk full data broker status—triggering registration, ongoing compliance, and mandatory response to DROP deletion requests.

Timeline: Key Dates for Cannabis Businesses and Vendors

• Now: Inventory and map all vendors handling consumer data, especially those with access to age, geolocation, purchasing history, or ID scans.
• January 31, 2025: Deadline for data brokers to register or renew registration with the CPPA (CA Department of Finance).
• Throughout 2025: Follow CPPA’s evolving regulatory guidance as it finalizes definitions and compliance requirements. Attend relevant industry and CPPA sessions on the Delete Act and DROP (CPPA Announcements).
• January 1, 2026: DROP portal launches—California consumers can start requesting deletion statewide.
• August 1, 2026: Enforcement begins. Regulators expect all data brokers to integrate with DROP, process consumer deletion requests every 45 days, and demonstrate robust privacy controls.

DROP Portal: The New Front Line for Consumer Deletion Rights

The Data Broker Delete Requests Portal (DROP), operated by the CPPA, creates a groundbreaking "one-stop deletion" model. Through DROP, any Californian can request that their personal information be deleted from every registered data broker at once (CPPA official update).

Implications for cannabis businesses:

• Any vendor (loyalty platform, ID scan provider, age-verification service, etc.) that qualifies as a data broker must:
• Monitor DROP for new deletion requests at least every 45 days.
• Delete matching consumer records promptly, unless a specific CCPA/CPRA exception applies (e.g., compliance with legal obligations, anti-fraud).
• Maintain ongoing suppression lists to ensure records for deleted individuals are not re-added.
• Failure to honor DROP deletion requests exposes vendors—and potentially dispensaries contracting with them—to fines, audits, and litigation risk.

Compliance Steps: What Cannabis Businesses Should Do in 2025

1. Inventory Your Vendors and Data Flows

• Catalog all third-party platforms involved in loyalty, age verification, adtech, email/SMS marketing, and identity matching.
• Identify whether these partners aggregate, enrich, or share consumer data outside the dispensary-customer relationship.

2. Contractual Safeguards

• Update vendor contracts to require compliance with the Delete Act, CPPA DROP, and CPRA.
• Include obligations for timely data minimization, deletion, honoring consumer rights, and responding to audits.

3. Data Mapping and Minimization

• Map sensitive data: age, government ID scans, location, purchase histories, biometric or identity records.
• Limit the volume and retention period for sensitive data wherever possible.

4. Engage Vendors About Data Broker Obligations

• Directly ask your vendors if they are registered (or plan to register) as California data brokers.
• Request documentation on how they plan to comply with DROP, deletion timing, and suppression list requirements.

5. Update Consumer Notices & Internal Protocols

• Refresh privacy notices to explain loyalty, age-verification, and marketing data uses—especially sensitive data.
• Document how consumers may exercise their rights under the Delete Act and CPRA.

6. Prepare for Audit & Enforcement

• Expect audits from the CPPA and potential private right of action for failure to honor deletion rights starting in 2026 (NatLawReview).
• Create defensible records showing compliance with vendor mapping, deletion request processes, and mitigation of vendor risk.

Vendor Risk & Industry Penalties: Ongoing Enforcement and Litigation Exposure

Early CPPA actions show a zero-tolerance stance toward unregistered or noncompliant brokers—even those outside core tech sectors. Several fines and multi-year bans have already followed data broker investigation sweeps (CPPA fines example).

For the cannabis and hemp sector:

• Retailers and brands can face reputational and financial risk if vendors mishandle data or fail deletion requests, even when the retailer itself would not normally qualify as a broker.
• The hot spots include loyalty and CRM systems, integrations for age verification and e-commerce, third-party marketing, and any vendor storing ID scans or buyer profiles offsite.

Related CPRA Requirements and Consumer Rules

The Delete Act does not replace the California Consumer Privacy Act (CCPA) or its expansion under the California Privacy Rights Act (CPRA):

• Notice and consent: Dispensaries must provide clear, accessible notices regarding data collection and sharing, especially for sensitive information.
• Opt-out and sensitive data controls: Mechanisms for consumers to opt out of data sales/sharing and control the use of sensitive data (ID, medical info) are required.
• Security, breach response, and documentation: All privacy programs must be robust enough to withstand CPPA audit and potential litigation.

2025–2026: Strategic Takeaways for Cannabis Businesses

• Now is the time to build a defensible privacy and vendor management program. Waiting until the 2026 deadline will increase exposure to fines, private litigation, and bad press.
• Cannabis dispensaries, brands, and digital vendors should be ready to prove (with documentation) that they have mapped all data flows, updated vendor contracts, and tested deletion request mechanisms.
• The Delete Act’s broad data broker regime and statewide DROP platform are fast becoming compliance cornerstones—businesses must move quickly to adapt.

Looking Ahead: Build Privacy Resilience With Expert Support

Preparing for the Delete Act and related CPRA mandates can be daunting, but it’s essential for every business in California’s cannabis market.

Stay ahead of compliance risks and streamline your vendor management—reach out to CannabisRegulations.ai for real-time regulatory updates, expert guidance, and tools to ensure your privacy posture stands up to scrutiny in 2026 and beyond.