California residents now have a straightforward way to demand that data brokers delete their personal information. Instead of contacting hundreds of companies individually, you can submit a single request through the state’s new Delete Request and Opt-Out Platform—known as DROP.
The tool launched on 1 January 2026 under the California Delete Act, passed in October 2023. It covers more than 500 registered data brokers who buy, sell, and trade personal information about consumers. For anyone tired of their data circulating between companies they’ve never heard of, this is a meaningful step forward.
This article explains how DROP works, what the law requires from data brokers, and what California residents should know before using it.
What Is the DELETE Act?
The California Delete Act (SB 362) created the first centralised system in the United States for requesting deletion of personal data from data brokers. Before this law, Californians had the right to request deletion under the California Consumer Privacy Act (CCPA), but exercising that right meant identifying and contacting each data broker separately—an impractical task given hundreds of companies operate in this space.
The Delete Act addressed this by directing the California Privacy Protection Agency (CPPA) to build a single platform through which residents can send deletion requests to all registered data brokers at once. That platform is DROP.
What Data Brokers Must Do
Data brokers are businesses that knowingly collect and sell personal information about consumers with whom they have no direct relationship. Under the Delete Act, these companies must:
- Register with the CPPA by 31 January 2026
- Pay registration fees based on their revenue
- Access the DROP system at least every 45 days to retrieve deletion requests
- Process deletion requests within 90 days
- Treat unverified deletion requests as opt-outs from future data sales
- Maintain suppression lists to prevent re-collecting deleted data
Non-compliance carries penalties of $200 per request, per day—a structure designed to make ignoring the law expensive.
How DROP Works
The process is simple for consumers. You create an account on the DROP platform, verify your California residency, and submit a deletion request. That single request is then made available to all registered data brokers, who must retrieve and process it according to the law’s timeline.
The Timeline
- January 2026: DROP launches and data brokers begin registration
- Spring 2026: API integration opens for automated request processing
- August 2026: Data brokers must begin retrieving and processing requests every 45 days
- 90 days after retrieval: Deadline for data brokers to complete deletion
Once brokers begin processing in August 2026, they have 90 days to delete your data. They cannot deny a request, though certain exemptions apply to data that falls outside the law’s scope.
What DROP Covers
DROP applies to third-party data brokers—companies that collect your information indirectly, often by purchasing it from other sources or scraping it from public records. These brokers may hold your name, address, phone number, email, social security number, financial information, location history, browsing behaviour, and information about family members including children.
DROP does not cover first-party data—information you provide directly to companies you do business with. If you sign up for a retailer’s loyalty programme, that retailer is not a data broker under this law. Similarly, some public records are exempt from deletion requirements.
Why This Matters for Privacy
Data brokers operate largely out of sight. Most people have never heard of the companies holding their information, yet these businesses fuel targeted advertising, background checks, people-search websites, and increasingly, AI training datasets. When your data circulates through broker networks, the risks compound.
Reduced Spam and Scams
Data brokers supply contact information to marketers, including less scrupulous ones. Removing your data from broker databases can reduce unwanted calls, texts, and emails. It also limits the information available to scammers who use purchased data to craft convincing phishing attempts.
Lower Risk of Identity Theft
The more places your personal information exists, the more opportunities for it to be exposed through data breaches. Data brokers are attractive targets for hackers because they concentrate large volumes of sensitive information. The 2024 breach at National Public Data exposed records on hundreds of millions of people—a stark reminder of what happens when these databases are compromised.
Limiting AI Impersonation
As generative AI advances, the information data brokers hold becomes more dangerous. Detailed personal profiles can be used to create convincing impersonations, whether for fraud, harassment, or manipulation. Reducing the data available about you makes these attacks harder to execute.
Early Enforcement Under the Delete Act
The CPPA has already taken action against non-compliant data brokers. In May 2025, National Public Data was fined $46,000 for failing to register and pay required fees. In July 2025, Accurate Append received a $55,400 penalty for similar violations.
These early cases signal that California regulators intend to enforce the law actively. For data brokers that have ignored registration requirements, the combination of registration penalties and per-request fines for non-compliance with DROP could be substantial.
Limitations to Understand
DROP is a significant tool, but it has boundaries. It only covers data brokers registered in California, though this includes most major players operating nationally. Companies that are not classified as data brokers—including many tech platforms that collect data directly from users—fall outside its scope.
The law also requires verification of California residency before you can submit a request. If you live outside California, DROP is not available to you, though several other states have passed or are considering similar legislation.
Finally, deleting your data is not permanent protection. Data brokers may legally acquire new information about you after processing your deletion request. Using DROP periodically—rather than once—provides better long-term coverage.
How to Use DROP
If you’re a California resident, here’s what to do:
- Visit privacy.ca.gov/drop
- Create an account and verify your identity and residency
- Submit your deletion request
- Check back periodically to submit new requests and ensure ongoing protection
The system is designed to be accessible and does not require technical knowledge. Once submitted, your request is automatically distributed to all registered brokers.
Conclusion
California’s DROP tool represents a practical approach to a problem that has plagued consumers for years: the near-impossibility of controlling personal data once it enters the data broker ecosystem. By centralising deletion requests and imposing real penalties for non-compliance, the Delete Act gives residents meaningful leverage over companies that profit from their information.
If you’re a California resident concerned about privacy, DROP is worth using. It won’t eliminate all data collection about you, but it addresses one of the largest and least visible parts of the personal information economy.
Sources
- California Privacy Protection Agency – DROP
- California Delete Request and Opt-Out Platform
- CPPA Enforcement Advisory on Data Broker Registration
- TechCrunch: California residents can use new tool to demand brokers delete their personal data
- DataGrail: The Delete Act and DROP
