the aug 1 drop portal deadline is 74 days away — here's what data brokers actually have to do

california's DELETE Act (SB 362) created the Data Rights Operations Platform — DROP — and august 1, 2026 is when enforcement bites. data brokers who don't comply face $200 per unfulfilled deletion request per day. not a one-time fine. per request, per day.

the number of registered data brokers in california is somewhere north of 500. a lot of them are scrambling.

what the law actually requires

the DELETE Act is often described as "consumers can delete their data with one request." that's the consumer-facing framing. the broker-facing reality is more operationally specific:

poll DROP at least every 45 days — brokers must check the portal on a 45-day cycle and retrieve all pending verified deletion requests
process those requests within the same 45-day window — retrieval and processing aren't separate phases with separate deadlines; you get one window for both
document what you did and when — the california privacy protection agency (CPPA) has a strike force standing by and they're not going to take "we processed it" on faith

that last requirement is the one most brokers are underestimating. you need an audit trail. not just logs — a chain of evidence that can show an investigator exactly when you pulled the request, what record was matched, what action was taken, and when it completed.

where the ops problem lives

the deletion workflow itself isn't complicated. match a consumer identity to a record, delete or suppress the record, flag the request fulfilled. what's complicated is doing that at scale, reliably, inside a 45-day window that resets every 45 days forever, across every consumer record you hold.

say a broker has 200,000 consumer records. a typical month might bring in several hundred deletion requests — some verified directly through DROP, some re-requests for records that were re-listed after a previous deletion (which happens more than people admit). each of those requests needs to be:

retrieved from DROP on a scheduled pull (not a manual login)
matched against the broker's identity graph
processed with a timestamped action record
confirmed as fulfilled before the window closes
logged in a format that can be exported if CPPA asks

manual workflows don't survive this. a spreadsheet and a calendar reminder will fall apart on the third cycle.

what the penalty math looks like

$200 per unfulfilled request per day is the number in the statute. if a broker has 50 requests sitting in DROP unprocessed and misses the 45-day window by 10 days, that's $100,000 in penalties from a single cycle's failures. if that pattern repeats quarterly, the exposure compounds.

the CPPA's Data Broker Strike Force isn't just a press-release vehicle — they've shown they'll pursue violators. and the penalty structure is designed to be painful: it accrues daily, it's per-request, and "we didn't know" is not a defense once the enforcement date has passed.

the compliance infrastructure play

the businesses that are well-positioned for august 1 are the ones treating DROP compliance as a scheduled automation problem rather than an ad-hoc ops task. that means:

a service or system that polls DROP on the 45-day cycle automatically
a matching pipeline that processes retrieved requests against the record database
a timestamped, exportable audit trail for each request from retrieval to fulfillment
alerts when a request is within 5-7 days of the processing deadline

this is exactly what BizSuite's data removal module was built for. the compliance layer handles DROP polling, request queuing, and generates the audit trail in a format that maps to what CPPA would ask for in an enforcement inquiry. 48 brokers across 5 tiers already covered, CA Delete Act (SB 362) built-in. it starts at $497 with a $49/mo compliance tier.

if you're a data broker and you haven't wired up DROP polling yet, the time to do it is now — not july 28. the first cycle starts the moment enforcement goes live.

more on the data removal compliance stack: https://getbizsuite.com/data-removal