California's DELETE Act enforcement starts August 1 — what the $200/day penalty actually means for your data

California's Data Broker Registration and Enforcement for Deletion (DROP) platform goes live August 1, 2026. After that date, every data broker registered under the California Delete Act (SB 362) must process deletion requests submitted through the state's platform every 45 days.

The penalty for non-compliance: $200 per deletion request per day of delay. No cure period.

What DROP is and who it covers

DROP is a centralized deletion request portal managed by the California Privacy Protection Agency (CPPA). Consumers submit one deletion request to the CPPA. The CPPA forwards it to every registered data broker simultaneously. Brokers have 45 days to process and confirm deletion.

California defines "data broker" broadly: any business that knowingly collects and sells or shares personal information of consumers with whom the business does not have a direct relationship. That includes people-search sites, background check services, marketing data companies, lead generation firms, analytics platforms, and identity resolution providers.

If you're not sure whether this covers you: the CPPA's registered data broker list had over 500 companies as of late 2025. Many didn't realize they qualified.

The math on the penalty

$200 per request per day. If a data broker has 1,000 consumer deletion requests outstanding at Day 1, and they haven't processed them by Day 46, that's $200,000 in fines — per day of continued delay. There's no cap in the statute.

Clark Hill's legal analysis (published June 25, 2026) is direct: enforcement begins immediately, no cure period. The CPPA has made clear it plans to use its enforcement authority.

The practical gap for individuals

DROP closes a real problem: before SB 362, consumers had to submit opt-out requests to each data broker individually. Some brokers had non-functional opt-out pages. Some processed requests for the required 12-month period and then re-listed the data. The 45-day cycle under DROP makes non-compliance visible and measurable.

But the individual still has to know their data is out there, know which brokers have it, and trust the DELETE request was actually processed.

What BizSuite Data Removal does differently

The BizSuite Data Removal service runs continuous removal requests across 40+ data brokers — not just California-registered ones — including the long-tail sites that don't appear in the CPPA registry. At $497 + $49/month, it covers the initial sweep (which takes 2–6 weeks to propagate) and the monthly re-check that catches re-listed data.

The August 1 deadline is a good forcing function for anyone who's been meaning to get this done. Data brokers will be processing a high volume of DROP requests starting that day — which means consumer requests submitted independently (outside DROP) may fall lower in the queue.

Starting the removal now means the first sweep completes before the DROP-driven processing backlog builds.

Details and what's included: https://getbizsuite.com/data-removal.html