In October 2023, California passed the Delete Act, which, in addition to requiring data brokers to register with the state, directed Cal Privacy (f/k/a the California Privacy Protection Agency or CPPA) to create a data deletion software tool by January 1, 2026. This deletion software tool, now called the Delete Request and Opt-Out Platform (DROP), allows California residents to submit a single request to require all registered data brokers to 1) delete their personal information, and 2) stop selling or sharing that information through one verified, government‑administered process, rather than contacting hundreds of companies individually.
At IAPP’s Privacy. Security. Risk. 2025 conference, Cal Privacy Executive Director Tom Kemp said the agency was “laser focused” on having the DROP ready for the launch date. Now, after over two years of development, Kemp confirmed the DROP has over 215,000 registrants and is ready for use.
Using DROP
Data brokers gather, sell, and share third party consumer data, including personal information not provided to them directly by consumers. Such personal information is often sold and resold to data brokers after a consumer initially provides it (for example, to complete an online transaction), which can make it more difficult for consumers to track down. The DROP aims to solve this problem by giving California consumers a platform to delete their personal information held by data brokers.
As of January 1st, 2026, a California resident can create a profile on the DROP, verify their state residency, and submit their request(s) in one place. They can also check deletion status and update their personal information on the platform. The following types of information are eligible for deletion upon request:
- Basic identifiers (name, phone number, email)
- Online behavioral data (social media history, browsing history, online habits)
- Financial-related data (payment history, spending habits)
- Health-related data (use of health-related apps, wearables, trackers, and websites)
- Location data (where they go and how frequently)
- Relationship data (their family and friends and frequency of interactions)
- Inferences (conclusions drawn from their lifestyle, hobbies, income, religious or political beliefs)
Data Broker Guidance
While consumers residing in California can start submitting deletion requests now, data brokers will not be required to process deletion requests until August 1, 2026. After this date, they must:
- Retrieve DROP requests at least every 45 days.
- Determine and act on deletion requests within 90 days.
- Treat unresolved deletion requests as opt‑out requests, at a minimum.
- Maintain suppression lists to ensure personal information is not re‑collected or resold.
- Report compliance status back through the DROP system.
Notably, data brokers do not have to delete information the government makes available to the public or governed by other laws, such as laws pertaining to financial or health information. Likewise, businesses that perform activities already covered by the Fair Credit Reporting Act (FCRA) and the Health Insurance Portability and Accountability Act (HIPAA) do not need to register as data brokers.
Unlike other state privacy laws which only require covered organizations to review and delete first-party consumer data upon request, the Delete Act requires data brokers to also forward a consumer’s request to third parties—such as service providers, processors, or other data brokers —with whom they have sold or shared such data.
With monetary penalties starting at $200 per day for failure to delete consumer data upon receiving a valid request, the recent Delete Act fine against Nevada-based marketing firm ROR Partners LLC, the hiring of Cal Privacy’s first Chief Privacy Auditor, there is no sign that there will be half-hearted enforcement. Businesses that perform covered activities under the Delete Act should register as data brokers if they have not done so already and should familiarize themselves with the DROP tool before August 1st of this year.