One-Click Privacy: California Launches "DROP" Centralized Deletion Platform
Why This Alert Is Important
The launch of the Delete Request and Opt-out Platform (DROP) represents a global first in privacy enforcement, allowing consumers to wipe their digital footprint across hundreds of data brokers with a single request. For organizations, this shifts data deletion from a reactive, manual process to a high-frequency regulatory requirement with significant financial penalties for non-compliance.
Overview Text
Established by the California Delete Act (SB 362), DROP officially opened for consumer use on January 1, 2026. The platform, administered by the California Privacy Protection Agency (CPPA), serves as a centralized "accessible deletion mechanism". It allows California residents to authenticate their identity once and submit a single request that applies to all 500+ registered data brokers in the state.
While consumers can submit requests now, data brokers have a transition period to integrate their systems. Starting August 1, 2026, data brokers must access DROP at least every 45 days to retrieve new requests. Once a request is retrieved, the broker has 45 days to process the deletion and report the status back to the platform. The law applies to any business that knowingly collects and sells personal information of consumers with whom they do not have a direct relationship, even if the business does not traditionally self-identify as a "data broker".
What It Covers
- Key Implications or Developments
The implementation of DROP creates a new operational reality for data-driven enterprises. Unlike previous laws where the burden was on the consumer to contact companies individually, DROP automates the process, likely leading to a massive surge in deletion volumes. - Automated Suppression Requirements: Data brokers must not only delete existing data but also implement internal suppression lists. This ensures that once a consumer opts out via DROP, their information is not re-collected or repopulated in the broker’s database from future third-party sources.
- Expansion of Deletable Data: The requirement extends to inferences and derived data. If a data broker has used consumer information to build a profile or predict behavior, those generated insights must also be purged.
- High Financial Stakes: There is no cure period for violations. Starting August 1, 2026, failure to process a DROP request can result in administrative fines of $200 per request, per day. For large-scale brokers handling thousands of records, daily exposure could reach millions of dollars.
- Mandatory Audits: Beginning January 1, 2028, and every three years thereafter, data brokers must undergo independent third-party audits to verify compliance with the Delete Act.
Expert Analysis
The launch of California’s DROP platform is a seismic shift in data privacy. The era of manual, ad-hoc data deletion is officially over. With consumers now able to opt out across hundreds of organizations with a single click, we anticipate an unprecedented surge in request volumes.
What many organizations fail to realize is how surprisingly broad the "data broker" definition is under the Delete Act. If your business collects and sells third-party personal data without a direct consumer relationship, this likely applies to you. The $200 per-day, per-request fines starting in August 2026 mean that relying on manual workflows is now a massive financial risk.
To prepare, you must move beyond simple data mapping to dynamic data intelligence. You can’t delete, or suppress, what you can’t accurately locate.
Fahad Diwan, JD, FIP, CIPP/M, CIPP/C, Director of Product, Privacy, Exterro
Data Privacy Tip
Proactively map your third-party data sources. Understanding if you meet California's "data broker" definition is essential for avoiding $200-per-day penalties starting in August 2026.
