California's DROP Portal Is Live: Is Your Lead Generation Business a "Data Broker"?
California's Delete Request and Opt-out Platform (DROP) went live on January 1, 2026, giving California residents a single portal to request deletion of their personal data from all registered data brokers with one click. (Well, in theory. It's not that easy, but it's supposed to be, but that's a California problem, not a business problem.) For businesses in the lead generation, marketing technology, and data services industries, this marks a critical compliance milestone that demands immediate attention.
If your company operated as a "data broker" in calendar year 2025, you must register with the California Privacy Protection Agency (CPPA) by January 31, 2026. Failure to register exposes your business to administrative fines of $200 per day, plus investigation costs and potential enforcement actions.
But here's what many businesses miss: not every company that transfers consumer data is a "data broker" under California law. The definition contains important exceptions that may exempt compliant lead generation businesses from registration requirements. Understanding these nuances is essential before determining your company's obligations.
What Is a "Data Broker" Under California Law?
California Civil Code Section 1798.99.80 defines a "data broker" as "a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship."
Three elements must be present for a company to meet this definition:
1. Qualify as a "Business": The company must meet the CCPA's "business" threshold, which includes entities that either (a) annually buy, sell, or share the personal information of 100,000 or more California consumers or households, or (b) derive 50% or more of annual revenues from selling or sharing consumers' personal information.
2. "Sell" Personal Information: The company must "sell" personal information as defined under California law, which encompasses any disclosure for monetary or other valuable consideration.
3. No "Direct Relationship" with Consumers: The business must not have a "direct relationship" with the consumers whose data it collects and sells.
Each of these elements warrants careful analysis, because the exceptions embedded within them may determine whether your company must register.
The "Direct Relationship" Carve-Out Is Narrower Than You Think
Many companies assume that because they collect data directly from consumers (through web forms, for example), they automatically have a "direct relationship" and are therefore not data brokers. This assumption is incorrect under the CPPA's regulations.
The CPPA has clarified that "a business does not have a 'direct relationship' with a consumer simply because it collects personal information directly from the consumer; the consumer must intend to interact with the business."
Under the regulations, a "business is still a data broker and does not have a direct relationship with a consumer as to personal information it sells about that consumer it collected outside of a 'first party' interaction with the consumer." So, solely collecting information on a web form will not be sufficient to say the business has a direct relationship with the consumer.
Key implications:
Purpose Matters: The consumer must intend to engage with your products or services. Mere data collection does not establish a direct relationship.
Indirect Data Sales: Even if you have a direct relationship with a consumer for some data, you may still be a "data broker" for any personal information you sell that you did not collect directly from that consumer. This potentially includes consumer information appended to the initial information provided by the consumer.
The Consent Exception: Why Compliant Lead Gen May Be Exempt
Here's the critical analysis that most commentary overlooks: the definition of "sell" under California privacy law contains an exception that may protect compliant lead generation businesses from data broker classification.
California Civil Code Section 1798.140(ad)(2) states that "a business does not sell personal information when: (A) A consumer uses or directs the business to intentionally: (i) Disclose personal information. (ii) Interact with one or more third parties."
In practical terms: if a consumer provides their information through your form and affirmatively consents to sharing that information with identified third parties, you are not "selling" their data under California law. The consumer has directed the disclosure.
This exception is particularly relevant for lead generation companies that use clear, conspicuous consent language identifying the third parties (or categories of third parties) who will receive the consumer's information. If your consent flow allows consumers to direct the disclosure of their own data, you may not meet the "sells" element of the data broker definition.
However, this exception requires careful implementation:
1. Affirmative Consumer Action: The consumer must take deliberate action to consent. Passive acceptance or pre-checked boxes may be insufficient. As with other analyses of consent language, the whole consumer experience matters: does the consumer understand what they are agreeing to?
2. Clear Identification of Recipients: The consent must identify the third parties or categories of third parties who will receive the data.
Registration Requirements and Deadlines
If your company does meet the data broker definition for calendar year 2025, you must register with the CPPA by January 31, 2026. The registration process now occurs through the DROP system and includes:
Annual Registration Fee: $6,000 (plus a 2.99% processing fee), payable by credit card. This represents a significant increase from the previous $400 fee.
Disclosure Requirements: Data brokers must disclose the types of personal information they collect, whether they collect sensitive data (sexual orientation, union membership, citizenship status, etc.), and whether they share data with foreign actors, law enforcement, or AI system developers.
Deletion Request Processing: Starting August 1, 2026, registered data brokers must access DROP at least every 45 days to download and process consumer deletion requests.
Third-Party Audits: Beginning January 1, 2028, data brokers must undergo independent compliance audits every three years.
Enforcement Is Active and Aggressive
The CPPA has demonstrated a clear enforcement priority around data broker registration. In 2025 alone, the agency announced settlement agreements with companies including Growbots ($35,400), UpLead ($34,400), Accurate Append, Key Marketing Advantage, and ROR Partners for failure to timely register.
These enforcement actions signal that the CPPA is actively investigating the data broker ecosystem. The agency issued Enforcement Advisory No. 2025-01 in December 2025, specifically warning that some data brokers may be evading registration by using trade names or websites not disclosed in their registrations.
Strategic Takeaways for Lead Generation Companies
Conduct a Data Flow Analysis: Map how consumer data moves through your organization. Identify whether you collect data directly from consumers, purchase data from third parties, or both.
Evaluate Your Consent Practices: If you rely on consumer-directed disclosures, ensure your consent language is clear, specific, and documented. The consent exception only protects businesses with robust consent infrastructure.
Assess the "Direct Relationship" Element: Do not assume that collecting data directly from a consumer equals a direct relationship. Analyze whether consumers intend to engage with your business or merely provide information.
Review Third-Party Data Practices: Even if you have direct relationships with consumers, selling data you acquired from third-party sources may trigger data broker status for that data.
Calendar the January 31, 2026 Deadline: If you determine that registration is required, ensure you complete the process before the deadline to avoid per-day penalties.
Next Steps
If your company may be subject to California's data broker registration requirements, the time to act is now. The analysis requires careful review of your data practices, consent infrastructure, and business relationships.
Henson Legal provides compliance counsel to lead generation companies, technology platforms, and marketing services businesses navigating the intersection of TCPA, FCC rules, and state privacy laws. If you need to determine whether your company must register as a data broker, or if you need assistance implementing compliant consent practices, contact us to discuss your specific situation.