New California DROP system lets residents order data brokers to delete their info

Californians now have a new way to force hundreds of data brokers to stop collecting and selling their personal information, after a state-run deletion system took effect at the start of the year.

The new tool, called DROP, which stands for Delete Request and Opt-out Platform, went live on January 1. It is administered by the California Privacy Protection Agency and is intended to make it much easier for residents to exercise rights they already had under the state’s Delete Act.

According to the California Privacy Protection Agency, more than 500 companies currently operate as data brokers in the state. These firms scour a wide range of sources for bits of information on individuals, then bundle and store that data and sell it to marketers, private investigators, and other buyers.

In a 2024 report, the nonprofit Consumer Watchdog said brokers collect information from businesses including automakers, tech companies, junk food restaurants, and device makers. The report said the data can cover financial information, purchase histories, family situations, and details about people’s eating, exercising, travel, and entertainment habits, along with other personal information about millions of individuals.

California’s Delete Act, which took effect two years ago, was meant to give residents a path to push back. That law requires data brokers to provide a way for people to obtain copies of all data held about them and to demand that it be deleted. However, Consumer Watchdog found that in the first 12 months after the law took effect, only about 1 percent of Californians used those rights.

One key problem, according to that analysis, was friction. Residents needed to submit a separate deletion demand to each individual broker. With more than 500 companies in the sector, the time and effort required proved to be too much for most people.

The DROP system is designed to solve that problem by centralizing the process. Instead of contacting each data broker, a California resident can now submit a single deletion and opt out request through the new platform. The California Privacy Protection Agency then forwards that request to all registered data brokers on the state’s list.

Under the new law that created DROP, brokers will also face new reporting requirements. Starting in August, these companies will have 45 days after receiving a forwarded notice to report the status of each deletion request. If they find that any of their records match the personal information in a DROP demand, they must delete all associated data.

That includes not just raw data points but also inferences built from that data, which can reveal sensitive insights about a person’s behavior or circumstances. The text notes that there are legal exemptions. One example is information that comes from one to one interactions between the individual and the broker. In those cases, the broker may not be required to delete the data. The story does not provide a full list of exemptions.

The DROP system is only available to California residents, and the platform requires proof of residency before a person can file a deletion demand. The article describes using the DROP website and finding the process smooth. According to that account, once residency is confirmed, the site prompts the user to enter a range of personal details that will help brokers locate any matching records.

Those details can include any names and email addresses a person uses, as well as specific identifiers such as vehicle identification numbers and advertising IDs associated with phones, televisions, and other devices. The author reported that it took about 15 minutes to complete the form, with most of that time spent locating information that was buried in device settings or spread across different services.

The article notes a potential concern that entering such a wide range of personal information into a single state run system may feel counterintuitive for people already worried about privacy. However, it also points out that this information is likely already collected, stored, and sold by data brokers and is often accessible to hackers and other third parties.

According to the piece, the California Privacy Protection Agency says it will only use personal data submitted through DROP for the purpose of processing deletion and opt out requests. The article does not describe how long the agency retains that information or how it is secured.

The new system is framed as a “supercharged” way to push back on what the article describes as long running data hoarding by brokers. It emphasizes that the ability to file a single, comprehensive deletion request could significantly lower the barrier for Californians who want to limit how their information is collected and sold.

At the same time, the article notes a major limitation. The DELETE Act and DROP are binding only in California. The story characterizes data broker information hoarding and breaches of their databases as an ongoing problem and suggests that the California model could influence other states, although it does not report any specific legislative plans elsewhere.

For Bay Area residents and companies, the rollout of DROP means new practical and compliance steps. Residents who want to take advantage of the law must confirm that they are California residents and be prepared to gather a range of identifiers from their devices, vehicles, and online accounts before submitting a request. Businesses that qualify as data brokers must be prepared to receive and respond to DROP requests, and starting in August they will have to track and report on whether and how those requests are fulfilled.

The article does not yet include information about how many Californians have used DROP in its early days, how data brokers are responding operationally, or whether there are any legal challenges. It also does not describe how the state will enforce compliance beyond the 45 day reporting requirement, or what penalties brokers could face if they ignore or mishandle deletion demands.

What is clear from the text is that California is now offering a centralized, state managed platform that attempts to give residents more practical control over how their personal information is stored and traded in the data brokerage economy. For people in the Bay Area who have long been at the center of debates about digital privacy, the coming months will test whether this new approach can turn strict privacy rules on paper into real change in how data brokers operate.