the CPPA's DROP portal goes live august 1 — here's what $200/request/day actually means for data brokers
the California Privacy Protection Agency's data broker registry page has the number that matters: starting august 1, 2026, non-compliant data brokers face $200 per deletion request per day.
the DROP portal (Data Rights Opt-Out Platform) centralizes California consumer deletion requests. a single consumer submission reaches all 545+ registered California data brokers simultaneously. once the request hits your registration, you have 45 days to retrieve it, match it against your database, delete it, and report the status back to CalPrivacy.
miss the 45-day window, and $200/request/day starts accumulating.
what brokers actually have to do
the DROP workflow isn't conceptually complex — it's operationally intensive at the volume that's coming.
every 45 days, registered brokers must access the DROP portal and download their deletion list. each record on the list is a consumer who submitted a request. the broker matches the record against their database, deletes matched records, and reports completion back to the portal.
the word "records" understates the data complexity. consumer records in broker databases aren't a single row. they're a cluster of records across multiple data types — email, phone, address, behavioral, demographic, inferred attributes — sometimes spread across multiple internal systems. a DELETE request that covers a consumer's record cluster requires touching every system that holds a matched record.
for a broker running manual deletion processes, that's a significant per-record cost at whatever volume DROP generates on august 1. the first submission day is going to be the highest-volume day many of these brokers have ever processed.
the re-accumulation problem DROP doesn't solve
DROP handles the initial deletion trigger. it doesn't handle re-accumulation.
data brokers continuously acquire data from public records, purchase transactions, list purchases, and third-party data providers. a consumer deleted from a broker's database in september 2026 can reappear in that same database by early 2027 as the broker processes new acquisition cycles.
DROP doesn't monitor for this. DROP processes the request that was submitted. the CPPA's enforcement mechanism is the initial request and the 45-day window. ongoing re-accumulation falls outside the DROP scope but inside the spirit of SB 362.
for consumers who submitted DROP requests — particularly those in executive or public-facing roles who are targeted for social engineering, doxxing, or competitive intelligence — the august 1 submission is not a one-and-done event. the deletion needs to be re-verified after each broker acquisition cycle.
what this means for the 545+ registered brokers
the $200/request/day fine isn't the only financial exposure. the operational cost of manual compliance at scale, the risk of re-accumulation discoveries triggering follow-on enforcement, and the reputational cost of being publicly non-compliant all compound on top of the direct fine exposure.
the brokers who have automated their DELETE matching and reporting workflows before august 1 are not just compliant — they've converted a per-request liability into a fixed infrastructure cost. the ones that haven't are absorbing a variable cost that scales with the volume of consumer submissions.
BizSuite's Data Removal service covers 48 brokers across 5 tiers with California Delete Act (SB 362) compliance built in — including continuous monitoring for re-appearing data after the initial deletion. $497 + $49/month.
Top comments (0)