
California DROP Is Live: What the Delete Act Means for Data Brokers

California has taken a major step forward in consumer data protection. With the launch of DROP (Delete Request and Opt-Out Platform), the state is fundamentally changing how personal data deletion, consent, and preferences are enforced. Introduced under the Delete Act (SB 362), DROP is not just a compliance update—it’s a blueprint for the future of data governance.


Why DROP Matters More Than You Think

Historically, consumers had to submit individual deletion requests to dozens—sometimes hundreds—of data brokers. DROP eliminates that friction. Californians can now submit one deletion request through a state-hosted platform, which is then distributed to all registered data brokers simultaneously.

For businesses, this creates a centralized, predictable, and regulated intake mechanism. For consumers, it represents a major shift in control over personal data.


What Is DROP?

DROP stands for Delete Request and Opt-Out Platform. It is a centralized deletion control system created by the California Privacy Protection Agency (CPPA) under the Delete Act (SB 362). Its purpose is to streamline and standardize how deletion requests are submitted, processed, tracked, and reported by data brokers.

Rather than handling fragmented, ad hoc requests, organizations must now treat deletion as a repeatable, auditable workflow.


Who Qualifies as a “Data Broker”?

The definition of a data broker is broader than many organizations expect. A data broker is any business that knowingly collects and sells personal information about consumers without having a direct relationship with them.

This can include:

  • Data aggregators

  • Marketing intelligence firms

  • Analytics providers

  • Enrichment services

  • Companies trading inferred or derived data

Many organizations that do not traditionally see themselves as data brokers may still fall under this definition.


Key Dates Businesses Need to Know

DROP introduces a clear compliance timeline:

  • January 1, 2026: DROP launches for consumers

  • August 1, 2026: Data brokers must begin processing requests and access DROP at least every 45 days

  • Within 45 days of retrieval: Brokers must report request status in DROP

  • Within 90 days: Consumer-facing expectation for deletion (from August 1, 2026 onward)

This cadence makes deletion requests predictable—but also continuous.


Preferences Become “System-Wide Signals”

One of the most impactful changes introduced by DROP is how consumer preferences are treated. Preferences are now considered system-wide signals, meaning they must be honored consistently across:

  • Internal systems

  • Vendors and processors

  • The entire data lifecycle

  • Derived data and inferences

This reinforces a regulatory shift away from siloed compliance toward end-to-end data control. 


Security and Operational Impact

DROP should be treated like any other regulated, external-facing workflow. Centralized intake means a predictable request cadence every 45 days, but it also raises the bar for operational maturity.

Organizations will need:

  • Strong identity verification processes

  • Comprehensive audit trails

  • Verifiable proof of deletion

  • Secure API integrations using least privilege, logging, and monitoring

Failure in any of these areas can create both compliance and security risks.


A “Prepare Now” Checklist for Organizations

To get ahead of DROP, organizations should take the following steps:

  1. Confirm whether you qualify as a data broker

  2. Map all data stores and vendors where personal data and inferences live

  3. Standardize identifiers and matching processes

  4. Automate deletion and suppression to prevent re-collection or re-sale

  5. Build reporting and evidence systems with timestamps and outcomes

  6. Run tabletop exercises simulating DROP cycles every 45 days


Final Thoughts: DROP Is the Blueprint for What’s Next


DROP is more than a California-specific requirement—it signals where privacy regulation is headed globally. Centralized control, system-wide enforcement, and provable compliance are becoming the new standard. Organizations that prepare now won’t just meet regulatory expectations—they’ll be better positioned to build trust, reduce risk, and scale responsibly in a privacy-first world.

 
