If you work with person or company data in a B2B context, 2026 is the year when CCPA compliance stops being something you can defer to legal and forget about. Multiple new obligations took effect on January 1 alongside the DELETE Act's DROP platform, and the data broker compliance deadline hits August 1. The California Privacy Protection Agency (CPPA) has real enforcement muscle now, and it has been using it.
This article breaks down what actually changed, what's coming in the next few months, and what B2B data teams should be doing about it. Not a general CCPA primer. Specifically the 2026 changes that affect teams buying, enriching, and operationalizing person and company data.
The DELETE Act and the DROP Platform
California's Delete Act (SB 362) passed in 2023 and created the CPPA's Delete Request and Opt-Out Platform (DROP). DROP went live on January 1, 2026, allowing California residents to submit a single deletion request that gets routed to every registered data broker in the state. The operational deadline for data brokers is August 1, 2026: that's when they must begin retrieving and processing requests through the portal on a rolling 45-day retrieval cycle, with 90 days to make a determination on each request. This is a continuous obligation, not a one-time cleanup.
For B2B data teams, the implications are concrete:
- Any data provider that meets the definition of a data broker under California law must be registered with the CPPA and connected to the DROP system by August 2026.
- If your provider receives a deletion request through DROP for a record you hold, that record needs to be suppressed in your systems too. The deletion obligation flows downstream.
- The 45-day cycle means your provider's opt-out and deletion infrastructure needs to be automated and reliable. Manual processing won't keep up.
Data brokers that fail to register face penalties of $200 per day. The CPPA maintains a public registry of registered data brokers. If your provider isn't on it and should be, that's a red flag worth investigating.
New Regulations Effective January 1, 2026
The CPPA finalized several rulemaking packages that took effect at the start of the year. Three of them matter most for B2B data operations.
Risk Assessments
Businesses that process personal information in ways that present "significant risk to consumers' privacy" are now required to conduct and submit risk assessments. The threshold is broad enough to capture most B2B data operations at scale: selling personal information, using it for profiling, or processing sensitive categories all trigger the requirement.
The assessments must be documented and attested to. The CPPA can request them during an investigation or audit. This isn't a checkbox exercise. You need to be able to articulate what data you're processing, why, what the risks are, and what mitigations you've put in place. If you're buying enriched person data from a third-party provider and feeding it into lead scoring models or automated outreach sequences, that processing likely falls within scope.
Automated Decision-Making Technology (ADMT) Rules
The new ADMT regulations require businesses to provide pre-use notice before using automated decision-making technology that produces "significant decisions" affecting consumers. Consumers also get the right to opt out of ADMT in certain contexts and to request information about how ADMT was used in decisions about them.
For B2B data teams, the question is whether your use of enriched data in automated systems (lead scoring, predictive models, automated outreach sequencing, candidate screening) qualifies as ADMT under the regulation. The answer depends on the specifics, but the safe assumption is that any system making automated decisions about individuals based on their personal information needs to be evaluated against these rules.
The pre-use notice requirement is the most operationally disruptive piece. If your enrichment pipeline feeds directly into automated decision logic, you may need to build disclosure mechanisms into your workflows.
Cybersecurity Audits
Businesses whose processing of personal information presents "significant risk to consumers' security" must now conduct annual cybersecurity audits. The CPPA is phasing in the detailed audit framework between 2028 and 2030, but the underlying obligation started January 2026. If you're processing personal information at scale (and most B2B data operations are), you should be preparing now rather than waiting for the detailed requirements to land.
The practical takeaway: document your security posture around the personal data you handle. How is it stored? Who has access? How is it transmitted? What happens when a breach occurs? If your data provider can't answer these questions about their own infrastructure, that gap becomes your gap.
Inferences Are Personal Information
This isn't new to 2026, but it's worth restating because many B2B data teams still haven't internalized it. The California Attorney General ruled that inferences drawn from personal information constitute personal information under the CCPA. Even when the underlying data is publicly available.
What this means in practice: if your data provider infers someone's seniority level from their job title, predicts their likely budget authority from company revenue data, or derives a "persona" classification from behavioral signals, those inferences carry the same CCPA obligations as the source data. They're subject to right-to-know requests, deletion requests, and opt-out rights.
Providers that generate inferences from person or company data need to track them as personal information. If they can't tell you what inferences they generate or how those inferences are handled under deletion requests, that's a compliance hole in your data supply chain.
Enforcement Is Real and Growing
The CPPA moved past warning letters in 2025. Enforcement actions resulted in fines exceeding $1.3 million across multiple cases, and the agency publicly signaled that 2026 enforcement would intensify as new regulations took effect. The CPPA now has a dedicated enforcement division, subpoena authority, and the ability to impose administrative fines without going through the courts.
The fines themselves aren't the biggest risk for most B2B data teams. The bigger risk is the operational disruption of an investigation: document requests, mandated changes to data processing practices, and the reputational damage of a public enforcement action. Prevention is significantly cheaper than remediation.
One pattern worth noting: the CPPA has shown particular interest in businesses that collect or buy large volumes of personal information without adequate consumer-facing transparency. If your data operations are invisible to the people whose data you're using, that's exactly the profile that draws enforcement attention.
What B2B Data Buyers Should Ask Their Providers
The compliance burden doesn't fall solely on the company that originally collected the data. If you're buying enriched person or company data from a provider, you inherit exposure for how that data was sourced, whether opt-outs are honored, and whether deletion requests propagate through the supply chain.
Here's what to ask:
- Are you registered as a data broker with the CPPA? If so, are you connected to the DROP platform ahead of the August deadline?
- How do you process CCPA deletion requests today? What's your average turnaround time? Will your process change once DROP request processing begins in August?
- When a deletion request is processed, does it propagate to records you've already delivered to customers? How are customers notified?
- Is the underlying data commercially licensed with documented provenance, or is it scraped from public sources? The legal distinction matters. Licensed data has defined terms of use and update processes. Scraped data carries higher compliance risk, and regulators have imposed major fines for scraping publicly available personal data.
- Do you generate inferences from personal information? If so, how are those inferences handled under right-to-know and deletion requests?
- Can you provide documentation of your security practices sufficient for a risk assessment? SOC 2 certification, data handling policies, incident response procedures?
- What ADMT-related disclosures, if any, should we be making based on how we use your data in automated systems?
These aren't gotcha questions. They're the minimum due diligence for any B2B data buyer operating under CCPA in 2026. A provider that can't answer them clearly either hasn't done the work or doesn't want to tell you the answer. Neither is acceptable.
Building Compliance Into Your Data Operations
Compliance isn't a one-time audit. For B2B data teams, it needs to be built into the operational workflow.
Start with your data inventory. Map every source of personal information flowing into your systems: enrichment APIs, bulk data feeds, form submissions, third-party integrations. For each source, document what data is collected, where it's stored, who has access, how long it's retained, and what the deletion process looks like.
Next, evaluate your provider contracts. Your agreements with data providers should include explicit representations about CCPA compliance, deletion request handling, data sourcing methodology, and breach notification timelines. If your current contracts are silent on these topics, they need to be updated before August.
Then look at your automated systems. Any pipeline that takes personal information as input and produces decisions or classifications as output needs to be evaluated against the ADMT rules. Document what the system does, what data it uses, and what decisions it influences. Build the pre-use notice mechanisms now rather than retrofitting later.
Finally, pressure-test your deletion workflow. Can you actually delete a specific person's data from every system it touches within 45 days? Not just your primary database, but your CRM, your analytics warehouse, your email platform, your enrichment cache? Most teams that haven't tested this end-to-end find gaps they didn't expect.
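One way to run the end-to-end deletion test described above, as an added example that is not part of the original article: it scans constructed exports from the CRM, warehouse, email platform and enrichment cache for records that survive a deletion request, and flags requests past the 45-day window. The system names, record layout, demo key and dates are assumptions made for illustration.

```python
import hashlib
import hmac
from datetime import date, timedelta

DELETION_WINDOW_DAYS = 45             # window the article's pressure test uses
SUPPRESSION_KEY = b"demo-key-only"    # constructed placeholder; keep a real key in a secret store

def fingerprint(email: str) -> str:
    """Keyed hash of the normalized address, so the suppression list holds no raw email."""
    canonical = email.strip().lower()  # casing/whitespace differ between systems
    return hmac.new(SUPPRESSION_KEY, canonical.encode("utf-8"), hashlib.sha256).hexdigest()

def audit_deletions(requests, systems, today):
    """List every deletion request that still has records somewhere.

    requests: {fingerprint: date_received}
    systems:  {system_name: [{"id": ..., "email": ...}, ...]}
    """
    findings = []
    for fp, received in requests.items():
        residuals = {}
        for name, rows in systems.items():
            ids = [r["id"] for r in rows if fingerprint(r["email"]) == fp]
            if ids:
                residuals[name] = ids
        if residuals:
            due = received + timedelta(days=DELETION_WINDOW_DAYS)
            findings.append({"fingerprint": fp, "residuals": residuals,
                             "due": due, "overdue": today > due})
    return findings

# Constructed sample exports: the primary database was cleaned, the rest was not.
SYSTEMS = {
    "crm": [{"id": "crm-17", "email": "dana@example.com"}],
    "warehouse": [{"id": "wh-903", "email": " Dana@Example.com "},
                  {"id": "wh-904", "email": "lee@example.com"}],
    "email_platform": [],
    "enrichment_cache": [{"id": "ec-5", "email": "DANA@EXAMPLE.COM"}],
}
REQUESTS = {
    fingerprint("dana@example.com"): date(2026, 8, 3),   # partially deleted
    fingerprint("sam@example.com"): date(2026, 8, 10),   # fully deleted
}

if __name__ == "__main__":
    for f in audit_deletions(REQUESTS, SYSTEMS, today=date(2026, 9, 20)):
        print(f["fingerprint"][:12], f["due"], f["overdue"], f["residuals"])
```

Matching on the raw email string would have missed the warehouse and enrichment-cache copies, which is the kind of gap the end-to-end test is meant to surface.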
The 2026 Timeline
For teams planning around these changes, here are the dates that matter:
- January 1, 2026: DROP platform went live. Risk assessment requirements, ADMT pre-use notice obligations, and cybersecurity audit obligations took effect.
- August 1, 2026: Data broker compliance deadline. All registered data brokers must begin retrieving and processing deletion requests through DROP on a 45-day retrieval cycle.
- 2028-2030: Detailed cybersecurity audit framework phases in. The underlying obligation exists now, but specific audit procedures are finalized during this window.
The January rules are already in effect. If you haven't started your risk assessments or ADMT review, you're behind. The August deadline for DROP is close enough that you should be confirming your providers' readiness now, not in July.
Where This Is Heading
California has consistently set the pace for US privacy regulation, and the pattern is clear: more obligations, more enforcement, and more operational requirements for companies that process personal information at scale. The provider evaluation criteria that mattered last year still matter, but compliance posture has moved from "nice to have" to table stakes.
For B2B data teams, the path forward is straightforward even if it's not simple. Know where your data comes from. Know what obligations attach to it. Work with providers that can answer hard questions about sourcing, deletion, and compliance infrastructure. And build your internal processes to handle the 45-day deletion cycle that starts in August.
The teams that treat compliance as an engineering problem, not a legal afterthought, will be the ones that operate without disruption when the next round of rules drops.