t49qnsx7qt-kpanks
California DROP Goes Live August 1 — What Data Brokers Actually Owe Consumers Starting in 38 Days

the August 1 deadline is 38 days out. most companies still don't know if they qualify as a "data broker" under California law — and CalPrivacy has made clear they're not waiting.

here's what the California DELETE Act's Data Rights Opt-out Platform (DROP) actually requires, what the fines look like, and what "automation" needs to mean for your deletion pipeline before August 1.

what DROP requires

California SB 362 created a single opt-out portal — DROP — that all registered data brokers must integrate with. starting August 1, 2026, when a consumer submits a deletion request through DROP, registered brokers have 45 days to process it.

the Clark Hill analysis puts the penalty plainly: $200 per day, per unprocessed deletion request. if you're sitting on 500 unprocessed requests at day 46, that's $100,000 per day in liability — every day until you clear the queue.

most brokers aren't thinking about this as a per-request meter. they should be.

who qualifies as a data broker under California law

under SB 362, you're a data broker if you "knowingly collect and sell to third parties the personal information of a consumer with whom you do not have a direct relationship." that's broader than most companies expect.

it includes:

  • data resellers and list vendors
  • analytics platforms that license audience segments
  • background check services
  • marketing data aggregators
  • companies that broker identity data to advertisers

if your revenue model involves selling data on people who haven't directly handed you their information, you're likely in scope.

the deletion pipeline problem

the actual compliance challenge isn't the portal integration — it's the pipeline behind it. CalPrivacy requires that deletions propagate to all systems where the consumer's data lives: databases, backup systems, third-party processors, analytics platforms.

that's where most organizations stall. a human-driven deletion process that works at 50 requests/month breaks at 5,000 requests/month. DROP is designed to concentrate demand — a single consumer opt-out hits every registered broker at once.

the firms that are going to take the biggest hits in August aren't the ones who miss the portal integration. they're the ones who integrate the portal but don't have automation behind it.

what automated deletion actually looks like

for brokers managing data across 40+ third-party sources, manual deletion is not a compliance strategy. what works:

  • webhook-triggered deletion workflows tied directly to DROP API events
  • automated propagation across all data processors (not just your primary database)
  • SHA-256 audit logs with timestamps that survive regulatory review
  • a tiered approach by data sensitivity — some records need faster SLAs than the 45-day default
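
one way to make the audit-log and propagation items above concrete, as an added example (not code from BizSuite or from the DROP platform): each entry's SHA-256 covers the previous entry's hash, so an edited or dropped entry is detectable, and the same log answers which systems still hold data for a request. the system names, event names and request id are assumptions; the 45-day window is the one cited above.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

SLA = timedelta(days=45)   # processing window the post cites
GENESIS = "0" * 64         # "prev" value for the first entry

def _digest(entry):
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append(log, request_id, system, event, ts):
    """Append an entry whose hash covers its fields and the previous hash."""
    # Entries carry a request id only, never the personal data being deleted.
    entry = {"request_id": request_id, "system": system, "event": event,
             "ts": ts.isoformat(), "prev": log[-1]["hash"] if log else GENESIS}
    entry["hash"] = _digest(entry)
    log.append(entry)

def verify(log):
    """Return the index of the first altered or out-of-order entry, or -1."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != _digest(entry):
            return i
        prev = entry["hash"]
    return -1

def outstanding(log, systems, now):
    """Map request id -> systems lacking a 'deleted' event, plus overdue flag."""
    received, done = {}, {}
    for e in log:
        if e["event"] == "received":
            received[e["request_id"]] = datetime.fromisoformat(e["ts"])
        elif e["event"] == "deleted":
            done.setdefault(e["request_id"], set()).add(e["system"])
    report = {}
    for rid, t0 in received.items():
        missing = sorted(set(systems) - done.get(rid, set()))
        if missing:
            report[rid] = {"missing": missing, "overdue": now - t0 > SLA}
    return report

# Constructed sample: one request, deleted in two of three hypothetical systems.
SYSTEMS = ["primary_db", "backups", "analytics_vendor"]
T0 = datetime(2026, 8, 1, tzinfo=timezone.utc)
LOG = []
append(LOG, "req-001", "intake", "received", T0)
append(LOG, "req-001", "primary_db", "deleted", T0 + timedelta(days=2))
append(LOG, "req-001", "backups", "deleted", T0 + timedelta(days=30))
```

the chain catches edits and removals inside the stored log, but a truncated tail goes unnoticed unless the latest hash is also recorded somewhere the log's writer cannot change.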

at BizSuite, the data removal service handles exactly this: 40+ data brokers across 5 tiers, with the CA Delete Act compliance baked in from the start. the setup is $497 + $49/mo — substantially less than a single day of non-compliance fines on a mid-size deletion backlog.

the 38-day window

CalPrivacy stated publicly that they're continuing active enforcement. the DROP portal is live. the question isn't whether enforcement will happen — it's whether your deletion pipeline is ready on August 1.

if you're a registered data broker and you don't have an automated deletion workflow in place today, 38 days is tight but workable. the first step is knowing exactly how many sources your consumers' data lives in — because each one is a propagation point the 45-day clock applies to.


if you want to audit your deletion surface before August 1, that's a fit call: getbizsuite.com/data-removal.html
