CA SB 362 DROP enforcement starts August 1. here's the 45-day deletion clock data brokers have to beat

starting August 1, 2026, data brokers must access the DELETE Rights and Opt Out Platform (DROP) at least every 45 days to retrieve and process consumer deletion requests. upon receiving a match, the broker must delete all associated personal data — including inferences — within 45 days.

noncompliance: $200 per request, per day.

that's not a one-time penalty. it compounds. a data broker who ignores 500 deletion requests for 30 days owes $3 million before anyone asks about inferences. this is the California Privacy Protection Agency enforcing SB 362, and the DROP system is live now.

who this actually affects

545+ data brokers registered with the CPPA. not all of them are the obvious targets — Spokeo, Whitepages, BeenVerified. that's the visible tier. the registered broker list includes background check providers, marketing data resellers, insurance underwriters, recruitment screening services, and dozens of companies that don't self-identify as data brokers but legally are.

the structural problem: most of these companies don't have deletion infrastructure. they have a data team and a pile of customer records in relational tables that were never designed for targeted deletion. when a DROP request comes in, processing it manually — finding the right records across tables, deleting inferences, confirming completion — takes hours per request at current staffing levels.

at $200/day/unprocessed request, manual processing doesn't work.

the automation gap

consumer data removal services have been solving the individual-facing version of this problem for years. Optery covers 630+ broker sites. Incogni runs $7.99/month. DeleteMe covers 750+ brokers with human assistance.

what those services don't provide: a B2B deletion-at-source API for the brokers themselves. the DROP system creates a new demand — data brokers need to process deletion requests programmatically, not just receive them. they need to:

• poll DROP every 45 days
• match incoming requests against their records
• trigger deletion workflows across their data stores
• confirm completion to the CPPA within the 45-day window
• log the deletion for audit purposes (the CPPA can inspect records)

that's a workflow, not a button. and it's a workflow that 545+ companies need to stand up by August 1.

the infrastructure play

BizSuite's data removal product is positioned on this side of the market — automation infrastructure for the deletion workflow, not just the consumer-facing removal service. 48 brokers across 5 tiers currently covered, with CA Delete Act (SB 362) built-in as a compliance primitive.

the pricing: $497 setup, $49/month for ongoing monitoring and compliance automation.

details at getbizsuite.com.

the 65-day window

64 days until DROP enforcement begins. data brokers who haven't started building deletion infrastructure are already behind — the integration, testing, and confirmation workflow takes time to stand up, and $200/day/request means day-1 failures are expensive.

the right move is to start the integration now, not the day the first DROP request arrives.