S&P Global is a Fortune 500 company with thousands of lawyers and compliance professionals. On January 8, CalPrivacy fined them $62,600 for failing to register as a data broker. The cause? An administrative error that left them unregistered for 313 days.
If S&P Global can miss this, so can you.
California's Delete Request and Opt-out Platform, known as DROP, went live on January 1, 2026. It lets California residents submit a single deletion request to every registered data broker in the state. The registration deadline for 2026 is January 31, just 15 days away. And CalPrivacy's newly formed Data Broker Enforcement Strike Force is actively hunting for companies that should have registered but haven't.
What Happened
A Brief History: Registration Came First
Here's what confuses many companies: DROP launched on January 1, 2026, but S&P Global was fined for being unregistered for 313 days. How?
The answer is that California's data broker registration requirement isn't new. It dates back to 2019 when California passed AB 1202, becoming the first state to require data brokers to register with the government. From 2020 through 2023, the California Attorney General maintained the registry.
In 2023, California passed the Delete Act (SB 362), which did two things: it transferred registry oversight from the Attorney General to the California Privacy Protection Agency (CalPrivacy), and it created the new centralized deletion mechanism, DROP.
So the registration requirement has been in effect for years. What's new in 2026 is DROP, the platform that lets consumers submit deletion requests to all registered brokers at once. Companies like S&P Global weren't fined for failing to comply with DROP. They were fined for failing to register as data brokers, a requirement that's been on the books since 2019.
The January 31 deadline isn't a new obligation. It's the same annual registration deadline that's existed for years. What's changed is that CalPrivacy now has a dedicated enforcement strike force, and they're actively pursuing companies that should have registered but didn't.
DROP Goes Live
On January 1, California launched the most ambitious consumer privacy tool in U.S. history. DROP allows any California resident to authenticate through Login.gov or the state's identity gateway and, with a single click, demand that all registered data brokers delete their personal information.
Approximately 500 companies are currently registered. Starting August 1, 2026, every registered data broker must check DROP at least every 45 days and process deletion requests. Failure to do so triggers penalties of $200 per request, per day.
The Enforcement Blitz
CalPrivacy isn't waiting for companies to figure this out. In the last two months, the agency's Data Broker Enforcement Strike Force has issued three significant fines:
ROR Partners (November 2025): $56,600
A Nevada-based marketing firm that built custom audience lists for fitness and wellness brands. ROR Partners used "billions of data points" to create profiles on 262 million Americans. They didn't think they were a data broker. CalPrivacy disagreed.
Datamasters (January 8, 2026): $45,000
A Texas-based company that bought and resold personal information of millions of people with health conditions for targeted advertising. They weren't registered.
S&P Global (January 8, 2026): $62,600
The New York-based data and analytics giant was unregistered for 313 days due to an administrative oversight. CalPrivacy didn't care about the reason. They required S&P Global to pay the fine and adopt new written policies to prevent future lapses.
The message is clear: size doesn't matter, intent doesn't matter, and administrative errors aren't a defense.
Are You a Data Broker?
The statutory definition catches more companies than most people realize.
A "data broker" is any business that "knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship."
Two terms in that definition trip up most companies:
"Sell" Means More Than You Think
Under California law, "sell" includes disclosure for non-monetary consideration. If you share personal data with a partner and receive anything of value in return, including data, services, or business benefits, that can qualify as a sale. You don't have to receive cash.
"Direct Relationship" Is the Key
If you're a B2B SaaS company and your customers' employees use your product, you likely have a direct relationship with those users. You're probably not a data broker.
But if you collect data about people who have never interacted with your company and then share or license that data downstream, you might be.
Examples: Probably NOT a Data Broker
- Salesforce collects data about users who create accounts and use its CRM. Those users signed up, agreed to terms, and interact with the platform directly. Direct relationship exists.
- Shopify processes data about merchants who register for its e-commerce platform. The merchants chose to use Shopify. Direct relationship exists.
- A corporate HR software provider collects employee data, but those employees were onboarded by their employer through the platform. The employees know the system exists and interact with it. Direct relationship exists.
Examples: Probably IS a Data Broker
- A lead generation company that scrapes professional profiles from public sources, enriches them with employment history and contact information, and sells the compiled lists to sales teams. The people in those profiles never interacted with the company. No direct relationship.
- An audience data provider that collects browsing behavior through tracking pixels embedded on thousands of websites, builds interest-based profiles, and licenses those profiles to advertisers. The consumers being profiled have no idea the company exists. No direct relationship.
- A location data aggregator that purchases GPS data from mobile apps, analyzes foot traffic patterns, and sells insights to retailers and hedge funds. The people whose movements are tracked never agreed to share data with this specific company. No direct relationship.
- A "people search" website that compiles public records, social media data, and data broker purchases into searchable profiles, then charges for access. The people being profiled didn't provide their information to this company. No direct relationship.
The pattern is clear: if the consumer would say "I've never heard of that company" when asked about you, you probably don't have a direct relationship with them.
Companies That Often Qualify
Based on CalPrivacy's enforcement actions and guidance, these business models frequently trigger data broker status:
- Marketing agencies that license third-party audience data for client campaigns
- Advertising services that build interest-based targeting profiles across websites and apps
- Companies that aggregate data from multiple sources and resell it
- Custom audience providers that build profiles for advertising targeting
- Data enrichment services that append third-party data to customer records
If your business model involves collecting information about people you've never directly served and then monetizing that information, start your analysis from the assumption that you're a data broker.
What If You Have a Direct Relationship But Still Sell Data?
Here's a question that trips up many companies: what if you have a direct relationship with consumers but still sell their data to third parties?
The short answer: you're not a data broker. You don't need to register with DROP or pay the $6,600 annual fee.
But you're not off the hook.
The CCPA's broader "sale" provisions still apply. If you have a direct relationship with consumers and sell their personal information, you must:
- Provide a "Do Not Sell My Personal Information" link on your website, giving consumers the ability to opt out
- Honor opt-out requests and stop selling that consumer's data once they exercise their right
- Disclose at collection that you sell personal information and explain what categories of data are sold
- Recognize Global Privacy Control signals as valid opt-out requests under California regulations
Consider a hypothetical: a CRM platform has a direct relationship with its users who create accounts and interact with the system daily. If that platform sells user data to advertising networks, it doesn't need to register as a data broker. But every user can demand that the platform stop selling their specific data, and the platform must comply.
Why does this distinction matter? If you're a data broker, you pay $6,600 per year to register and must process deletion requests through DROP. If you're not a data broker but still sell data, you skip the registration but must still give consumers a way to say "stop selling my data" and honor those requests when they come in.
What It Means
The January 31 Deadline Is Real
If you operated as a data broker at any point in 2025, you must register by January 31, 2026. The process requires:
- Creating a DROP account
- Completing the registration form
- Paying the $6,600 annual fee (plus a 2.99% processing fee)
Each legal entity must register separately. Parent company registration doesn't cover subsidiaries. If you have multiple entities that independently qualify as data brokers, each one needs its own registration and DROP account.
The August 1 Operational Deadline Is Harder
Registration is the easy part. Starting August 1, you'll need to actually process deletion requests. That means:
- Downloading hashed consumer identifiers from DROP (manually or via API) at least every 45 days
- Matching those identifiers against your systems
- Deleting or opting out matching records
- Reporting the status back to DROP within 45 days: "record deleted," "record opted out of sale," "record exempt," or "record not found"
- Maintaining a suppression list of all deletion requests, even if no initial match exists
This isn't a one-time compliance exercise. It's an ongoing operational requirement that needs to be built into your data management processes. Our regulatory compliance practice helps companies navigate these complex requirements.
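An added example, not part of the original article and not CalPrivacy's or DROP's own code: one pass of the download, match, act, and report cycle listed above, plus the check that makes the suppression list useful for records that arrive later. The hash scheme (SHA-256 of the trimmed, lower-cased email), the `action` and `sale_opt_out` fields, the precedence rule, and all function names are assumptions; only the four status strings come from the article.

```python
import hashlib

# Status strings are the four the article lists; every other name is hypothetical.
STATUS = {"delete": "record deleted", "opt_out": "record opted out of sale",
          "exempt": "record exempt"}
NOT_FOUND = "record not found"
PRECEDENCE = ["exempt", "opt_out", "delete"]  # ASSUMPTION: report the least complete action

def hash_identifier(email):
    """ASSUMPTION: SHA-256 hex of the trimmed, lower-cased email (use the real spec in production)."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()

def process_batch(drop_hashes, records, suppression):
    """Apply one downloaded batch to `records` (list of dicts, mutated); return {hash: status}.
    Every hash is added to `suppression`, matched or not, so later arrivals are caught."""
    index = {}
    for rec in records:
        index.setdefault(hash_identifier(rec["email"]), []).append(rec)
    report = {}
    for h in drop_hashes:
        suppression.add(h)
        matches = index.get(h, [])
        if not matches:
            report[h] = NOT_FOUND
            continue
        actions = set()
        for rec in matches:
            action = rec.get("action", "delete")  # hypothetical field set by legal review
            actions.add(action)
            if action == "delete":
                records.remove(rec)
            elif action == "opt_out":
                rec["sale_opt_out"] = True
        report[h] = STATUS[next(a for a in PRECEDENCE if a in actions)]
    return report

def may_ingest(email, suppression):
    """Gate for newly acquired data: refuse identifiers already on the suppression list."""
    return hash_identifier(email) not in suppression

# Constructed sample data (not real people, not real DROP output).
RECORDS = [
    {"email": "alice@example.com"}, {"email": " Alice@Example.com "},  # same person twice
    {"email": "bob@example.com", "action": "opt_out"},
    {"email": "carol@example.com", "action": "exempt"},
]
BATCH = [hash_identifier(e) for e in
         ("alice@example.com", "bob@example.com", "carol@example.com", "dave@example.com")]

if __name__ == "__main__":
    print(process_batch(BATCH, RECORDS, set()))
```

Normalizing before hashing is what lets the two differently formatted copies of the same address match one request; without it the second copy would survive the deletion pass.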
The 2028 Audit Requirement Is Coming
Starting January 1, 2028, data brokers must undergo independent third-party audits every three years to verify compliance with deletion requirements. If your deletion processes aren't actually working, an auditor will find out.
Practical Takeaways
Run the data broker analysis now. Don't assume you're not covered because you don't think of yourself as a data broker. Map your data flows. Identify where you collect information about consumers you don't directly serve. Trace where that data goes. If it's shared with third parties for any form of consideration, you may be a data broker.
Check your subsidiaries and affiliates. S&P Global's fine resulted from an administrative oversight, likely a gap in tracking which entities needed to register. If you have multiple legal entities, confirm each one has been assessed independently.
Don't wait until January 30. The registration process requires creating a DROP account, and technical issues happen. Give yourself buffer time. If you file late, penalties start accruing at $200 per day.
Budget for August. The registration fee is $6,600 per entity. But the operational compliance costs for August 1 will be higher. You'll need technical resources to integrate with DROP (or manual processes if you don't automate), legal review of exemption claims, and ongoing staff time to manage the 45-day processing cycle.
Consider the downstream implications. If you're an enterprise customer of companies that might be data brokers, you should be asking them about their DROP compliance. When you receive a deletion request under CCPA, you need confidence that your vendors can actually honor it.
Document your analysis. If you conclude you're not a data broker, write it down. Explain why you have a direct relationship with the consumers whose data you handle, or why your data sharing doesn't constitute a "sale." CalPrivacy is scrutinizing companies that "walk and talk like a data broker" but haven't registered.
Other States Are Following
California isn't alone. Three other states already have data broker registration laws on the books, and four more are in development.
Vermont (2018): The first state to require data broker registration. Annual registration with the Secretary of State, $100 fee, and fines of $50 per day up to $10,000 annually for non-compliance.
Texas (2023): Registration required before operating as a data broker. Civil penalties up to $10,000 per year, enforced by the Texas Attorney General.
Oregon (2024): Took effect January 1, 2024. Fines of $500 per day, up to $10,000 annually.
In Development: New Jersey, Delaware, Michigan, and Alaska have passed data broker registration bills that haven't yet become law.
The key difference with California is DROP. While Vermont, Texas, and Oregon require registration and basic compliance, California is the only state with a centralized deletion mechanism that lets consumers submit one request to all brokers simultaneously. Other states may follow California's lead. If you're already building compliance infrastructure for DROP, you'll be better positioned when similar requirements emerge elsewhere. Companies in the enterprise tech sector should be especially attentive to these developments.
What We're Watching
January 31, 2026: Data broker registration deadline
August 1, 2026: DROP deletion processing requirement takes effect
Ongoing: CalPrivacy Data Broker Enforcement Strike Force actions
January 1, 2028: Third-party audit requirement begins
The Delete Act represents a significant expansion of California's privacy enforcement infrastructure. Companies that collect and monetize consumer data need to assess their status now, not after they receive an enforcement notice.