the CPPA DROP mandate goes live in 44 days — what it actually requires
August 1, 2026 is not a soft launch date. it's the day the California Privacy Protection Agency's deletion mechanism becomes mandatory for every registered data broker in the state. the requirement from the CPPA site is direct: brokers must access the DROP (Data Rights and Opt-Out Platform) at least once every 45 days and process all deletion requests, no exceptions.
that's not "respond to individual requests within 30 days." that's: connect to the state system, pull the batch, and process every request in the queue — on a 45-day cycle, permanently.
what the 45-day cycle actually requires operationally
the legal language reads simple. the operations are not.
a deletion request flowing through DROP needs to propagate to every system holding that consumer's data. at most companies operating in the broker space, that means:
- the primary production database
- the warehouse (which probably has the same consumer under a different ID from a data union or enrichment provider)
- downstream syndication partners who received the record
- backup systems — the ones that get restored during outages and silently re-seed the primary after a deletion
that last point is the chronic problem. brokers continuously re-scrape public records: county assessor files, court records, voter rolls, social graphs. a deleted profile gets reconstructed from public sources within 3-6 months. the 45-day cycle means automated re-check, not one-time purge.
the CPPA also flagged the 2028 audit requirement: starting January 1, 2028, independent third-party audits of compliance every 3 years. auditors need a timestamped trail, not a spreadsheet of "we ran deletions manually."
the compliance gap most companies won't catch until August
most companies in the broker-adjacent space — lead gen, identity verification, background check, people-search — have deletion workflows that are manual, fragmented, or both. a request comes in, someone exports a CSV, someone runs a delete query, a manager approves a ticket. that works at low volume. it breaks under a mandatory 45-day batch system where the state is the intake mechanism, not individual consumers emailing you.
what actually satisfies the DROP mandate:
- automated connection to the CPPA mechanism — they run the portal, you connect to it programmatically
- propagation across every system holding the record, not just the primary database
- verification that the deletion completed, with a timestamp that a third-party auditor can examine
- re-scan every 45 days to catch records that got reconstructed from re-scraped public sources
the difference between a compliant workflow and a non-compliant one isn't the intent — it's whether the propagation and verification are automated with an audit trail, or manual with a spreadsheet.
what BizSuite's data removal service covers
BizSuite's data removal service ($497 + $49/mo) was built around exactly the re-acquisition problem — brokers that rebuild deleted profiles from public records within months. the service covers 48 data brokers across 5 tiers with automated re-scan, not a one-time opt-out.
for individuals: automated removal across 48 brokers, with re-checks on the cycle that matches how brokers re-scrape. CA Delete Act (SB 362) compliance is built in — not a checkbox added after.
for businesses with compliance obligations: the automated removal trail is what privacy counsel and CPPA auditors can actually examine. the August 1 deadline is 44 days out. if you're running a manual deletion workflow and haven't mapped what 45-day batch compliance looks like at your data volume, that's the thing to scope this week.
Top comments (0)