Table of Contents
- What Is a “Data Broker,” Really?
- California’s Registry: From “Sign Up” to “Show Your Work”
- The Expansion: What Data Brokers Must Disclose Now
- DROP: The Platform That Turns Registration Into Ongoing Obligations
- Registration Mechanics: What It Looks Like in Real Life
- What Happens Starting August 1, 2026: The “Every 45 Days” Reality
- Penalties: California Brought a Calculator
- Who Needs to Re-Check Their Status (Even If They Don’t “Feel” Like a Broker)?
- Practical Compliance Checklist for Businesses
- What Consumers Should Know (And Actually Do)
- Why This Expansion Matters Beyond California
- Conclusion: Registration Is Now the Beginning, Not the Finish Line
- Field Notes: of Experience From the Data Broker Compliance Trenches
If you’ve ever wondered how your phone number found its way into a “Congratulations, you’ve won a free roof inspection!” text message… congratulations: you’ve met the modern data broker ecosystem. And California, being California, is responding the only way it knows how: with a bigger, sharper, more detailed rulebook (and a platform with a very dramatic name).
Thanks to the California Delete Act (SB 362) and a newer set of amendments (SB 361), data broker registration requirements are expanding, not just in who must register, but in what they must disclose and how they must operationalize deletion requests through a statewide system called DROP (Delete Request and Opt-out Platform). Translation: if you sell consumer personal data you didn’t collect directly from the consumer, California wants your name, your paperwork, your disclosures, and eventually your deletion workflow on a recurring schedule.
This article breaks down what’s changing, why it matters, and what both businesses and consumers should do next, without the legalese hangover.
What Is a “Data Broker,” Really?
In California’s privacy world, a data broker is generally a business that knowingly collects and sells personal information to third parties about consumers it doesn’t have a direct relationship with. That “no direct relationship” part is the tell: the consumer didn’t sign up, buy something, or open an account with the broker. The broker obtained the data elsewhere, packaged it, and sold access to it.
Common (real-world) data broker flavors include:
- People-search and “background” sites that list addresses, relatives, phone numbers, and more.
- Ad-tech and identity graph vendors stitching together device IDs, browsing signals, and inferred interests.
- Lead-gen and marketing list companies that sell “high intent” consumer segments to brands.
- Data enrichment services that append profiles to lists (income bands, household composition, or “likely to buy a jet ski”).
Not every company that touches data is a data broker. The “selling to third parties” plus “no direct relationship” combo is what triggers the label.
California’s Registry: From “Sign Up” to “Show Your Work”
California has required data brokers to register for years, but the model is evolving fast. The Delete Act shifted key responsibilities to the California Privacy Protection Agency (also branded publicly as “CalPrivacy”) and laid the foundation for centralized deletion via DROP. In other words, registration is no longer just a checkbox; it’s becoming the on-ramp to a recurring compliance machine.
Two major shifts are driving the expansion:
- SB 362 (Delete Act) modernized the registry and created DROP (a one-stop deletion mechanism).
- SB 361 expanded what brokers must disclose when they register, especially around sensitive data and who receives it.
The Expansion: What Data Brokers Must Disclose Now
Here’s the heart of the change: California is asking data brokers to be far more transparent about what they collect and where it goes. The goal is to make the registry more meaningful to consumers, regulators, and journalists who don’t want to play “Guess Who’s Selling My Data?”
1) Expanded “What Do You Collect?” Disclosures
Beyond the earlier focus on especially sensitive areas (like minors, precise geolocation, and reproductive health data), expanded registration disclosures now reach into categories that make privacy pros sit up straight because they’re useful for identity verification, targeting, or harm:
- Basic identifiers (name, date of birth, ZIP code, email, phone)
- Account access data (login/account number plus required security code/access code/password)
- Government-issued IDs (driver’s license, state ID, SSN, passport, military ID, tax ID, or similar)
- Device & household identifiers (mobile advertising IDs, connected TV IDs, vehicle identification numbers)
- Citizenship / immigration status
- Union membership status
- Sexual orientation
- Gender identity and gender expression
- Biometric data
- Precise geolocation
- Reproductive health care data
And if a broker doesn’t collect the “usual suspect” identifiers (like names, DOB, emails, phone numbers, mobile ad IDs, connected TV IDs, or VINs), it must still disclose at least one, and up to three, of the most common types of personal information it does collect. That closes the loophole where a broker could basically register as “We collect vibes” and call it a day.
2) Expanded “Who Did You Sell/Share To?” Disclosures
SB 361 adds a “follow the money (and the data)” element. Brokers must disclose whether, in the past year, they sold or shared consumer data to categories that raise elevated risk and public concern:
- Foreign actors (as defined in the law)
- The U.S. federal government
- Other state governments
- Law enforcement (outside subpoena/court order situations)
- Developers of generative AI systems/models (GenAI)
This is a big deal from a privacy governance perspective: California is effectively turning registration into a structured public accountability moment. If your business model touches sensitive attributes or sensitive recipients, the registry becomes a spotlight, by design.
3) A “Transparency, But Not Too Much” Tradeoff
California also acknowledges that making some disclosures fully public could create security or targeting risks. So while brokers must provide expanded disclosures to the agency, certain high-signal identifier disclosures are restricted from public posting. In practice, that means the regulator can see more than the casual web browser, balancing transparency with risk.
DROP: The Platform That Turns Registration Into Ongoing Obligations
Registration is the headline, but DROP is the plot twist. DROP is California’s statewide system that lets consumers submit a single request to require deletion (and related opt-out effects) across registered data brokers.
Key timeline milestones (yes, you’ll want to screenshot this part):
- January 1, 2026: DROP launches for consumers to start submitting requests.
- January 1–31, 2026: Data brokers must register and pay the annual fee through DROP (for brokers that met the definition in 2025).
- August 1, 2026: Data brokers must begin retrieving and processing DROP deletion requests at least every 45 days.
- January 1, 2028 (and every three years): Independent audit requirements begin (with retention and submission obligations when requested).
Also worth noting: if a business begins operating as a data broker during 2026, it generally isn’t required to register until 2027, but it may still need to pay a one-time access fee to integrate with DROP and process deletion requests starting August 1, 2026. California is essentially saying: “Welcome to the party. Here’s your wristband. The DJ starts at 8.”
Registration Mechanics: What It Looks Like in Real Life
Based on current CalPrivacy instructions, the 2026 process is more structured than older “send your info to a registry” models:
- Create a business account in DROP.
- Wait for approval (CalPrivacy indicates this should be quick).
- Complete the registration form with your required disclosures.
- Pay the annual registration fee (CalPrivacy has publicly stated a $6,000 fee for the 2026 registration window, plus payment processing costs).
Operationally, this pushes data brokers into a single system of record that supports both registry visibility and future deletion workflows.
What Happens Starting August 1, 2026: The “Every 45 Days” Reality
Beginning August 1, 2026, registered data brokers must:
- Access DROP at least every 45 days to retrieve consumer deletion requests.
- Match against standardized (often hashed) identifiers such as email, phone, date of birth, mobile ad IDs, connected TV IDs, and more.
- Delete matched personal information unless a legal exception applies.
- Delete associated inferences tied to the consumer (yes, inferences count).
- Direct service providers/contractors to delete as well when applicable.
- Report status back through DROP within required timeframes using standardized outcomes (e.g., deleted, opted out, exempt, not found).
- Maintain a suppression-style record so deleted data stays deleted in the future (the “please don’t respawn my profile” requirement).
In plain terms: California isn’t just asking for one deletion. It’s pushing for ongoing deletion hygiene, like brushing your teeth, but for consumer profiles you don’t want to get fined over.
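The match, delete, report and suppress steps listed above, sketched as an added example that is not from CalPrivacy or the original article. The SHA-256 hashing, the normalization rules, the record layout and every function and class name are assumptions for illustration, since DROP's actual formats are not given on this page.

```python
import hashlib
from dataclasses import dataclass, field

# Outcome labels come from the article; everything else here is assumed.
DELETED, EXEMPT, NOT_FOUND = "deleted", "exempt", "not found"

def normalize(kind, value):
    # ASSUMPTION: trim + lowercase, digits only for phones. A real pipeline
    # must apply the platform's published normalization rules instead.
    v = value.strip().lower()
    return "".join(c for c in v if c.isdigit()) if kind == "phone" else v

def hash_identifier(kind, value):
    # ASSUMPTION: unsalted SHA-256 hex digest of the normalized value.
    return hashlib.sha256(normalize(kind, value).encode()).hexdigest()

def keys_for(record):
    # Every (kind, digest) pair under which a stored record can be matched.
    return {(k, hash_identifier(k, record[k])) for k in ("email", "phone") if record.get(k)}

@dataclass
class BrokerStore:
    records: dict                                  # record_id -> dict of fields
    suppression: set = field(default_factory=set)  # (kind, digest) only, no plaintext

    def process_cycle(self, requests):
        """requests: iterable of (request_id, kind, digest) -> {request_id: outcome}"""
        outcomes = {}
        for req_id, kind, digest in requests:
            key = (kind, digest)
            self.suppression.add(key)   # kept even when nothing matches today
            hits = [rid for rid, rec in self.records.items() if key in keys_for(rec)]
            deletable = [r for r in hits if not self.records[r].get("legal_hold")]
            for r in deletable:
                del self.records[r]     # inferences live in the record and go with it
            outcomes[req_id] = DELETED if deletable else (EXEMPT if hits else NOT_FOUND)
        return outcomes

    def ingest(self, record_id, record):
        """Refuse to re-create a profile whose identifier is suppressed."""
        if keys_for(record) & self.suppression:
            return False
        self.records[record_id] = record
        return True

def demo():
    # Constructed sample data, not real consumer records.
    store = BrokerStore({
        "r1": {"email": " Alice@Example.com ", "inferences": ["frequent traveler"]},
        "r2": {"email": "bob@example.com", "legal_hold": True},
    })
    reqs = [("q1", "email", hash_identifier("email", "alice@example.com")),
            ("q2", "email", hash_identifier("email", "bob@example.com")),
            ("q3", "phone", hash_identifier("phone", "415-555-0100"))]
    return store, store.process_cycle(reqs)
```

Normalizing stored values with the same rules before hashing is what lets ` Alice@Example.com ` match the request, and the suppression check on ingest is what blocks a later data purchase from recreating the profile.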
Penalties: California Brought a Calculator
Expanded requirements come with enforcement teeth. The law authorizes administrative fines and cost recovery, meaning failures can become expensive in a very “per day” and “per request” kind of way.
Examples of penalty concepts you should take seriously:
- Failure to register can trigger per-day administrative fines (plus fees and enforcement costs).
- Failure to comply with deletion obligations can trigger per-request, per-day administrative fines (plus enforcement costs).
If you’re in a leadership meeting trying to decide whether registration is “worth it,” remember: California has essentially created a daily meter that keeps running while you debate.
Who Needs to Re-Check Their Status (Even If They Don’t “Feel” Like a Broker)?
One of the most common compliance surprises is a company that doesn’t identify as a data broker but whose revenue model behaves like one.
You should re-check your status if you do any of the following:
- Buy consumer data from multiple sources and resell or license it to clients.
- Provide data enrichment where the output is personal information about people you don’t directly serve.
- Offer audience segments or identity products sold to third parties, especially if you didn’t collect the data directly from those consumers.
- Operate a marketplace where third parties can purchase or access consumer data you assembled.
Concrete example: If your company aggregates mobile ad identifiers and location patterns to sell “frequent traveler” segments to multiple brands, you’re not just doing marketing; you’re brokering personal information. If you can’t point to a direct consumer relationship for the records you’re selling, your risk profile goes up fast.
Practical Compliance Checklist for Businesses
If you’re staring at these expanded registration requirements and thinking, “So… where do we start?”, here’s the practical, non-fluffy list.
Step 1: Confirm Whether You Meet the Definition
Start with two questions:
- Do we collect personal information about consumers we don’t directly interact with?
- Do we sell (or functionally sell by licensing/monetizing access) that information to third parties?
If the answer is “yes” to both, assume you need a deeper legal analysis. The cost of being wrong is rarely “a stern email.”
Step 2: Map Your Data Categories to the New Disclosures
SB 361-style disclosures are only hard if your data inventory is a mystery novel with missing pages. Build a clean map:
- Identifiers collected (names, emails, phones, DOB, ZIP, MAIDs, CTV IDs, VINs)
- High-risk categories (biometric, geolocation, reproductive health, immigration status, union membership)
- Account credential handling (especially risky; lock this down)
- Data recipients and buyer types (including government and GenAI-related buyers, if any)
Step 3: Prepare DROP Operations Before It’s Mandatory
Even though deletion processing requirements begin August 1, 2026, you don’t want to “learn DROP” in July 2026 the way people learn taxes in April. Design the workflow:
- Who retrieves DROP lists?
- How do you match hashed identifiers reliably?
- What systems hold the data (and what does “delete” mean in each one)?
- How do you handle exemptions without turning exemptions into “we kept it for marketing anyway”?
Step 4: Make Your Consumer Rights Page Not Terrible
Your registration requires a link to a page explaining how consumers can exercise rights, and California explicitly hates “dark patterns.” So don’t hide the opt-out link in 7,000 words of legal soup or behind a scavenger hunt. Make it findable, readable, and functional.
Step 5: Plan for Audits and Recordkeeping
Audits are coming on a recurring schedule. The companies that handle this best treat it like a security program:
- Document workflows and decisions
- Log deletion outcomes and exceptions
- Retain required records
- Test controls and remediation
What Consumers Should Know (And Actually Do)
For Californians, DROP is meant to make privacy rights usable without requiring a second job as a “professional opt-out form filler.”
How it works (high level)
- You create a profile and verify California residency.
- You submit a deletion request that goes to registered data brokers.
- You can add more identifiers over time (for example, old emails or phone numbers).
- Data brokers begin processing these requests starting August 1, 2026, on a repeating 45-day cycle.
What it may (and may not) cover
DROP primarily targets registered data brokers. Certain types of data may be exempt (for instance, categories tied to public records or regulated credit reporting contexts). That said, it’s still one of the most aggressive “make deletion possible at scale” efforts in the U.S.
Why This Expansion Matters Beyond California
California’s privacy laws tend to become the template everyone else copies (sometimes with tweaks, sometimes with groans). Expanded data broker registration requirements matter because they:
- Increase transparency around sensitive data categories that can enable fraud, stalking, discrimination, or profiling.
- Create public accountability for high-risk recipients (including foreign actors and some government sharing scenarios).
- Push companies toward repeatable deletion operations, not one-off manual handling.
- Raise the compliance bar for data brokers in a way that can influence national standards and buyer expectations.
Even if your company doesn’t operate in California, if you buy data from companies that do, you may see changes in contracts, data availability, and documentation requirements. Privacy regulation spreads like glitter: it gets everywhere and it’s hard to pretend you don’t see it.
Conclusion: Registration Is Now the Beginning, Not the Finish Line
California’s expansion of data broker registration requirements isn’t just more paperwork; it’s a structural change in how data brokers must operate. Through SB 362 and SB 361, the state is demanding deeper disclosure, clearer accountability, and a working mechanism (DROP) that turns consumer deletion from a theoretical right into an operational expectation.
If you’re a business: treat this as a program, not a form. If you’re a consumer: keep an eye on DROP and be ready to use it, because fewer spam calls and less exposure of sensitive data is a quality-of-life upgrade we can all get behind.
Field Notes: of Experience From the Data Broker Compliance Trenches
I’ve watched privacy teams go through data broker registration like it’s a casual DMV visit, only to realize it’s closer to a three-season TV arc with plot twists, cliffhangers, and a surprise cameo from Engineering.
Lesson #1: “We’re not a data broker” is not a strategy. It’s a feeling. And feelings are great, until you discover your “audience insights product” is literally a bundle of consumer attributes sold to third parties you don’t have a direct relationship with. The fastest way to clarity is to map: (1) where the data comes from, (2) who you sell it to, and (3) whether those consumers ever knowingly interacted with you. If the consumers never met you and you’re still monetizing their profiles, you might be the villain in someone’s privacy story.
Lesson #2: Inventory beats heroics. Teams that try to “just answer the registration questions” without a data inventory end up in a loop of Slack messages like: “Do we collect DOB?” “Sometimes.” “Is ‘sometimes’ a yes?” “Depends.” SB 361-style disclosures don’t tolerate vibes. Build a simple spreadsheet: identifiers, sources, storage systems, and whether each is collected directly or indirectly. Suddenly, the registration form becomes a data-entry project, not a philosophical debate.
Lesson #3: The scary stuff is often sitting in the corner. Many companies don’t realize they touch categories like biometric data (face templates in an “identity verification” product), union membership (in HR datasets), or immigration status (in compliance screenings). These aren’t always collected because the business is creepy; sometimes they’re collected because the business is complicated. Either way, California wants disclosure, and your internal controls should match the sensitivity of the data.
Lesson #4: DROP readiness is a workflow, not a button. I’ve seen teams assume DROP will be like email: “We’ll get a request, we’ll handle it.” But the recurring cycle changes the math. You need a repeatable pipeline: download identifiers, match, delete, confirm deletions across systems, and report status back. And because identifiers may be hashed, matching isn’t “CTRL+F”; it’s careful engineering. The companies that win here are the ones that design the process early, test matching logic, and define what “delete” means in every environment (data lakes, backups, analytics marts, vendor platforms, and that one legacy server nobody admits exists).
Lesson #5: Don’t make consumers hunt. When reporters found opt-out pages hidden from search engines, the reputational damage was immediate. Even if something is “technically accessible,” burying it is a trust-killer and a regulatory invitation. Your consumer rights page should be easy to find, plain-English, and free of dark-pattern nonsense. If a normal human can’t locate it in 30 seconds, you’ve built a privacy escape room, and nobody wants that.
Final takeaway: Expanded registration requirements are the warning shot. DROP is the operational reality. The sooner you treat this as an ongoing privacy operations program, the less likely you are to end up paying “per day” penalties while explaining to your CEO why a platform named DROP just dropped into your roadmap.