According to TechCrunch, California has officially launched the Delete Requests and Opt-Out Platform (DROP), giving residents a single portal to demand data deletion from over 500 registered data brokers. The tool stems from the Delete Act passed in 2023, designed to simplify a previously laborious process that required opting out with each company individually. Brokers are required to start processing these deletion requests in August 2026, and then have 90 days to complete them. If they fail to delete requested data, the penalty is $200 per day plus enforcement costs. The system only applies to brokers who buy and sell data, not to companies’ first-party data, and certain public records are exempt.
How DROP actually works
Here’s the thing: the process is simple on the user’s end but incredibly complex on the backend. You verify you’re a California resident, submit a request through the official DROP site, and that’s it. Your request is then, in theory, propagated to every current and future broker registered with the state. But that “in theory” is doing a lot of work. The system has to authenticate you, format and transmit your request to hundreds of disparate companies, and then track compliance. It’s a massive logistical undertaking that explains the long lead time. They basically built a bureaucratic API for your privacy rights.
The 2026 catch
Now, the big caveat everyone’s talking about: August 2026. That’s when brokers have to start processing requests. So if you submit today, it goes into a queue that won’t even be touched for over two years. That feels like a lifetime in tech, right? The state says this gives brokers time to build their own systems to handle the influx. But it also gives them two more years of business-as-usual data hoarding. It’s a classic compromise between enacting a bold law and the practical reality of forcing an entire shadow industry to change its ways.
What gets deleted (and what doesn’t)
This isn’t a magic “erase me from the internet” button. And it’s important to understand the limits. First-party data—the info a company collects directly from you, like your Amazon purchase history—is untouched. DROP only targets the brokers in the middle. Also, data from public records (vehicle registration, voter info) is exempt. Sensitive health data might be covered under HIPAA instead. So, will it stop unwanted calls and lower identity theft risk, as the California Privacy Protection Agency hopes? Probably, to a degree. But your data has a way of replicating. Deleting it from 500 sources doesn’t mean a new broker won’t scrape it from somewhere else tomorrow.
A new model for privacy
Look, despite the delays and limitations, this is a huge deal. It shifts the burden from the individual, who could never realistically opt-out of hundreds of sites, to the industry and the regulator. It treats data brokering as a systemic problem needing a systemic solution, not just a personal responsibility. The $200-a-day penalty for non-compliance is a real financial stick. If this works in California, it sets a blueprint. Other states with comprehensive privacy laws, like Colorado, are already watching. The real test won’t be the launch of DROP, but what happens in that 90-day window after August 2026. Will brokers actually comply, or will enforcement be the next big battle?
