The obligations apply to any business meeting California's definition of a data broker—broadly, any entity that knowingly collects and sells or licenses personal information of consumers with whom it has no direct relationship. Many companies that rely on third-party data or monetize consumer information outside a direct sales relationship may qualify without recognizing themselves as brokers. The DROP deletion portal opened to consumers on January 1, 2026, and data-broker registration is annual. SB-361 added new disclosure requirements about what data categories brokers collect and whether they have shared or sold data to government bodies, foreign actors, or AI developers.
Attorneys advising data-driven companies should treat the August 1 deadline as immediate. Businesses must determine whether they qualify as data brokers under California law, ensure correct registration, and build systems to receive and process deletion requests from DROP within 45 days. The state's broad definition of data broker and recent enforcement actions against registration failures make this a live compliance question for any company handling consumer data outside a direct customer relationship.