august 1 is not a soft deadline: what the DROP program means for your data and your exposure
california's Privacy Protection Agency just opened the DELETE Request Operations Portal — DROP — and set the clock. starting august 1, 2026, every registered data broker in California must process deletion requests submitted through that portal. the penalty for ignoring one: $200 per request per day.
that's not a fine. that's a recurring liability that compounds until someone closes the ticket.
what DROP actually is
DROP is the state's centralized deletion request infrastructure. california consumers submit a single request and the CPPA routes it to every data broker on the registered list. the broker has to honor it, log it, and confirm closure. there's no opt-out from the routing mechanism.
if your business or any data vendor you work with appears on the CPPA's registered broker list — and there are more than 2,000 of them — you're in scope. this isn't hypothetical. august 1 is 82 days away.
why most businesses won't be ready
the SB 362 DELETE Act passed in 2023 and gave brokers two years to prepare. that window closes august 1. the problem is that "prepare" in practice means:
- identifying every broker that holds your customers' or employees' data
- having a deletion workflow that can respond to a routed DROP request
- maintaining a log of every deletion request received, actioned, and confirmed
- doing this across 48+ registered broker categories — people-search, marketing data, analytics, credit headers
most companies have addressed one or two of these. the ones that haven't built a systematic deletion workflow are now 82 days from the first penalty clock.
the $200/day math
a mid-size company receiving 50 deletion requests per month that it fails to process starts accruing $10,000/day in penalties on day one of non-compliance. that's $300,000/month. the statute doesn't cap it.
this is why the CPPA published DROP now rather than waiting until august: they want brokers and businesses to see the portal, understand the routing mechanism, and start testing their workflows before enforcement begins.
what you can do before august 1
the practical steps, in order:
1. audit your broker exposure. find out which of the 2,000+ registered data brokers hold your customers' or employees' personally identifiable information. this isn't a one-hour task — it requires systematic scanning across the 48 broker categories in the CPPA registry.
2. map your deletion workflow. once you receive a DROP-routed request, what happens? who owns it? what's the SLA? if you can't answer that today, you don't have a workflow.
3. build the confirmation log. DROP requests require documented closure. a spreadsheet doesn't survive a CPPA audit. you need a timestamped, auditable record.
4. set up monitoring. new brokers register with the CPPA continuously. your exposure map from today is stale in 30 days.
BizSuite's data removal product covers all four: broker scan across 48 registered categories, automated deletion submission, closure confirmation tracking, and re-scan on a monthly cadence. built specifically against SB 362 requirements. $497 + $49/month to maintain coverage as the broker registry changes.
the DROP portal is live. august 1 is the enforcement date. the window to get ahead of it is now.
Top comments (0)