If you have been following privacy law this summer, July was about what you can sell. August is about what has to come out.
Connecticut and New Jersey already tightened the rules around sensitive data. Now California is turning on the deletion engine.
On August 1st, 2026, registered data brokers must start using DROP, the Delete Request and Opt-Out Platform, on a fixed schedule. That does not mean every brokered record disappears overnight. It means deletion stops being optional and starts becoming routine.
If your media plan still depends on brokered SPI or third-party segments, this is the deadline worth paying attention to.
What DROP actually does
DROP gives California residents one place to ask registered data brokers to delete their personal information.
Consumers have been able to submit requests since January 1st, 2026. August 1st is when brokers have to start acting on them.
From that date, covered data brokers are expected to:
- Access DROP at least once every 45 days
- Download deletion lists and match them against their own records
- Finalize determinations within 90 days of retrieval
- Delete matched personal information, including associated data and derived inferences, unless a statutory exception applies
- Keep suppression in place so deleted consumers are not quietly re-collected and resold
- Report the status of each request back through the platform
This is not a one-time cleanup. It is an ongoing obligation.
What August 1st is, and what it is not
What it is: the start of mandatory DROP processing. If brokers fail to act on deletion requests after August 1st, penalties can run $200 per day, per request, with no cure period.
What it is not: a guaranteed overnight collapse of every brokered audience file. How quickly any given segment thins depends on how many DROP requests match a broker’s records, how exemptions are applied, and how fast that broker works through the 45-day retrieval cycle and 90-day determination window.
The practical takeaway for brands is still clear: brokered supply becomes less dependable over time. The legal takeaway is more precise. August 1st starts the clock. It does not trigger an instant purge.
Connecticut and New Jersey are already in effect
One thing worth keeping straight: the Connecticut and New Jersey changes below are already live. They are not part of the August 1st DROP deadline.
Connecticut, effective July 1st, 2026
The amended CTDPA now requires opt-in consent before sensitive data can be sold. That includes categories such as driver’s license numbers, passport numbers, financial account details, and Social Security numbers. A privacy notice and an opt-out are not enough for those sales.
Connecticut also has separate data-broker registration and deletion requirements on a later timeline, landing in 2027 to 2028. That is different from the July 1st opt-in-for-sale rule and is not what this piece is covering.
New Jersey, effective June 30th, 2026
A.5328 bans the sale of sensitive personal data, and the prohibition is broader than brokers alone. It can reach virtually any entity selling sensitive data, regardless of consumer consent. Covered brokers and collectors also face a major registration and fee regime, though the public registry is delayed into 2027. The sensitive-data sale ban itself is already in force.
Same direction as California. Different mechanism. Different date.
Why brands should care, even if they are not brokers
Because your audience supply chain might be.
Health, finance, multicultural, lifestyle, and purchase-intent segments often still move through brokers or broker-adjacent files somewhere in the stack. When matched records are deleted, those audiences do not stay frozen in place as if nothing happened.
Three things to watch:
1. Reach becomes less reliable.
As DROP determinations finalize across repeated 45-day cycles, brokered universes can shrink. Not all at once. Not evenly. But in one direction.
2. Vendor risk goes up.
If a supplier cannot show DROP readiness, or cannot explain how they comply with Connecticut’s July 1st opt-in rules and New Jersey’s sensitive-data sale ban, your brand carries the downside when segments degrade mid-flight.
3. “We will deal with it later” stops working.
The Delete Act is built for continuous compliance. After August 1st, failure to act on deletion requests can trigger per-request, per-day penalties immediately. Registration penalties are separate. Do not mix them up. The processing clock is what reshapes inventory.
Questions to ask your vendors this week
Before August 1st, every data vendor, reseller, and enrichment partner in your stack should be able to answer these in writing:
- Are you a registered California data broker?
- Do you have a DROP account and a process to retrieve deletion lists every 45 days?
- How do you match DROP identifiers against the audiences you sell us?
- What is your timeline from retrieval to final determination within the 90-day window?
- What happens to in-market segments when matched records, including inferences, are deleted?
- Can you show continuity of consent for any sensitive attributes still in those files, including under Connecticut’s July 1st opt-in rules and New Jersey’s sensitive-data sale ban?
If the answers are vague, delayed, or “legal is reviewing,” treat that as a warning.
The timeline, in plain terms
- June 30th, 2026 (already live): New Jersey bans sensitive-data sales broadly, not just for traditional brokers
- July 1st, 2026 (already live): Connecticut requires opt-in before sensitive data can be sold
- August 1st, 2026 (upcoming): California DROP starts a recurring deletion cycle brokers cannot ignore
July made sensitive-data sales harder. August makes brokered inventory harder to hold onto.
The old playbook of collect, infer, sell, and refresh is getting squeezed from both sides.
Where Reklaim fits
Reklaim was built for this kind of environment.
Consumers declare their data directly. They opt in to share specific attributes for marketing. They get compensated. They can revoke access. Brands activate consented audiences across programmatic, social, CTV, and direct deals without depending on a broker file that may disappear after the next DROP cycle.
That is not a compliance retrofit. It is a different supply model.
Bottom line
August 1st is not just another privacy headline.
It is the start of continuous deletion pressure on brokered data: 45-day retrieval, 90-day determination, $200 per day for failure to act, and no cure period.
Connecticut and New Jersey already changed the rules of sale. California is about to change how durable the inventory itself is.
Brands still renting third-party SPI are planning against supply that can erode over time. Brands moving to declared, consented, first-party consumer insights are building audiences that do not depend on a broker’s next DROP batch.
The deletion era does not wait for your next media brief.
Want to activate privacy-compliant, opt-in audiences before DROP reshapes your Q3 and Q4 reach?
