What Is the California DROP System?

DROP, the Delete Request and Opt-Out Platform, is a free online tool being built by the California Privacy Protection Agency (CPPA) under the authority of SB 362, also known as the DELETE Act. When it launches on August 1, 2026, it will allow California residents to submit a single deletion request that reaches every data broker registered with the state.

This is the first government-operated data deletion platform in the United States, and it represents a major shift in how consumers can exercise their privacy rights.

The DELETE Act (SB 362): What the Law Actually Says

SB 362, signed by Governor Gavin Newsom on October 10, 2023, amended the California Civil Code to add several critical requirements:

Key Provisions

Section 1798.99.82(a): The CPPA must establish an "accessible deletion mechanism" allowing consumers to request deletion from all registered data brokers through a single verifiable request.
Section 1798.99.82(b): Data brokers must process deletion requests received through the mechanism within 31 business days (approximately 45 calendar days).
Section 1798.99.80(d): Data brokers must register with the CPPA annually and pay a registration fee. Failure to register carries fines of $200 per day.
Section 1798.99.82(d): Every 45 days after the initial deletion, registered data brokers must delete any newly acquired personal information about the consumer, unless the consumer revokes the request.

That last provision is critical. DROP is not a one-time deletion. It creates an ongoing obligation for data brokers to keep deleting your data every 45 days for as long as you maintain your request.

How DROP Will Work

Based on the CPPA's published rulemaking documents and public board meetings, here is what we know about how the platform will function:

Step 1: Identity Verification

You will need to verify your identity as a California resident. The CPPA has indicated this will likely involve:

A valid California ID or driver's license
Proof of California residency (utility bill, lease agreement, or voter registration)
Possibly integration with California's existing digital identity infrastructure

Step 2: Submit a Deletion Request

Once verified, you submit a single request through the DROP portal. This request is transmitted to every data broker currently registered with the state.

Step 3: Broker Processing

Each registered data broker has 31 business days to process your deletion request. They must:

Search their databases for your personal information
Delete all personal information they hold about you
Confirm deletion to the CPPA

Step 4: Ongoing Protection

After the initial deletion, brokers must check for and delete any newly collected information about you every 45 days. This continues indefinitely unless you revoke your request.

Who DROP Covers (and Who It Does Not)

Covered: Registered California Data Brokers

As of early 2026, approximately 530 data brokers are registered with the CPPA. These include major people-search sites and data aggregators:

Acxiom (now Liveramp)
CoreLogic
Epsilon Data Management
LexisNexis Risk Solutions
Spokeo
BeenVerified
Whitepages (Marchex)
Intelius
PeopleFinder

NOT Covered: Several Important Categories

DROP has significant limitations that consumers need to understand:

1. Unregistered data brokers. Any data broker that fails to register with the CPPA is technically in violation of the law, but their absence from the registry means DROP requests will not reach them. Research suggests hundreds of data brokers operating in the US have not registered.

2. Companies that do not meet California's data broker definition. Under Section 1798.99.80(d), a "data broker" is defined as a business that "knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship." Companies that have a direct relationship with you (your bank, employer, social media platform) are excluded.

3. Data brokers outside California's jurisdiction. Companies operating entirely outside the US or without sufficient California contacts may not comply.

4. AI training data companies. Many AI companies that have scraped personal data for training purposes may not meet the technical definition of "data broker" under California law, though this is an evolving area of litigation.

5. Data already sold before deletion. DROP requires deletion from the broker's systems, but it does not claw back data that has already been sold to third parties. If your information was sold to a marketing firm last month, that copy persists.

DROP vs. Manual Opt-Outs vs. Automated Services

Manual Opt-Out

Opting out of data brokers individually is free but extraordinarily time-consuming:

Time required: Research by Incogni estimates it takes over 304 hours to manually opt out of all known data brokers
Brokers covered: Limited to however many you can find and submit to
Ongoing protection: None. You must repeat the process every few months
Success rate: Variable. Some brokers make opt-out deliberately difficult

California DROP

Time required: Minutes (single request)
Brokers covered: Only the ~530 registered with California
Ongoing protection: Yes, every 45 days (for registered brokers only)
Limitations: California residents only; does not cover unregistered brokers, non-broker data holders, or data already sold

Automated Services (GhostMyData, etc.)

Time required: Minutes (sign up and scan)
Brokers covered: GhostMyData covers 1,500+ data sources, including brokers outside California's registry
Ongoing protection: Continuous monitoring and re-removal
Additional features: Dark web monitoring, privacy score, removal verification, detailed progress tracking

Why DROP Is Not Enough by Itself

DROP is a significant step forward for consumer privacy, but treating it as a complete solution would be a mistake. Here is why:

The Registration Gap

California's registry has approximately 530 data brokers. Independent research has identified over 4,000 data broker companies operating in the US. That means DROP covers roughly 13% of known data brokers.

Many of the most problematic data brokers, particularly smaller people-search sites and fly-by-night operations, have not registered and may never register. These are often the sites that appear first in Google searches for someone's name.

Geographic Limitations

DROP is available only to California residents. If you live in any other state, you have no access to the platform. While other states are considering similar legislation (Texas and Oregon have passed data broker registration requirements), no other state has built a centralized deletion platform.

The 45-Day Window

Even for registered brokers, there is a 45-day gap between deletion cycles. During that window, a broker can collect and use your personal information before the next deletion sweep. For someone actively being stalked, harassed, or targeted by scammers, 45 days is a dangerously long exposure window.

No Enforcement Track Record

As of early 2026, the CPPA has not yet demonstrated significant enforcement action against non-compliant data brokers. The penalties exist on paper ($200/day for failure to register, plus CCPA enforcement), but the agency's enforcement capacity and willingness to pursue violators remains untested.

How DROP Interacts with Existing Privacy Laws

CCPA (California Consumer Privacy Act)

DROP builds on the foundation of the CCPA, which already grants California residents the right to:

Know what personal information a business collects (Section 1798.100)
Delete personal information (Section 1798.105)
Opt out of the sale of personal information (Section 1798.120)
Non-discrimination for exercising privacy rights (Section 1798.125)

DROP essentially automates the deletion right for data brokers specifically, making it practical for consumers to exercise a right that was previously too burdensome.

GDPR (for comparison)

The EU's General Data Protection Regulation provides broader protections under Article 17 (Right to Erasure), which applies to any data controller, not just data brokers. GDPR also requires affirmative consent for data collection in most cases, a standard US law has not adopted. Europeans already have stronger baseline protections, though enforcement varies by member state.

Other State Laws

Several states have enacted or are considering data broker legislation:

Vermont: First state to require data broker registration (2018)
Texas: Data broker registration law passed in 2023
Oregon: Data broker registration and consumer deletion rights (2024)
New Jersey: Consumer data privacy act with data broker provisions (2024)

None of these states have built a DROP-equivalent centralized platform.

The Political and Industry Landscape

Industry Opposition

The data broker industry has lobbied aggressively against the DELETE Act and DROP. The Data & Marketing Association (now the Association of National Advertisers) submitted formal opposition during SB 362's legislative process, arguing that the bill would impose undue compliance costs and disrupt legitimate data-driven marketing.

Industry lobbying efforts have focused on:

Narrowing the definition of "data broker" to exclude as many companies as possible
Extending compliance timelines beyond the 31-business-day requirement
Weakening the ongoing 45-day deletion obligation
Arguing that federal preemption should override state-level privacy laws

Consumer Advocacy Support

Privacy organizations including the Electronic Frontier Foundation (EFF), Consumer Reports, and the California Privacy Rights Advocates have strongly supported DROP. Their advocacy emphasizes that:

Consumers currently bear a disproportionate burden in exercising their deletion rights
The estimated 300+ hours required for manual opt-out across all brokers is an unreasonable barrier
A centralized mechanism is the only practical way to make deletion rights meaningful
California's approach could serve as a model for federal privacy legislation

What This Means for Federal Privacy Law

The American Data Privacy and Protection Act (ADPPA) has been proposed at the federal level but has not passed as of early 2026. If federal legislation eventually passes, it may include a national equivalent of DROP. Until then, California's implementation will serve as the test case that either validates or exposes the challenges of government-operated deletion platforms.

What You Should Do Before DROP Launches

If You Are a California Resident

Do not wait until August 2026. Your data is being sold and used right now. Take action today.
Start removing yourself from data brokers now. Use GhostMyData to scan and remove your data from 1,500+ sources, including all of the brokers in California's registry and thousands more.
Plan to use DROP as a supplement, not a replacement. When DROP launches, use it for the ongoing 45-day deletion cycle, but maintain an automated service for the 1,500+ brokers DROP does not cover.
Freeze your credit at Equifax, Experian, and TransUnion.

If You Live Outside California

You cannot use DROP (at least not yet). Contact your state representatives and advocate for similar legislation.
Use your existing rights. Many data brokers honor CCPA deletion requests from all US residents, even though they are only legally required to honor California residents' requests.
Use an automated removal service. GhostMyData works for residents of all 50 states and covers brokers nationwide. See our pricing and how it works.

Frequently Asked Questions

When does DROP launch?

The DELETE Act requires the CPPA to have the DROP platform operational by August 1, 2026. The CPPA has been conducting rulemaking proceedings throughout 2025 and early 2026 to define the platform's requirements.

Is DROP free to use?

Yes. DROP is a free government service funded by data broker registration fees. There is no cost to consumers.

Do I need to be a California resident?

Yes. DROP is available only to verified California residents. There is currently no federal equivalent, though legislation has been proposed.

Will DROP delete my data from Google?

No. Google is not a data broker under California's definition because it has a direct relationship with its users. However, Google does offer a "Results About You" tool that allows you to request removal of personal information from search results.

How is DROP different from GhostMyData?

DROP covers approximately 530 registered California data brokers with 45-day deletion cycles. GhostMyData covers 1,500+ data sources nationwide with continuous monitoring and immediate re-removal. DROP is free and government-operated; GhostMyData is a paid service with broader coverage and faster response times. The two are complementary, not competing.

What if a data broker ignores my DROP request?

The CPPA has enforcement authority to fine non-compliant data brokers. If a registered broker fails to process a DROP deletion request within 31 business days, you can file a complaint with the CPPA. Penalties can include administrative fines and CCPA enforcement actions.

Does DROP cover data that has already been sold?

No. DROP requires data brokers to delete your information from their own systems, but it does not affect copies that have already been transmitted to third-party purchasers. This is one reason ongoing protection through a service like GhostMyData is important: your data is continuously recollected and resold.