California is providing residents with a new tool designed to simplify limiting data brokers’ ability to store and sell personal information. While state residents have had the right to demand companies stop collecting and selling their data since 2020, the process previously required opting out with each individual company, which was laborious.
The Delete Act, passed in 2023, was intended to streamline this by allowing residents to make a single request for deletion from more than 500 registered data brokers. Now, the Delete Requests and Opt-Out Platform, known as DROP, finally gives residents the ability to make that unified request. After verifying they are California residents, users can submit a deletion request that will be sent to all current and future data brokers registered with the state.
However, this does not guarantee all your data will be deleted immediately. Brokers are required to begin processing requests starting in August 2026. They then have 90 days to process the requests and report back. If a broker does not delete your data, you will have the option to submit additional information that may help them locate your records.
It is important to note that companies can still keep first-party data they collect directly from users. The deletion requirement applies specifically to brokers who buy or sell personal data, which can include details like your social security number, browsing history, email address, and phone number.
Certain types of information are exempt from deletion. Data from public documents, such as vehicle registration and voter records, is not covered. Other sensitive information, like medical data, may be protected under separate laws such as HIPAA.
The California Privacy Protection Agency states that, beyond giving residents more control, this tool could lead to fewer unwanted texts, calls, or emails. It may also reduce the risk of identity theft, fraud, AI impersonations, or having your data leaked or hacked.
Data brokers who fail to register with the state or fail to delete requested consumer data face a penalty of $200 per day, plus enforcement costs.