California Just Made It Easy to Delete Your Data From Every Data Broker at Once

The Data Broker Problem

Data brokers collect your personal information—names, addresses, emails, phone numbers, purchase history, location data—and sell it to anyone willing to pay. Until now, exercising your legal right to delete that data meant tracking down each broker individually, navigating different request processes, and hoping they actually complied.

California's Delete Act, passed in 2023, promised to change that. On January 1, 2026, that promise became reality with the launch of DROP—the Delete Request and Opt Out Platform.

How DROP Works

DROP is operated by the California Privacy Protection Agency. The platform lets California residents submit a single authenticated deletion request that gets sent to every registered data broker in the state.

Here's the process:

• Authenticate your identity through the state's identity gateway or Login.gov
• Submit your deletion request through the DROP portal
• Your request automatically goes to all registered data brokers
• Brokers must process requests and report back their status

Instead of sending dozens of individual requests and hoping for compliance, you submit once and the state handles distribution and tracking.

The Timeline for Data Brokers

Data brokers operating in California face strict deadlines under the Delete Act:

• January 31, 2026: Registration deadline. Brokers must create a DROP account and pay the $6,000 annual fee.
• August 1, 2026: Processing begins. Brokers must start retrieving and acting on DROP deletion requests.
• Every 45 days: Brokers must download consumer deletion lists from DROP.
• Within 90 days: Brokers must finalize each deletion request and report status.

Brokers who miss the registration deadline face fines of $200 per day. Those who fail to process deletion requests face penalties of $200 per request per day.

What Brokers Must Report

When a data broker processes your deletion request, they must report one of four statuses through DROP:

• Record deleted: Your personal information has been removed
• Record opted out of sale: Your data won't be sold but may be retained
• Record exempt: Legal exemptions apply to your data
• Record not found: The broker doesn't have your information

This transparency requirement means you'll actually know what happened to your request—a significant improvement over sending emails into the void.

The Enforcement Muscle

California isn't just creating a platform—it's building enforcement infrastructure. In December 2025, the California Privacy Protection Agency issued an enforcement advisory specifically targeting data broker registration practices.

The agency has also launched a "Data Broker Strike Force" to investigate and penalize non compliance. Starting January 1, 2028, data brokers will be required to undergo independent privacy audits every three years.

The Delete Act transforms data deletion from a theoretical right into an enforceable one. Brokers who ignore requests now face real financial consequences.

Who Qualifies as a Data Broker

Under California law, a data broker is a business that knowingly collects and sells personal information about consumers with whom it doesn't have a direct relationship. This covers the usual suspects—people search sites, background check services, marketing data aggregators—but the definition has caught some companies off guard.

The CPPA's enforcement advisory highlighted problematic registration practices, suggesting some businesses either don't realize they qualify as data brokers or are trying to avoid registration. The $6,000 annual fee and deletion obligations apply regardless of business size.

What This Means for Your Inbox

Data brokers are a major source of the email addresses that power spam campaigns, phishing attacks, and marketing bombardment. When brokers sell your information, they're not just selling your name—they're selling your contact details to anyone who wants them.

By exercising your deletion rights through DROP, you can reduce the spread of your personal information across marketing databases. It won't stop every unwanted email, but it can slow the pipeline of your data flowing to new buyers.

The Limitations

DROP only applies to data brokers registered in California. Companies that should register but haven't are a blind spot until enforcement catches up. The platform also can't reach data that's already been sold—once a broker shares your information with a buyer, that copy exists independently.

Brokers also have legitimate exemptions. Information needed for legal compliance, fraud prevention, or existing business relationships may be retained even after a deletion request.

Finally, DROP only covers California residents. If you live elsewhere, you're still stuck with the old process of contacting brokers individually—though other states are watching California's experiment closely.

How to Use DROP

California residents can access DROP through the California Privacy Protection Agency's privacy portal. You'll need to verify your identity and California residency before submitting a deletion request.

The process is designed to be straightforward—authenticate once, submit once, and the system handles the rest. Given that data brokers must start processing requests by August 2026, now is the time to submit so you're in the queue when the deadline hits.

For non California residents, the Delete Act serves as a template for what privacy legislation can accomplish. If your state is considering similar laws, DROP demonstrates that centralized deletion mechanisms are technically feasible and enforceable.