Key Takeaways:
- California’s Delete Request and Opt-Out Platform (DROP) is now finalized and will launch January 1, 2026, enabling consumers to submit a single, authenticated deletion request to all registered data brokers.
- Data brokers face significant new operational obligations starting August 1, 2026, including mandatory DROP integration, retrieval of requests at least every 45 days, 90-day determination deadlines, and suppression list requirements. Noncompliance can result in penalties of $200 per request, per day.
- DROP operationalizes the Delete Act and expands consumer privacy rights, requiring data brokers to overhaul how they identify, match, store, and delete personal information, including in situations where they may not traditionally view themselves as data brokers.
At the November 7, 2025 Board meeting for the California Privacy Protection Agency, which recently adopted the public-facing shorthand “CalPrivacy,” Board Member Jennifer Urban described the state’s new Delete Request and Opt Out Platform (“DROP”) as “pretty darn slick.” The Board Meeting included a detailed presentation from CalPrivacy attorneys Phillip Laird and Liz Allen on how the platform will function when deletion requests begin flowing through it in 2026.
On November 13, 2025, CalPrivacy announced that the California Office of Administrative Law approved the final DROP regulations. The regulations take effect January 1, 2026, and establish the technical requirements for how consumers submit deletion requests through DROP and how data brokers must retrieve and process them. This approval confirms the implementation schedule and provides the final operational framework that data brokers must integrate ahead of DROP’s launch.
This article builds on our earlier analysis of California’s expanding data broker regulatory environment and explains how DROP operationalizes the Delete Act. The system will meaningfully broaden how consumers can exercise control over their personal information and will require data brokers to adjust how they identify, store, match and delete personal information across their systems.
Overview of the Delete Act and CalPrivacy’s Authority
The Delete Act (SB 362), signed into law in October 2023, strengthened California’s data broker regime by requiring annual registration, enhanced disclosures and beginning in 2026, mandatory participation in a centralized deletion-request platform administered by CalPrivacy.
Under the Delete Act, a data broker is a “business that knowingly collects and sells the personal information of a consumer with whom the business does not have a direct relationship”. The Act incorporates core definitions from the California Consumer Privacy Act, including “consumer” as a California resident and “sale” as any exchange of personal information for monetary or other valuable consideration.
Although the Delete Act was enacted in 2023, CalPrivacy conducted extensive rulemaking through 2024 and 2025 to clarify technical requirements, matching obligations and how data brokers must retrieve and process deletion requests through DROP.
What DROP Will Do Starting January 1, 2026
Beginning January 1, 2026, consumers will be able to authenticate once and submit a single deletion request to every registered data broker through DROP. CalPrivacy designed the platform to minimize the personal information the platform collects and to store all submitted information in an unreadable format used solely for deletion matching.
CalPrivacy Executive Director Tom Kemp emphasized CalPrivacy’s commitment to the project, stating that CalPrivacy is focused on making privacy rights easier to operationalize and that DROP will allow consumers to exercise their rights at scale.
How Consumers Submit a Request Through DROP
1. Identity Verification
Consumers authenticate their identity using either:
- California’s identity verification gateway, or
- Login.gov, the federal identity service managed by the General Services Administration.
CalPrivacy does not receive underlying verification data. Identity providers confirm the consumer’s identity and return a limited confirmation token to DROP.
2. Providing Minimal Personal Information
After verification, consumers may provide limited identifiers to support matching, including:
- Legal name, including up to ten variations such as maiden names or nicknames
- ZIP code
- A verified email address or phone number
- Optional identifiers such as mobile advertising IDs or vehicle identification numbers
DROP also includes educational prompts to help consumers understand where certain identifiers may be found and how data brokers may use them. A match on any single identifier can require deletion of all associated personal information unless a statutory exception applies.
3. Tracking Requests and Updating Information
Consumers receive a DROP ID that allows them to:
- Check request status
- Update personal information
- Add identifiers that may improve matching
- Reverify if needed
The DROP interface shows data broker responses and provides clear status labels for each determination.
What DROP Status Categories Mean
When data brokers retrieve and review deletion requests, they must classify each determination as one of the following:
- Deleted. The data broker located a matching record and deleted the consumer’s personal information to the extent required by law.
- Opted Out. Deletion is not required because a statutory exception applies, but the data broker must stop selling or sharing the consumer’s personal information and must place the consumer on a suppression list to prevent future transfers.
- Exempted. The data broker determined that the personal information falls within a statutory exemption that permits retention, such as fraud prevention, security, or legal compliance purposes.
- Record Not Found. The data broker did not locate matching personal information after conducting a reasonable search.
- Pending. The review is ongoing. Data brokers must finalize each determination within 90 days of retrieval.
The distinction between “Opted Out” and “Exempted” is significant. “Exempted” means the information can be retained because a statutory exception applies. “Opted Out” means the data broker may retain the information but must ensure that no future sales or sharing occur, supported by an internal suppression mechanism.
Obligations for Data Brokers
Registration Requirements. Data brokers must register annually with CalPrivacy by January 31, pay the required fee, and disclose the categories of identifiers they collect. These requirements come directly from the Delete Act and apply independently of DROP.
Retrieving and Processing Deletion Requests. Beginning August 1, 2026, data brokers must:
- Retrieve DROP deletion requests at least every 45 days
- Evaluate and match requests using standardized identifiers
- Delete personal information unless a statutory exception applies
- Complete determinations within 90 days of retrieval
- Maintain suppression lists when required
- Document and retain records of all determinations
CalPrivacy will provide an API and sandbox environment for engineering teams to integrate with DROP.
Potential Penalties
Registration Penalties. Data brokers who fail to register by the January 31 deadline face penalties of $200 per day, plus any expenses incurred by CalPrivacy in the investigation. These registration penalties have been in effect since the 2024 registration period.
Deletion Request Penalties. Beginning August 1, 2026, when data brokers must start processing DROP deletion requests, data brokers who fail to act on deletion requests may incur penalties of $200 per request per day. At the IAPP Privacy. Security. Risk. conference in October 2025, CalPrivacy staff discussed the implications of these penalties and the complications involved in processing deletion requests. Noncompliance could result in extensive financial exposure for large-scale data brokers.
During the November Board Meeting, CalPrivacy stressed that businesses should not assume they are exempt from registration. Even consumer-facing companies may qualify as data brokers if they sell personal information collected outside a direct relationship.
Timeline: Key Milestones Under the Delete Act and DROP
- October 2023. The Delete Act is signed into law, expanding California’s data-broker regime and directing CalPrivacy to build the DROP platform.
- January 31, 2024 (and annually). Data brokers must register with CalPrivacy, pay the annual fee, and disclose the identifiers they collect. Failure to register incurs penalties of $200 per day.
- 2024-2025. CalPrivacy continues rulemaking to clarify DROP operations, matching requirements, suppression obligations, and retrieval schedules.
- January 1, 2026. DROP opens to California consumers, who can authenticate through the identity gateway or Login.gov and submit deletion requests to all registered data brokers.
- August 1, 2026. Data brokers must begin retrieving DROP deletion requests at least every 45 days and finalize determinations within 90 days of retrieval. Penalties of $200 per request per day begin for failure to process deletion requests.
- January 1, 2028. Data brokers become subject to independent privacy audits every three years.
- January 1, 2029. Data brokers must submit their first audit results to CalPrivacy.
Looking Ahead
DROP represents a significant shift in California’s privacy landscape. While the platform is intended to simplify consumer deletion requests, it also signals increased regulatory expectations for data brokers. Many businesses may fall within the scope of the Delete Act even if they have never viewed themselves as data brokers, particularly if they sell or share personal information collected outside a direct relationship or rely on data sourced from third parties. This can include retailers that operate retail media networks or sell audience segments to brand partners, SaaS providers that offer targeted audiences built from third party data, or businesses that sell enrichment attributes derived from non-customer information.
As CalPrivacy continues to provide guidance and finalize technical specifications, businesses should reassess whether they qualify as data brokers and ensure their systems are prepared to retrieve, match and process deletion requests beginning in 2026.
***
Author’s Note: Information regarding the November 7, 2025, CalPrivacy Board Meeting, including quotes from Board Member Jennifer Urban and descriptions of the presentation by attorneys Phillip Laird and Liz Allen, based on firsthand attendance and observation by our associate, Grace McElroy. Meeting materials are publicly available at https://cppa.ca.gov/meetings/materials/20251107.html