California DELETE Act: How the DROP Platform Actually Works in 2026

What Is the California DELETE Act?

The California DELETE Act, formally known as SB 362, is a state law signed by Governor Gavin Newsom on October 10, 2023. It amends the California Civil Code to require the California Privacy Protection Agency (CPPA) to build a free, centralized platform that allows consumers to submit a single data deletion request to every data broker registered with the state of California.

The law is significant because it addresses a fundamental problem with existing privacy rights: even though the CCPA already gave Californians the right to request data deletion from individual companies, exercising that right across hundreds of data brokers was so time-consuming that very few consumers actually did it. Research has estimated that manually opting out of all known data brokers takes over 300 hours. The DELETE Act turns a theoretical right into a practical one by creating a single point of submission.

SB 362 builds on California's existing data broker registration requirement (Civil Code Section 1798.99.80), which has required data brokers to register with the state since 2019. As of early 2026, approximately 530 data brokers are registered — making California's registry the most comprehensive in the nation.

What Is DROP (Delete Request Orchestration Platform)?

DROP is the official name for the platform the CPPA is building to implement the DELETE Act. The name stands for Delete Request Orchestration Platform, and it represents the first government-operated data deletion system in the United States.

The platform's core function is straightforward: a California resident submits one deletion request through DROP, and that request is automatically transmitted to every data broker in California's registry. Each broker is then legally required to delete the consumer's personal information within 31 business days and to continue deleting any newly collected data about the consumer every 45 days thereafter.

That ongoing obligation is what distinguishes DROP from a one-time opt-out. When you submit a request through DROP, you are not just asking brokers to delete your data today. You are establishing a recurring deletion obligation that continues indefinitely unless you revoke the request. Every 45 days, registered brokers must check for and delete any new personal information they have collected about you.

The CPPA has been conducting formal rulemaking proceedings throughout 2025 and into 2026 to define the technical and operational requirements for DROP. The platform must be operational by August 1, 2026, as mandated by SB 362.

Who Qualifies to Use DROP

DROP is available exclusively to California residents. This is a legal requirement of SB 362, which is grounded in California's authority to regulate businesses operating within its jurisdiction on behalf of its residents.

To use DROP, you will need to verify your identity and California residency. Based on the CPPA's published rulemaking documents and public board meeting discussions, the verification process will likely require:

• A valid California-issued ID: Driver's license, state identification card, or California Real ID
• Proof of current California residency: This may include a utility bill, lease agreement, mortgage statement, or voter registration confirmation showing a California address
• Digital identity verification: The CPPA has discussed integrating with California's digital identity infrastructure to streamline verification

If you are not a California resident, you cannot use DROP. There is currently no federal equivalent, although legislation has been proposed. Other states with data broker registration laws (Vermont, Texas, Oregon) have not built centralized deletion platforms.

If you live outside California, your primary tools for data deletion are: (1) manual opt-out requests to individual brokers, (2) CCPA deletion requests sent directly to brokers (which many brokers honor regardless of residency, though they are only legally required to honor California residents' requests), and (3) automated data removal services like GhostMyData that handle the process nationwide.

How to Submit a DELETE Request Through DROP: Step by Step

The following walkthrough is based on the CPPA's published platform specifications as of early 2026. The exact interface may differ slightly when DROP officially launches, but the core process has been defined through rulemaking.

Step 1: Access the DROP Portal

Navigate to the CPPA's website. DROP will be accessible through the California Privacy Protection Agency's official domain. You may reach it directly at the DROP URL (to be published at launch) or through the CPPA's main navigation.

Step 2: Create an Account and Verify Your Identity

You will need to create an account on the DROP platform. This account serves two purposes: verifying your identity as a California resident and providing a dashboard where you can track the status of your deletion requests.

During account creation, provide your:

• Full legal name
• Current California address
• Date of birth
• California ID number or other government identification
• Email address and phone number for account access

The CPPA will verify your identity against California state records. This verification process may take a few minutes to a few business days, depending on the method used.

Step 3: Submit Your Deletion Request

Once your identity is verified, you can submit a deletion request. The request form will ask you to provide the personal information you want deleted from data broker databases. This typically includes:

• Your full name and any known aliases
• Current and previous addresses
• Phone numbers
• Email addresses
• Date of birth

The more complete the information you provide, the more effectively brokers can locate and delete your records. If you only provide your name and one address, a broker that has you listed under a previous address may not match the record.

Step 4: Review and Confirm

Before submission, review the information you have provided. Confirm that you want this request transmitted to all registered data brokers in California's registry. You will also be asked to acknowledge:

• That the request creates an ongoing 45-day deletion obligation for registered brokers
• That the request covers only brokers registered with the CPPA
• That you can revoke the request at any time

Step 5: Monitor Your Request Status

After submission, your DROP dashboard will show the status of your request. Each registered broker must confirm deletion within 31 business days. The CPPA will track broker compliance and flag any brokers that fail to respond within the required timeframe.

You should periodically check your dashboard to ensure brokers are processing your request on time. If a broker is non-compliant, you can file a complaint directly through the DROP platform.

Which Brokers Are Covered — and Which Are Not

This is the most critical distinction to understand about DROP, because it defines the boundary between what the platform can and cannot do for your privacy.

Covered: California-Registered Data Brokers (~530)

As of early 2026, approximately 530 data brokers are registered with the CPPA. These include a mix of:

• People-search sites: Spokeo, BeenVerified, Whitepages (Marchex), Intelius, PeopleFinder
• Enterprise data brokers: Acxiom (LiveRamp), CoreLogic, Epsilon, LexisNexis Risk Solutions, Oracle Data Cloud
• Marketing and analytics companies: Nielsen, Datalogix, IRI, Bombora
• Credit and financial data companies: Experian (consumer marketing division), TransUnion (marketing services)
• Advertising technology firms: Various companies in the programmatic advertising ecosystem

These are the companies that will receive your deletion request through DROP.

NOT Covered: The Thousands of Unregistered Brokers

California law requires data brokers to register with the CPPA and pay an annual registration fee. The penalty for failure to register is $200 per day. Despite this, a significant number of data brokers operating in the United States have not registered. Independent research has identified over 4,000 data broker companies operating in the US, meaning DROP's registry covers approximately 13% of the known data broker landscape.

The unregistered brokers fall into several categories:

Smaller people-search sites: Dozens of people-search sites have not registered with California. These are often the sites that appear prominently in Google results when someone searches your name — sites like PeopleSearchNow, USPhoneBook, ClustrMaps, Nuwber, and many others. Some are based outside the US. Others are small operations that have simply ignored the registration requirement.

Fly-by-night aggregators: Sites that scrape data from other sources and repackage it under new domains appear and disappear frequently. They are unlikely to register with any state authority.

Out-of-state operators: Companies that operate entirely outside California and claim no California contacts may argue they are beyond the CPPA's jurisdictional reach. The legal question of whether California can compel registration from a company with no physical California presence is not fully settled.

Companies that dispute the "data broker" classification: Some companies argue they do not meet California's legal definition of a data broker because they have a "direct relationship" with the consumers whose data they collect. This is a gray area that the CPPA has not fully adjudicated.

Also NOT Covered: Non-Broker Data Holders

DROP specifically targets data brokers — companies whose primary business involves collecting and selling personal data about people they have no direct relationship with. The following categories of companies are not covered:

• Social media platforms (Facebook, Instagram, TikTok, X, LinkedIn) — these have a "direct relationship" with users
• Banks and financial institutions — regulated under separate financial privacy laws
• Healthcare providers — regulated under HIPAA
• Employers — regulated under employment law
• Government agencies — public records are outside DROP's scope
• AI training companies — the legal classification of AI companies as "data brokers" is still evolving

Processing Timeline: The August 2026 Deadline

SB 362 mandates that the CPPA have DROP operational by August 1, 2026. Here is the expected timeline:

August 1, 2026: DROP launches and begins accepting consumer deletion requests.

August through September 2026: The first batch of deletion requests is transmitted to registered brokers. Each broker has 31 business days (approximately 45 calendar days) to process the initial round of deletions.

October 2026 onward: The 45-day recurring deletion cycle begins. Brokers must check for and delete any newly collected data about consumers who have submitted DROP requests.

It is important to set realistic expectations. The first months of DROP's operation will involve significant processing volume as the initial wave of California residents submits requests. Brokers may experience delays, technical issues, or confusion about how to handle DROP requests alongside their existing CCPA deletion processes.

The CPPA has indicated it will monitor broker compliance and use enforcement actions against non-compliant companies. However, the agency's enforcement track record is still developing, and the first months of DROP will be a test of both the platform's technical capabilities and the CPPA's willingness to penalize violations.

DROP's Limitations

Understanding DROP's limitations is essential for anyone who plans to use the platform as their primary privacy protection strategy.

Geographic restriction: Only California residents can use DROP. The other 49 states have no equivalent platform. If you move out of California, your ongoing deletion requests through DROP may become invalid.

Registry coverage gap: DROP covers approximately 530 registered brokers out of an estimated 4,000+ operating in the US. The remaining brokers — including many of the most visible people-search sites — are outside the system.

45-day exposure window: Between deletion cycles, brokers can collect and use your personal information. For someone facing an immediate safety threat (stalking, domestic violence, active fraud), 45 days is a dangerously long gap.

No data recall: DROP requires brokers to delete data from their own systems, but it does not affect copies of your data that were sold to third parties before the deletion request was processed. If Broker A sold your data to Company B last month, DROP deletes it from Broker A but Company B still has it.

No non-broker coverage: DROP does not reach social media platforms, AI companies, marketing agencies that bought your data, or any other entity that is not classified as a data broker under California law.

Enforcement is untested: As of early 2026, the CPPA has not demonstrated significant enforcement against non-compliant data brokers. The penalties exist in the statute ($200/day for failure to register, plus CCPA enforcement for failure to process deletion requests), but the agency's willingness and capacity to pursue violators at scale is unproven.

DROP vs. GhostMyData: Coverage Comparison

Factor

California DROP

GhostMyData

Data sources covered	~530 registered CA brokers	1,500+ brokers nationwide
Geographic eligibility	California residents only	All 50 US states
Cost	Free	$9.99/month (Pro)
Deletion cycle	Every 45 days	Continuous monitoring
People-search site coverage	Partial (only registered sites)	Comprehensive (including unregistered)
Enterprise broker coverage	Strong (major brokers registered)	Strong (CCPA legal requests)
Re-listing detection	Relies on broker self-reporting	Active re-scan verification
Time to process	31 business days per broker	Varies by broker (24 hrs to 45 days)
Non-CA broker coverage	None	Full nationwide coverage

The two are genuinely complementary. DROP provides a free, legally mandated baseline for California residents that covers registered enterprise brokers particularly well. GhostMyData extends coverage to the 1,500+ data sources that DROP does not reach, provides faster re-listing detection, and works for residents of all 50 states.

For California residents, the optimal strategy is to use both: submit a DROP request when the platform launches for the ongoing 45-day deletion cycle with registered brokers, and use GhostMyData for the broader data broker ecosystem that DROP does not cover.

Automate Your Privacy with GhostMyData

The California DELETE Act and DROP represent a meaningful step forward for consumer privacy. But with approximately 530 brokers covered out of more than 4,000 operating nationally, DROP alone leaves significant gaps in protection — especially for the people-search sites that are most likely to expose your name, address, and phone number to anyone who searches for you.

GhostMyData scans 1,500+ data broker sites, submits removal requests using the strongest applicable privacy law for your state, and continuously monitors for your data reappearing. Whether you live in California and want to supplement DROP, or you live in any other state and need comprehensive coverage, GhostMyData handles the process.

Start your free privacy scan to see which data brokers have your personal information — including the ones that have not registered with California.

Frequently Asked Questions

When does the DROP platform launch?

The DELETE Act (SB 362) requires the CPPA to have DROP operational by August 1, 2026. The CPPA has been conducting formal rulemaking proceedings throughout 2025 and 2026 to define the platform's technical and operational requirements. The exact launch date within the August 2026 window has not been announced.

Is DROP free to use?

Yes. DROP is a government service funded by annual registration fees paid by data brokers. There is no cost to consumers.

Can I use DROP if I used to live in California but moved?

DROP requires current California residency at the time of submission. If you move out of California after submitting a request, the ongoing status of your deletion request is an open question that the CPPA's rulemaking has not fully addressed. It is possible that your request would remain active, but this has not been confirmed. The safest approach is to supplement DROP with a service that does not depend on state residency.

Does DROP cover people-search sites like Spokeo and BeenVerified?

Some of them. Spokeo, BeenVerified, Whitepages (Marchex), and Intelius are registered with California and will be covered by DROP. However, many people-search sites — particularly newer and smaller ones — have not registered. If a site is not in California's registry, DROP cannot reach it. GhostMyData covers both registered and unregistered people-search sites.

What happens if a broker ignores my DROP request?

Registered data brokers that fail to process a DROP deletion request within 31 business days are in violation of SB 362 and subject to enforcement by the CPPA. Penalties can include administrative fines (the CCPA allows fines of $2,500 to $7,500 per violation) and referral to the California Attorney General. You can file a complaint directly through the DROP platform if a broker does not comply.

Related Reading

• CCPA vs GDPR: Your Privacy Rights Explained
• CCPA Data Deletion Request: Complete Guide
• California DROP System: The New Delete Request Platform Explained
• How to Opt Out of Data Brokers in Bulk