One form, all 500+ California-registered data brokers. It's the biggest privacy change since CCPA, and it has three gaps that broker-removal services need to close. Here's what's actually in the law and what to do about it.
Plain-English breakdown below. Not legal advice, this is a compliance reference.
500+
CA-registered data brokers
45
days to action per deletion request
$200
per-violation civil penalty
1
portal submission covers all
0
non-CA brokers covered
SB 362 was signed in October 2023. The CPPA has been building the delivery mechanism for two and a half years. This is what flips on.
The mechanism
A state-run portal where a California resident submits one deletion request. Every data broker registered in California must check the DROP list at least every 45 days and delete matching records. That's the entire mechanism, one list, pulled regularly, by every broker, for every Californian who signs up.
Who must comply
Brokers registered with the CPPA, LexisNexis, Acxiom, Experian's marketing side, Spokeo's parent, most people-search aggregators. They pay a registration fee ($6,600/yr) and are legally bound. Non-registered brokers are a separate category, see the "what it doesn't cover" section below.
Timelines
Upon receiving your DROP-list entry, a broker has 45 days to delete and confirm. After that they must re-check the list every 45 days and re-delete anyone who was re-collected (e.g., from a fresh public-records sweep). Re-listing is prohibited without re-collecting consent.
Penalties
The CPPA can fine a broker $200 for each deletion request they fail to honor. If they miss 1,000 California residents at $200 each, that's $200,000. The CPPA also has audit authority, they can demand records showing the broker checked the DROP list.
DROP is a big win, but it's not total coverage. If you rely on DROP alone, these are the holes your data will keep pouring out of.
Any data broker that doesn't register with California isn't bound by DROP. That includes offshore aggregators, many smaller people-search sites, and brokers that claim the "publisher" or "news archive" exemption. Plenty of the sites listing your address right now fall outside the registry. DROP will not touch them, you still need per-site opt-out filings.
DROP is a California-resident right. Texas, New York, Florida, everyone else, this law does not apply to you. Some states have their own privacy laws (TX SB 2105, VA CDPA, CO CPA), but none have a single-portal equivalent. If you're outside California, the 48-broker manual removal process is still the only reliable option.
DROP requires re-checks every 45 days, but brokers interpret "re-collected from a new source" generously. Voter rolls, deed transfers, utility records, court filings, and a hundred other public databases keep dumping your name back into the pipeline. Without active monitoring, you'll re-surface. The law assumes compliance; reality requires enforcement.
A four-step compliance pattern that assumes DROP works perfectly and still closes the gaps.
Step 1 · Now
Before DROP, do the manual sweep, Spokeo, BeenVerified, Whitepages, Radaris, MyLife, Intelius, PeopleFinder, and the long-tail aggregators. Ship the removal filings now so they clear by August.
Step 2 · Aug 1, 2026
CA residents: submit through the CPPA portal when it opens. One entry covers every registered broker going forward, and starts the 45-day compliance clock on all of them simultaneously.
Step 3 · Post-Aug 1 monthly
DROP doesn't hit offshore or unregistered sites. Re-scan the longtail every 30 days. Re-file any re-listings. If you don't, you'll be clean on the majors and leaking from the minors.
Step 4 · Escalation
CA residents have standing under SB 362 to report non-compliant brokers to the CPPA directly. $200/violation is a real number, brokers will move if enforcement is pursued. We file these for every client whose listing doesn't clear within the 45-day window.
Compliance reference
For the actual statute, see SB 362 on leginfo.legislature.ca.gov. For the CPPA's implementation rules, see the CPPA Regulations page. For the registered-broker list, see the CPPA Data Broker Registry. Consult a California-licensed attorney for any action with material legal consequence.
BizSuite operates the practical side: scan + opt-out + monitoring across registered and non-registered brokers, both inside and outside California. If you want DROP handled alongside the rest, that's what /data-removal.html is for.
Start the manual sweep now, fire the DROP entry on day one, and stay covered on the longtail for the $49/mo monitoring fee. That's the full playbook.
Start Removal, $497 setup$49/mo monitoring keeps the longtail clean. Cancel any time.