California's DELETE Act DROP Portal Opens August 1: What It Means for Anyone With California Residents' Data
California launched a Data Broker Strike Force last week. The timing isn't coincidental — August 1, 2026 is the date the DROP (Data Removal Order Portal) goes live, and it changes the deletion compliance landscape in ways that most privacy teams haven't fully modeled yet.
Here's what's new, what the penalties look like, and what automation actually needs to do to stay compliant.
What the DROP portal changes
Under SB 362 (the California Delete Act), data brokers have been required to register with the California Privacy Protection Agency since January 2024. The DELETE Act mandated a centralized opt-out portal — DROP — that goes live August 1. When a California resident submits a deletion request through DROP, it propagates to every registered data broker simultaneously.
Before DROP, individuals had to submit deletion requests to each broker individually. That meant dozens or hundreds of separate requests, each with its own process, timeline, and non-compliance risk. DROP collapses that to one request — and creates one enforcement vector.
The penalty structure: $200 per unprocessed deletion request, per day. Not per incident, not per batch — per request, per day, starting from the 45-day compliance window. A data broker sitting on 500 unprocessed requests for 30 days past deadline is looking at $3M in accrued penalties.
California's Strike Force is specifically tasked with identifying data brokers who aren't processing DELETE Act requests.
What "processed" actually means
This is where most automated deletion tools fall short. "Processed" under SB 362 means:
- The deletion request was received and acknowledged within a defined window
- The personal information was deleted from the broker's own systems
- The deletion was propagated to any downstream data recipients (data buyers, licensees)
- A deletion confirmation record was retained
That last point is frequently missed: you need a record proving you processed the deletion, not just that you deleted the data. If an enforcement action comes, "we deleted it" with no audit trail is not a defense.
What BizSuite Data Removal covers
We built Data Removal around the SB 362 compliance requirements from the start — not retrofitted to meet them. The product covers:
- 48 data broker sources across 5 tier classifications (by reach and data sensitivity)
- Automated deletion propagation for downstream recipients
- CA Delete Act SB 362 built-in compliance flows, including the DROP portal integration
- Deletion confirmation records retained per the regulation's audit requirements
- $497 setup, $49/month for ongoing monitoring and re-deletion (brokers re-populate data — one-time removal doesn't hold)
The re-deletion piece matters more than most people realize. Data brokers routinely re-aggregate personal data from public records and other sources. A one-time deletion has a half-life. Our monitoring catches re-appearances and triggers re-deletion automatically.
62 days and counting
The DROP portal goes live in 62 days. If you're a California-registered data broker and you're not processing DROP requests from day one, you're accumulating $200/day/request penalties from August 1.
If you're a company that uses data broker data (for marketing, lead generation, background screening, credit assessment) — your vendors are now on a 45-day deletion clock for any California resident who submits through DROP. That affects your data pipeline.
Top comments (0)