
Is Your Business a “Data Broker”?: California’s DROP Goes Live, and CALPrivacy Continues to Enforce Delete Act

January 14, 2026

Four states have adopted laws regulating data brokers, but only one – California – has established a universal deletion mechanism whereby consumers are able to request that all data brokers registered in the state delete their data. That mechanism – officially named Delete Request and Opt-Out Platform (“DROP”) – went live for consumers on Jan. 1, 2026, and results in a host of new compliance obligations for businesses that constitute “data brokers” under the expansive definitions of California’s Delete Act (SB 362 or the “Act”). Regulated businesses must begin to retrieve and honor DROP requests beginning Aug. 1, 2026, which means businesses must work now to evaluate whether they are in scope for the Act.

Only days after DROP was launched, on Jan. 8, 2026, CalPrivacy, as part of its recently announced Data Broker Enforcement Strike Force, issued two new decisions against data providers for failure to register as data brokers under the Act:

  • First, Rickenbacher Data LLC d/b/a Datamasters was fined $42,000 for failing to register as a data broker in violation of the Delete Act. According to CalPrivacy, Datamasters bought and resold the names, addresses, phone numbers and other personal information of millions of people with Alzheimer’s disease, drug addiction and other health problems for targeted advertising. Datamasters bought and resold lists of people based on age and race, as evidenced by its offering “Senior Lists” and “Hispanic Lists,” as well as lists based on political views, grocery store purchases, health-related purchases and other identifiable means. Yet Datamasters had never registered with the California Data Broker Registry despite these activities. The Agency further found that Datamasters “lacked sufficient written policies and procedures to ensure compliance with the Delete Act….”
  • Second, S&P Global, Inc. was fined $62,000 for failing to register as a data broker. While this appeared to be an administrative oversight, CalPrivacy held that because S&P was unregistered for 313 days, the fine was warranted. Further, CalPrivacy required S&P to adopt written policies and procedures to ensure timely registration as a data broker in compliance with the Delete Act and to review its procedures for auditing data broker registration status and update those audit procedures as the company deems appropriate to identify missing or incomplete registration.

These developments mark a major shift in how Californians can control their personal information and the policies, procedures and audit measures businesses must implement.

The Delete Act & DROP

The Delete Act (SB 362), signed into law in October 2023, enhanced California’s data broker regime by requiring annual registration, enhanced disclosures and, beginning in 2026, mandatory participation in a centralized deletion-request platform administered by CalPrivacy, known as DROP.

Data Broker Definition

The Act’s definitions are expansive, most notably that of the term “data broker.” The Act defines a data broker as any “business that knowingly collects and sells the personal information of a consumer with whom the business does not have a direct relationship.”

Businesses that do not identify themselves as data brokers may nonetheless fall within the scope of the Delete Act definition. This is especially so if they “sell” or “share” personal information collected outside a direct relationship or rely on data sourced from third parties. For example, many retailers sell audience segments to brand partners, lead providers offer targeted audiences built from third-party data, and data or business intelligence companies sell enrichment attributes derived from non-customer information.

CalPrivacy has noted that businesses should not assume they are exempt from registration. Even consumer-facing companies may qualify as data brokers if they sell personal information collected outside a direct relationship.

Elsewhere, the Act incorporates core definitions from the California Consumer Privacy Act, including “consumer” as a California resident and “sale” as any exchange of personal information for monetary or other valuable consideration.

Throughout 2025, CalPrivacy conducted extensive rulemaking to clarify technical requirements, matching obligations and how data brokers must retrieve and process deletion requests through DROP.

Data Broker Requirements

Registration Requirements. Data brokers must register annually with CalPrivacy by Jan. 31, pay the required fee, and disclose the categories of identifiers they collect. These requirements come directly from the Delete Act and apply independently of DROP.

Retrieving and Processing Deletion Requests. Beginning Aug. 1, 2026, data brokers must:

  • Retrieve DROP deletion requests at least every 45 days
  • Evaluate and match requests using standardized identifiers
  • Delete personal information unless a statutory exception applies
  • Complete determinations within 90 days of retrieval
  • Maintain suppression lists when required
  • Document and retain records of all determinations

CalPrivacy will provide an API and sandbox environment for engineering teams to integrate with DROP.

Penalties & Enforcement

  • Registration Penalties. Data brokers who fail to register by the January 31 deadline face penalties of $200 per day, plus any expenses incurred by CalPrivacy in the investigation. These registration penalties have been in effect since the 2024 registration period.
  • Deletion Request Penalties. Beginning Aug. 1, 2026, when data brokers must start processing DROP deletion requests, data brokers who fail to act on deletion requests may incur penalties of $200 per request per day. At the IAPP Privacy. Security. Risk. conference in October 2025, CalPrivacy staff discussed the implications of these penalties and the complications involved in processing deletion requests. Noncompliance could result in extensive financial exposure for large-scale data brokers.

Upcoming Deadlines

The following deadlines apply to DROP/Delete Act compliance:

  • Jan. 1, 2026. DROP opens to California consumers, who can authenticate through the identity gateway or Login.gov and submit deletion requests to all registered data brokers.
  • Aug. 1, 2026. Data brokers must begin retrieving DROP deletion requests at least every 45 days and finalize determinations within 90 days of retrieval. Penalties of $200 per request per day begin for failure to process deletion requests.
  • Jan. 1, 2028. Data brokers become subject to independent privacy audits every three years.
  • Jan. 1, 2029. Data brokers must submit their first audit results to CalPrivacy.

Businesses should evaluate whether they are engaging in lead generation or other activities that may render them a “data broker” under the Act. As the recent enforcement actions show, CalPrivacy’s initial focus has been on failure-to-register claims against businesses that the Agency believes constitute data brokers. Additionally, non-data broker businesses may wish to evaluate whether they will receive an influx of deletion requests from their data broker partners starting Aug. 1, 2026, and devise a strategy for honoring such deletion requests within their systems.

This publication is intended for general informational purposes only and does not constitute legal advice or a solicitation to provide legal services. The information in this publication is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional legal counsel. The views and opinions expressed herein represent those of the individual author only and are not necessarily the views of Clark Hill PLC. Although we attempt to ensure that postings on our website are complete, accurate, and up to date, we assume no responsibility for their completeness, accuracy, or timeliness.
