CCPA's DELETE Act Goes Live in 2026: How to Document Your Privacy Compliance as PDF

TL;DR

California's DELETE Act created a first-of-its-kind consumer data deletion platform that went live January 1, 2026. Data brokers must check the platform every 45 days starting August 1, 2026, and process deletion requests. For businesses navigating CCPA/CPRA compliance, documentation is everything — and Convert: Anything to PDF makes it easy to convert compliance records from any file format — spreadsheets, HTML reports, markdown notes, privacy assessment files — into clean, archivable PDFs without uploading sensitive data to a third-party server.

What the CCPA DELETE Act changes in 2026

The California DELETE Act (Data Elimination and Limiting Extensive Tracking) created something unprecedented: a centralized data deletion platform managed by the California Privacy Protection Agency (CPPA). Instead of consumers submitting individual deletion requests to every data broker separately, they submit one request through the CPPA's platform, and data brokers are required to honor it.

Here are the key dates and obligations for 2026:

Milestone	Date	Obligation
Consumer platform opens	January 1, 2026	Consumers can submit deletion requests
Data broker access required	August 1, 2026	Data brokers must check the platform every 45 days
Process deletion requests	Within 45 days of each check	Honor all valid deletion requests
Risk assessment documentation	Prior to new high-risk activities	Document before starting
Opt-Out Preference Signal (OOPS) comment period	Closed April 6, 2026	Rulemaking continues

What has changed in 2026 CCPA/CPRA beyond DELETE

The DELETE Act is one piece of a broader CCPA/CPRA update in 2026:

Automated Decision-Making Technology (ADMT) — New rules require businesses to provide consumers with the right to opt out of certain automated decision-making, including profiling. Businesses must document their ADMT practices.

Risk assessments for high-risk activities — Before starting new data processing activities that pose a significant risk, businesses must complete and document risk assessments. While the deadline to assess ongoing activities extends to 2027, new activities require pre-initiation documentation.

Contractor obligations — Businesses that use service providers and contractors have new documentation requirements around how personal data flows to these third parties.

Opt-Out Preference Signals (OOPS) — The CPPA has been developing rules for global opt-out signals (like GPC). Businesses need to honor these signals and document how they do so.

State privacy laws that activated in January 2026

California is not alone. Several state privacy laws became effective or were amended effective January 1, 2026:

• Connecticut — Privacy law amendments
• Indiana — Comprehensive privacy law amendments
• Kentucky — Comprehensive privacy law took effect
• Oregon — Privacy law amendments
• Rhode Island — Data transparency and privacy protection act

If your business operates across states, you are likely tracking obligations under multiple frameworks simultaneously. Documentation is how you manage this complexity.

Why privacy compliance documentation needs to be in PDF

Privacy compliance documentation faces specific requirements that make PDF the right format:

Immutability and tamper evidence

Regulators expect compliance records to be preserved as-is from the time they were created. A Word document or spreadsheet can be edited after the fact. A PDF, especially when digitally signed or certified, is much harder to alter without detection. For audit purposes, PDF is the preferred format for compliance records that need to demonstrate what you knew and did at a specific point in time.

Consistent rendering across systems

Privacy compliance documentation is shared between legal teams, IT, business stakeholders, regulators, and sometimes courts. PDF renders identically on every device and platform. A spreadsheet with custom formatting may look completely different when a regulator opens it on a different system.

File archiving for retention requirements

CCPA/CPRA does not specify explicit document retention periods for all compliance records, but legal best practice is 3-7 years for privacy documentation, and potentially longer for records that could be relevant in litigation. PDF is the most universally supported archival format — your compliance documents from 2026 need to be readable in 2036.

Professional presentation for regulators

When the CPPA or another regulator requests your compliance documentation, PDFs present professionally and signal that your compliance program is organized. Submitting a folder of mixed Excel files, Word documents, and notes is not the impression you want to make.

How to convert privacy compliance documentation to PDF

Convert: Anything to PDF handles every file format your privacy compliance program might generate:

Supported file types for compliance documentation

File type	Common use in compliance	Conversion quality
CSV / spreadsheet exports	Data inventory, ROPA records, vendor lists	Tables auto-formatted
HTML reports	Compliance tool exports, assessment outputs	Rendered as-is
Markdown files	Documentation, runbooks, policies	Clean formatted output
Images (PNG, JPG)	Screenshots of tool configurations, evidence	Embedded in PDF
Text files	Notes, correspondence, memos	Formatted text output
Existing PDFs	Already in PDF format	Can be merged with other files

The drag-and-drop workflow

1. Open Convert: Anything to PDF in Chrome
2. Drag your compliance files into the upload area — multiple files at once
3. Arrange the order if creating a combined document
4. Convert — all processing happens locally in your browser
5. Download the PDF to your compliance archive

No file leaves your device. No account required. No size limits that would truncate your records.

Merging a compliance package

For a complete DELETE Act compliance submission or internal audit, you might combine:

• Your current privacy policy (exported from your website)
• Your data broker registration confirmation (HTML or PDF)
• Your ROPA (Records of Processing Activities) extract from your privacy management tool (CSV)
• Your ADMT inventory (markdown or spreadsheet)
• Risk assessment notes (text or markdown)
• Evidence of your global opt-out signal implementation (screenshot)

Drag all of these into Convert: Anything to PDF, set the order, and generate one merged document. That is your complete compliance package for the period.

Building a DELETE Act compliance workflow

Here is a practical workflow for data brokers and businesses subject to the DELETE Act:

Step 1: Register with the CPPA data broker registry

Data brokers must register annually with the CPPA. Save your registration confirmation as PDF and archive with date.

Step 2: Establish a 45-day review cadence

Starting August 1, 2026, you must check the DELETE platform every 45 days. Create a calendar series for these reviews. Each review should produce:

• A record of when you checked
• A list of deletion requests received
• Confirmation that requests were processed within the required window
• Any exceptions or issues

Convert these records to PDF at each review and archive them with consistent naming: 2026-08-01_DELETE-platform-review_requests-processed.pdf

Step 3: Document your deletion process

Before August 1, document your internal process for honoring DELETE requests:

• Which systems contain the data
• How data is identified for deletion
• How deletion is confirmed
• Who is responsible at each step

This documentation, converted to PDF and archived, demonstrates that you have a compliant process — not just that you responded to individual requests.

Step 4: Track your ADMT practices

If your business uses automated decision-making technology for consequential decisions (credit, employment, housing, education, healthcare, or insurance), document:

• What ADMT you use
• What decisions it informs
• What the opt-out mechanism is
• How opt-out requests are honored

This documentation becomes the evidence that your ADMT practices are compliant.

Step 5: Vendor audit documentation

The CPRA's contractor obligations require you to ensure your service providers and contractors have appropriate data use limitations. Document your vendor review process:

• Inventory of vendors processing personal data
• Contracts or DPAs in place
• Annual review evidence

How this intersects with other privacy frameworks

GDPR Article 30 (Records of Processing Activities)

If you process EU personal data, GDPR Article 30 requires a Record of Processing Activities (ROPA). The CCPA/CPRA risk assessment requirements are complementary. Many organizations maintain a single unified ROPA covering both GDPR and CCPA obligations. Converting this record to PDF provides a point-in-time snapshot for audits.

The EU AI Act data obligations

If you use AI systems that process personal data, the EU AI Act's documentation requirements overlap with CCPA/CPRA obligations around ADMT. The same underlying documentation (data flows, decision-making processes, human oversight) serves both frameworks. Maintaining a unified PDF archive simplifies compliance across both regimes.

FTC regulations and state AGs

Beyond the CPPA, the FTC and multiple state attorneys general enforce privacy obligations. Having a well-organized PDF compliance archive that demonstrates systematic compliance is your best defense if you face a regulatory inquiry from any direction.

Comparing PDF conversion approaches for compliance teams

Tool	Local processing?	Multi-file merge?	Free?	Account required?
Convert: Anything to PDF	Yes	Yes	Yes	No
Adobe Acrobat	Partially (desktop)	Yes	No	Yes
Smallpdf	No (cloud)	Yes (paid)	Limited	For merge
iLovePDF	No (cloud)	Yes (paid)	Limited	For merge
LibreOffice	Yes (desktop app)	Partial	Yes	No

For compliance documentation, the "local processing" column matters most. Uploading privacy records — data inventories, risk assessments, vendor lists — to a cloud PDF service creates a data handling issue of its own.

Frequently asked questions

Who does the DELETE Act apply to?

The DELETE Act primarily applies to data brokers — companies that collect and sell personal information about individuals they do not have a direct relationship with. However, if your business purchases consumer data from data brokers or uses data-broker-sourced lists for marketing, you may have indirect obligations to ensure your vendors are compliant.

What is the penalty for missing a DELETE Act deadline?

The CPPA can issue civil penalties. Failure to register as a data broker is $200 per day. Failure to honor deletion requests can result in much higher penalties under the broader CCPA enforcement framework — up to $7,500 per intentional violation.

Do small businesses need to comply with CCPA in 2026?

CCPA/CPRA applies to businesses that meet certain thresholds: annual gross revenue over $25 million, buy/sell/share personal data of 100,000+ consumers annually, or derive 50%+ of annual revenue from selling personal data. If you are below all three thresholds, CCPA may not apply, but check the state privacy laws for states where you operate — some have lower thresholds.

How long should I keep DELETE Act compliance records?

California regulations do not specify an explicit retention period, but legal best practice is to retain compliance records for at least 3 years, and many practitioners recommend 5-7 years. Retain records documenting your response to deletion requests for at least as long as the statute of limitations for related claims.

Can I use Convert: Anything to PDF for files containing personal data?

The tool processes files locally on your device — no content is transmitted to external servers. If you are converting files that contain personal data, this local processing approach is far more appropriate than cloud-based tools that upload your files to their servers. That said, review your own data minimization practices — does the compliance document actually need to contain personal data, or can it be anonymized before conversion?

Is a PDF audit trail sufficient for demonstrating CCPA compliance?

A PDF audit trail is an important component, but full compliance requires active operational practices: honoring deletion requests within required timeframes, maintaining required notices, and implementing technical controls. The PDF archive documents that you are doing these things; the doing itself requires operational procedures, trained staff, and technical systems.

Bottom line

The DELETE Act's 2026 implementation, combined with CCPA/CPRA's evolving ADMT and risk assessment requirements, has made privacy compliance documentation more important than ever. The organizations that will demonstrate compliance under regulatory scrutiny are those that have systematic, date-stamped records of their compliance activities. Convert: Anything to PDF makes it easy to convert compliance records from any format — spreadsheets, HTML, markdown, images — into archivable PDFs, locally, without transmitting sensitive privacy documentation to third-party servers. Build the audit trail now, while the compliance activity is happening.