California's DROP Portal Goes Live August 1: What the $200/Day Penalty Means for You
california just built the most aggressive data broker enforcement mechanism in the country. it's called DROP — the Data Broker Registration and Opt-Out Platform — and starting August 1, 2026, data brokers must check it every 45 days and process every deletion request in it.
the penalty for missing a request: $200 per request per day.
if you're not already off the major data brokers before that deadline, your personal information becomes subject to that penalty structure — which means brokers have a very strong financial incentive to process those requests fast and thoroughly. that's good for removal coverage. but it only applies to brokers registered in the DROP system, and it only works if you've actually submitted your deletion request.
what DROP actually is
the California Delete Act (SB 362) required the California Privacy Protection Agency to build a one-stop portal where consumers can submit a single deletion request that covers all registered data brokers simultaneously. that portal launched January 1, 2026.
the enforcement half goes live August 1. from that date, every data broker registered with the CPPA must:
- access the DROP portal every 45 days
- process all pending deletion requests
- document compliance
brokers that miss the 45-day window or fail to process requests face $200 per violation per day. for a broker sitting on thousands of unprocessed deletion requests, that math gets bad fast.
the gap in coverage
DROP is powerful, but it has a ceiling. it covers California-registered data brokers — currently around 500 companies registered with the CPPA. the actual data broker ecosystem runs 4,000+ companies by some estimates, with a significant chunk operating without California registration, outside California jurisdiction, or under a parent company that obscures the actual data controller.
the $200/day penalty only reaches the registered ones. the unregistered ones — the People Finders, the Spokeo clones, the background check aggregators running on AWS with a Delaware LLC — don't answer to DROP.
which means manual opt-outs are still the move for the long tail.
what this means in practice
the effective removal strategy post-August 1 combines two approaches:
first, submit your DROP request before August 1. with the penalty structure kicking in, registered brokers will be processing aggressively. requests in the system before the deadline are most likely to be handled in the first cycle.
second, handle the unregistered long tail separately. that means manual opt-outs to the 40+ brokers outside DROP's scope, done systematically, with follow-up verification.
the BizSuite data removal service does both: submits DROP-compatible deletion requests for the registered CA brokers, runs manual opt-outs against 40+ additional brokers not covered by the portal, and monitors for re-listings on a $49/month basis after the initial $497 removal.
61 days to the enforcement deadline. the brokers that see the penalty clock are about to process a lot of deletion requests fast. the window to be in that first cycle is closing.
Top comments (0)