DROP enforcement is 83 days out. here's what 500 data brokers are actually required to do by August 1.
most compliance write-ups on the California Delete Act (SB 362) describe the consumer rights angle. the operational mechanics for data brokers are harder to find.
here's the actual requirement:
starting August 1, 2026, every registered data broker must access the DROP portal every 45 days. pull all verified deletion requests submitted since the last access. process each request within 45 days of the access date. repeat. the penalty for each unprocessed request, per day: $200.
there are over 500 registered data brokers. the volume of deletion requests is not small. and "process" doesn't mean acknowledge — it means verify the identity, confirm the data exists in your systems, delete it across all your internal systems, and document that you did.
the practical problem: most data brokers don't have a deletion workflow. they have a privacy@ inbox that a paralegal checks when the volume gets uncomfortable.
the companies that are moving now share a few characteristics. they've already mapped their data assets well enough to know what they'd need to delete. they have a process owner for privacy requests. and they've found or built tooling that makes the 45-day cycle repeatable rather than heroic.
BizSuite Data Removal handles the operational layer: 48 brokers across 5 tiers, SB 362 compliance built in, $497 setup + $49/month. the catalog covers the data brokers that account for the overwhelming majority of consumer records — People Finder, Spokeo, Intelius, and the long tail.
if you're a data broker operator or a company with consumer data on those brokers and you haven't mapped your DROP exposure yet, August 1 is close enough that the window for a comfortable rollout is narrowing.
Top comments (0)