Summary: Reklaim Protect Webinar - 2026 Data Broker Enforcement
On December 10, 2025, Reklaim Ltd. hosted a webinar with Liz Travis Allen, Attorney with the California Privacy Protection Agency (CPPA or CalPrivacy), Ben Isaacson, Principal, In-House Privacy, and Neil Sweeney, CEO, Reklaim. They provided a critical breakdown of California’s upcoming changes to the Delete Act, including implementation of the Delete Request and Opt-Out Platform (DROP). Starting in 2026, California is introducing a stringent statutory compliance era that is expected to set a new national standard for privacy-compliance.
The Legal Landscape & How We Got Here
The webinar kicked off with an ominous reminder that California’s privacy framework has always been the blueprint for the rest of the nation - so perhaps we’ll see other states mimic California’s newest obligations on data brokers.
Ben provided a history of data broker self-regulatory schemes, including referencing the ANA/DMA mail/email ‘preference services’, as well as the Digital Advertising Alliance ‘Adchoices’ cookie/addressable ID industry opt out tools.
Liz walked us through the evolution from the 2018 Data Broker Registry to the Delete Act, explaining how this new law closes the "first-party loophole" that previously prevented consumers from deleting data held by third-party brokers.
Liz also noted that while privacy legislation has been relatively self-regulated up to this point, the Delete Act (SB 362) fundamentally changes that dynamic by centralizing enforcement with CalPrivacy.
What Actually Constitutes a "Data Broker"
The group discussed the potential vagueness of definitions, warning that many companies, including service providers and first parties, may unknowingly fall into the "Data Broker" bucket.
Liz clarified that "selling" isn't just a monetary transaction; it includes renting, releasing, or even making inferences available.
Crucially, Ben pointed out that there is no B2B exemption under California law, meaning B2B marketers "walking the fence" of consumer marketing are liable to be data brokers.
They also emphasized that privacy rights requests and cookie consents do not constitute a "direct relationship," shattering a common assumption many businesses hold.
The "Eye-Watering" Fines & Enforcement
The conversation turned serious when the group discussed the enforcement reality.
Referencing Ben's recent article on "Anticipating The Largest U.S. Privacy Fines," Neil highlighted the mathematical terror of the statute: if ~2.5 million consumers sign-up for DROP, fines could quickly hit the billions ($53B potential liability was mentioned).
Liz made it clear that the era of "settling with a fine and remediation" is over. Unregistered brokers face immediate statutory penalties with no appellate process baked into the law. She put it bluntly: "The law is the law." We are entering a new era of US privacy enforcement that mirrors the strictness we've seen in Europe.
The Technical & Operational Reality
The webinar provided more perspective on what CalPrivacy has in store before the 2026 deadline.
Liz outlined the mechanics of DROP: a SHA-256 hash matching system where businesses must check for matches at least once every 45 days and report back one of four specific statuses. She informed viewers that CalPrivacy is already beta testing and preparing for a massive consumer push in the spring.
Neil stressed that this is not a trivial update. The cost of implementation over the next 9 months will be significant, involving complex "fuzzy matching" and mandatory suppression lists that Liz discussed in her summary for what’s required from data brokers.
They also clarified that while service providers can help, the liability stays with the business.
While wrapping up, Ben warned that there is no cure period—mistakes in the suppression list will be subject to immediate enforcement.
