California’s DROP Goes Live: What August 1, 2026 Means If You Buy or Sell Consumer Data
If your business buys or sells consumer data you didn't collect directly, California just put a hard deadline on your calendar. The state's Delete Request and Opt-out Platform (DROP) is live, and on August 1, 2026, registered data brokers have to start honoring deletion requests that come through it.
This is an operator's read, not legal advice.
What the Delete Act and DROP do
The California Delete Act (SB 362, 2023) amended the state's data-broker law and moved registration to the California Privacy Protection Agency. Its centerpiece is DROP: a single platform where a consumer submits one request to have all registered data brokers delete their personal information.
The timeline that matters:
- January 1, 2026 — DROP launched; consumers can submit deletion requests.
- August 1, 2026 — registered data brokers must begin processing and honoring those requests, and thereafter must access DROP at least once every 45 days to handle accumulated requests.
The penalties are per-day, and they stack
Failure to register carries a penalty of $200 for each day you fail to register. Separately, failing to honor a deletion request carries $200 for each deletion request for each day you fail to delete. Those are two different penalties — keep them separate, and notice how fast a backlog compounds.
Are you even a "data broker"?
The trigger is California's definition: a business that knowingly collects and sells to third parties the personal information of a consumer with whom it does not have a direct relationship. A pure lead aggregator that buys and resells consumer data it didn't collect directly is squarely the target.
The most consequential carve-outs for lead-gen:
- Direct-relationship data — information you collected directly from the consumer through your own site or form — is generally outside the definition.
- GLBA- and FCRA-covered activity is exempt to the extent the information or activity is covered by those statutes.
The exemption attaches to the activity, not the company
A mortgage lead-gen company can have some activity that's GLBA- or FCRA-covered and other activity — like reselling third-party-sourced contact data — that isn't. The second kind can still pull you into registration. Don't treat the exemption as a blanket safe harbor; resolve it with counsel.
What to do before August
If there's any chance you meet the data-broker definition: confirm your registration status (the annual deadline is January 31), map which of your data flows are direct-relationship or GLBA/FCRA-covered versus genuinely brokered, and stand up a process to check DROP every 45 days and delete on time. The 45-day clock and the per-request penalties make a manual, ad-hoc approach risky.
Not Legal Advice
General information, not legal advice. Registration fees, exact statutory section numbers, and the final DROP regulations should be confirmed against the California Privacy Protection Agency (privacy.ca.gov / cppa.ca.gov) with counsel before you rely on specifics.
The Operator’s Compliance Brief
What changed in lead-gen compliance, and what to do about it. Free, no spam.
Sources
- About DROP and the Delete Act — California Privacy Protection Agency (accessed 2026-06-29)
- Data Broker Regulation Framework — CA, TX, VT, OR — California Lawyers Association (accessed 2026-06-29)
30+ years in lead gen · BRSG Founder
Bill Rice has spent 30+ years in mortgage, lending, and performance marketing — generating leads, buying them, and building the systems that route and work them. He founded a performance-marketing agency, owned a direct-to-consumer lender, and wrote The Lead Buyer's Playbook. He built Lead Compliance Hub to help operators navigate the legal landmines of online lead generation from an operator's seat, not a law firm's. Nothing he writes here is legal advice.
Key Terms to Know
California Delete Act
SB 362 (2023), which amended California’s data-broker law, moved registration to the California Privacy Protection Agency, and created DROP — a single platform for consumers to request deletion across all registered brokers.
DROP
California’s Delete Request and Opt-out Platform. It launched January 1, 2026 (consumers can submit requests); registered data brokers must begin processing deletion requests by August 1, 2026 and check the platform at least every 45 days.
Data Broker
Under California’s Delete Act (Civ. Code § 1798.99.80(c)), “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” Many lead aggregators fall squarely within it.
GLBA
The Gramm-Leach-Bliley Act. To the extent information or activity is covered by GLBA (or FCRA), it is exempt from California’s data-broker definition — but the exemption attaches to the covered activity, not to the company as a whole.
The Operator’s Compliance Brief
What changed in lead-gen compliance, and what to do about it. Free, no spam.