Gavel on a desk symbolizing legal enforcement against data brokers

TL;DR: On November 19, 2025, the California Privacy Protection Agency (CalPrivacy) announced a dedicated Data Broker Enforcement Strike Force. The team will investigate whether data brokers are complying with registration requirements and the California Consumer Privacy Act. Their head of enforcement promises "the same level of intensity" as U.S. Attorney offices. Meanwhile, California's DELETE Request and Opt-Out Platform (DROP) launches January 1, 2026, letting residents delete their data from all registered brokers with one request. The state is finally putting teeth behind its privacy laws.

What's the Strike Force?

CalPrivacy's new Strike Force operates within its Enforcement Division. Its sole focus: hunting data brokers who violate California law.[1]

The targets:

  • Unregistered data brokers. California's DELETE Act requires data brokers to register with the state. Many haven't.
  • Registration violations. Brokers who registered but provided incomplete or false information.
  • CCPA violations. Failing to honor deletion requests, ignoring opt-outs, selling data without consent.
  • Sensitive data abuses. Under new 2025 amendments, brokers must disclose if they collect data about sexual orientation, citizenship status, or share with foreign actors.

Michael Macko, CalPrivacy's head of enforcement, made the stakes clear: the team will bring "the same level of intensity to investigations into the data broker industry" as seen in "U.S. Attorney and state Attorney General offices."[2]

That's prosecutor language. This isn't a slap-on-the-wrist regulatory body anymore.

The DELETE Act: Finally Getting Enforcement

California's DELETE Act (2023) was supposed to change everything. It required data brokers to register, transferred oversight to CalPrivacy, and created authority for the DROP platform.[3]

But laws without enforcement are just suggestions.

The Strike Force changes that equation. In 2024, CalPrivacy conducted an "investigative sweep" of data broker compliance. The results weren't public, but the agency referenced it when announcing the Strike Force, suggesting they found plenty of violations to pursue.[4]

October 2025 brought new teeth: Governor Newsom signed SB 361, expanding disclosure requirements. Data brokers must now report whether they:

  • Collect sensitive categories (sexual orientation, citizenship status, precise geolocation)
  • Share data with foreign actors
  • Provide data to government entities or law enforcement
  • Sell data to AI developers

Failure to disclose accurately? That's now enforceable. And the Strike Force is watching.[5]

DROP Platform: One Click, Every Broker

January 1, 2026: California's Delete Request and Opt-Out Platform goes live.

Here's how it works:

  1. California residents log into DROP (through the CalPrivacy website)
  2. Submit one deletion request
  3. That request goes to every registered data broker (currently 500+)
  4. Brokers must delete your personal information

No more hunting down 100 different opt-out pages. No more filling out forms that "accidentally" don't work. One request. Universal deletion.[6]

Of course, it only works if brokers actually comply. That's where the Strike Force comes in. Ignore a DROP request? Expect enforcement action.

Why This Matters

Data brokers have operated with impunity for decades. They collect your information from apps, public records, purchases, and online behavior. They sell it to anyone who pays: advertisers, insurance companies, employers, law enforcement, stalkers, scammers.

Federal law doesn't meaningfully regulate them. Most states don't either.

California is trying to change that. And it matters because:

  • 40 million Californians now have enforceable deletion rights against data brokers
  • Precedent setting. Other states watch California. Success here drives national change.
  • Corporate behavior change. Companies operating nationally often just apply California standards everywhere. It's easier than managing 50 different compliance regimes.

The FTC has taken action against a handful of data brokers (Gravy Analytics, X-Mode, Mobilewalla). But federal enforcement is limited. California is building its own enforcement apparatus.[7]

The Catch (There's Always a Catch)

California Residents Only

DROP only works for Californians. If you live elsewhere, you're still stuck with individual opt-out requests, unless other states adopt similar platforms.

Only Registered Brokers

Brokers who ignore registration requirements aren't in DROP's system. The Strike Force is supposed to catch them, but unregistered brokers may slip through.

New Data Accumulates

Deletion is a point-in-time action. You delete today; they start collecting again tomorrow. Consider using DROP periodically.

Doesn't Cover All Companies

The DELETE Act defines "data broker" specifically. Companies that collect data directly from you (like Facebook or Google) aren't covered. They're not brokers.

What You Can Do

Californians: Use DROP Starting January 2026

Submit your deletion request as soon as the platform launches. Then do it again every 6-12 months. Ongoing deletion is the only sustainable defense.

Everyone Else: Use Our Opt-Out Guide

We maintain a data broker opt-out guide covering 50+ major brokers. It's tedious, but it works.

Check the California Data Broker Registry

CalPrivacy publishes a list of registered brokers. Search for your name and submit CCPA deletion requests to those most likely to have your data.

Support State Privacy Laws

California leads because residents demanded it. Push for DELETE Act equivalents in your state. Contact legislators. Support privacy advocacy groups.

Key Dates

Date Event
October 2023 DELETE Act signed into law
October 8, 2025 SB 361 expands disclosure requirements
November 19, 2025 Strike Force announced
January 1, 2026 DROP platform launches

The Bigger Picture

The data broker industry is a $278 billion market built on trading your personal information. For years, they've operated in regulatory shadows: collecting everything, selling to anyone, ignoring deletion requests.

California is testing whether a state can actually force this industry to respect privacy rights. The Strike Force is the enforcement mechanism. DROP is the consumer tool. Together, they are the most serious attempt any jurisdiction has made to control data brokers.

Will it work? The next year will tell us. But for the first time, data brokers face real consequences for ignoring the law.

That alone is worth watching.

References

  1. CalPrivacy - Data Broker Enforcement Strike Force Announcement (November 2025)
  2. JD Supra - California Privacy Agency Forms Data Broker Strike Force (November 2025) (link removed 2026-06-30: pattern-fabricated slug; Macko quote is from the CalPrivacy announcement above)
  3. California Legislature - SB 362 (DELETE Act)
  4. Hudson Cook - California Data Broker Enforcement Analysis (2025) (link removed 2026-06-30: page returns 404; CalPrivacy investigative sweep was referenced in the November 19, 2025 announcement)
  5. California Legislature - SB 361 (Data Broker Disclosure Expansion, Chaptered October 8, 2025)
  6. CalPrivacy - About DROP and the Delete Act
  7. FTC - Finalizes Order Prohibiting Gravy Analytics, Venntel from Selling Sensitive Location Data (January 2025)