AI Lawyer Blog
California DROP and the Delete Act: What Residents Should Know
Greg Mitchell | Legal consultant at AI Lawyer
3
California's DROP platform matters because it turns a difficult privacy right into one centralized process. Instead of trying to identify and contact hundreds of data brokers one by one, California residents can use the state's Delete Request and Opt-out Platform to submit one verified request across the registered broker ecosystem. The system exists because of the Delete Act (SB 362), and California presents it as a first-of-its-kind consumer privacy tool.
That does not make DROP a universal delete button. The platform is aimed at data brokers, not every company that holds personal information, and it does not replace broader rights under the California Consumer Privacy Act. It is best understood as a practical shortcut for one specific part of the data economy that most consumers would otherwise struggle to navigate on their own.
TL;DR
Californians can use DROP to send one deletion request to registered data brokers.
The platform was created under the Delete Act, SB 362.
Consumers can submit requests now, while brokers begin processing them on August 1, 2026.+
DROP applies to data brokers, not all businesses.
It does not replace standard CCPA or CPRA privacy requests.
You Might Also Like:
What happened in California on January 20, 2026?
On January 20, 2026, Governor Gavin Newsom and the California Privacy Protection Agency publicly announced the launch of DROP, describing it as a tool that lets Californians more easily block the sale of their data by brokers. That announcement turned an enacted privacy reform into a real public-facing tool.
The timing matters. California's About DROP and the Delete Act page says the platform is available to consumers in 2026, while the statute and agency materials make clear that broker-side processing starts on August 1, 2026. The public launch date and the actual broker-processing date are not the same thing.
How DROP works
California's official How DROP works guide breaks the process into three parts: verify eligibility, create a profile, and submit the request. Residents can qualify if they live in California or are domiciled there but temporarily outside the state.
When building a request, users can provide basic information such as name, date of birth, ZIP code, email address, and phone number. They can also add more technical identifiers such as a mobile advertising ID, connected TV ID, or VIN. The more identifiers a person includes, the better the chance of a successful match.
After submission, the confirmation page includes a DROP ID used to check status later. According to the official workflow, possible outcomes include Deleted, Exempted, Opted-out, Record not found, and Pending. The same page explains that brokers may take up to 90 days to report how they handled a request.
Who must comply under the Delete Act?
The SB 362 bill text defines a data broker as a business that knowingly collects and sells personal information to third parties about a consumer with whom the business does not have a direct relationship.
That definition is the key limit on the law's reach. The law targets companies that collect and sell consumer data without dealing with the consumer directly. It does not automatically apply to every retailer, bank, employer, app, or service provider that has personal data because someone used its service.
What DROP covers — and what it does not
DROP is built for the registered data broker ecosystem, not for every privacy problem a consumer may have. It is a broker-focused deletion tool, not a universal privacy control for all businesses.
If a person wants to exercise broader rights against a business they know and interact with directly, California still points consumers to ordinary CCPA rights and the standard process for submitting a privacy request.
The official DROP guidance also notes that some information may remain because it is exempt by law, and that first-party data given directly to a business is outside what the platform deletes through the broker system. In practice, DROP reduces friction, but it does not solve every privacy issue.
What California residents should do now
Residents who want to use the platform should start with the official DROP portal and the How DROP works walkthrough. The goal is to submit enough identifying information to improve matching and then save the DROP ID for tracking.
It is also worth keeping expectations realistic. A "record not found" or "opted-out" result does not necessarily mean the request failed in every sense; it may mean the broker could not verify a match using the data provided. California explicitly says consumers can return later and add more information if they want to improve matching. A weak match does not always mean the system failed — it may mean the request needs more identifiers.
What businesses should review now
Companies that may qualify as data brokers should review the agency's data broker guidance, the CPPA registration instructions, and the SB 362 text. The first question is not whether a company has personal data, but whether it legally qualifies as a data broker.
For covered entities, the compliance burden is broader than just deleting records. California's materials describe annual registration, recurring access to the deletion mechanism, public disclosures, and later audit obligations. Businesses that are not data brokers may still have separate CCPA obligations through their own privacy request channels.
Enforcement and key dates
The timeline is easier to follow when separated into a few concrete milestones:
January 31 — annual registration deadline
August 1, 2026 — data brokers begin processing DROP requests
At least every 45 days — brokers must access the mechanism on a recurring basis
Up to 90 days — brokers may take this long to report how a request was handled
Penalties may apply for failure to register or comply
These dates matter because DROP is not just a public announcement — it is an operational compliance system with deadlines and enforcement consequences.
Conclusion
DROP matters because it makes one important part of privacy law easier to use in practice. California residents now have one centralized path to reach registered brokers, while broader CCPA rights still apply elsewhere.
The best way to describe DROP is simple: it is meaningful progress, but not a complete solution.
Sources and References
Governor Newsom announces DROP
California data broker registry
