A New Era of Data Deletion: Inside California’s DROP System

On January 1, 2026, the California Privacy Protection Agency (CalPrivacy, as it is now known) will launch the Data Rights Opt-out Platform (DROP System), an online tool enabling California residents to send a single request to over 500 data brokers requiring them to delete their personal information.

Who Are Data Brokers
Data brokers are companies that collect and sell personal information without directly interacting with consumers, and they must register with the CPPA and integrate with the DROP System. Data brokers often obtain your email, phone number, browsing history, or location data, and make inferences about your interests or characteristics from this data.

How the System Works for Consumers
The DROP System aims to make it much easier for Californians to exercise their right to delete their personal information. Through a secure online portal, users will be able to verify their California residency, choose which data brokers to contact, and track their requests using a unique DROP ID. The system will ask California residents to provide information about themselves such as their name, date of birth, phone number, and email address, in addition to device identifiers such as Mobile Advertising IDs (MAIDs). The more identifiers you provide, the more likely a data broker will be able to match your information to data in their system and delete your data. To protect user information, the DROP System will use multi-factor authentication and encrypted (hashed) data transmission.

Implementation Timeline

  • January 1, 2026 – DROP System opens to California residents.
  • August 1, 2026 – Data brokers begin processing deletion requests every 45 days.

Data Broker Response Requirements
When a broker receives a request, it must delete the consumer’s entire record if any identifier matches its records. When processing a deletion request, data brokers must assign one of four standardized response statuses. A request marked “Deleted” means the consumer’s non-exempt personal information has been fully removed. “Exempt” indicates that certain data cannot legally be deleted, and the broker must explain why. “Opted Out” applies when full deletion isn’t possible, but the consumer’s information is blocked from being sold or shared in the future. Finally, “Record Not Found” means the broker couldn’t locate any data matching the identifiers submitted in the request.

Data Broker Obligations
Data brokers will face several new compliance requirements, including:

  • Annual registration with the CPPA, including a $6,000 fee.
  • Completion of deletion requests within 45 days of receipt.
  • Maintenance of suppression lists to prevent re-collection or resale of deleted data.
  • Audit trail creation documenting each deletion response.
  • Reporting of data sales to specified entities, including foreign actors, AI developers and federal government agencies.

Enforcement and Penalties
To ensure compliance, the CPPA will impose penalties of $200 per day per consumer for noncompliance. Beginning in 2028, data brokers will also undergo independent audits, and consumers will have access to a formal complaint process for unresolved or disputed deletion requests.