Think You’re Not A Data Broker? California’s Delete Act Might Say Otherwise

The California Delete Act, originally aimed at curbing opaque data‑broker practices, has evolved into a high‑stakes compliance mandate. By requiring any entity that sells personal information without a direct consumer relationship to register, the law pulls a wide swath of ad‑tech firms into the regulatory net. The CPPA’s DROP platform, launched in early 2024, centralizes deletion requests, reducing consumer effort from weeks to minutes. With an anticipated one million registered Californians by August 2026, the volume of requests will surge, forcing brokers to automate compliance or face daily penalties.

Financial exposure under the new regime is unprecedented. While current fines sit at $200 per day for failure to register, the post‑August 2026 structure imposes $200 per day for each unfulfilled deletion request. In a worst‑case scenario—one million consumers each filing a request—a single missed day could generate a $200 million fine. This risk calculus compels companies to reassess data‑collection practices, especially those relying on third‑party pixels that may lack a bona fide consumer relationship. The broadened definition of "direct relationship" means many firms previously unaware of broker status must now audit their data flows and contractual arrangements.

To mitigate exposure, the CPPA offers a sandbox environment where brokers can test DROP integration against technical guidelines. Early adopters can refine automated workflows, ensuring they meet the 45‑day processing window. Industry groups are already advising members to map data sources, document consent mechanisms, and establish rapid response teams for deletion requests. Companies that invest in robust privacy infrastructure now will avoid the existential threat of massive fines and preserve brand trust in an increasingly privacy‑conscious market.