Deadline Data Broker 2026: Full Compliance Guide and Key Dates You Can't Miss
Data brokers face a torrent of 2026 compliance deadlines, from California's mandatory DROP registration and deletion processing to ongoing Colorado opt-outs, Virginia health data rules, and intensifying FTC scrutiny. Missing these can trigger fines exceeding €4 billion in GDPR precedents or CCPA settlements up to $1.55 million. This guide delivers a comprehensive breakdown of US state laws (CA, CO, VA), EU GDPR timelines, and federal enforcement risks, complete with actionable checklists, comparison tables, case studies, and best practices to lock in compliance before penalties strike.
Quick Answer: Top Data Broker Deadlines in 2026
For immediate action, here's the TL;DR on critical 2026 dates covering 80% of risks:
- California (CA): Register via DROP Jan 1-31 ($6,600 fee); process deletions starting Aug 1, every 45 days; update privacy policy by Jul 1 post-first year with sensitive data disclosures (e.g., sexual orientation).
- Colorado (CO): Universal opt-out mechanisms mandatory since Jul 1, 2024 (ongoing); list published Jan 1, 2024.
- Virginia (VA): SB 754 amendments effective, prohibiting sale of reproductive/sexual health data without consent (ongoing enforcement).
- EU GDPR: No new broker-specific deadlines, but ongoing compliance with fines totaling €4B+ (up to 4% global turnover).
- FTC: No fixed deadlines, but active enforcement (e.g., X-Mode's 10B location points, Avast trillions of sensitive data points).
- Other States: New privacy laws in KY, IN (Jan 1, 2026); amendments in CT, OR, UT, VA.
Key Takeaways: 2026 Data Broker Deadlines at a Glance
| Jurisdiction | Key Deadline | Requirement | Penalty Risk |
|---|---|---|---|
| CA (DROP) | Jan 1-31, 2026 | Annual registration ($6,600 fee) | $56k+ fines (e.g., marketing agency) |
| CA (Delete Act) | Aug 1, 2026 (every 45 days) | Process deletions via DROP | Enforcement Strike Force actions |
| CO (CPA) | Jul 1, 2024 (ongoing) | Universal opt-out processing | Threshold: 100k consumers |
| VA (SB 754) | Ongoing 2026 | No sale of reproductive health data sans consent | Up to 3x damages or $1k |
| GDPR (EU) | Ongoing | Data processing compliance | €20M or 4% turnover (€4B total fines) |
| FTC | Case-by-case | No misuse of location/sensitive data | Settlements (Avast, X-Mode) |
| CA SB 361 | Jan 2026 registration | Disclose sensitive data (e.g., union membership) | Expanded disclosures |
Reminder: act by Jan 31 for CA to avoid CalPrivacy's 9+ enforcement actions.
What Is a Data Broker? Definition and Who It Applies To
A "data broker" is a business that knowingly collects and sells personal information (PI) of consumers without a direct relationship, per California's CCPA/CPPA definition (Civ. Code § 1798.99.80(c)). This covers ~4,000 global firms in a $200B industry, profiling users via cookies, location data, purchases, and more, often including sensitive details like health inferences or political views.
Scope Expansion: CA's SB 361 mandates disclosures on sensitive data (sexual orientation, citizenship, union membership). Applies if you sold CA consumer PI in 2025 without direct ties. Compare states:
- CA: Broadest (any collection/sale).
- CO/VA: Threshold-based (e.g., CO: 100k consumers).
- TX/NV: Limited to principal revenue from data licensing.
Self-assess: If >50% revenue from data sales sans direct relationships, you're likely in scope.
Data Broker Exemptions and Edge Cases
Limited exemptions under CA Delete Act: e.g., financial institutions (GLBA), consumer reporting agencies. TX/NV use a "principal revenue" test: exempt if data brokerage <50% revenue. Edge case: Service providers reselling data may qualify; check CPPA registry for guidance.
US State Data Broker Deadlines: California Leads with Strictest Rules
California dominates with the Delete Act (SB 362), requiring DROP integration. 2026 Actions:
- Jan 1-31: Register/re-register via DROP account ($6,600 fee, up from prior hikes Nov 2025).
- Aug 1: Access DROP every 45 days to process deletions ("deleted," "opted out," "exempt," "not found"); direct contractors to comply.
- Jul 1 (post-first year): Privacy policy disclosures + DROP link.
- Enforcement: 9 actions by CalPrivacy Strike Force; $56k fine on marketing agency for non-registration.
Stats: Captures brokers selling to ICE/federal agencies (SB 361 focus).
California Delete Act (SB 362) vs CPRA: Key Differences
| Aspect | Delete Act (SB 362) | CPRA/CCPA |
|---|---|---|
| Core Req. | DROP deletions every 45 days | Opt-out notices |
| Fee | $6,600 one-time + annual | None specified |
| Timeline | Aug 1, 2026 start | Ongoing |
| Pros | Centralized mechanism | Broader rights |
| Cons | Integration burden | Notice fatigue |
| Conflicts | Fee hikes override prior regs | Harmonized via CPPA |
Federal and Other US Deadlines: FTC, Colorado, Virginia, and Beyond
- FTC: Targets mass collectors. No deadlines, but cases like X-Mode (10B inaccurate location points), Avast (trillions including breast cancer site visits). Risks: Downstream misuse despite contracts.
- CO CPA: Opt-outs via universal mechanisms since Jul 1, 2024; notices explain processing.
- VA SB 754: Bans reproductive/sexual health data sales sans consent; willful violations up to 3x damages.
- 2026 Amendments: CT, IN, KY, OR, UT, VA (e.g., KY/IN Jan 1 privacy laws).
Mini-case: FTC vs. Avast/X-Mode/InMarket, which exposed sensitive inferences, prompting bans.
EU and Global: GDPR Data Broker Compliance Timelines
No 2026-specific broker deadlines, but ongoing: Fines €4B+ total (up to 4% turnover or €20M). 2025 SME simplifications continue. US brokers: Extraterritorial if targeting EU data subjects.
GDPR vs US Comparison:
| Metric | GDPR | US (CA/CCPA) |
|---|---|---|
| Fines | 4% turnover | $7,500/violation |
| Reporting | DPIAs ongoing | Annual registry |
| Enforcement | CNIL/SHEIN cookies | CalPrivacy strikes |
Penalties, Fines, and Enforcement Risks for Missing Deadlines
- CA: $56k (marketing agency); $1.35M-$1.55M CCPA settlements.
- GDPR: €4B total; Optimove (retention violations).
- DSA/X: Design flaws led to fines <6% turnover.
- Risks: Audits, downstream liability (FTC warns contracts insufficient).
Data Broker Deadline Compliance Checklist: Step-by-Step Best Practices
- Self-Assess: Collected/sold PI sans direct relationship in 2025? Check exemptions.
- CA Register: Create DROP account; pay $6,600 by Jan 31.
- Integrate DROP: Test deletions by Aug 1; automate every 45 days.
- Privacy Policy: Update by Jul 1 with disclosures, DROP link, sensitive data info.
- Audit Retention: Map data flows; opt-out universal mechanisms (CO).
- Train/Monitor: Contractors comply; audit for VA health data.
- Document: DPIAs for GDPR; prep for FTC inquiries.
US States Data Broker Regulations: Comparison Table 2026
| State | Deadline | Key Req. | Threshold | Burden |
|---|---|---|---|---|
| CA | Jan 31/Aug 1 | DROP reg/deletions | Any sale | High (fees/integration) |
| CO | Jul 1 2024 | Opt-out mechanisms | 100k consumers | Medium |
| VA | Ongoing | Health data consent | VCDPA thresholds | Medium (sensitive focus) |
| TX/NV | Varies | Revenue test | Principal revenue | Low |
| KY/IN | Jan 1 2026 | New privacy laws | TBD | Emerging |
Resolve: CA strictest; harmonize opt-outs.
Real-World Case Studies: Violations and Lessons Learned
- CalPrivacy vs. Marketing Agency ($56k, 2025): Failed registration despite CCPA sales; led to Strike Force.
- FTC vs. X-Mode/Avast: 10B locations (70% inaccurate), trillions sensitive (e.g., health sites); highlight accuracy/retention risks.
- GDPR SHEIN/Optimove: Cookies/retention fines; US parallels in disclosures.
Lessons: Register early; audit downstream.
Upcoming 2026 Regulatory Changes and How to Prepare
- CA SB 361: Sensitive disclosures in registrations.
- New States: KY/IN Jan 1; systematization trend.
- 2027 Teaser: ADMT opt-outs Jan 1. Prep: Automate compliance; annual audits.
FAQ
What is the data broker registration deadline in California for 2026?
Jan 1-31 via DROP ($6,600).
When must data brokers start processing deletions via DROP?
Aug 1, 2026, every 45 days.
What are the penalties for missing data broker deadlines?
CA: $56k+; GDPR: 4% turnover; CCPA: $1.55M settlements.
Does the Colorado Privacy Act have specific data broker deadlines in 2026?
Opt-outs ongoing since Jul 1, 2024.
How does GDPR apply to US data brokers?
If processing EU data; fines up to €20M/4%.
Are there exemptions from data broker registration deadlines?
Yes, limited (e.g., financials); TX principal revenue test.
What are examples of FTC enforcement against data brokers?
X-Mode (10B locations), Avast (trillions sensitive points).