TL;DR: On January 1, 2026, California launches DROP, the Delete Request and Opt-Out Platform. Submit one request and it goes to every registered data broker in the state. Brokers must check the platform every 45 days and respond within 45 days. The CPPA has already filed 8 enforcement actions against non-compliant data brokers. One company got fined $55,400 just for failing to register. If you're a California resident, this is the easiest way to mass-delete your personal data.
What DROP Actually Does
DROP is a state-run website where California residents can submit a single deletion request that automatically goes to every registered data broker [1].
The old way: Find each data broker individually. Navigate their opt-out process. Submit separate requests. Repeat dozens of times. Hope they comply.
The new way: One form. One submission. Every data broker gets the request.
Here's how it works:
- You submit a deletion request through DROP
- Data brokers must check DROP at least every 45 days
- They must update your request status within 45 days of receiving it
- Failure to comply means enforcement action from the CPPA
California Is Actually Enforcing This
The California Privacy Protection Agency isn't waiting around. On December 17, 2025, they issued an enforcement advisory warning data brokers to register immediately [1].
The numbers so far:
- 8 enforcement actions already initiated
- $55,400 fine against one Washington-based company for failing to register
- "Strike Force" established specifically for data broker violations
The CPPA calls it the "Data Broker Enforcement Strike Force." They're not being subtle about the crackdown.
What Data Brokers Must Do
Under the Delete Act regulations approved November 13, 2025, data brokers must [1]:
- Register annually with the CPPA
- Disclose information about their data processing practices
- Submit independent audits every three years
- Check DROP at least every 45 days
- Process requests within 45 days
That last requirement matters. It puts a hard deadline on deletion. No more "we'll get to it eventually."
Who Can Use DROP
California residents. That's the legal requirement.
But here's the thing about data brokers: they often can't easily verify where you actually live. If your data is in their systems with a California address (even an old one) you may be able to use DROP.
The platform launches January 1, 2026. The CPPA will host it at a state website (not yet publicly available at time of writing).
What DROP Won't Do
DROP is powerful, but it has limits:
- Only registered brokers: Companies that don't register aren't in the system (though they face fines)
- Only California: Other states don't have this yet
- Data comes back: Brokers can re-acquire your data from other sources
- Not all data holders: Companies that aren't legally "data brokers" aren't covered
This is one tool in the toolkit, not a complete solution. But it's a significant one.
What You Should Do
California Residents
• Bookmark DROP when it launches January 1
• Submit a deletion request immediately
• Set a calendar reminder to re-submit periodically
• Your data gets re-collected; deletion isn't permanent
Everyone Else
• Use our manual opt-out guide
• Consider data removal services like Optery, Incogni, or DeleteMe
• Push your state legislators for similar laws
• California often sets the template others follow
Ongoing Protection
• Minimize data you share going forward
• Use email aliases for signups
• Freeze your credit
• Deletion is reactive; prevention is better
Why This Matters Beyond California
California has a history of setting privacy standards that spread nationally. The CCPA influenced privacy laws across multiple states. DROP could do the same for deletion mechanisms.
Currently, 20 states have comprehensive data privacy laws [2]. Many classify biometric data, location data, and health information as "sensitive" requiring stricter consent. But California is the first with a centralized deletion platform.
If DROP works, if it actually forces data brokers to delete information at scale, expect other states to copy it.
Data brokers are already nervous. The $55,400 fine for just failing to register? That's the warning shot.