The specific audit standards remain under development. CalPrivacy has not yet released detailed guidance on what constitutes adequate auditor qualifications, which audit tools will be acceptable, or how match rate improvements will be measured. The agency is actively soliciting input from privacy professionals, auditors, and consumer advocates to fill these gaps before the January 2028 deadline.
Attorneys advising data brokers should monitor this rulemaking closely. Brokers must begin processing DROP requests every 45 days starting August 1, 2026—just months away—and the audit framework being finalized now will determine compliance obligations for years to come. The Delete Act imposes $200-per-day penalties for noncompliance. With 242,000 deletion requests already submitted since DROP's January 2026 launch, the platform is seeing significant adoption, making audit standards a material operational and financial issue for any client handling California consumer data.