California has introduced a centralized system that allows residents to delete their personal data from data brokers through a single state-run website. The platform is called the Delete Request and Opt-out Platform, commonly known as DROP. It became operational on January 1, 2026.
DROP is the enforcement outcome of a law passed earlier to address the difficulty consumers faced when trying to remove their data from the broker ecosystem.
What Is DROP and the Delete Act
In 2023, California Governor Gavin Newsom signed Senate Bill 362, Chapter 709 known as the Delete Act. The law directed the California Privacy Protection Agency to build a single platform where residents could submit one deletion request that applies to all registered data brokers in the state.
Before the Delete Act, consumers were required to contact each data broker separately. This process was time-consuming and unclear, which resulted in very low usage of deletion rights despite legal availability.
DROP implements the Delete Act by turning the right to delete data into a practical, centralized process.
How the DROP Platform Works
Through DROP, a California resident can submit one request to delete their personal information from every registered data broker. More than 500 data brokers currently operate under California’s registration system.
The request applies to personal data that brokers collect, aggregate, or sell without having a direct relationship with the individual. This includes profile-based and inferred data commonly used in secondary data markets.
Once a request is submitted, brokers are legally required to delete the data and confirm completion within 90 days.
Mandatory 45-Day Processing Cycle After August 2026
The Delete Act introduces a stricter operational requirement starting August 1, 2026. From this date onward, data brokers must check the DROP platform for new deletion requests at least once every 45 days.
This creates a rolling compliance obligation. Brokers cannot delay or batch requests indefinitely. Every new request must be identified, processed, and completed within the required cycle.
This provision ensures that deletion remains continuous and automated rather than occasional or manual.
Penalties and Enforcement Structure
Data brokers that fail to comply with DROP requirements face monetary penalties calculated per individual, per day. The fines apply once enforcement begins at scale and can accumulate quickly if brokers ignore or delay requests.
The California Privacy Protection Agency is responsible for oversight. Starting in 2028, registered data brokers will undergo independent audits to verify compliance with deletion, documentation, and internal controls.
In addition, brokers must maintain active DROP accounts and keep records proving that deletion requests were completed.
What Data Is Covered and What Is Not
DROP applies only to data held by registered data brokers. It does not apply to businesses that collect personal information directly from their own customers or users.
First-party data such as customer accounts, purchase records, subscriptions, and newsletter signups remain unaffected. The law focuses on indirect data collection and resale, not direct consumer relationships.
Impact on the Data Broker Market
As consumers begin using DROP, broker-held datasets will steadily shrink. Data accuracy, coverage, and resale value will decline as deletion requests increase.
Companies that rely on purchased data for targeting, enrichment, or profiling will face reduced data availability in California. The impact will grow over time as awareness and usage of the platform increase.
Why DROP Matters Beyond California
DROP represents a shift from symbolic privacy rights to enforceable systems. Instead of placing effort on consumers, the law places operational responsibility on intermediaries.
August 1, 2026 marks the point where this system becomes continuous and unavoidable. The platform changes how personal data circulates in California and sets a model for centralized deletion enforcement.
The result is a structural pressure on broker-based data models and a clear preference for direct, transparent data collection practices.
