SB 362 Fines for Small Businesses: How Much Could Non-Compliance Cost You?
How the Fine Structure Works
Under SB 362, the California Privacy Protection Agency can impose fines of $200 per consumer deletion request for each day that the request goes unprocessed past the 45-day deadline. This per-request, per-day structure means fines escalate rapidly. A single missed request costs $200 on day one, $400 by day two, and $6,000 after a month. Multiply that across dozens or hundreds of requests and the numbers become staggering. The CPPA has discretion in enforcement, but the statutory framework provides for these maximum penalties.
Real-World Fine Scenarios by Business Size
For a small lead generation agency receiving approximately 20 deletion requests per cycle, missing a single 45-day window could result in fines of $4,000 per day or $120,000 per month. A mid-sized data enrichment company receiving 100 requests faces $20,000 per day or $600,000 per month. A larger data broker with 500 or more requests could face $100,000 per day in fines. These scenarios assume the CPPA applies the maximum statutory penalty, which is more likely in cases of willful non-compliance or repeated violations.
Comparing Compliance Costs to Fine Exposure
The cost of compliance is a fraction of potential fines. The annual registration fee is approximately $6,600. Implementing proper procedures, data maps, and tracking systems can be done for a few hundred to a few thousand dollars, depending on your approach. Even hiring a privacy consultant for initial setup typically costs $5,000 to $15,000 as a one-time expense. Compare that to the tens or hundreds of thousands in daily fines and the math is clear: compliance is the only rational business decision.
How to Minimize Your Risk
The most effective way to minimize fine exposure is to implement a complete compliance program before the August 1, 2026 enforcement date. This means registering with the CPPA, connecting to the DROP portal, establishing your 45-day cycle procedures, creating a data map, training your team, and setting up tracking and reporting systems. If you are already past the enforcement date and have not complied, the priority is to register immediately and begin processing any backlog of requests as quickly as possible. Voluntary compliance, even if late, is viewed more favorably than willful avoidance.