top of page
Search

California’s 2026 Data Broker Registry is live

  • Writer: Katarzyna Celińska
    Katarzyna Celińska
  • 2 days ago
  • 2 min read

California just made one of the most practical moves in U.S. privacy enforcement: the 2026 Data Broker Registry is now live, with searchable entries, broker contact details, and more detailed disclosures about data broker practices.

 



Photo: Freepik


 

For anyone doing business in California, or for any organization that depends on adtech/data brokers, this is not a “nice-to-know” update.

 

The registry is an operational transparency tool

CalPrivacy publishes the information brokers submit during registration, making it easier for individuals (and businesses) to identify who is brokering data and how to contact them.

 

DROP enables deletion at scale (one request to hundreds of brokers)

Through the Delete Request and Opt-Out Platform, California residents can submit one deletion request that goes to all registered data brokers.

 

This is a major shift from the traditional “one broker at a time” burden placed on consumers.

 

Processing timeline

CalPrivacy notes that while DROP is available now, data brokers are required to begin processing requests on August 1, 2026, and the DROP site explains brokers must delete within 90 days starting then.

 

Data broker ecosystems are closely linked to:

➡️ identity theft and fraud (data aggregation, enrichment, profiling),

➡️ account takeover (targeting and credential stuffing enablement),

➡️ and higher blast radius when breaches occur (because brokers often hold broad, cross-context data).

 

Reducing broker-held data can lower downstream exposure when:

➡️ a broker is breached,

➡️ data is resold to malicious actors,

➡️ or your personal details are used for social engineering.

 

If you operate in California or handle consumer data at scale:

➡️ Expect regulators to evaluate whether consumer rights work in practice, not just whether you mention them in a policy.

➡️ If you are (or might be) a data broker, you must understand registration duties and the operational obligations connected to DROP.

➡️ If you rely on third-party data sourcing, this introduces a new layer of TPRM and compliance risk: your marketing/data supply chain may be impacted by deletion requests routed through DROP.


 
 
 

Comments

Stay in touch

office@itgrcadvisory.com

ITGRC ADVISORY LTD. 

590 Kingston Road, London, 

United Kingdom, SW20 8DN

​company  number: 12435469

Privacy policy

  • Facebook
  • Twitter
  • LinkedIn
  • Instagram
bottom of page