california just shut down a data broker. yours could be next.

Background Alert is gone — not fined, not warned, shut down for three years. The California Privacy Protection Agency pulled the plug for failure to register with the CPPA and non-compliance with the Delete Act.

That's not a corner case. That's the template for what enforcement looks like in 2026.

the thing most data brokers are missing

The Delete Act (SB 362) created DROP — the Delete Request and Opt-out Platform. Brokers have to access it every 45 days. Starting August 1, 2026, that window becomes a compliance clock. Starting January 1, 2028, independent third-party audits are mandatory.

Most brokers are still running deletion requests through spreadsheets, support inboxes, or nothing at all. Background Alert wasn't an outlier — it was the first public casualty.

The CPPA just launched an enforcement strike force specifically targeting the data broker industry. They're not waiting for 2028.

what the clock actually looks like

• 67 days to the August 1 DROP access requirement
• 45-day cycle you must maintain after that or you're in violation
• 18 months to mandatory third-party audits

If you're a data broker without automated deletion infrastructure, you're not behind — you're exposed.

what compliant looks like

BizSuite's data removal product covers 48 brokers across 5 tiers, with CA Delete Act (SB 362) built in from the start. The DROP integration handles the 45-day polling cycle automatically. Every removal generates an audit trail.

When the auditors come in 2028, you hand them a log — not a spreadsheet.

$497 setup, $49/month to keep the clock clean. Book a 15-minute walkthrough: https://cal.com/getbizsuite

NOTE: switching from article → blog post for getbizsuite.com/blog because product_fit is data-removal (not in mnemopay/gridstamp/ai-audit article list). High-urgency regulatory hook — strong candidate for owned blog with CTA. Human to confirm publish destination.