California’s DROP platform enables one-click data deletion across all registered data brokers, reshaping consumer privacy and compliance requirements.
California's DROP Platform: Delete Your Data From Every Registered Data Broker With One Request
For years, getting your personal information removed from data broker databases meant sending individual requests to dozens of companies, each with its own process, timeline, and set of exceptions. California just changed that.
On January 1, 2026, California launched the Delete Request and Opt-Out Platform (DROP). This first-of-its-kind system lets any California resident submit a single deletion request to every registered data broker in the state, simultaneously and for free. Starting August 1, 2026, data brokers will be legally required to process those requests or face fines of $200 per request per day of noncompliance.
This article explains how DROP works, what it means for consumers and businesses, and how the rest of the country compares, including what companies in other states should be doing right now to handle data deletion requests on their own.
What is California's DROP platform?
Quick definition
DROP (Delete Request and Opt-Out Platform) is a free, government-operated system run by the California Privacy Protection Agency (CPPA) that allows California residents to submit one deletion request that reaches every registered data broker in the state at the same time. It is the first centralized data deletion system of its kind in the United States.
DROP was created under California's Delete Act (SB 362), signed into law in 2023 and was launched for consumer submissions on January 1, 2026. Requests submitted before August 1, 2026, are queued, with data brokers legally required to check the platform every 45 days and process outstanding requests after that date.
Before DROP, California residents already had the right to request data deletion from individual companies under the California Consumer Privacy Act (CCPA), however DROP makes that right dramatically easier to exercise; instead of tracking down each broker separately, one submission does the work for all of them.
What is a data broker, and why does it matter?
Data brokers are companies that collect and sell personal information, usually without consumers ever interacting with them directly. They gather data from public records, loyalty programs, social media activity, app usage, and purchase histories, then package and sell it to advertisers, employers, insurers, lenders, background check services, and others.
In California alone, over 500 companies are registered as data brokers with the CPPA, and many operate across multiple states simultaneously. The personal data they hold can include names, addresses, phone numbers, email addresses, mobile advertising IDs, financial details, and in some cases sensitive categories such as sexual orientation, biometric data, and government-issued identifiers, categories that California's SB 361 requires data brokers to disclose as part of expanded transparency requirements.
80% of U.S. consumers received at least one data breach notice in 2025, and 68% of global consumers say they are concerned about their privacy online. Data brokers operate largely in the background, making it difficult for most people to know where their data is going, let alone request its deletion.
How to use the DROP platform: step by step
Go to privacy.ca.gov/drop and create an account through the California Identity Gateway.
Verify your California residency. You will need to confirm your identity before your request is accepted.
Submit your identifying information. The platform collects your name, date of birth, phone number, email address, and device identifiers such as mobile advertising IDs (MAIDs). The more identifiers you provide, the more likely brokers are to find and delete a match.
Your request is distributed to all registered brokers. DROP uses encrypted, hashed data transmission and multi-factor authentication to protect the information you submit.
Track your request status. Once the August 1, 2026, enforcement period begins, brokers must assign a response status and report the outcome within 90 days.
The five DROP response statuses
Deleted: The consumer's non-exempt personal information has been fully removed from the broker's systems.
Exempted: Certain data cannot legally be deleted under a statutory exception. The broker must explain which exception applies.
Pending: The request has been received and is actively being processed within the allowed timeframe.
Opted Out: Full deletion is not possible, but the consumer's data has been blocked from future sale or sharing.
Record Not Found: The broker could not locate any data matching the submitted identifiers. Providing additional identifiers, such as a MAID, may improve the match rate.
State-by-state: who has the right to data deletion in 2026?
California's DROP is the most comprehensive consumer data deletion mechanism in the United States, but most Americans do not have access to anything comparable. As of 2026, 20 states have enacted comprehensive privacy laws that include data deletion rights, but none have created a centralized system covering all brokers the way DROP does.
State | Law in effect | Deletion right | Broker registry | Centralized tool |
|---|---|---|---|---|
California | CCPA / CPRA | ✓ Yes | ✓ Yes (500+) | ✓ DROP Platform |
Virginia | CDPA | ✓ Yes | ✗ No | ✗ No |
Colorado | CPA | ✓ Yes | ✗ No | ✗ No |
Connecticut | CTDPA (updated Jul 2026) | ✓ Yes | ✗ No | ✗ No |
Utah | UCPA (updated Jul 2026) | ~ Limited | ✗ No | ✗ No |
Texas | TDPSA | ✓ Yes | ✗ No | ✗ No |
Oregon | OCPA | ✓ Yes | ~ Partial | ✗ No |
Indiana | INCDPA (Jan 2026) | ✓ Yes | ✗ No | ✗ No |
Kentucky | KCDPA (Jan 2026) | ✓ Yes | ✗ No | ✗ No |
Rhode Island | RIDTPPA (Jan 2026) | ✓ Yes | ✗ No | ✗ No |
New Hampshire | NHPDA | ✓ Yes | ✗ No | ✗ No |
New Jersey | NJDPA (Jan 2026) | ✓ Yes | ✗ No | ✗ No |
~30 other states | No comprehensive law | ✗ No | ✗ No | ✗ No |
Source: IAPP US State Privacy Legislation Tracker, MultiState. As of April 2026.
The picture is clear: most Americans have no centralized way to delete their data from brokers, and roughly half of U.S. states have no data deletion rights at all. A consumer's ability to control their own data depends almost entirely on their zip code.
What businesses must do before August 1, 2026
Any business that qualifies as a data broker under California law must take the following steps:
Register with the CPPA and pay the annual $6,000 registration fee through the DROP platform
Create a DROP account and configure it to receive deletion requests
Check DROP at least every 45 days starting August 1, 2026, to retrieve new consumer requests
Process each request by deleting the consumer's non-exempt data and assigning the appropriate response status
Report outcomes to consumers within 90 days of the request being submitted
Document all decisions, including data retained under a statutory exception and the legal basis for retention
Beyond data brokers, any business that processes California consumer data should already have documented processes for handling data subject requests (DSRs) under the CCPA. As Clym's analysis of CCPA deletion obligations outlines, all verified deletion requests must be fulfilled within 45 days, with records maintained for a minimum of 24 months for audit purposes.
How Clym helps businesses handle deletion requests across all 50 states
California's DROP simplifies deletion for consumers, but it does not simplify compliance for businesses. Companies still need to verify consumer identities, process requests within statutory deadlines, document outcomes, and manage the growing patchwork of deletion rights across 20 states and counting.
Clym's consent management and DSR solution handles this automatically, giving businesses:
- A centralised intake widget for all incoming data subject requests, deletion, access, correction, and opt-out
- Automated identity verification workflows that support CCPA, GDPR, and state-specific standards
- Built-in exception handling with documented legal bases so partial deletions are always audit-ready
- Full audit trails maintained for 24 months, ready for CPPA or state AG review
- Coverage across all 20 active U.S. state privacy laws, not just California
For businesses outside California where no DROP equivalent exists, Clym fills that gap, helping consumers in Colorado, Kentucky, Rhode Island, and every other state to exercise their deletion rights, and your business to prove it honoured their request.
What California residents can do right now
The DROP platform is live and accepting requests as of January 2026. Requests submitted before August 1, 2026, are queued but not yet legally required to be processed. Submitting early means your request will be waiting the moment the enforcement window opens.
To get started, visit the California Privacy Protection Agency's data broker portal, create an account, and submit your deletion request with as many identifying details as possible, including your mobile advertising ID, to maximise match rates across brokers.
For consumers in other states, the rights available depend entirely on where you live. Start by checking whether your state has a comprehensive privacy law in effect and what deletion rights it includes. The table above is a useful starting point. From there, you will need to contact individual companies directly; there is no centralized system outside California yet.
Frequently asked questions
DROP stands for Delete Request and Opt-Out Platform. It is a free, state-operated system launched by the California Privacy Protection Agency (CPPA) on January 1, 2026, that allows California residents to submit a single deletion request to every registered data broker in the state simultaneously. It is the first system of its kind in the United States.
Any California resident can use the DROP platform for free. Users must verify their California residency through the California Identity Gateway. Non-California residents do not currently have access.
Starting August 1, 2026, all data brokers registered in California must check the DROP platform at least every 45 days to retrieve and process consumer deletion requests. Failure to comply results in fines of $200 per request per day of noncompliance.
Under the CCPA, businesses may retain personal data after a deletion request if the data is necessary to: complete a transaction; detect security incidents or fraud; comply with a legal obligation; conduct public-interest research; or exercise free speech. Businesses must tell consumers what data was retained and why. A full breakdown is available in Clym's CCPA deletion guide.
DROP applies to any business that qualifies as a data broker under California law and does business in California, regardless of where the company is headquartered. A data broker is a business that knowingly collects and sells or shares personal information about consumers with whom it has no direct relationship.
In states without a centralised deletion system, businesses must handle individual DSRs submitted directly by consumers. They must verify identity, process within the statutory deadline (usually 45 days), document the outcome, and maintain records for audit purposes. Clym automates this entire workflow across all applicable U.S. state privacy laws.
If a broker cannot locate data matching the submitted identifiers, it assigns a 'Record Not Found' status. Providing additional identifiers, such as a mobile advertising ID (MAID) in addition to name and email address, increases the likelihood of a match.
As of 2026, 20 U.S. states have enacted comprehensive consumer privacy laws that include data deletion rights: California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Indiana, Kentucky, Rhode Island, New Hampshire, New Jersey, Delaware, Nebraska, Minnesota, Tennessee, Maryland, and New Mexico. Only California has a centralized deletion mechanism. Residents in all other states must submit requests to each company individually.
Adam is the Head of Digital Marketing at Clym, where he leverages his diverse expertise in marketing to support businesses with their compliance needs and drive awareness about data privacy and web accessibility. As one of the company’s original team members, Adam has been instrumental in shaping its journey from the very beginning. When he’s not diving into marketing strategies, Adam can be found cheering on his favorite sports teams or enjoying fishing.
Find out more about Adam