California is turning up the heat on the companies that buy and sell consumer data, pairing a new statewide “one-stop” deletion system with early enforcement actions that signal regulators are ready to name names.

The state’s new Delete Request and Opt-Out Platform, or DROP, opened to consumers on Jan. 1, 2026, and the California Privacy Protection Agency (CalPrivacy) quickly followed with penalties against firms it says should have registered as data brokers.

That’s the backdrop for a new client alert from Clark Hill that walks businesses through what changed, who’s in scope, and what comes next under California’s Delete Act (SB 362). The firm notes that while multiple states now regulate data brokers, California is the only one with a centralized mechanism that lets consumers submit deletion requests to all registered data brokers at once. And the clock is already ticking: covered businesses must begin retrieving and honoring DROP requests starting Aug. 1, 2026.

CalPrivacy’s enforcement push arrived within days of DROP’s launch. On Jan. 8, the agency’s Data Broker Enforcement Strike Force issued two decisions focused on a basic compliance step: registration. Rickenbacher Data LLC, doing business as Datamasters, was fined $42,000 for failing to register, with the agency alleging the company bought and resold sensitive personal information for targeted advertising. S&P Global, Inc. was fined $62,000 for being unregistered for 313 days, and was also directed to adopt written policies and procedures aimed at preventing a repeat.

Clark Hill’s key message is that many companies may be closer to the “data broker” line than they think, especially if they monetize information gathered outside a direct customer relationship. The post points to an expansive definition in the statute: “business that knowingly collects and sells the personal information of a consumer with whom the business does not have a direct relationship.”

Related: Congress, White House Try to Get Ahead of the Growing Local Backlash to Data Centers

That definition matters because the Delete Act layers new operational demands on top of California’s existing privacy framework. Data brokers must register annually by Jan. 31, pay a fee, and disclose what categories of identifiers they collect. Starting Aug. 1, 2026, they also need a repeatable process to pull DROP requests at least every 45 days, match requests using standardized identifiers, delete data unless an exception applies, and complete determinations within 90 days.

CalPrivacy has said it will provide an API and a sandbox environment to support integration work, which means the compliance lift will land with both legal and engineering teams.

What’s next, according to Clark Hill, is a steady march of deadlines and escalating exposure. Companies that miss registration face penalties of $200 per day, plus the agency’s investigation costs. Once deletion processing goes live in August, the penalty framework shifts to $200 per request per day for failures to act, a structure that could add up quickly for high-volume firms. Longer term, California is also building an audit regime: independent privacy audits begin Jan. 1, 2028, with the first audit results due to CalPrivacy in 2029.

The practical takeaway is simple: businesses should assess now whether any lead-generation, audience-segmentation, or data-enrichment activity could trigger the “data broker” label, and they should prepare for an influx of deletion requests and related downstream demands from partners once DROP enforcement ramps in August.