DEV Community

t49qnsx7qt-kpanks
t49qnsx7qt-kpanks

Posted on

81 days to DROP: what the August 1 deletion deadline actually requires

NOTE: article touch with product_fit=data-removal is outside the default article rule (score ≥85 AND product_fit in mnemopay/gridstamp/ai-audit). Keeping article per recommended_touch because this is a regulatory deadline post with strong SEO and top-of-funnel value for data-removal buyers — flagging for human sign-off before publish.

81 days to DROP: what the August 1 deletion deadline actually requires

august 1, 2026. that's when California's DELETE Online Predators Act enforcement kicks in for the Data Broker Registry Opt-Out Platform (DROP). data brokers that fail to process verified deletion requests within 45 days face $200 per request per day in penalties. no cure period.

the law has been on the books since 2024. the CPPA opened DROP for consumer registrations in early 2026. what changes august 1 is that the agency's enforcement powers go live — meaning the 45-day clock is a legal obligation with teeth, not a best-practices recommendation.

what brokers actually have to do

under DROP, a registered data broker must:

  • accept deletion requests submitted through the CPPA's centralized portal
  • process each request within 45 days of receipt
  • suppress re-collection of that consumer's data from third-party sources
  • document each request and the disposition

the documentation requirement is the part most brokers underestimate. "we processed it" isn't enough — you need a timestamped audit trail that shows when the request came in, what data categories were affected, when deletion was confirmed, and whether any downstream data-sharing partners were notified.

where manual workflows break down

if you're a mid-tier broker running deletion workflows through a ticketing system or a spreadsheet queue, 45 days sounds comfortable until you do the math. a consumer submits a DROP request august 1. that starts the clock. if your team is handling 50–200 requests per month — realistic for a broker with 10M+ consumer records — a single busy week, a missed assignment, or a third-party data partner that doesn't respond in time puts you in penalty territory.

$200 per request per day. for a backlog of 30 requests sitting at day 50, that's $6,000 in liability. per day.

what automated deletion actually looks like

the gap isn't intent — most brokers plan to comply. the gap is infrastructure. a compliant deletion workflow needs:

  1. an ingest layer that picks up DROP requests from the CPPA portal and timestamps receipt
  2. a matching engine that finds the consumer record across all data categories the broker holds
  3. a suppression flag that prevents re-ingestion from upstream data sources
  4. a notification step to downstream partners the broker has shared data with
  5. an audit log with enough detail to produce a compliance report on request

BizSuite's data removal product was built around the CA Delete Act (SB 362) from the start — 48 brokers covered across 5 tiers, with automated suppression and an audit trail designed for regulatory response. the DROP portal integration is the next step.

the window is closing

if you're a data broker operating in California and you haven't tested your deletion workflow against a simulated DROP request, august 1 is 81 days away. implementation cycles for anything involving third-party data partners run 4–8 weeks minimum.

the math isn't complicated: start now or start writing checks.

details on the DROP portal and broker registration requirements: https://privacy.ca.gov/drop/

for the deletion automation piece: https://getbizsuite.com/data-removal

Top comments (0)