California's DROP Platform Is Live. The August 1 Data Broker Deadline Is Four Months Away.

California just made it trivially easy for consumers to delete their personal data from hundreds of data brokers at once. One click. One platform. And starting August 1, 2026, data brokers are legally required to process those requests.

The Delete Request and Opt-Out Platform, known as DROP, went live for consumers in January 2026. It is the first state-hosted tool of its kind: a centralized website where any California resident can submit a single deletion request that gets routed to every registered data broker in the state. The regulations behind it took effect January 1, 2026, after the Office of Administrative Law approved the final rules in November 2025.

If your business collects and sells or shares California consumer data at scale, you need to figure out whether you qualify as a data broker under the Delete Act. Because the compliance deadline is not "someday." It is August 1, 2026.

What DROP actually does

DROP is hosted by the California Privacy Protection Agency (CalPrivacy) at privacy.ca.gov. It allows California consumers to submit a single deletion request that applies to all registered data brokers simultaneously. No need to contact each broker individually. No need to navigate fifty different privacy request forms. One submission covers all of them.

The mechanics are straightforward. A consumer submits their request through DROP. Starting August 1, 2026, data brokers must access DROP at least every 45 days to retrieve new deletion requests. If a consumer's information matches the broker's records, the broker must delete all associated personal data, including inferences derived from that data, unless a specific legal exemption applies. Brokers must report the status of each request back to DROP within 45 days of retrieving it.

There is also a forward-looking obligation. Brokers must maintain a list of all deletion requests they have processed and ensure that deleted consumer data stays deleted. Re-collecting information from a consumer who has submitted a DROP request is not an option unless the consumer initiates a new relationship.

Who qualifies as a "data broker" under the Delete Act

This is the question that trips up most businesses, because the definition is broader than most people assume.

Under California law, a data broker is a business that knowingly collects and sells or licenses the personal information of consumers with whom the business does not have a direct relationship. The key phrase is "does not have a direct relationship." If consumers do not know you have their data, or if they did not voluntarily provide it to you, you may meet the definition.

The obvious cases are traditional data brokers: companies like people-search sites, background check services, and marketing data providers. But the definition can also reach ad tech companies that collect data through third-party tracking. Analytics firms that aggregate consumer behavior data from partner sites. Lead generation companies. Marketing platforms that enrich customer profiles using purchased or scraped data. And businesses with large customer databases that share or license data to partners.

If your business model involves collecting data about people who have never interacted with you directly, and you sell or license that data, you should be evaluating your status under the Delete Act now. Not in July.

The registration requirement is already in effect

The Delete Act requires data brokers to register with the California Data Broker Registry and pay an annual fee. This requirement is not new. It has been in effect for several years, and the CPPA has been enforcing it aggressively.

In November 2025, CalPrivacy launched a dedicated Data Broker Enforcement Strike Force within its enforcement division. Michael Macko, CalPrivacy's head of enforcement, framed it in terms that leave little room for ambiguity: "We intend to bring the same level of intensity to our investigations into the data broker industry" as federal prosecutors bring to their own strike forces.

The enforcement record backs that up. In 2025 alone, CalPrivacy fined a Florida data broker, a Washington data broker, and served subpoena enforcement actions on a Fortune 500 company. A data broker that was promoting its ability to dig up "scary" amounts of personal information was forced to shut down entirely. The agency's 2024 investigative sweep led to a record number of enforcement actions and is still ongoing.

If your business meets the data broker definition and has not registered, you are already non-compliant. The DROP deadline on August 1 adds a second layer of obligation on top of an existing one.

What the August 1 deadline requires

Starting August 1, 2026, registered data brokers must:

• Access DROP at least every 45 days to retrieve consumer deletion requests.
• Match incoming requests against their records. If a match exists, delete all associated personal data, including inferences.
• Report the status of each request back to DROP within 45 days of retrieval.
• Maintain a permanent deletion log to ensure previously deleted data is not re-collected.
• Continue honoring all previously processed requests on an ongoing basis.

The 45-day retrieval cycle is the minimum. Brokers can check more frequently, but they cannot check less often. Miss a cycle and you have a compliance gap that CalPrivacy can identify directly through the platform, because DROP tracks when brokers last accessed it.

The deletion requirement includes inferences. That is worth highlighting because many businesses maintain derived data products built on raw consumer information. Consumer segments, risk scores, behavioral profiles, purchasing propensity models. If those inferences are tied to a consumer who submits a DROP request, they need to be deleted too.

Why this changes the compliance math

Before DROP, a consumer who wanted their data deleted from data brokers had to identify each broker individually, find each broker's privacy request mechanism, submit separate requests, and follow up on each one. The friction was enormous. Most consumers never bothered.

DROP removes that friction entirely. One submission covers every registered broker. CalPrivacy has said publicly that they expect significant consumer adoption, and the platform's simplicity makes that a reasonable prediction.

For data brokers, this means the volume of deletion requests is likely to increase by orders of magnitude. Instead of receiving a handful of individual requests per month, brokers may face thousands of requests flowing through DROP on a regular basis. That has real operational implications. You need systems that can ingest, match, process, and report on deletion requests at scale. Manual workflows will not survive this.

Practical steps to take before August 1

If you have determined that your business qualifies as a data broker, or if you are still evaluating, here is what should be on your timeline right now.

1) Register with the California Data Broker Registry if you have not already

This is not optional and the deadline has already passed. If you are operating as an unregistered data broker, you are in violation today, and the Strike Force is actively looking for exactly this pattern.

2) Map your data to understand what you hold and where it lives

You cannot process deletion requests if you do not know what data you have. Map every data store that contains California consumer information, including derived data products, partner-shared datasets, backup systems, and analytics platforms. This is the same data mapping exercise required for CCPA cybersecurity audits, so if you have already completed that work, you are ahead.

3) Build or buy a deletion processing pipeline

You need a system that can receive deletion requests from DROP, match them against your records, execute deletions across all relevant data stores, confirm completion, and report back to DROP within the 45-day window. If your data architecture is complex, this may require engineering work. Start now, not in July.

4) Account for inferences and derived data

Deletion under DROP includes inferences. If you generate consumer profiles, segments, scores, or models based on personal information, your deletion pipeline needs to reach those derived datasets too. This is where many businesses will discover gaps in their data architecture.

5) Establish a permanent suppression list

The regulations require that deleted data stays deleted. You need a mechanism to prevent re-collection of data for consumers who have submitted DROP requests. This typically means maintaining a hashed suppression list that your data ingestion processes check before adding new records.

The enforcement trajectory is clear

CalPrivacy has been building toward this moment for over a year. The Data Broker Enforcement Strike Force, the record number of enforcement actions from the 2024 sweep, the public statements from leadership about bringing "intensity" to data broker investigations. None of this is subtle.

Tom Kemp, CalPrivacy's Executive Director, put the rationale plainly: "Data brokers pose unique risks to Californians through the industrial-scale collection and sale of our personal information. The widespread availability of digital dossiers makes it easier for our personal information to be weaponized against us."

DROP gives CalPrivacy something it did not have before: a centralized system where it can directly observe whether brokers are retrieving and processing deletion requests on schedule. Compliance gaps will be visible to the regulator in real time, not just during investigations. That changes the enforcement dynamic significantly.

If your business is subject to the Delete Act and you are not ready for August 1, the time to fix that is now. Four months goes fast when you are building data deletion infrastructure from scratch.