California DROP: Delete Request and Opt-Out Platform

DROP stands for "Delete Request and Opt-Out Platform." It is the California Privacy Protection Agency’s (CPPA) universal deletion system, created under the Delete Act (SB 362, 2023). Starting August 1, 2026, a single verifiable consumer request submitted through DROP will direct every registered California data broker to delete that consumer’s personal information.

August 1, 2026 is the operational effective date. Starting then, data brokers must access the accessible deletion mechanism at least once every 45 days and process consumer deletion requests. The DROP website application is already live at privacy.ca.gov/data-brokers for informational purposes.

A California resident submits one verifiable deletion request through DROP. That single request propagates to every registered data broker in California’s CPPA registry (currently ~566 brokers). Each broker must check the deletion list every 45 days and process the request. No more contacting brokers one-by-one.

Brokers registered with the California Data Broker Registry must (1) pay an annual $6,000 registration fee plus processing, (2) register between January 1-31 each year, (3) access the DROP deletion list at least once every 45 days, (4) process consumer deletions subject to limited exceptions, and starting 2028, (5) undergo independent audits every 3 years.

SB 361 (2025) expanded the disclosure requirements for California-registered data brokers. In addition to basic business information, brokers must now disclose whether they collect sensitive categories (sexual orientation, union membership, citizenship, biometric, geolocation, reproductive-health, minors), whether they share or sell data to foreign actors, law enforcement, federal/state governments, or generative-AI developers, and the specific types of personal information they collect (mobile ad IDs, emails, phone numbers, login credentials).

Direct DROP usage is limited to California residents — a verifiable request requires California residency. However, because most national data brokers operate unified deletion workflows to avoid maintaining state-specific pipelines, the compliance pressure from DROP will likely extend deletion rights de facto to all US residents via spillover.

No — it supplements them. CCPA’s right to delete against any covered business still exists. DROP specifically handles deletions from registered data brokers. Consumers may continue to submit direct CCPA deletion requests to any broker, or use DROP for batch processing. For businesses that aren’t data brokers (e.g., a retailer), direct CCPA requests remain the path.

Non-compliance triggers administrative fines enforceable by the CPPA under Cal. Civ. Code § 1798.99.82. The penalty structure includes per-violation fines plus costs. Brokers that fail to register by January 31 face additional administrative penalties for failure to register. The audit requirement beginning 2028 adds another compliance checkpoint.

Services like DeleteMe and Incogni will continue to operate, but their core value proposition shifts. Once DROP is live, the "we send deletion requests for you" part becomes redundant for California residents — they can do it themselves in one click. Subscription services will need to pivot toward ongoing monitoring, non-California brokers, or enterprise use cases.

Yes, for three reasons. (1) Non-California residents still need per-broker requests — DROP only covers California. (2) Many people-search sites and non-registered brokers exist outside DROP’s scope; OfflistMe’s 200+ broker coverage is broader. (3) Family-member and historical-address cleanup often require targeted requests beyond what DROP processes.