Introduction: The Dawn of Consumer Data Control
On January 1, 2026, California quietly launched what privacy advocates are calling the most significant consumer data protection mechanism since the EU's GDPR. The Delete Request and Opt-out Platform, known as DROP, represents a fundamental shift in the balance of power between individuals and the multi-billion dollar data broker industry.
For decades, data brokers have operated in the shadows, collecting, aggregating, and selling personal information about hundreds of millions of consumers, often without their knowledge or meaningful consent. These companies know your home address, your income bracket, your health conditions, your political affiliations, and in many cases, far more intimate details about your life than your closest friends.
DROP changes this dynamic. For the first time, California residents can submit a single request that compels every registered data broker to delete their personal information and stop collecting it in the future. No more navigating dozens of different company websites. No more filling out endless opt-out forms. One request. Done.
As someone who has spent over 15 years building identity and access management systems, including scaling a CIAM platform to serve over 1 billion users globally, I've watched the data broker ecosystem evolve from both technical and business perspectives. What California has built with DROP represents a paradigm shift that other jurisdictions would be wise to study closely.
Understanding the Data Broker Problem
What Are Data Brokers?
Under California law, a data broker is defined as any business that "knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship." This definition is crucial: it means that the company collecting your data never interacted with you directly. You didn't sign up for their service. You didn't buy their product. You may not even know they exist.
The data broker industry has grown into a massive, largely invisible ecosystem. As of January 2026, 545 data brokers have registered with the California Privacy Protection Agency (CPPA), though industry analysts believe the true number of companies that should be registered is significantly higher. Privacy Rights Clearinghouse and the Electronic Frontier Foundation have identified hundreds of companies registered in other states that haven't registered in California.
The Scope of Personal Data Collection
The breadth of information data brokers collect is staggering. According to official disclosures, data brokers may hold any combination of the following about you:
| Category | Examples |
|---|---|
| Identification Data | Full legal name, aliases, Social Security numbers, driver's license numbers, passport information |
| Contact Information | Current and historical addresses, phone numbers, email addresses |
| Financial Data | Income estimates, credit scores, purchase history, property records, bankruptcy filings |
| Demographic Information | Age, gender, ethnicity, marital status, household composition |
| Behavioral Data | Browsing history, search queries, app usage, location tracking data |
| Sensitive Categories | Health conditions, political affiliations, religious beliefs, sexual orientation |
| Family Information | Data about your children, parents, and other relatives |
The Human Cost: Identity Theft and Beyond
The proliferation of personal data in broker databases has real-world consequences. According to the Identity Theft Resource Center, the first half of 2025 saw 1,732 publicly reported data compromises, approximately 5% ahead of 2024's record-breaking pace. These breaches affected over 165 million individuals in just six months.
The statistics paint a sobering picture:
- Every 4.9 seconds, someone in the United States becomes a victim of identity theft
- Over 51% of Americans have been scammed at some point in their lives
- The average victim lost $730 in the past year alone
- 24% of identity theft victims were also victims of a data breach
Data brokers are not merely passive repositories of this information. By aggregating data from multiple sources, they create comprehensive profiles that can be used for targeted scams, AI-powered impersonation attacks, and sophisticated social engineering campaigns. The rise of generative AI has made these threats even more acute: attackers can now use leaked personal information to create convincing deepfakes and personalized phishing attacks at scale.
How DROP Works: A Technical Overview
The Consumer Experience
DROP was designed with simplicity in mind. The process involves three straightforward steps:
Step 1 - Verify Eligibility: Consumers must confirm California residency through the California Identity Gateway, the state's secure digital identity verification platform. This can be done by entering information directly or by using Login.gov credentials. Importantly, DROP does not retain this verification data.
Step 2 - Create a Profile: Users provide identifying information that data brokers can use to locate their records. This might include name variations, email addresses, phone numbers, and date of birth. Consumers choose how much information to provide; more information increases the likelihood of comprehensive deletion.
Step 3 - Submit Request: With a single submission, the deletion request is sent to all 545+ registered data brokers. Users can also exclude specific brokers if desired. The request remains active indefinitely, meaning brokers must continue deleting the consumer's data on an ongoing basis.
The Data Broker Compliance Framework
From the data broker perspective, DROP creates new operational requirements:
| Requirement | Details |
|---|---|
| 45-Day Check Cycle | Starting August 1, 2026, data brokers must access DROP at least every 45 days to retrieve new deletion requests |
| Identity Matching | Brokers must compare consumer information against their databases using unique identifiers |
| Comprehensive Deletion | If a match is found, delete all associated personal data, including inferences |
| Status Reporting | Report the status of each deletion request within 45 days of retrieval |
| Ongoing Compliance | Continue deleting data at least every 45 days; cannot collect new data about requestors |
Privacy-Preserving Architecture
A critical aspect of DROP's design is its privacy-preserving architecture. Consumer information submitted to DROP is stored in a hashed format, protecting it from unauthorized access. The platform is built to be "safe, secure, and protects your privacy" according to the CPPA.
Crucially, the information submitted to DROP is only used to complete deletion requests. It won't be sold or shared for any other purpose. This addresses a legitimate concern about centralized data deletion services: that they might themselves become another data aggregation point.
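The following is an added example, not code from the CPPA or from DROP's specification: a sketch of how a broker could match hashed identifiers against its own records without handling the consumer's plaintext, and derive the 45-day status deadline from the compliance table. The SHA-256 choice, the normalization rules, every function name, and the sample records are assumptions constructed for illustration.

```python
import hashlib
from datetime import date, timedelta

REPORT_WINDOW_DAYS = 45  # from the compliance table: report status within 45 days of retrieval


def normalize(kind: str, value: str) -> str:
    """Canonicalize an identifier so equal identifiers hash equally (assumed rules)."""
    value = value.strip()
    if kind == "email":
        return value.lower()
    if kind == "phone":
        digits = "".join(ch for ch in value if ch.isdigit())
        return digits[-10:]  # assumption: compare on the 10-digit national number
    raise ValueError(f"unsupported identifier kind: {kind}")


def hash_identifier(kind: str, value: str) -> str:
    """Hash kind + normalized value; the kind prefix keeps identifier types separate."""
    material = f"{kind}:{normalize(kind, value)}".encode("utf-8")
    return hashlib.sha256(material).hexdigest()


def match_requests(requests, broker_records):
    """Return {request_id: sorted record ids} for records sharing any hashed identifier."""
    index = {}
    for rec in broker_records:
        for kind, value in rec["identifiers"]:
            index.setdefault(hash_identifier(kind, value), set()).add(rec["record_id"])
    matches = {}
    for req in requests:
        hits = set()
        for h in req["hashes"]:
            hits |= index.get(h, set())
        matches[req["request_id"]] = sorted(hits)
    return matches


def status_deadline(retrieved_on: date) -> date:
    """Latest date to report the status of a request retrieved on `retrieved_on`."""
    return retrieved_on + timedelta(days=REPORT_WINDOW_DAYS)


# Constructed sample data: the broker stores raw, inconsistently formatted identifiers.
BROKER_RECORDS = [
    {"record_id": "r1", "identifiers": [("email", "Alex.Doe@Example.com "),
                                        ("phone", "+1 (415) 555-0100")]},
    {"record_id": "r2", "identifiers": [("phone", "415.555.0100")]},
    {"record_id": "r3", "identifiers": [("email", "sam@example.org")]},
]
# Constructed deletion requests: only hashes arrive, never the plaintext.
REQUESTS = [
    {"request_id": "q1", "hashes": [hash_identifier("email", "alex.doe@example.com")]},
    {"request_id": "q2", "hashes": [hash_identifier("phone", "4155550100")]},
    {"request_id": "q3", "hashes": [hash_identifier("email", "nobody@example.net")]},
]

if __name__ == "__main__":
    print(match_requests(REQUESTS, BROKER_RECORDS))
    print(status_deadline(date(2026, 8, 1)))
```

Without the normalization step, the differently formatted phone number in record `r2` would hash to a different value and the record would survive the deletion request.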
The Legal Framework: From CCPA to the Delete Act
Evolution of California Privacy Law
DROP didn't emerge in a vacuum. It represents the culmination of nearly a decade of privacy legislation in California:
| Year | Legislation | Impact |
|---|---|---|
| 2018 | CCPA | Gave consumers rights to know, delete, and opt-out, but required individual requests |
| 2019 | AB 1202 | Created first U.S. data broker registry |
| 2020 | CPRA | Expanded CCPA; created California Privacy Protection Agency |
| 2023 | Delete Act (SB 362) | Required creation of DROP; mandated data broker participation |
| 2025 | SB 361 Amendments | Required additional disclosures in registration process |
Enforcement Mechanisms and Penalties
The Delete Act includes significant enforcement mechanisms:
- Registration Penalties: $200 per day for unregistered data brokers
- Deletion Penalties: $200 per request per day for failure to process
- Audit Requirements: Independent compliance audits every three years (starting January 2028)
- Cost Recovery: CPPA can recover investigation costs and unpaid fees
Recent Enforcement Actions:
| Date | Company | Penalty | Violation |
|---|---|---|---|
| July 2025 | Accurate Append Inc. (WA) | $55,400 | Failed to register |
| May 2025 | National Public Data (FL) | $46,000 | Failed to register and pay fees |
| February 2025 | Background Alert (CA) | $50,000 | Ordered to suspend operations |
California in Context: The U.S. Data Broker Landscape
State-Level Approaches
California is not the only state to regulate data brokers, but it has gone significantly further than any other jurisdiction. Currently, four states have data broker registration laws:
| State | Year | Annual Fee | Penalties | Unique Feature |
|---|---|---|---|---|
| Vermont | 2018 | $100 | Up to $500/day | First state registry |
| California | 2019/2023 | $6,600 | $200/day | DROP centralized deletion |
| Texas | 2023 | $300 | Up to $10,000/year | Conspicuous notice requirement |
| Oregon | 2024 | $600 | Up to $10,000/year | Opt-out declaration required |
Additional states, including New Jersey, Delaware, Michigan, and Alaska, have data broker registration laws in development.
The Compliance Gap
A June 2025 analysis by Privacy Rights Clearinghouse and the EFF revealed significant compliance gaps across states:
- 291 companies registered elsewhere but not in California
- 524 companies registered elsewhere but not in Texas
- 475 companies registered elsewhere but not in Oregon
- 309 companies registered elsewhere but not in Vermont
While definitional differences between state laws may account for some discrepancies, this data suggests systematic underregistration that state enforcement agencies are now being urged to investigate.
The Case for Federal Legislation
The current patchwork of state laws creates challenges for both consumers and businesses. A data broker operating nationally must navigate different registration requirements, definitions, and deadlines across multiple jurisdictions. Consumers, meanwhile, receive wildly different protections depending on where they live.
Privacy advocates have long called for federal data broker legislation. The Consumer Financial Protection Bureau's March 2023 request for information about data brokers signaled potential federal interest in the space, but comprehensive legislation has yet to materialize. Until it does, California's Delete Act represents the most robust model for other states considering similar protections.
Global Lessons: What Other Countries Can Learn
GDPR and the Right to Erasure
The European Union's General Data Protection Regulation (GDPR), in effect since 2018, includes a "right to erasure" (Article 17) that allows individuals to request deletion of their personal data. However, the GDPR approach differs significantly from California's DROP:
| Aspect | GDPR | California DROP |
|---|---|---|
| Request Method | Individual requests to each controller | Single centralized request |
| Data Broker Registry | None | Mandatory public registry |
| Enforcement | 30+ national DPAs | Single dedicated agency (CPPA) |
| Ongoing Deletion | Case-by-case | Automatic 45-day cycles |
The European Data Protection Board (EDPB) has made the right to erasure a priority for 2025. Thirty-two DPAs across Europe are participating in coordinated enforcement actions specifically focused on how controllers handle erasure requests. This suggests European regulators recognize gaps in the current framework, gaps that California's approach directly addresses.
Recommendations for Other Jurisdictions
Based on California's experience, jurisdictions considering similar legislation should consider the following principles:
- Create a Data Broker Registry First: Before consumers can exercise deletion rights, they need to know who holds their data. A mandatory registry creates transparency and establishes the universe of companies subject to regulation.
- Build Centralized Infrastructure: Individual opt-out requests are too burdensome for consumers. A government-operated platform that transmits requests to all registered brokers simultaneously makes the right to deletion practically exercisable.
- Mandate Ongoing Compliance: One-time deletion isn't enough. Data brokers can re-acquire information from other sources. Requiring ongoing deletion cycles (45 days in California's case) ensures persistent protection.
- Include Meaningful Penalties: Registration fees and daily fines for non-compliance create financial incentives for participation. Without enforcement teeth, regulation becomes advisory.
- Require Independent Audits: Self-reported compliance is insufficient. Third-party audits verify that data brokers are actually deleting data as required.
- Protect Privacy in the Protection Mechanism: The deletion platform itself must be designed with privacy at its core. Hashing consumer data and limiting its use to deletion requests prevents the platform from becoming another data aggregation point.
Security Implications: Beyond Privacy
Reducing the Attack Surface
From a cybersecurity perspective, DROP addresses a fundamental problem: every database containing personal information is a potential attack target. Data brokers, by definition, aggregate massive amounts of sensitive data, making them attractive targets for malicious actors.
When consumers use DROP to delete their information, they're effectively reducing their "attack surface," meaning the total number of places where their data could be compromised. With 545+ data brokers currently registered in California, that represents hundreds of potential breach vectors that can be eliminated with a single request.
The AI Impersonation Threat
Generative AI has introduced new dimensions to identity-related threats. Personal data harvested from data brokers can fuel sophisticated impersonation attacks, including voice cloning, deepfake videos, and AI-generated phishing that incorporates intimate knowledge of the target's life.
Research indicates that 85% of U.S. consumers believe AI makes scam detection harder, and 62% have either been victims of AI-driven scams or know someone who has. By limiting the personal data available to potential attackers, DROP provides a proactive defense against these emerging threats.
Implications for Enterprise Security
For organizations, the proliferation of employee data across broker databases represents a significant security risk. Business email compromise (BEC) attacks, which accounted for 251 confirmed incidents in H1 2025, often rely on personal information to craft convincing social engineering campaigns.
Security-conscious organizations should consider encouraging California-based employees to use DROP as part of their personal security hygiene. Reducing the availability of employee personal data in commercial databases makes targeted attacks more difficult to execute.
Limitations and Considerations
What DROP Does Not Cover
It's important to understand DROP's scope limitations:
| Limitation | Details |
|---|---|
| Geographic | Only available to California residents |
| Registered Brokers Only | Only covers companies registered with CPPA |
| Data Broker Definition | First-party data from companies you interact with is not covered |
| Legal Exemptions | Some data may be exempt from deletion requirements |
| Processing Delay | Requests submitted now won't be processed until August 1, 2026 |
Potential Trade-offs
Using DROP may affect certain online experiences. The CPPA notes that deletion may result in fewer targeted advertisements and reduced content personalization. For some users, this may be a welcome side effect; for others, it may represent a trade-off worth considering.
Additionally, data brokers may re-acquire information from other sources over time. While the ongoing deletion requirement addresses this partially, consumers should understand that DROP is not a permanent shield but rather a continuous protection mechanism.
Looking Ahead: The Future of Consumer Data Rights
DROP represents a significant step forward in consumer data protection, but it's likely just the beginning of a broader transformation in how societies approach personal data rights.
Several trends suggest where this space is heading:
- State Expansion: Other states are watching California's implementation closely. Success could trigger a wave of similar legislation, potentially creating pressure for federal action.
- International Adoption: Countries with existing privacy frameworks (particularly in the EU and Asia-Pacific) may incorporate centralized deletion mechanisms into their regulatory structures.
- Technology Integration: Future iterations may include automated monitoring, real-time deletion verification, and integration with identity management systems.
- AI and Data Rights: As AI systems increasingly rely on personal data for training, questions about data rights in machine learning contexts will become more pressing. DROP-like mechanisms may eventually extend to AI training data.
Conclusion: A Model Worth Emulating
California's DROP platform represents a genuine innovation in consumer privacy protection. By combining a comprehensive data broker registry with a centralized deletion mechanism, ongoing compliance requirements, and meaningful enforcement, California has created a framework that makes data deletion rights practically exercisable, not just theoretically available.
For California residents, the message is clear: if you haven't already, visit DROP and submit your deletion request. It's free, it takes minutes, and it provides ongoing protection against the 545+ data brokers currently collecting and selling your personal information.
For policymakers in other jurisdictions, DROP offers a proven template. The data broker problem is not unique to California; it's global. Every jurisdiction grappling with personal data protection would benefit from studying California's approach and adapting it to their own legal and cultural contexts.
The data broker industry has operated in the shadows for too long. DROP brings it into the light, and gives consumers, for the first time, a meaningful way to take back control of their personal information.
References & Resources
Official Resources
| Resource | URL |
|---|---|
| California DROP Portal | https://privacy.ca.gov/drop/ |
| Consumer Request Portal | https://consumer.drop.privacy.ca.gov |
| California Privacy Protection Agency | https://cppa.ca.gov |
| Data Broker Registry | https://cppa.ca.gov/data_broker_registry/ |
| Delete Act (SB 362) Full Text | https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202320240SB362 |
Research & Data Sources
| Organization | URL |
|---|---|
| Identity Theft Resource Center | https://www.idtheftcenter.org |
| Electronic Frontier Foundation | https://www.eff.org |
| Privacy Rights Clearinghouse | https://privacyrights.org |
| European Data Protection Board | https://www.edpb.europa.eu |
| Federal Trade Commission | https://www.ftc.gov |
Disclaimer: This article is provided for informational purposes only and does not constitute legal advice. Readers should consult with qualified legal professionals regarding their specific situations. Information about DROP and related regulations was accurate as of publication date but may be subject to change.