LexLogo

DROP Is Launching

A person analyzing graphs on a laptop screen, showcasing insights.
California's DROP platform affects your data vendors and marketing operations. ESPs: you might be a data broker without knowing it. Here's what to do.

You Think DROP Doesn’t Apply to Your Business? Think Again.

On January 1, 2026, California activated DROP – a platform allowing consumers to delete their data from 500+ data brokers with one click. You’re probably thinking “we’re not a data broker, so this doesn’t affect us.”

Maybe. But consider these scenarios:

Your marketing agency buys lead lists, enriches them with demographic data, and resells them to clients. You’re trading in consumer data without direct relationships. That’s the textbook definition of a data broker.

Your SaaS company purchases intent data to score leads. You’re not a data broker. But your data vendor probably is, and DROP is about to affect your lead quality, pricing, and data availability.

This article is for businesses who think DROP is someone else’s problem. It’s not. Either you’re accidentally a data broker and don’t know it, or your entire marketing operation depends on vendors who are about to face massive compliance obligations.

Let’s figure out which category you’re in, and what you need to do about it.

Part 1: Are You Accidentally a Data Broker?

The Legal Definition (It’s Broader Than You Think)

California defines a data broker as any business that “knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.”

Three critical elements:

  1. Collects: Buying, scraping, receiving from partners – any acquisition method counts
  2. Sells to third parties: Includes licensing, sharing for consideration, or making available – not just direct sales
  3. No direct relationship: You didn’t collect the data directly from the consumer whose data you’re handling

Critical Detail for ESPs: There’s no revenue threshold, no small business exemption, and no limitation to California-based companies. If you handle California residents’ data and meet the definition, you’re subject to DROP requirements regardless of where your Houston office is located.

Self-Assessment for Email Service Providers

ESPs occupy a unique gray area. Ask yourself these questions:

Question 1: Do you offer “data enrichment” or “append services”?

  • Taking client email lists and adding demographic information
  • Appending firmographic data to B2B contact lists
  • Adding social media profiles or phone numbers to email addresses

If you’re sourcing that enrichment data from third parties and reselling it to clients, you may be a data broker.

Question 2: Do you monetize “engagement data” or “deliverability data”?

  • Selling lists of “engaged subscribers” identified across multiple clients
  • Offering “suppression lists” of complainers or inactive users
  • Providing “validated email lists” based on deliverability performance

If you’re creating data products from consumers who didn’t sign up with your business directly, you may be a data broker.

The “Direct Relationship” Test

The key question: Did the consumer whose data you’re monetizing have a direct relationship with YOUR business, or with your CLIENT’s business?

If a consumer subscribed to your client’s newsletter, they have a relationship with your client, not with you. When you monetize that consumer’s data (even in aggregated form), you’re operating as a data broker.

Self-Assessment for Marketing Agencies

Marketing agencies face similar gray areas:

You’re probably a data broker if you:

  • Purchase lead lists and resell them to clients (with or without enrichment)
  • Aggregate data from multiple clients and create “lookalike audiences” sold to other clients
  • Buy intent data, append contact information, and license the combined data
  • Scrape public sources (LinkedIn, company directories) and sell the resulting databases

You’re probably NOT a data broker if you:

  • Create marketing campaigns using client-provided first-party data
  • Buy data on behalf of clients but don’t take ownership or resell it
  • Analyze your client’s own customer data and provide strategic recommendations
  • Use your client’s CRM data to execute campaigns under their direction

The distinction turns on whether you’re monetizing data that originated from someone else’s consumer relationships.

Part 2: What DROP Means for Your Data Supply Chain

Even if you’re not a data broker, DROP affects you if your marketing operations depend on businesses that are.

The Vendor Compliance Question

If you purchase:

  • Lead lists for outbound sales
  • Intent data for lead scoring
  • Demographic enrichment for segmentation
  • Deliverability validation services
  • Industry benchmark data
  • Competitive intelligence reports

…your vendor is likely a data broker subject to DROP requirements starting August 1, 2026.

Here’s what that means for your business:

1. Data Quality Degradation As California consumers submit DROP deletion requests, your vendor’s database shrinks. If 5-10% of California records disappear from your purchased lists, you’re paying the same price for less coverage.

2. Price Increases Data vendors facing deletion compliance costs will pass those costs to customers. Expect higher prices for the same data products, or new “compliance fees” added to invoicing.

3. Delivery Delays
Vendors must process deletion requests every 45 days. During processing windows, data delivery may be delayed or list availability may be restricted.

4. California Exclusions Some vendors may simply stop selling California consumer data rather than deal with DROP compliance. Your “national” data purchases may suddenly exclude 12% of the U.S. market.

Questions to Ask Your Data Vendors NOW

Don’t wait until July to have this conversation. Ask your data providers:

Compliance Status:

  • “Have you registered with the California Privacy Protection Agency as a data broker?”
  • “When is your DROP account setup complete?”
  • “Have you tested your deletion systems ahead of the August 1 deadline?”

Business Continuity:

  • “What percentage of your database is California residents?”
  • “What’s your projected deletion rate based on initial DROP submissions?”
  • “How will deletion volumes affect data availability and delivery timelines?”

Contract Protection:

  • “What happens if you fail to process DROP requests and face CPPA penalties?”
  • “Do you provide indemnification if you deliver data containing DROP-deleted consumers?”
  • “What’s your suppression list management process to prevent re-selling deleted data?”

Pricing Impact:

  • “Are you planning price increases to cover DROP compliance costs?”
  • “Will you adjust pricing based on actual database size after deletions?”
  • “What’s your policy on refunds or credits when California data is excluded?”

The Red Flags That Should Trigger Legal Review

Schedule a call with counsel immediately if your vendor:

  • Hasn’t registered with the CPPA as a data broker (you can verify at privacy.ca.gov/data-brokers)
  • Claims DROP “doesn’t really apply” to their business model
  • Can’t articulate their suppression list strategy
  • Refuses to discuss deletion impacts on data quality or pricing
  • Hasn’t updated contracts to address DROP compliance obligations

Part 3: Contract Protection You Need In Place By August 1

Whether or not you’re a data broker yourself, your data vendor contracts need to be updated before DROP processing begins.

Critical Contract Provisions

1. Compliance Warranty “Vendor warrants it is in full compliance with the California DELETE Act, including timely registration with the CPPA, implementation of DROP request processing systems, and maintenance of suppression lists.”

2. Deletion Flow-Through “Upon notice from Customer that Customer has received a deletion request (including via DROP) concerning data provided by Vendor, Vendor shall delete such data from all systems within 30 days and confirm deletion in writing.”

3. Suppression List Guarantee
“Vendor warrants that all data provided to Customer has been cross-referenced against Vendor’s DROP deletion suppression list and does not include any consumers who have submitted DROP deletion requests.”

4. Indemnification “Vendor shall indemnify Customer for all penalties, costs, and damages arising from Vendor’s failure to comply with DROP requirements, including penalties assessed against Customer for processing data subject to DROP deletion requests.”

5. Price Adjustment “If California resident data represents [X]% or more of delivered records, pricing shall be adjusted proportionally to reflect deletion-driven database reductions exceeding [Y]% annually.”

6. Audit Rights “Customer may audit Vendor’s DROP compliance procedures annually, including review of deletion processing logs, suppression list accuracy, and CPPA registration status.”

Part 4: Business Implications

Beyond legal compliance, DROP affects your marketing operations and business strategy.

For Marketing Teams Dependent on Purchased Data

Scenario Planning Exercise: Run projections assuming 5%, 10%, and 15% annual deletion rates for California data. Model the impact on:

  • Lead generation volume
  • Cost per lead (if vendor pricing increases)
  • Geographic coverage gaps
  • Campaign targeting accuracy

Diversification Strategy: Reduce dependency on purchased third-party data by:

  • Investing in first-party data collection (you own the consumer relationship)
  • Building direct consumer relationships through opt-in programs
  • Developing proprietary data assets that aren’t subject to DROP
  • Testing vendors from multiple suppliers to reduce concentration risk

For ESPs Navigating the Gray Area

If your business model includes data monetization, that might trigger data broker classification:

Option 1: Restructure to Avoid Data Broker Status

  • Sell insights and analysis rather than raw data or aggregated datasets
  • Ensure all monetized data comes from consumers with direct relationships to your business
  • Limit “benchmark reports” to your own customer data only
  • Position append services as referrals to third-party providers rather than direct sales

Option 2: Embrace Data Broker Status and Compete on Compliance

  • Register with the CPPA and build robust DROP infrastructure
  • Market your DROP compliance as a competitive advantage
  • Charge premium pricing for “deletion-compliant” data products
  • Position yourself as the privacy-forward ESP in the market

Both strategies are viable. The wrong strategy is to ignore the question and hope the CPPA doesn’t notice.

Frequently Asked Questions

Q: Our data vendor is based in Texas. Does California law really apply to them? A: Maybe. The DELETE Act applies based on the consumer’s residence, not the vendor’s location. If your Texas-based vendor handles California residents’ data and meets the data broker definition, they’re subject to DROP requirements regardless of where their headquarters are located.

Q: We only buy aggregated, anonymized data. Does DROP still affect us? A: It depends. If your vendor created that aggregated data from personally identifiable information (even if they anonymized it before selling to you), DROP applies to the source data. Your vendor must process deletion requests for the underlying PII, which may affect the statistical validity of the aggregated datasets you receive.

Q: What if our vendor fails DROP compliance and we unknowingly use deleted consumer data? A: This is exactly why you need indemnification provisions in your contracts. The CPPA may pursue penalties against your vendor, but you face business disruption and potential customer complaints. Strong vendor contracts shift that risk back to the non-compliant vendor.

Q: Can we just exclude California from our marketing operations? A: You can, but California represents 12% of the U.S. market and outsize share of certain industries (tech, entertainment, finance). Plus, other states are studying similar deletion mechanisms – this problem will spread beyond California. Better to build scalable deletion infrastructure now than repeatedly retrofit systems state by state.

Q: We’re a small business – surely this doesn’t apply to us? A: The DELETE Act has no small business exemption. If you meet the data broker definition, you’re subject to compliance requirements regardless of revenue, employee count, or business size. The $6,600 annual registration fee and deletion infrastructure costs may disproportionately impact smaller businesses, but the law doesn’t exempt you.

Legal Disclaimer: This article provides general information about the California DELETE Act, DROP platform, and data broker compliance requirements. It does not constitute legal advice and should not be relied upon as such. Whether a business meets California’s definition of “data broker” is a fact-specific determination that requires individual legal analysis. Privacy and data protection laws are complex and rapidly evolving. The information presented is current as of January 8, 2026, but regulatory requirements may change. No attorney-client relationship is created by reading this article. For specific guidance on how the DELETE Act applies to your business operations and vendor relationships, consult with a qualified attorney who can evaluate your particular circumstances.

Share the Post:

Related Posts