Privacy Insights That Matter

California DROP Act (CPRA) 2026: Compliance Requirements and DSAR Automation

California just made consumer privacy deletion requests unavoidable at scale. Starting August 1, 2026, every registered data broker must connect to a state-operated platform, retrieve consumer deletion requests every 45 days, and process them—automatically, verifiably, and repeatedly. Miss a deadline and face $200 per-request daily penalties. Fail to propagate deletions to vendors and face enforcement scrutiny that has already produced settlements exceeding $1.5 million.