![California's DROP Platform: Delete Your Data From 500+ Brokers [2025]](https://tryrunable.com/blog/california-s-drop-platform-delete-your-data-from-500-brokers/image-1-1767479754529.jpg)
Your Personal Data Is Everywhere (And Now You Can Do Something About It)
Somewhere right now, a data broker you've never heard of has your social security number. They probably also have your browsing history, email address, phone number, purchase records, and maybe even information about your health searches. Not because you gave it to them directly, but because they bought it from someone else who bought it from someone else in an endless chain of data sales.
For California residents, this nightmare just got slightly more manageable.
As of 2025, the state's new Delete Requests and Opt-Out Platform (DROP) gives people the ability to submit a single deletion request to over 500 registered data brokers simultaneously. No more filling out individual forms. No more sending certified letters to dozens of companies. One request. Multiple brokers. Actually deleting your data.
But here's the thing: this tool isn't perfect, and the timeline isn't as fast as you might hope. Data brokers don't have to start processing deletion requests until August 2026, and then they get 90 days to actually delete your information. Plus, not all of your data is covered. Some categories are exempt because they come from public sources or other laws protect them.
Still, DROP represents the most significant shift in consumer data control that California has seen since the CCPA went live in 2020. And understanding how it works, what it actually protects, and what gaps still exist could genuinely change how much of your information is floating around in the data broker economy.
The question isn't just whether you should use DROP. It's understanding what problem DROP actually solves, what problems it doesn't, and what you should do about it.
TL; DR
- DROP launches January 2025: California residents can request data deletion from 500+ brokers with a single submission through the new platform
- Processing begins August 2026: Brokers have 90 days after that to delete your data and confirm deletion
- Not all data qualifies: First-party data, public records, and information covered by other laws (HIPAA, voter registration) are exempt
- Penalties are real: Data brokers face $200 per day fines plus enforcement costs for failing to delete requested data
- It requires action: The tool doesn't automatically delete your data; you must actively submit requests and may need to provide additional information for brokers to locate your records
Estimated data shows that large brokers like Equifax face significantly higher compliance costs across all categories compared to smaller brokers. Development and lost revenue are major cost drivers.
Understanding the Data Broker Economy
Before we talk about deletion, you need to understand what you're actually deleting from. The data broker industry isn't some shadowy underground operation. It's completely legitimate, heavily regulated in California, and absolutely massive.
Data brokers occupy a weird space in the digital economy. They're not the retailers collecting your data when you shop. They're not social media platforms tracking your behavior. Instead, they're aggregators. They buy data from retailers, financial institutions, marketing firms, insurance companies, and dozens of other sources. Then they repackage that data and sell it to other companies.
Who buys this stuff? Insurance companies use it for risk assessment. Employers use it for background checks. Marketers use it to build targeting profiles. Debt collectors use it to find people. Landlords use it to screen tenants. Credit bureaus use it to inform credit scores.
The brokers themselves often have names you've probably never seen. Equifax, yes—but Equifax is primarily a credit bureau, not a typical data broker. Companies like Experian, Trans Union, Spokeo, Radaris, Truth Finder, and hundreds of others operate almost entirely out of public view.
California requires data brokers to register with the state. Before DROP existed, there was no centralized way to request deletion from all of them. You'd have to:
- Identify which brokers have your data (nearly impossible without professional help)
- Find each broker's opt-out mechanism (if they had one)
- Submit individual requests to each one
- Follow up if they didn't respond
- Repeat the process because new brokers keep registering
This system practically guaranteed that most people would do nothing. And the brokers knew it.
The DROP platform was launched in January 2025, but data deletion by brokers begins in August 2026, with full compliance expected by early 2027. Estimated data.
The Delete Act: Five Years to Build a Platform
California's Delete Act passed in 2023, but it took two years for the actual platform to go live. That timeline matters because it tells you something about how complex this is.
The law was straightforward in theory: create a single portal where California residents can request data deletion from all registered brokers simultaneously. Brokers have to honor the requests or face $200 per day in penalties.
But implementing it required:
Defining the universe of brokers: California had to figure out exactly who counts as a data broker. The definition matters enormously because it determines who has to participate in DROP. The law defines brokers as for-profit entities that collect and sell personal information about California residents that they didn't obtain directly from the consumer.
Building the platform: Someone had to actually create DROP. That meant databases, verification systems, request routing, confirmation mechanisms, and audit trails. The California Privacy Protection Agency (CPPA) handled this, and the fact that it took two years shows you how non-trivial this is.
Designing the verification system: The platform had to verify that you're actually a California resident without making it so difficult that nobody uses it. They settled on using public records, ID documents, and other verification methods.
Creating broker compliance: Brokers needed notice that they'd have to process bulk requests. They needed clear instructions. They needed to set up systems to handle thousands of simultaneous deletion requests starting in August 2026.
Legal harmonization: CCPA has exceptions. GDPR (if it applied) would have exceptions. Medical privacy laws exist. Voter registration comes from public records. The Delete Act had to define which data actually qualifies for deletion and which doesn't.
The two-year gap between passage and implementation tells you that creating a working deletion infrastructure for 500+ companies isn't something you do overnight.
How DROP Actually Works
Let's walk through what happens when you use DROP to delete your data. It's straightforward on the surface, but the details matter.
Step 1: Verification
You go to the DROP platform and verify that you're a California resident. This isn't trivial because the system has to prevent fraud while not requiring you to submit a notarized affidavit. The CPPA uses multiple verification methods, including ID documents, government records, and other identity verification systems.
The verification process typically takes minutes, but it requires you to prove your identity. If you've moved recently or your documentation is out of order, this could take longer. You can't just type your name and hit submit.
Step 2: Submission
Once verified, you submit a deletion request. You can submit a request for yourself, or a parent can submit on behalf of a minor. You specify which California resident's data you want deleted (if submitting for someone else).
DROP then routes your request to all currently registered data brokers. This happens electronically. It's not an email—it's a standardized data submission through the platform.
Step 3: Broker Processing Window
Here's where it gets frustrating. Brokers don't have to start processing requests until August 2026. That's almost two years away from January 2025. Brokers get this grace period to build systems and adjust workflows.
Once they start processing, they have 90 days to locate your records and delete them. If they can't find your records using the information you provided, they're supposed to notify you. Then you have the option to submit additional information that might help them locate your data.
Let's call this out: if a broker claims they can't find your data, you need to provide more specific identifiers. This means you might need to give them more information to get them to delete what they already have. It's a catch-22 that exists because brokers legitimately may not be able to identify your records from just your name and address.
Step 4: Confirmation
Brokers are supposed to confirm deletion within the 90-day window. In practice, confirmation might look like "we've deleted all matching records" without specifying exactly which records they deleted or providing granular detail. There's no requirement that brokers provide proof of deletion—just notification that they've processed the request.
Step 5: Non-Compliance Consequences
If a broker doesn't comply, the California Privacy Protection Agency can fine them
For mid-size brokers, this actually matters. For the massive players (Equifax, Trans Union), $200 a day is background noise—but CPPA can also pursue additional civil remedies, and the reputational hit of being publicly called out for not complying could impact business relationships.
The DROP data deletion process involves verification and submission steps that take minutes, but brokers have until August 2026 to start processing requests, with a 90-day window to complete deletion. Estimated data.
What Data Gets Deleted (And What Doesn't)
Here's where DROP starts to feel less powerful than it first appears.
Not all of your data can be deleted through this system. Some categories are exempt.
Data that CAN be deleted:
Any personal information that brokers collect with the intent to sell or buy. This includes:
- Social Security numbers
- Browsing history (if collected and sold by brokers)
- Email addresses
- Phone numbers
- Purchase records
- Location history
- Financial information they've aggregated
- Health search history (in some cases)
- Demographic information
- Behavioral profiles
Basically, if it's data that a broker acquired to resell, it's fair game for deletion.
Data that CANNOT be deleted:
First-party data. If a company collected information directly from you (you filled out a form, used their service, bought something from them), they can keep that. DROP only applies to brokers who acquire data from third parties. A bank's customer data? The bank doesn't have to delete it. A retailer's purchase history with you? The retailer can keep it. Only data that brokers bought and resold is subject to deletion.
Public records. Vehicle registration, voter registration, property records, court documents, business licenses—all exempt because they're from public sources. A data broker can aggregate public records and still sell them; they just have to disclose that they're selling public record information.
Information covered by other laws. HIPAA-protected medical information has its own deletion rules. Financial information covered under GLBA (Gramm-Leach-Bliley) can't be deleted just because you asked a broker to delete it; GLBA requirements apply. Insurance information has its own regulations.
This creates a significant loophole. A health insurance company can retain all your health data forever under HIPAA. A financial institution can retain all your financial data under GLBA. A broker aggregating that information still has to delete it if it's been sold, but the original source retains it.
The Timeline: Why August 2026 Matters
The delay between DROP's January 2025 launch and August 2026 processing start date is intentional but frustrating.
Brokers argued (not unreasonably) that they needed time to build systems to handle the incoming requests. Some operate with decades-old infrastructure. Some use data models from the 1990s. A few still operate with primarily paper-based record systems. Retrofitting 500 companies to handle automated deletion requests from a state portal in 90-day windows is genuinely complicated.
The CPPA also needed time to identify all registered brokers, notify them, and give them time to set up DROP integration.
But there's another reality: giving brokers an 18-month grace period is a gift. Data doesn't get stale. The longer a broker has your data, the more times they can sell it. The longer they have to plan, the more they can optimize their systems to comply minimally without actually doing more than required.
Some brokers will probably use the grace period to sell more aggressively, knowing that deletion requests are coming. It's not necessarily unethical—it's just how business works. If you know a revenue stream is ending, you maximize it while you can.
Once August 2026 hits and processing begins, expect brokers to:
- Create new systems specifically for DELETE request processing
- Implement deletion workflows that comply with the letter of the law
- Possibly rotate data more aggressively (refresh data more often so old data is "flushed" naturally)
- Require additional information from deletion requesters to extend timelines
- Delete what legally qualifies but retain everything in gray areas
The 90-day processing window is tight enough to matter but loose enough that brokers have real time to deal with requests. This is actually reasonable—forcing deletion in 30 days would be impractical, but 90 days is achievable for most companies.
DROP provides limited protection against legitimate data aggregators, new data collection, out-of-state brokers, and core data brokerage issues. Estimated data.
Who Benefits Most From DROP
DROP isn't equally useful for everyone. Understanding who benefits most helps you figure out whether it's worth your time.
High-value targets benefit most
If your data is being actively sold—if you're a high-income earner, recent mover, active online shopper, or person with significant assets—data brokers value your information more. Deletion requests from these profiles result in actual revenue loss for brokers, which means brokers are more likely to take them seriously.
If you're lower-income or don't fit valuable demographic profiles, brokers may process deletion requests more casually. Not because of discrimination exactly, but because the opportunity cost of your data deletion is lower.
People targeted by stalkers, debt collectors, or scammers benefit significantly
One of DROP's explicit goals is to make it harder for bad actors to find people. If your data is widely available in broker databases, debt collectors, scammers, and in the worst cases, abusive ex-partners can locate you easily. Deleting that data makes you harder to track.
This is substantial. Deletion through DROP isn't identity protection, but it's a meaningful privacy improvement for high-risk individuals.
Younger people benefit less (immediately) but more (long-term)
If you're 22, you have 40+ years of data generation ahead of you. Deleting data now only stops new sales from this point forward. Brokers still have everything from your past. However, you can request deletion every year, in theory making it harder for brokers to maintain comprehensive profiles over time.
For people in their 60s and 70s, a single deletion request removes decades of accumulated data all at once. More dramatic benefit, but also because you have fewer years of future data generation.
Business owners and public figures benefit the most
If your information is mixed into public databases anyway (business ownership, professional licensing, real estate ownership), DELETE does less for you. But if you're someone with both public presence and privacy concerns, removing your non-public data from brokers does reduce your overall digital footprint.
The Gaps in DROP's Protection
Before you get too excited about DELETE, understand what it doesn't do.
It doesn't touch legitimate data aggregators
Agencies that collect data for specific legal purposes—credit bureaus gathering data for credit reporting, consumer reporting agencies doing background checks for employers—often aren't classified as "data brokers" under California law. They operate under different rules. DROP doesn't apply to them.
Equifax, Trans Union, and Experian are the biggest players, and while they're regulated, deleting your data from the three major credit bureaus is a separate process from DROP.
It doesn't prevent data brokers from collecting new data about you
DROP deletes existing data. It doesn't prevent brokers from buying new data about you tomorrow. If you request deletion in January 2026 and a broker deletes your profile in October 2026, they can start collecting data about you again immediately. There's no automatic opt-out from future collection.
You'd need to request deletion again the next year. And the year after that. DROP isn't a one-time solution; it's an annual maintenance task if you want to keep brokers from re-accumulating your data.
It doesn't protect you from brokers outside California
The 500+ registered brokers that DROP applies to are those doing business in California. But data brokers operating entirely in other states aren't subject to this law. If you move out of state or someone buys your data about you from a national broker that doesn't register with California, you lose that protection.
It doesn't address the data brokerage ecosystem's core problem
The fundamental issue is that data is valuable and relatively easy to aggregate. DROP adds friction to the system, which is good. But it doesn't change the fact that if someone wants to buy data about you, they can. They'll just buy it before you request deletion, or they'll buy it again after you delete it.
A friend of yours could sell their contacts list, which includes your info, to a broker. Data brokers can acquire that, and DROP wouldn't cover it because they acquired it directly from someone (your friend), not from buying it from another broker.
It doesn't prevent data from being sold immediately after collection
A broker could theoretically sell your data to 100 companies in the morning, then delete it from their own records by evening when your deletion request is processed. The data is still out there in those 100 companies' hands.
In theory, data brokers aren't supposed to sell data with "no deletion" rights, but enforcing that requires audit and oversight.
The Delete Act took two years to implement, with significant progress in defining brokers and building the platform. Estimated data.
How This Compares to CCPA and Federal Privacy Law
California's approach to privacy has evolved. Understanding the layers helps you understand what DROP actually adds.
CCPA (2020): The foundation
The California Consumer Privacy Act gave residents broad rights to know what data companies collect, delete it, and opt out of sales. Any company processing personal information of California residents has to honor these requests.
But CCPA applied to every company, not specifically to data brokers. A data broker claiming they had 10 million people's records would theoretically have to process 10 million individual deletion requests if everyone asked. The system didn't scale.
CPRA (2023, effective 2024): Refined CCPA
The California Privacy Rights Act updated CCPA, clarifying definitions, adding consumer rights, and making enforcement easier. It's essentially CCPA 2.0.
But it still didn't address the core problem: individual companies scattered across the state receiving scattered requests.
Delete Act (2023, DROP launched 2025): Centralized deletion
The Delete Act created the infrastructure for centralized deletion requests. Instead of requesting deletion from each broker individually, you request it from DROP, which distributes it.
Federal law (FTC Act, GLBA, HIPAA) addresses specific sectors, but there's no federal equivalent to DROP. The US doesn't have a national data broker registration requirement or a federal deletion portal. This is purely California.
What other states are doing
Virginia, Colorado, Connecticut, Utah, and other states have passed privacy laws inspired by CCPA. Most don't yet have deletion portals as comprehensive as DROP. Virginia and Colorado are watching California's implementation to see if they should build something similar.
The Compliance Cost for Data Brokers
Understanding what DROP costs brokers helps you understand how serious they'll be about compliance.
Direct costs
Brokers have to build integration with DROP. Someone has to write the API calls, test them, document them. For a 20-person data broker, this might be
They have to store deletion requests and track compliance. If they get 100,000 requests a year, they need systems to process them, audit them, and report on them.
Operational costs
Whenever someone requests deletion, a broker has to locate that person's records, which isn't always simple. If data is distributed across multiple systems, databases, and archives, finding and deleting it all takes time.
For organized brokers with good data governance, this might mean 30 seconds of work per request. For disorganized brokers with distributed systems, it could be 30 minutes per request.
Indirect costs
Every deletion is lost revenue. If a broker's primary business model is selling data, DELETE reduces their addressable market. For a broker that makes
Over time, if a significant percentage of California's population requests deletion, brokers' entire business models might need to shift.
Reputational costs
A broker that's publicly called out for non-compliance faces pressure from business partners and regulators. If you do business with Company A, and Company A gets regularly fined for violating CPPA, you might reconsider the relationship.
These costs together create real incentive to comply. It's not altruism; it's economics.
Estimated data shows marketers as the largest clients of data brokers, followed by insurance companies. This highlights the diverse applications of aggregated data.
What Happens If a Broker Doesn't Comply
Penalties matter because they determine whether brokers will actually comply or take their chances.
$200 per day for non-compliance
That's the statutory penalty. If a broker gets 1,000 deletion requests and doesn't process them within 90 days, that's 1,000 times
Obviously, brokers aren't stupid. But the structure of this fine means non-compliance gets expensive fast. Compliance costs money upfront; non-compliance costs more money later.
Enforcement costs
If the state has to spend resources investigating and enforcing, the broker pays those costs too. If CPPA spends 500 hours investigating a broker's non-compliance, the broker might owe
Additional civil remedies
Beyond the statutory fine, CCPA allows for additional civil action. A broker that demonstrates a pattern of non-compliance could face lawsuits, extended investigations, and requirements to hire external auditors to verify compliance going forward.
Losing registration
In theory, CPPA could refuse to renew a broker's registration if they chronically violate deletion requests. That would mean they couldn't legally operate in California. For a broker that does any business in California, that's existential.
These enforcement mechanisms are reasonably robust. They're probably enough to push most brokers toward compliance, especially larger ones that can afford compliance infrastructure.
The Mechanics of Submitting a Deletion Request
Let's walk through the actual practical steps of using DROP.
Access DROP
DROP is available at the California Privacy Protection Agency website. It's free. You don't need a special app; it's just a web portal.
Verify your identity
You'll need to verify that you're a California resident. This involves submitting identification or authorizing a background check. The exact process depends on which verification methods CPPA accepts at the time you use it.
Provide your information
You provide your name, current address, and previous addresses (if you've moved recently). You might also provide email addresses, phone numbers, and other identifiers that help brokers locate your records.
Here's the thing: the more information you provide, the better chance brokers have of finding your records. But providing more information also means you're telling the platform more about yourself. It's a trade-off.
Submit the request
You submit the request to DROP. The platform logs it, routes it to all registered brokers, and sends you a confirmation that your request was received.
Wait
You wait until August 2026 for brokers to start processing. Then you wait 90 days for them to process. So realistically, if you submit in January 2025, your data might not actually be deleted until January 2027.
Follow up if needed
If a broker says they can't find your data, DROP allows you to submit additional information. You might get contacted by brokers asking for more identifiers. Respond to these if you want to maximize the chance of deletion.
Receive confirmation
Once brokers process your request, they're supposed to notify you (through DROP or directly) that they've completed deletion. Note: "completed deletion" might mean "we deleted all records matching the criteria you provided," not necessarily "we've verified everything is gone."
Best Practices for Using DROP Effectively
Maximizing the effectiveness of DROP requires a few practical steps.
Submit early
When DROP opens for requests, submit immediately. Early submissions mean you're early in the queue when brokers start processing in August 2026. All else being equal, brokers will work through requests chronologically.
Be accurate with your information
Provide correct information about yourself. Typos in your name or address mean brokers might not find your records. Use all previous names if you've been married, divorced, or changed your name.
Keep records
Save confirmation emails from DROP and from individual brokers. If a broker claims they processed your deletion but you later find your data still in their system, you'll need proof that they acknowledged your request.
Request annually
Even after your first deletion processes, brokers can collect new data about you. Once a year, submit a new deletion request to prevent re-accumulation. This becomes an annual maintenance task.
Use complementary tools
DROP addresses data brokers, but other privacy tools address other data sources. You might also want to:
- Request deletion from major credit bureaus separately (Equifax, Trans Union, Experian)
- Use opt-out tools for marketing databases
- Request deletion from people-search websites individually
- Use privacy settings on social media platforms
DROP is one piece of a larger privacy strategy, not the complete solution.
Document everything
Keep screenshots of your DROP confirmation, broker notifications, and any correspondence. If there's a dispute about whether a broker processed your request, documentation helps.
The Bigger Picture: Privacy in the Data Economy
DROP is important, but it's worth stepping back to understand what it actually represents in the larger context of data privacy.
We're not solving the core problem
The core problem is that data is valuable. As long as data is valuable, people will find ways to collect and sell it. DROP adds friction—it makes some data sales harder, requires deletion processing, and creates operational costs. But it doesn't eliminate the incentive.
If anything, DROP might accelerate some privacy-conscious companies' moves toward using data more efficiently. Instead of collecting and selling as much as possible, they might collect smarter data that's harder to request deletion for (data covered by HIPAA, GLBA, etc.).
California is leading; others will follow
Every state watching California's implementation of DROP is taking notes. If it works, other states will implement similar systems. If it fails, states will learn from the failures.
Over a decade, you'll probably see federal data broker regulations that look similar to California's. Federal deletion portals might emerge. The trend is toward more data control, not less.
The real win is modest but meaningful
DROP doesn't restore perfect privacy. But it does:
- Reduce the passive accumulation of your data
- Make it harder for bad actors to find you
- Create costs for data brokers that might slow their collection
- Give California residents a tool they didn't have before
These are real improvements, even if they're not revolutionary.
Limitations and Future Challenges
DROP will face challenges as it scales. Anticipating them helps you understand what might not work as planned.
Broker identification
Not all entities that function as data brokers register with California. Some operate in gray areas—they aggregate data but claim they're not "brokers." Others haven't heard about the registration requirement. As DROP matures, there will be disputes about which entities actually have to participate.
International data transfers
If a broker's data leaves California and the US, California's law doesn't apply. A broker could legally move your data to a server in another country, claim it's not subject to California law, and resist deletion. The CPPA will eventually have to address this.
Consent mechanisms
DROP is an opt-out system. You have to know about it and request deletion. An opt-in system (where brokers can't collect data without permission) would be more effective, but it's harder to implement at scale. Future versions might move toward opt-in for new data.
Technology gaps
Brokers use vastly different systems. Some can integrate with DROP in weeks. Others might take years. Data gets duplicated, stored in multiple places, and backed up. Finding all of someone's data and ensuring it's all deleted is harder than it seems.
Verification challenges
How do you verify someone is who they claim to be? If verification is too strict, honest people can't use DROP. If it's too loose, bad actors can request deletion of other people's data to damage them. Getting this balance right requires ongoing refinement.
Alternatives and Complementary Tools
DROP is powerful for deleting data from brokers, but it's part of a larger privacy toolkit.
Credit freeze/lock
If identity theft is your main concern, a credit freeze (through Equifax, Trans Union, Experian) or a fraud alert prevents new accounts from being opened in your name. This doesn't delete your data, but it protects against some misuse.
Privacy-focused browsers and VPNs
Browsers like Firefox and Duck Duck Go limit tracking. VPNs hide your location. These prevent data generation in the first place, rather than deleting data that's already been collected.
People-search removal tools
Services like Delete Me and Reputation.com submit deletion requests to hundreds of people-search websites. They handle the tedious work of removing your info from these databases. They're complementary to DROP.
Opting out of marketing lists
DMA (Direct Marketing Association) maintains an opt-out service for marketing mail and calls. This doesn't delete data but does reduce how much it's used for marketing.
Data brokers' direct opt-out
Most major brokers have their own opt-out mechanisms. You can go to Spokeo, Radaris, Truth Finder, etc., directly and request removal. DROP consolidates this, but individual brokers' systems still exist.
Looking Forward: What Happens in 2026 and Beyond
The question everyone should be asking: will DROP actually work as intended?
The optimistic scenario
Brokers build systems, process deletion requests efficiently, and by late 2026, thousands of Californians have successfully deleted their data from hundreds of brokers. The system works. Other states copy it. By 2030, multiple states have deletion portals, and the data broker industry has fundamentally shifted its practices.
Brokers move toward transparency, consent-based collection, and higher-value data that's harder to delete. The volume of data sold decreases. People feel more in control of their digital privacy.
The realistic scenario
Some brokers comply smoothly; others find reasons their data can't be fully deleted. Some claim technical challenges that extend beyond 90 days. Some process deletions minimally while retaining data in archival systems. Litigation happens. CPPA spends years in court battles with brokers over what "deletion" actually means.
Meanwhile, brokers shift to collecting data covered by other laws (HIPAA, GLBA) and data from sources that DROP doesn't apply to. The volume of deleted data is less than expected because brokers found ways around it.
But even in this scenario, friction increases. The data broker industry adapts and continues, but less efficiently.
The pessimistic scenario
Some brokers simply don't comply. CPPA lacks resources to enforce uniformly. Litigation drags on for years. Meanwhile, brokers build workarounds. They claim data is covered by medical privacy or financial privacy. They argue they're not "brokers" but "analytics providers."
DROP becomes functional for the most compliant brokers but doesn't significantly impact data sales at scale. The publicity around DROP makes people feel like they're doing something about privacy, when in reality, data collection continues mostly unchanged.
Most likely, reality falls somewhere between realistic and optimistic. Some brokers comply fully. Others comply partially. Over time, the system improves as edge cases get litigated and clarified.
FAQ
What is the DROP platform?
The Delete Requests and Opt-Out Platform (DROP) is a tool launched by the California Privacy Protection Agency that allows California residents to submit a single deletion request to over 500 registered data brokers simultaneously. Before DROP, people had to request deletion from each broker individually. DROP consolidates these requests into one portal, then distributes them to participating brokers who are legally required to process them.
When does DROP actually delete my data?
DROP launched in January 2025, but brokers don't have to start processing deletion requests until August 2026. Once they start processing, brokers have 90 days to delete your data and confirm deletion. So if you submit a request in January 2025, your data realistically won't be deleted until late 2026 or early 2027. The 18-month gap gives brokers time to build systems and prepare for bulk requests.
What data qualifies for deletion through DROP?
DROP covers personal information that data brokers acquired from third parties with the intent to sell or resell. This includes social security numbers, browsing history, email addresses, phone numbers, purchase records, location history, and demographic information. However, first-party data (information companies collected directly from you), public records (voter registration, property records), and information covered by other laws (HIPAA, GLBA) are exempt from deletion requirements.
How do I use DROP?
First, you verify that you're a California resident through the CPPA's verification system. Then you submit your request with your name, current and previous addresses, and any other identifying information that will help brokers locate your records. DROP routes your request to all participating brokers. Once brokers start processing in August 2026, they have 90 days to delete your data. You'll receive confirmation when they complete the deletion.
What if a broker claims they can't find my data?
If a broker can't locate your records using the information you provided, they're supposed to notify you through DROP. You have the option to submit additional information, such as previous addresses, alternative email addresses, or phone numbers that might help them identify your records. This is necessary because brokers' systems may not match your information perfectly, making it hard for them to locate your data without more details.
What happens if a data broker ignores my deletion request?
If a broker fails to delete your data or doesn't comply with the 90-day processing window, the California Privacy Protection Agency can fine them $200 per day plus enforcement costs. These penalties add up quickly, especially for brokers receiving thousands of deletion requests. The financial incentive for compliance is substantial, and the CPPA can pursue additional civil remedies for chronic non-compliance.
Does DROP protect my data from future collection?
No, DROP only deletes existing data. It doesn't prevent brokers from collecting new data about you after deletion. Brokers can legally start acquiring information about you again immediately after deleting your old profile. If you want to maintain privacy, you'll need to submit deletion requests annually to prevent re-accumulation of your data.
Is DROP the only tool I should use for privacy?
DROP addresses data brokers specifically, but there are other privacy concerns it doesn't cover. You might also want to place a credit freeze with major credit bureaus (Equifax, Trans Union, Experian), opt out of marketing lists through the DMA, request removal from people-search websites directly, and adjust privacy settings on social media platforms. DROP is one piece of a broader privacy strategy.
What's the difference between DROP and CCPA?
CCPA (California Consumer Privacy Act) applies to any company collecting California residents' personal information and gives you rights to know, delete, and opt out of sales. CCPA requires you to submit individual requests to each company. DROP is specific to data brokers and centralizes deletion requests, so you make one request instead of hundreds. DROP makes CCPA's deletion right more practical at scale.
Can I request deletion for someone else?
Yes, parents can request deletion on behalf of minors. However, you need to verify your legal relationship to the minor. For adults, you can't request deletion of someone else's data without their authorization. If you're helping an elderly parent or someone with limited digital access, the CPPA's instructions should clarify the process for authorized representatives.
Will DROP be available in other states?
Currently, DROP is specific to California. However, other states like Virginia and Colorado are watching California's implementation to determine whether they should build similar systems. If DROP works as intended, other states will likely follow. Federal regulations on data brokers could eventually emerge, but as of now, DROP is a California-only tool.
The Bottom Line
California's DROP platform represents a genuine shift in how much control people can have over their personal data in the hands of data brokers. For the first time, residents can request deletion from hundreds of brokers through a single portal rather than individually contacting each one.
But it's important to maintain realistic expectations. The 18-month delay before brokers start processing means deletion won't happen immediately. Data covered by other laws, first-party data, and public records remain exempt. And brokers can legally start collecting data about you again once the deletion is processed.
DROP isn't perfect, but it's a meaningful improvement. It creates friction in the data broker ecosystem that didn't exist before. It gives individuals a practical tool they didn't have. And it establishes a model that other states are likely to follow.
If you value your privacy, using DROP makes sense. Submit a request when you can verify your identity. Update it annually to prevent re-accumulation. Combine it with other privacy tools like credit freezes and direct opt-outs from major brokers. Over time, these steps reduce how much data is circulating about you, even if they don't eliminate the problem entirely.
The data broker economy isn't going away. But it's getting harder to operate with complete opacity, and that's progress.
Key Takeaways
- DROP consolidates deletion requests to 500+ California data brokers into a single portal, eliminating the need for hundreds of individual opt-out requests
- Brokers don't start processing requests until August 2026, with 90 days to delete data, meaning deletion won't complete until late 2026 or early 2027
- Not all data qualifies—first-party data, public records, and information covered by HIPAA or GLBA are exempt from DROP deletion requirements
- Data brokers face $200 per day in penalties plus enforcement costs for non-compliance, creating strong financial incentive to process deletion requests
- DROP is an annual maintenance task; brokers can legally re-collect data after deletion, so you'll need to submit requests yearly to prevent re-accumulation
- Using DROP as part of a broader privacy strategy (credit freezes, people-search removal, privacy browsers) provides better overall protection than DELETE alone
Related Articles
- California's DROP Platform: Delete Your Data Footprint [2025]
- Tax Season Security Threats: How to Protect Your Data [2025]
- 1Password Deal: Save 50% on Premium Password Manager [2025]
- Holiday VPN Security Guide: Expert Tips for Safe Festive Season [2025]
- Holiday Email Scams 2025: How to Spot and Stop Them [Updated]
- How to Explain VPN Importance to Your Parents: 2025 Guide
