The Delete Request and Opt-out Platform (DROP): California’s One-Click Delete Button for Data Broker Data

POSTED ON JUNE 24, 2026 BY DATA SECURE
AUTHOR NAME: Ganesh Nair, Privacy Consultant
breach

Introduction

In 2023, The California legislature passed the senate bill 362 which is commonly referred to as the California Delete Act (Data Elimination and Limiting Extensive Tracking and Exchange Act) . The Act allows California residents, (referred to as “consumers” under the CCPA) to request the deletion of their personal data. Even though CCPA (California Consumer Privacy Act) gave rights to consumers to request the deletion of personal information collected by business, the Delete Act focuses on a harder problem i.e. data brokers. A data broker“ is a business that collects personal information about consumers from various sources and sells that information to other companies, even when the consumer did not interact with the business for its products or services”. Data brokers often collect and sell information about people who have never directly interacted with them .

The Delete Act introduces DROP (The Delete Request and Opt-out Platform). This enables an individual to send one deletion request to many data brokers instead of contacting each company separately. If an entity functions as a data broker as per Cal. Civ. Code § 1798.99.80 , it must register annually with the California Privacy Protection Agency (CPPA) / Data Broker Registry. DROP became operational in January 2026; consumers were allowed to submit their deletion requests and by August 2026 data brokers are obligated to begin the processing of such requests.

The CCPA Right to Delete and Its Practical Limits

breach

The CCPA has granted California residents with several important privacy rights- these include the right to know what personal information businesses collect, the right to delete personal information, the right to opt out of sale or sharing, the right to correct inaccurate information, and the right to limit use of sensitive personal information. The right to deletion is a key aspect of this framework, this right in theory allows a consumer to ask businesses to delete their personal information subject to legal exceptions.

However, the right to delete is easier to state than to exercise. Before the DROP, if a California resident to get all the data deleted about them had to identify all the relevant brokers, find each broker’s privacy or deletion page and submit the response and repeat this process with different brokers. This entire process was burdensome as the data brokers usually operated outside the consumers’ direct line of sight. Even when a consumer finds a broker, the deletion process may be confusing, hidden, or designed with friction. Researches in the past have repeatedly shown that privacy choices are often undermined by hard-to-find links, complicated forms, unclear language, and design patterns that discourage consumers from exercising their right.

Why DROP Was Needed: The Practical Problem with Data Deletion

The Delete Act helps plug in a practical loophole in CCPA. The gap was not that the “right to delete” didn’t exist, rather the problem was that deletion rights were difficult to use at scale. When numerous data brokers can collect and resell personal information, then a consumer -by-consumer, broker-by-broker deletion model imposes most of the burden on the consumer. That burden is particularly unfair because the consumer often never chose to interact with the data broker in the first place.

DROP was needed because the traditional systems assumed that an average consumer had the time, knowledge and persistence to get their data deleted from brokers, which most people do not have. Even if they were managed to successfully get their data deleted the data broker might be able to obtain the same information again from some other source. Without a recurring deletion obligation, the deletion was temporary at best.

Earlier, Data brokers would end up collecting and storing billions of data elements, which often included sensitive data such as behavioural data, health data, geo location and information of children etc. The Delete Act requires data brokers to make registration disclosures where they are explicitly required to stated whether they collect categories of data such as minors’ information, precise geolocation, reproductive health care data, biometric data, union membership, gender identity, citizenship or immigration status, and whether they have shared or sold data to government entities, law enforcement, foreign actors, or developers of generative AI systems.

With these measures DROP rebalances the burden of privacy enforcement. Instead of requiring every consumer to chase hundreds of companies, the state creates a mechanism that data brokers must check and honour.

How DROP Works

DROP is designed to be an “accessible deletion mechanism”. A Californian resident through a single request, without paying any fee can ask every registered data broker and their associated service provider or contractors to delete the personal information which the brokers have stored about them.

The statute also allows a consumer to selectively exclude specific data brokers from a deletion request, which is important because a consumer might want some brokers to retain information for a legitimate purpose while deleting information from others.

The statute requires data brokers to access the mechanism once in every 45 days to process the request and honour the deletion request

Data Broker Obligations Under the Delete Act

breach

The oncoming DROP has created operational duties rather than symbolic obligations for data brokers, such as:

  1. The data broker must delete the consumer’s personal data within 45 days of receiving such a request.
  2. The data broker must ensure that the deletion of data is carried out by all the associate service providers and contractors with whom the data has been shared with.
  3. After receiving a deletion request from the consumer, the data broker must continue deleting that consumer’s personal information at least once every 45 days, unless the consumer requests otherwise or an exemption applies. This prevents recollection of the same data by other sources.
  4. The broker is prohibited from selling or sharing new personal information about consumer after deletion, subject to statutory exceptions.
  5. If the data broker is unable to verify the identity of the consumer, then the broker cannot ignore the request in its entirety. The data broker in such cases must then process the request as an as an opt-out of sale or sharing within 45 days, subject to the relevant CCPA limitations and exceptions. This helps to overcome the verification problems, which have been a point of friction in such instances in the past.
  6. Data brokers must register annually with the CPPA and provide required information and disclose metrics such as the number of requests received, complied with, denied, and the average time for response.
  7. Post January 1, 2028, data brokers must undergo third party independent audits every three years to assess compliance with delete act.
  8. 8. Failure to comply with these obligations may attract a fine of $200 fine per deletion request per day.

Why ‘DROP’ Centralisation Matters?

breach

Centralisation is the key thought behind the introduction of DROP. The need for such a mechanism became evident from the persistent barriers consumers faced when attempting to exercise their privacy rights against data brokers through individual company processes.

Research on Data broker compliance with California privacy law (Anna Maria et.al) shows why DROP was necessary. The research found that only 9% of registered data brokers were fully compliant with transparency requirements after the Delete Act took effect. They conducted an audit of 250 data brokers where it was found that 43% of such data brokers made it impossible for consumers to exercise all privacy rights where as 64% of them had introduced at least one design on their website which created substantial friction for the consumer to access such rights.

Similarly, another study on Exploring Data Brokers’ CCPA Compliance (Elina van Kepen et.al) substantiates the above-mentioned claims as they found that more than 40% of officially registered data brokers failed to respond to access requests. While the ones who responded to such requests further asked the consumers for additional personal information for verification which was not included in the previously collected data thereby creating a new privacy risk for exercising one’s right.

A recent investigative piece by the Markup/CalMatters found that many data brokers deliberately hid opt-out and deletion pages from search engine results making it harder for a consumer to find such pages and use them. The investigation further revealed that 35 of 499 registered data brokers used code that prevented certain privacy pages from appearing in search results and thereby staying out of the consumers line of sight.

Therefore, the creation of a state-run centralised platform was essential, as it enables a consumer exercise their rights and it helps them to overcome such deliberate frictions and unhealthy practices adopted by the data broker companies.

Limitations of DROP

The Delete Act and DROP represent a major evolution in California privacy law. However, it does have its limitations, for example- the law is strictly applicable to data brokers only, it does not apply to every business that collects personal information of a consumer. Businesses with a direct relationship to the consumer are still governed by general CCPA obligations rather than DROP. Along with these there are certain entities that are excluded from the scope of DROP if they are covered by laws like- Fair Credit Reporting Act, the Gramm-Leach-Bliley Act and the Insurance Information & Privacy Protection Act. A data broker also does not have to delete information if the consumer data falls under CCPA exemptions such as security, legal compliance, fraud prevention, or other permitted purposes. Lastly the Delete Act also does not create an obligation to erase any public records at source and only targets personal information held by registered data brokers.

Conclusion

DROP solves a major gap in right to request deletion under California privacy law. The CCPA gave consumers the right to request deletion of their personal information but it was difficult to use this right in practice against data brokers. The challenge for consumers was that they did not know which brokers had their data, how to contact them, or whether deletion requests would be honoured.

Delete Act through DROP was able to create a centralized mechanism for consumers to submit one deletion request multiple registered data brokers, thus shifting the burden away from consumers and placing compliance obligation on data brokers.

Although it may not be complete solution to practice right of deletion as it does not apply to all businesses and also may be subjected to certain legal exceptions. But it is a great initiative which allows the transforming data deletion from a fragmented, individual effort into a more streamlined system that gives consumers greater control over their personal information.

We at Data Secure (Data Privacy Automation Solution) DATA SECURE - Data Privacy Automation Solution  can help you to understand Privacy and Trust while lawfully processing the personal data and provide Privacy Training and Awareness sessions in order to increase the privacy quotient of the organisation.

We can design and implement RoPA, DPIA and PIA assessments for meeting compliance and mitigating risks as per the requirement of legal and regulatory frameworks on privacy regulations across the globe especially conforming to GDPR, UK DPA 2018, CCPA, India Digital Personal Data Protection Act 2023. For more details, kindly visit DPO India – Your outsourced DPO Partner in 2025 (dpo-india.com).

For any demo/presentation of solutions on Data Privacy and Privacy Management as per EU GDPR, CCPA, CPRA or India DPDP Act 2023 and Secure Email transmission, kindly write to us at info@datasecure.ind.in or dpo@dpo-india.com.

For downloading the various Global Privacy Laws kindly visit the Resources page of DPO India - Your Outsourced DPO Partner in 2025

We serve as a comprehensive resource on the Digital Personal Data Protection Act, 2023 (Digital Personal Data Protection Act 2023 & Draft DPDP Rules 2025), India's landmark legislation on digital personal data protection. It provides access to the full text of the Act, the Draft DPDP Rules 2025, and detailed breakdowns of each chapter, covering topics such as data fiduciary obligations, rights of data principals, and the establishment of the Data Protection Board of India. For more details, kindly visit DPDP Act 2023 – Digital Personal Data Protection Act 2023 & Draft DPDP Rules 2025

We provide in-depth solutions and content on AI Risk Assessment and compliance, privacy regulations, and emerging industry trends. Our goal is to establish a credible platform that keeps businesses and professionals informed while also paving the way for future services in AI and privacy assessments. To Know More, Kindly Visit – Your Trusted Partner in AI Risk Assessment and Privacy Compliance | AI-Nexus