PurgeProof

A self-hosted proof-of-deletion engine for data brokers: it pulls the California DROP deletion list every 45 days, reconciles it against your records without ever copying raw PII, suppresses every matched and re-acquired identity, and emits a tamper-evident ledger you can hand an auditor — before the $200-per-request-per-day fines start.

Problem

As of January 1, 2026 any California consumer can press one button in CalPrivacy's DROP platform and order every registered data broker to delete them. Starting August 1, 2026 brokers must pull that deletion list and process it every 45 days — forever — and report each request's status back to DROP inside the window. Miss one and SB 361 sets the fine at $200 per request, per day, until it's resolved, on top of a continuous obligation never to re-acquire that person. Most brokers run sprawling, denormalized ingestion pipelines with no single chokepoint where "this identity is permanently suppressed" can be enforced or proven, and no audit-grade record to survive the independent third-party audit that begins in 2028.

Target user

Compliance and data-engineering leads at registered data brokers and people-search companies (the ~500+ entities on the public CalPrivacy registry, plus the much larger set newly swept in by SB 361's broadened definition). JTBD: "Prove, every 45 days and on demand for six years, that every DROP-deleted consumer is gone from all of my systems and stays gone — without standing up a new PII honeypot to do it, and without betting the company on a spreadsheet." Today's options are a manual SQL-and-screenshots scramble or a generic privacy-rights tool that wasn't built for continuous re-suppression and tamper-evident proof.

MVP scope

• DROP cycle connector: authenticates to the broker's DROP account, retrieves the deletion list on a 45-day cadence, and writes back per-request status (deleted / suppressed / error) inside the reporting window.
• Privacy-preserving reconciliation: matches DROP identifiers against the broker's records using salted-hash / Bloom-filter set intersection that runs inside the broker's own environment, so PurgeProof never ingests or stores a new copy of raw consumer PII.
• Append-only suppression ledger: a hash-chained, tamper-evident log of every deletion and every later re-acquisition auto-suppressed, signed so a row can't be backdated or removed without detection.
• Re-acquisition guard: a lightweight check that ingestion pipelines call before persisting a record, returning "suppressed — do not store" for anyone on the ledger, closing the "we deleted them but re-bought the file" gap.
• Audit package export: one command produces the evidence bundle (per-request timeline, ledger Merkle root, coverage attestation) formatted for the CalPrivacy reporting fields and the 2028 independent third-party audit, with six-year retention built in.
• Coverage dashboard: requests processed this cycle, requests at risk of blowing the 45-day window, and a running estimate of accrued penalty exposure if the backlog isn't cleared.

Monetization

B2B SaaS, priced against penalty exposure, not seats. Starter ~$499/mo for brokers under ~25k suppressed identities (DROP connector, ledger, monthly audit export). Growth ~$1,500/mo adds the re-acquisition guard API, multi-source reconciliation, and SLA-backed cycle processing. Enterprise custom for high-volume people-search brokers with on-prem deployment, SSO, and a dedicated audit-evidence add-on sized for the 2028 independent audit. The math sells itself: a single ignored deletion request can accrue $200/day, so one prevented backlog pays for years of subscription.

Why now

DROP went live January 1, 2026, and the August 1, 2026 processing deadline is roughly two months out — every registered broker needs a working 45-day pipeline before then or starts bleeding $200/request/day. SB 361 doubled the daily fine from $100 to $200 and extended it from registration lapses to actual deletion-processing failures, turning a paperwork problem into a metered liability. The independent third-party audit requirement that begins January 1, 2028 (with six-year record retention) means brokers need tamper-evident proof, not just a script that ran. And the federal SECURE Data Act, released by the House Energy & Commerce Committee and covered May 12, 2026, signals this model is heading nationwide — California is the wedge, not the ceiling.

Risks & open questions

• Demand-side: the registered-broker population is small (hundreds, not millions) and well-resourced enough to build in-house — the wedge is speed-to-August-1 and audit-grade proof, so the sale has to close in weeks, not quarters.
• Build-side: the product lives or dies on the real DROP technical spec and API behavior, which is government-run and still maturing; a breaking change to the platform mid-cycle is an existential dependency risk for a solo build.
• The privacy paradox: a tool that proves deletion must not become a new database of "people who asked to be deleted" — the salted-hash, self-hosted design is non-negotiable and materially harder to build than a naive central index.
• Liability framing: selling "compliance" invites blame when a customer is still fined for an upstream pipeline gap PurgeProof can't see; positioning must be "audit-grade evidence," never "guarantee of compliance," with the legal language to match.
• Regulatory timing risk: if CalPrivacy softens or delays August 1 enforcement, the urgency that drives the sale evaporates until the next deadline.

Next step

Validate by pulling the public CalPrivacy data-broker registry and interviewing 5 registered brokers about their August 1 DROP-integration readiness and whether proof-of-deletion plus 2028-audit tooling is a buy-or-build decision.

Sources

• https://cppa.ca.gov/data_brokers/ — official CalPrivacy data-broker / DROP page: brokers must access DROP and process deletion requests every 45 days and report each request's status within the window.
• https://iapp.org/news/a/calprivacy-unpacks-drop-updates-on-consumer-participation-upcoming-enforcement — IAPP on DROP consumer participation and the upcoming August 1, 2026 enforcement of processing obligations.
• https://technologylaw.fkks.com/post/102lp8c/new-law-and-regulations-expand-californias-data-broker-oversight — SB 361 doubling the daily fine from $100 to $200 per request and extending penalties to deletion-processing failures.
• https://www.freshfields.com/en/our-thinking/blogs/a-fresh-take/the-delete-act-calprivacy-seeks-input-on-data-broker-audit-requirements-102mqe8 — the Delete Act's independent third-party audit requirement (from 2028) and multi-year record-retention obligations.
• https://www.consumerfinancemonitor.com/2026/05/12/u-s-house-committee-releases-secure-data-act-to-establish-new-federal-privacy-framework/ — federal SECURE Data Act released by the House Energy & Commerce Committee (May 12, 2026), signaling national expansion of the broker-deletion model.