$200 per day, per request — the CalPrivacy enforcement math your team needs to run right now
California's DROP portal went live for consumers on January 1, 2026. Data brokers have been required to check it every 45 days and process deletion requests since then. As of the CPPA's enforcement advisory, the penalty for non-compliance is $200 per deletion request for each day the broker fails to delete.
that's not a fine. that's a compounding liability.
run the math before you dismiss it
if your company has 500 consumer records in the DROP system and you miss the August 1, 2026 processing deadline by 30 days, the exposure is $3,000,000. miss it by 60 days: $6,000,000. the math is linear and the deadline is fixed.
the CPPA has been explicit that enforcement is active, not pending. the $200/day/request penalty structure was confirmed in their December 2025 advisory. this is not draft guidance.
what "data broker" actually means
the common misread is that only companies whose core business is selling data are covered. that's not how SB 362 (the CA Delete Act) reads. a "data broker" under California law is any business that knowingly collects and sells or shares consumer personal information, where the consumer isn't a customer of that business.
that definition catches:
- advertising technology platforms
- analytics and attribution vendors
- background check integrations
- lead generation services
- insurance underwriting data suppliers
- HR screening vendors
if your platform sells or shares data about people who didn't directly sign up with you, you may be a covered data broker under California law. the CPPA has issued registration requirements and the DROP portal is the deletion mechanism.
why manual compliance doesn't scale
DROP requires brokers to check the portal every 45 days and process all pending requests. for a company with 10,000 California records in the system, that's potentially hundreds of deletion requests per 45-day cycle — each requiring identity verification, cross-system deletion (not just flagging), and confirmation logging.
doing that manually across 5 internal systems is a 2-person-week sprint per cycle. in perpetuity.
BizSuite's data removal service covers 48 brokers across 5 regulatory tiers, with California SB 362 compliance built in. the DROP integration handles the portal check-and-process cycle. the audit trail it generates is the documentation you need if the CPPA questions your compliance record. 48-hour delivery on the initial audit, $497 upfront + $49/month for ongoing monitoring.
the August 1 deadline is 82 days out as of today. the $200/day penalty clock starts the moment a request goes unprocessed past the deadline. the work to get compliant takes weeks, not days.
if your company has any California consumer data and hasn't confirmed your DROP compliance posture, that's the thing to do this week.
Top comments (0)