CLICBrain Weekly Briefing — Issue #4 | Week of April 27–May 1, 2026

Data Broker Compliance Is Moving From Registration to Operational Deletion

Operational Compliance Intelligence for Internet Businesses.
Welcome to the CLICBrain Weekly Briefing — operational compliance intelligence for internet businesses from CLIClaw.com. Each week, we break down significant privacy, AI, advertising, data governance, email marketing, and regulatory enforcement developments affecting online businesses and explain what they mean operationally. Our focus is not simply on what changed, but on what systems, workflows, governance controls, and audit-readiness practices organizations should review in response. Here is what changed this week, why it matters, and what businesses should operationally do next.
Data broker compliance is changing quickly. The focus is no longer limited to registration. Regulators are now looking at deletion workflows, sensitive data controls, consumer request systems, consent verification, and evidence of operational compliance.

 

KEY DATES THIS WEEK.

California’s Delete Request and Opt-Out Platform, known as DROP, is now active for consumers. Beginning August 1, 2026, registered data brokers are required to access DROP at least every 45 days and process deletion requests, subject to statutory exceptions and any future regulatory guidance.
Texas also expanded its data broker law through amendments effective September 1, 2025. The revised law broadened the definition of “data broker,” including entities that collect, process, or transfer personal data not collected directly from the individual, and organizations should review the statutory language to determine whether their activities are in scope.

 

LAW & REGULATION SPOTLIGHT.

California is moving data broker compliance into a more operational phase. DROP creates a centralized deletion system that requires brokers to retrieve, process, report, and document consumer deletion activity on a recurring basis.
That means affected companies need more than a privacy notice or registration filing. They need:
  • DROP access procedures,
  • Request intake workflows,
  • Identity and matching logic,
  • Deletion execution controls,
  • Exception handling,
  • Vendor coordination,
  • Status reporting,
  • Retention/deletion evidence, and
  • Audit-ready logs.
 

LAWSUIT & ENFORCEMENT TRACKER.

The FTC’s May 2026 settlement with Kochava is a major enforcement signal for the data broker and location data industry. The FTC announced that Kochava and subsidiary Collective Data Solutions would be prohibited from selling, sharing, or disclosing sensitive location data without affirmative express consumer consent.
The FTC alleged that the companies sold location data from hundreds of millions of mobile devices that could reveal visits to sensitive locations, including reproductive health clinics, places of worship, addiction recovery centers, homeless shelters, and domestic violence shelters.

 

FTC ACTION OF THE WEEK.

The Kochava matter shows that regulators are scrutinizing sensitive location data, mobile advertising identifiers, commercial surveillance, consent verification, data suppliers, and downstream data sharing.
The operational lesson is direct: if a company collects, licenses, enriches, shares, monetizes, or receives third-party data, it should be able to prove:
  • Where the data came from,
  • What consent or permission supports the data,
  • Whether the data is sensitive,
  • Who receives it,
  • How consumers can opt out or request deletion, and
  • How deletion or suppression is executed.
 

WHAT CHANGED & WHAT TO DO.

Data broker compliance is becoming workflow-based.
Businesses should review:
  • Whether they qualify as a data broker in California, Texas, Oregon, Vermont, or other states,
  • Whether indirect data collection triggers registration or disclosure duties,
  • Whether they process data obtained from third parties,
  • Whether they share data with ad-tech or analytics partners,
  • Whether they maintain deletion workflows,
  • Whether vendor contracts support deletion execution, and
  • Whether they can produce audit-ready evidence.
Texas is especially important because the amended definition may capture broader ad-tech, analytics, enrichment, identity resolution, and third-party data ecosystems than traditional “data broker” models, depending on how particular activities fit within the statutory text.

 

Ask CLICBrain.

Q: “What happens if we miss a DROP deletion request?”
CLICBrain: A missed deletion request is not just a customer service issue. It may indicate that the company lacks an operational deletion system. Regulators may ask whether the business had assigned responsibility, monitored DROP access, documented request retrieval, processed deletion across systems, coordinated with vendors, and retained proof of completion.
The key question is not only whether deletion occurred. It is whether the company can prove the deletion workflow operated correctly.
Have a compliance question? Ask CLICBrain on CLIClaw.com, available 24/7.

 

Related CLIClaw Operational Compliance Solutions.

Subscribers can review related resources inside the CLIClaw Operational Compliance Solutions Library, including:
  • California Data Broker Compliance Toolkit.
  • DROP Workflow SOP.
  • Data Broker Applicability Checklist.
  • Deletion Request Tracking Log.
  • Data Retention & Destruction Compliance Program.
  • Vendor Deletion Coordination Tools.
Data broker compliance is shifting from registration to execution. Businesses that rely on third-party data, tracking data, enrichment data, or location data should review their workflows now.
Explore the Data Broker Operational Compliance Solutions inside the CLIClaw Operational Compliance Solutions Library.
CLICBrain Weekly Briefings provide operational compliance intelligence and commentary for internet businesses. Regulatory developments, enforcement activity, and legal requirements discussed herein should be evaluated in the context of your organization’s specific operations, systems, data practices, and risk profile. This briefing is for informational and educational purposes only and does not constitute legal advice.