CalPrivacy warns ad tech firms: you are likely data brokers
The executive director of the California Privacy Protection Agency (CPPA), Tom Kemp, stated that many ad tech firms qualify as data brokers under California law, contrary to their assumptions. This interpretation significantly expands the scope of privacy compliance for streaming professionals, particularly with the new DELETE Act and its DROP consumer portal. Over 300,000 Californians have already used DROP to send bulk data deletion requests.
Key Takeaways
- Over 300,000 Californians have registered for the DROP portal to send bulk data deletion requests since its launch.
- Companies collecting or selling personal information without a direct relationship with the consumer qualify as data brokers under California law.
- Affected entities include identity vendors, onboarders, and audience extension platforms, regardless of internal labeling.
- Registered data brokers must begin processing deletion requests from the DROP portal starting August 1, 2026.
Why It Matters
Ad tech companies can no longer rely on narrow internal definitions to avoid data broker compliance. As the CPPA (rebranded as CalPrivacy) aggressively expands the 'data broker' label, intermediaries must integrate with the DROP portal or risk significant operational friction and regulatory scrutiny. This shift forces a move from fragmented opt-out links to a centralized, high-volume deletion environment. Ecosystem-wide, this likely signals a forced transition away from third-party data reliance toward direct consumer relationships. Watch for the August 2026 enforcement deadline, when failure to process bulk requests every 45 days will become a major litigation target.
Additional Context
The California Attorney General has already begun signaling a new era of aggressive enforcement. Per Potomac Law and JD Supra, February 2026 saw a $2.75 million settlement with Disney involving its streaming ecosystem. The core allegation was that consumer opt-out signals, including Global Privacy Control (GPC), failed to propagate across all devices and services within the Disney DTC account. This underscores a growing regulatory demand for 'account-wide' consistency rather than siloed, device-specific privacy toggles. Simultaneously, CalPrivacy is targeting specific ad tech practices that bypass standard registration. In January 2026, the agency issued fines against multiple firms, including a $45,000 penalty for Datamasters, for selling 'custom audiences' based on sensitive health and racial data without registering as a broker, per official state releases. These actions indicate that regulators are looking past technical obfuscation, such as packaging data into value-added segments, to focus on the underlying exchange of personal information. Beyond California, the one-stop-shop deletion model is gaining traction. Per Wiley and IAPP reporting from May 2026, Connecticut has enacted a similar data broker law effective January 2027, while Vermont and Oregon maintain registries that require annual disclosures of consumer opt-out rights. As of June 2026, more than 580 data brokers have registered in California to avoid fines that can reach $200 per consumer per day of noncompliance. This regulatory pressure is coincides with new 2026 CCPA rules mandating that businesses explicitly display 'Opt-Out Request Honored' messages in real-time on their websites.
Read full article at adexchanger.com