The California Delete Act puts a firm deadline on data broker operations in California. Beginning August 1, 2026, covered data brokers must access the Delete Request and Opt-Out Platform, known as DROP, and process consumer deletion requests sent through the system. For financial services companies, fintechs, lead generators, analytics providers, and service vendors, the first step is figuring out whether their data practices place them within California’s data broker definition.
The law took effect on January 1, 2024, and California built DROP to handle consumer deletion requests in one place. Covered data brokers are expected to connect to that platform and process requests sent through it. This is an ongoing workflow requirement, not a one-time project, and companies that wait until requests start piling up will have a harder time catching up.
What the California Delete Act does
The Delete Act gives California residents a single place to submit deletion requests to data brokers. Instead of sending separate requests to individual companies, a consumer can use the state system and have that request routed broadly across covered businesses. That changes the volume and speed of what a company may need to process.
For companies in scope, the core issue is operational readiness. You need a way to receive requests from DROP, identify the consumer across relevant systems, delete covered information where required, and keep records showing that your process works. If your data sits across multiple vendors, affiliates, lead sources, or archived environments, that work gets harder quickly.
The California Privacy Protection Agency, or CPPA, has taken an active role in implementing and enforcing these requirements. When a state agency creates a centralized request channel and a dedicated enforcement structure around it, businesses should assume the filing, registration, and response process will get attention. That is especially true for companies that move large volumes of consumer data through marketing, underwriting, servicing, collections, or analytics workflows.
Who may qualify as a data broker under the Delete Act
Most of the exposure under the California Delete Act starts with one question: whether the business meets California’s definition of a data broker. That definition has become a major pressure point because recent rulemaking has widened the scope beyond the classic image of a company that simply buys and sells lists. A business can fall into scope based on how it collects, transfers, licenses, or makes consumer data available to others.
Companies should take a close look at their data practices if they regularly do any of the following: license consumer information to third parties, aggregate data for outside use, support analytics or audience segmentation for external customers, or sit inside a broader adtech or lead distribution chain. Indirect involvement can still matter when the business helps move data from one party to another.
This matters for regulated financial services because data flows are often more complex than they look on an org chart. A lending platform may send applicant data to service providers, marketing partners, fraud tools, analytics vendors, and downstream purchasers. A debt collection or mortgage company may rely on skip tracing, lead sources, affiliate referrals, portfolio transfers, or servicing systems that create multiple copies of consumer information across separate environments.
A company does not need to call itself a data broker to attract scrutiny. California will look at what the business actually does with consumer information, how that information moves, and whether the company is making data available to another party in a way that fits the statute and rules. Titles and internal assumptions will not carry much weight if the workflow tells a different story.
August 1, 2026 DROP deadline and ongoing processing requirements
Beginning August 1, 2026, each covered data broker must access DROP at least once every 45 days and process deletion requests received through the platform, as required by the California Privacy Protection Agency’s regulations and California Civil Code § 1798.99.90. That means covered data brokers need a working intake and deletion process before requests start coming through. If consumer data sits across vendors, archived systems, lead platforms, or affiliate workflows, those gaps need attention now.
The challenge is scale. A single deletion request process may sound manageable when viewed in isolation, but a centralized state platform can send requests at a much higher volume than a business has handled in the past. Once requests come through DROP, companies need a repeatable method for identifying records, handling exceptions, coordinating with vendors, and documenting completion.
For firms with fragmented systems, this is where problems surface first. Consumer data may sit in CRM tools, loan origination systems, servicing platforms, collections software, archived exports, marketing databases, call center tools, and vendor environments. If the business cannot identify all the places where the data lives, it will struggle to process deletion requests accurately and on time.
Enforcement risk and penalty exposure
California has attached meaningful enforcement risk to these obligations. The penalty figure cited here, up to $200 per day, per violation, shows why volume matters. When a company misses one request across multiple records, systems, or days, the total exposure can grow quickly.
The CPPA has also signaled that data broker activity is an enforcement priority. That matters because centralized request systems create a cleaner trail for regulators to review. If a business should have registered, should have connected to DROP, or should have processed requests and failed to do so, the agency has a clearer path to identify the gap.
For financial services companies, enforcement risk often starts with classification mistakes. Teams may assume they are outside the data broker definition because they view themselves as lenders, servicers, collectors, platforms, or software providers. If the business shares or licenses consumer information in a way California treats as data broker activity, that assumption can become expensive.
Where companies are getting tripped up
Most problems start with incomplete data mapping. A company knows where consumer data enters the business, but it does not have a full inventory of where that data goes next. Once information moves into vendor systems, reporting tools, affiliate workflows, archived files, or purchased lead environments, internal visibility drops.
Vendor coordination is another common gap. If a deletion request reaches the company through DROP, the company still needs a process for handling data held by outside providers where required by the law and the underlying business arrangement. That means your team needs clear ownership, documented workflows, and a current list of systems and vendors that receive California consumer data.
Registration and classification issues also create trouble. Some businesses focus on the deletion workflow and overlook the separate question of whether they need to register as a data broker with California. Others register too late, or they delay internal review because nobody owns the issue across legal, privacy, operations, marketing, and technology teams.
Financial services firms face an added layer of complexity because data often moves for legitimate business reasons that can still create registration and deletion obligations. Lead exchanges, portfolio acquisitions, fraud screening, affiliate marketing, skip tracing, and analytics support all deserve a close review. If your company handles California resident information anywhere in that chain, document the flow and test whether the activity fits the state’s definition.
August 1, 2026 DROP deadline and ongoing processing requirements
With the August 1, 2026 DROP deadline in place, companies should finish their scope review, confirm whether they qualify as a data broker, and test their deletion workflow well before the platform becomes a live operational requirement.
Next, confirm whether the business has any California data broker registration obligations and whether the team is prepared for DROP intake and deletion processing. Assign owners across operations, technology, privacy, and vendor management so requests do not stall between departments. A requirement like this breaks down when everyone assumes someone else is handling it.
Then test the workflow before volume hits. Make sure your team can receive a request, verify the data subject where required, locate records across systems, carry out deletion steps, and document the result. If your company works in lending, mortgage, collections, money transmission, or fintech, include the systems and vendors that sit outside the core platform, because those are often the first places teams miss.
The California Delete Act is already moving from policy discussion into daily operations. Companies that review their data broker status early and build a working process for DROP will be in a far better position than those still treating this as a narrow privacy issue. For businesses in regulated financial services, the safer approach is to assume the agency will look closely at how data actually moves, then build your registration and filing process around that reality.






