The CalPrivacy Data Broker Crackdown

The California Privacy Protection Agency (CalPrivacy) has declared open season on non-compliant data brokers with the formation of its Data Broker Enforcement Strike Force. This is a critical development for all business owners and large corporations, regardless of their location, because it signals a fundamental shift from passive regulation to aggressive, proactive enforcement of the California Consumer Privacy Act (CCPA) and the revolutionary Delete Act (SB 362). The Strike Force’s primary mandate is to ensure the functional rollout of the Delete Request and Opt-out Platform (DROP), which, starting in January 2026, will allow consumers to delete their data from all registered brokers with a single click.

This initiative, backed by a recent string of high-profile fines and regulatory coordination with states like Connecticut, makes clear that the era of treating data privacy as a secondary legal concern is over. Companies must now view compliance—especially the technical infrastructure for mass deletion and transparent data mapping—as a core, existential operational imperative. Failure to register as a data broker, or failure to comply with deletion requests, now carries explicit, escalating daily financial penalties and the heightened risk of being targeted by a dedicated, high-intensity regulatory unit.

The New Sheriff in Town: CalPrivacy’s Strike Force and the Era of Proactive Data Broker Enforcement

The California Privacy Protection Agency (CalPrivacy) has dramatically shifted the enforcement landscape with the launch of its Data Broker Enforcement Strike Force. This is not merely an incremental increase in regulatory oversight; it is a structural, philosophical pivot toward proactive, high-intensity investigations targeting a sector—the data broker industry—that has long operated in the shadows. For any business that relies on consumer data, whether as a data broker, a customer of one, or a corporate entity managing consumer rights requests, this development heralds a new, more stringent era of compliance.

This “Strike Force” is explicitly tasked with reviewing compliance with both the foundational California Consumer Privacy Act (CCPA) and the groundbreaking Delete Act (SB 362). The move underscores CalPrivacy’s commitment to making the state’s “one-click” data deletion mechanism—the Delete Request and Opt-out Platform (DROP)—a reality. By dedicating resources to this specialized unit, CalPrivacy is signaling to the industry that registration and compliance are no longer negotiable, but mandatory obligations subject to a new level of scrutiny.

The Strike Force builds directly on an ongoing, record-setting investigative sweep that has already resulted in significant enforcement actions, including millions in fines against large retailers and other corporations for CCPA violations related to honoring opt-out requests and dark patterns. The Head of Enforcement for CalPrivacy has likened the Strike Force’s approach to the intensity seen at U.S. Attorney and state Attorney General offices, emphasizing that the focus is on the unique risks posed by the industrial-scale collection and sale of personal information.

A business may not self-identify as a traditional “data broker,” but the increasing scope of CalPrivacy’s enforcement actions suggests a broad interpretation of who falls under the CCPA’s jurisdiction. The definition of a “data broker” is key: a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship. The Strike Force’s mandate is to find both those who fail to register and those who register but fail to comply with the Delete Act’s stringent requirements.

The Anatomy of the Delete Act and the Threat of the Strike Force

The Delete Act, which mandates the creation of the DROP platform, is arguably the most aggressive consumer-rights legislation in the US to date. It flips the burden of data management, demanding verifiable compliance on a continuous basis. The Strike Force’s creation, launched in the lead-up to the DROP platform’s consumer availability date of January 1, 2026, indicates that the Agency is putting resources in place to ensure compliance from day one.

Here is the phased timeline and the compliance deadlines that the Strike Force will enforce:

  1. January 1, 2026: DROP Platform Launch. CalPrivacy will launch the Delete Request and Opt-out Platform (DROP), making the centralized deletion mechanism available for consumers to submit a single request.

  2. August 1, 2026: Broker Deletion Compliance Begins. Registered data brokers must begin accessing the DROP platform at least once every 45 days. They must process and honor the bulk, verifiable deletion requests, and direct their service providers and contractors to do the same, all within 45 days of receiving the request.

  3. January 1, 2028: Mandatory Third-Party Audits Begin. Data brokers must undergo an audit by an independent third party every three years to determine compliance with the Delete Act. Audit records must be maintained for at least six years.

  4. January 1, 2029: Audit Disclosure. Data brokers will be required to disclose their audit results to CalPrivacy when registering.

This timeline creates immediate pressure. Businesses that are currently non-compliant with the fundamental requirement—annual registration—face explicit and mounting penalties. Failure to register under the Delete Act incurs administrative fines of $200 per day, plus unpaid registration fees and the expense of the investigation. The Strike Force is laser-focused on these simple, high-impact violations.

Immediate Compliance Focuses for Data-Centric Businesses

The Strike Force has clear, immediate targets that businesses must proactively address to mitigate their risk of investigation and substantial fines. This is the new minimum bar for data governance, moving beyond simple website disclosures to systemic operational change. The scope is certain to widen as the years go on, but for now enforcement is targeting data brokers.

  • Accurate Classification and Registration: Businesses must accurately assess if they meet the revised and expanded definition of a data broker and ensure continuous annual registration with CalPrivacy. The increased scrutiny means unregistered but qualifying entities are the primary targets of the Strike Force.

  • Architectural Readiness for DROP: Companies must prepare their privacy software and data governance architecture to interface with the DROP system. This is a technical integration project requiring the ability to ingest mass, verifiable deletion requests from an API, distribute those requests, and log the deletion status across all internal and contracted systems.

  • Meticulous Data Flow Mapping: Compliance requires a meticulous, verifiable map of where consumer data resides within the extended enterprise ecosystem. This is necessary to satisfy the law’s requirement that data brokers direct their service providers and contractors to also comply with a consumer’s delete request.

  • Vetting Downstream Partners: Due to the cascading deletion obligation, companies must audit their vendor and third-party contracts to ensure they include the necessary legal and technical mandates to honor Delete Act and CCPA requests, and that the partners have the technical capability to comply within the 45-day window.

The State-Level Privacy Wave: California’s Regulatory Domino Effect

The Strike Force and the Delete Act are not isolated Californian phenomena. They represent the leading edge of a national trend toward the “Californication” of state-level data privacy. Efforts in Connecticut to introduce legislation modeled on California’s Delete Act highlight a crucial regulatory domino effect.

California’s ability to create a functional, centralized deletion mechanism—the DROP—provides a compelling template for other states. If California proves that mass consumer deletion is technically and logistically feasible, it becomes significantly harder for industry to argue against similar centralized mechanisms in other jurisdictions. This is reinforced by the Consortium of Privacy Regulators, where CalPrivacy actively collaborates with enforcement bodies in Connecticut, Colorado, and other states to coordinate privacy investigations and sweeps, particularly concerning the honoring of opt-out signals like the Global Privacy Control (GPC). The Strike Force’s mandate will feed directly into these interstate enforcement efforts.

Framework comparison: California Delete Act (via DROP), Connecticut Data Privacy Act (CTDPA), and GDPR (EU)

Deletion Mechanism
  • California Delete Act (via DROP): Centralized, state-mandated platform (DROP) for all registered data brokers.
  • CTDPA: Individual request mechanism (Right to Delete); no centralized, government-mandated platform.
  • GDPR: Individual request mechanism (Right to Erasure); no centralized, government-mandated platform.

Data Broker Registration
  • California Delete Act (via DROP): Mandatory annual registration and fee with CalPrivacy, with specific data type disclosures. Fines for non-registration are $200 per day.
  • CTDPA: No separate Delete Act-style mandate, but recent legislative efforts seek to add data broker registration requirements.
  • GDPR: No separate data broker registration mandate.

Mandatory Audits
  • California Delete Act (via DROP): Required independent third-party audits every three years, starting January 1, 2028. Brokers must disclose results.
  • CTDPA: No mandatory third-party audits, but Data Protection Assessments (DPAs) are required for high-risk processing.
  • GDPR: Data Protection Impact Assessments (DPIAs) required for high-risk processing.

Scope of Deletion
  • California Delete Act (via DROP): Deletion request applies to all non-exempt personal information held by the broker. Broker must continue deleting data every 45 days.
  • CTDPA: Deletion right for data provided by the consumer and data obtained about the consumer. Compliance can be met by opting the consumer out of sale/sharing for third-party data.
  • GDPR: Deletion of personal data where conditions (e.g., no longer necessary for purpose, consent withdrawn) are met.

This comparison chart reveals the unique regulatory burden created by California. The Delete Act goes beyond granting a right; it mandates the infrastructure—the DROP—and the verification—the third-party audits—to make the right effective at scale. This proactive, infrastructure-based approach is what jurisdictions like Connecticut are watching closely and beginning to model.

The Strategic Imperative for Corporate Compliance Teams

The CalPrivacy Strike Force and the rise of Delete Act-modeled laws transform data privacy from a legal review function into a core operational and software engineering challenge. For business owners and large corporations, the path to compliance runs directly through their data privacy software solutions. The days of manual, siloed compliance responses are over.

The shift is from reactive compliance to proactive data governance integration.

The Strike Force is not waiting for consumer complaints; they are actively investigating and building cases now. The time to prepare the organizational and technological infrastructure is before the DROP platform goes live.

  1. Re-Assess “Data Broker” Status and Registration: Do not assume you are exempt. The CCPA/CPRA and Delete Act definitions are complex, and the Agency is targeting entities that collect and sell non-directly-collected data. The annual registration fee is significant, and the fines for non-registration are severe.

  2. Invest in Scalable Privacy Request Management (SRM): Compliance cannot be handled via manual processes. Your solution must be able to:

    • Intake a high volume of deletion requests from the DROP platform’s API.

    • Verify the consumer’s identity (where required).

    • Distribute the request across all internal data systems (data warehouses, marketing databases, backups) and external service providers.

    • Log and Audit the deletion status—all within the 45-day window.

  3. Establish Continuous Data Inventory and Mapping: The core challenge of deletion is knowing where the data is. Privacy software must provide a live, dynamic inventory of all data systems and map the flow of consumer personal information, especially sensitive data. This is foundational to demonstrating auditable compliance for the mandatory triennial audits starting in 2028.

  4. Develop an Enforcement Response Playbook: The Strike Force’s high-intensity approach means a greater likelihood of receiving an enforcement inquiry or subpoena. Companies need a documented, tested plan for data gathering, internal investigation, and legal response, ensuring they can produce the necessary audit trails from their compliance software to mitigate potential fines.
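The following is an added example, written for this page and not Captain Compliance's product or any CalPrivacy code, of the intake, verify, fan-out and log pipeline sketched in the “Architectural Readiness for DROP” item and in step 2 above. The page does not describe the DROP platform's actual batch format or API, so the JSON batch layout, the use of SHA-256 hashed e-mail identifiers for matching, the system names (crm, marketing_db, vendor_x) and the in-memory stand-ins for internal stores and a contracted service provider are all constructed assumptions. What it adds beyond the prose is the conservative status logic: a request only counts as complete once every internal system and every downstream provider has confirmed, and the 45-day deadline is computed from the date the request was received so overdue items surface in the audit log.

```python
import hashlib
import json
from datetime import date, timedelta

DEADLINE_DAYS = 45  # the 45-day processing window stated on the page
HEX_DIGITS = set("0123456789abcdef")


def hash_identifier(value: str) -> str:
    """Normalise an e-mail and hash it so only hashed values cross system boundaries.
    (Assumption: DROP-style requests carry hashed identifiers; the page does not say.)"""
    return hashlib.sha256(value.strip().lower().encode("utf-8")).hexdigest()


# Constructed sample batch standing in for a pull from the DROP platform.
SAMPLE_BATCH = json.dumps([
    {"request_id": "req-001", "identifier_hash": hash_identifier("alice@example.com"), "received": "2026-08-01"},
    {"request_id": "req-002", "identifier_hash": hash_identifier("bob@example.com"), "received": "2026-08-03"},
    {"request_id": "req-003", "identifier_hash": "not-a-valid-hash", "received": "2026-08-03"},
])


def parse_batch(raw_json: str):
    """Intake step: validate every request. Malformed entries are recorded as
    rejected rather than silently dropped, so the audit trail is complete."""
    accepted, rejected = [], []
    for item in json.loads(raw_json):
        h = item.get("identifier_hash", "")
        try:
            received = date.fromisoformat(item.get("received", ""))
        except (TypeError, ValueError):
            received = None
        valid_hash = isinstance(h, str) and len(h) == 64 and set(h) <= HEX_DIGITS
        if not item.get("request_id") or received is None or not valid_hash:
            rejected.append({"request_id": item.get("request_id"), "reason": "malformed request"})
            continue
        accepted.append({"request_id": item["request_id"], "identifier_hash": h, "received": received})
    return accepted, rejected


class InMemorySystem:
    """Constructed stand-in for an internal data store or a contracted vendor's
    deletion endpoint; `available=False` simulates an unreachable provider."""

    def __init__(self, name, records, available=True):
        self.name = name
        self.records = dict(records)  # identifier_hash -> stored record
        self.available = available

    def delete(self, identifier_hash):
        if not self.available:
            return "failed"  # no confirmation: the request must stay pending
        return "deleted" if self.records.pop(identifier_hash, None) is not None else "no_record"


def fan_out(request, systems):
    """Distribute one request to every internal system and downstream provider."""
    return {s.name: s.delete(request["identifier_hash"]) for s in systems}


def process_batch(raw_json, systems, today_iso):
    """Intake, fan out, and produce audit entries with 45-day deadline tracking."""
    today = date.fromisoformat(today_iso)
    accepted, rejected = parse_batch(raw_json)
    log = []
    for req in accepted:
        outcomes = fan_out(req, systems)
        deadline = req["received"] + timedelta(days=DEADLINE_DAYS)
        # Complete only when every system confirmed deletion or confirmed it held nothing.
        complete = all(v in ("deleted", "no_record") for v in outcomes.values())
        log.append({
            "request_id": req["request_id"],
            "received": req["received"].isoformat(),
            "deadline": deadline.isoformat(),
            "outcomes": outcomes,
            "status": "complete" if complete else "pending",
            "overdue": (not complete) and today > deadline,
        })
    for r in rejected:
        log.append({"request_id": r["request_id"], "status": "rejected", "reason": r["reason"]})
    return log


def overdue_requests(log):
    """Request ids that are still pending past their statutory deadline."""
    return [e["request_id"] for e in log if e.get("overdue")]


def build_sample_systems():
    """Constructed systems: two internal stores plus one vendor that is currently unreachable."""
    alice, bob = hash_identifier("alice@example.com"), hash_identifier("bob@example.com")
    return [
        InMemorySystem("crm", {alice: {"name": "Alice"}, bob: {"name": "Bob"}}),
        InMemorySystem("marketing_db", {alice: {"segment": "newsletter"}}),
        InMemorySystem("vendor_x", {bob: {"score": 7}}, available=False),
    ]


if __name__ == "__main__":
    print(json.dumps(process_batch(SAMPLE_BATCH, build_sample_systems(), "2026-09-16"), indent=2))
```

Run as a script, it prints the audit log for the constructed batch as of a constructed date. Note that req-001 is marked pending and overdue even though no vendor record may exist for Alice: because vendor_x never answered, the broker cannot attest that the cascaded deletion happened, which is the conservative position an auditor would expect the log to reflect.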

The CalPrivacy Data Broker Enforcement Strike Force is not a warning shot; it is the arrival of the cavalry for consumer privacy rights. It provides the teeth and the resources to enforce a regulatory framework designed for the age of industrial-scale data trade. For businesses, the time to view data privacy compliance as an optional cost is definitively over. It is now a critical business continuity measure that demands investment in sophisticated, integrated, and auditable software solutions capable of navigating this new, high-enforcement regulatory reality. The compliance solutions that thrive in this environment will be those that embrace automation, transparency, and a deeply embedded, verifiable culture of data stewardship.
