For decades the deal was: hundreds of data brokers hold a file on you, and getting out means
filing hundreds of separate requests. California just changed the math. Under the Delete Act
(SB 362), the state built DROP — the Delete Request and Opt-out Platform — a single free
request at consumer.drop.privacy.ca.gov that reaches
every data broker registered with the state, currently over 600 companies. Requests opened
in January 2026. The enforcement clock starts August 1, 2026 — the date brokers must begin
processing what the platform sends them.
This guide covers what DROP actually does, what it doesn’t, and how to file — with every claim sourced to the statute, the CPPA’s regulations, or the state’s own DROP pages.
What the Delete Act requires
The Delete Act (Civil Code §1798.99.80 et seq.) requires every data broker doing business in California to register annually with the California Privacy Protection Agency, and — the important part — to honor deletion requests delivered through one central platform instead of through each broker’s own maze. From August 1, 2026, every registered broker must:
- Check DROP at least once every
45days and download the list of consumers requesting deletion. - Delete all matching, non-exempt personal information — including inferences — within
45days of receiving a request, and report the outcome of each request back to the platform. - Keep it deleted: re-screen newly collected data against the deletion list at least every
45days, and stop selling or sharing new personal information about you. - A broker that matches your identifiers to several people and cannot tell which is you must instead opt every matched record out of sale and sharing.
Because brokers pick up requests on a 45-day cycle and then have 45 days to act, the practical
window from your submission to completed deletion can run to roughly 90 days — the statute’s
processing deadline is 45 days, but the state’s own consumer page describes the combined
timeline candidly.
Non-compliance is priced per person: $200 per deletion request per day the broker fails to
delete, plus the state’s investigation costs. And beginning January 1, 2028, every broker
must undergo an independent compliance audit every three years, with reports producible to the
Agency on five business days’ notice.
How to file your DROP request
- Confirm you’re eligible. DROP is for California residents only. Residency is verified through the California Identity Gateway (basic information) or a Login.gov account; the state says it does not retain your verification data. If verification misclassifies you, you can appeal within
10days. - Go to consumer.drop.privacy.ca.gov. It is free — the state will never charge for DROP — and no broker accounts are involved.
- Add optional identifiers to improve matching. You can attach a date of birth, email addresses, phone numbers, and even Mobile Ad IDs. More identifiers means brokers match more of their records to you; DROP-provided data may only be used to comply with the Act, and brokers are barred from selling it or contacting you to “verify” the request.
- Submit, then leave it alone. Requests can be amended or canceled no sooner than
45days after submission. Mark August 1 and roughly November 1, 2026 on your calendar: the first is when processing becomes mandatory; by the second, the initial 45+45-day cycle should have run for the full registry.
What DROP will not do
DROP is the biggest single lever an American consumer has ever had against the broker industry. It is still not a master delete for your digital life, and the law says so explicitly:
- Unregistered brokers are untouched. The request reaches companies on the state registry. A broker dodging registration (at
$200/day in fines) is also dodging your request. - Exempt data survives. Entities and data covered by the federal FCRA (credit bureaus and consumer-reporting activity), Gramm-Leach-Bliley, California’s insurance-privacy law, and HIPAA-adjacent exemptions are outside the Act’s deletion duty. Data a company collected from you directly, in a first-party relationship, is also out of scope — DROP targets brokers, defined as companies selling data about people they have no direct relationship with.
- Public records keep flowing. People-search sites rebuild listings from county, court, and voter files on a cycle. A deleted listing can be reconstituted from a fresh public-records batch that doesn’t match the suppressed identity — the same reappearance problem covered in our opt-out guides.
- It’s California-only. Residents of other states still work broker by broker under their own state laws (or none) — our state-by-state guide maps who has what. Every removal in our guide library is free and works regardless of state.
The realistic playbook for a Californian in 2026: file DROP once, then clear the high-traffic people-search sites directly — they are the listings a stranger actually finds when they Google you, and direct opt-outs act in days rather than the DROP cycle’s weeks. Run our free Exposure Check to see which sites currently list you (nothing you type leaves your browser), then work the guides or let Sentinel file everything with receipts.
Where agents and services fit
The Act explicitly supports authorized agents helping with deletion requests — but the regulations are strict about sequence: an agent may aid a request only after the consumer personally passes residency verification, the agent’s identity must be disclosed inside the consumer’s DROP account, and an agent cannot cancel a request without express direction. In plain terms: no service, including ours, can legitimately press the DROP button for you from a cold start. That is why Sentinel handles DROP as a guided step we complete together for California customers, then spends its effort where automation genuinely works — the people-search network, verification loops, and the re-scan patrol that catches reappearances.
The dates that matter
| Date | What happens |
|---|---|
| Jan 1, 2026 | DROP opens; consumers begin submitting (regulations effective) |
| Aug 1, 2026 | Brokers must start processing: 45-day pickup cycle + 45-day deletion deadline |
| ~Nov 2026 | First full processing cycle complete for early requests |
| Jan 31 (annual) | Broker registration window closes for the year |
| Jan 1, 2028 | Triennial independent compliance audits begin |
Sources: Cal. Civ. Code §1798.99.80–.86 (SB 362); CPPA DROP regulations (effective Jan 1, 2026); privacy.ca.gov/drop and cppa.ca.gov announcements. All verified 2026-07-06.