Skip to content
NordicVeil

The California Delete Act and DROP, explained

By NordicVeil Research Team Last verified

For decades the deal was: hundreds of data brokers hold a file on you, and getting out means filing hundreds of separate requests. California just changed the math. Under the Delete Act (SB 362), the state built DROP — the Delete Request and Opt-out Platform — a single free request at consumer.drop.privacy.ca.gov that reaches every data broker registered with the state, currently over 600 companies. Requests opened in January 2026. The enforcement clock starts August 1, 2026 — the date brokers must begin processing what the platform sends them.

This guide covers what DROP actually does, what it doesn’t, and how to file — with every claim sourced to the statute, the CPPA’s regulations, or the state’s own DROP pages.

What the Delete Act requires

The Delete Act (Civil Code §1798.99.80 et seq.) requires every data broker doing business in California to register annually with the California Privacy Protection Agency, and — the important part — to honor deletion requests delivered through one central platform instead of through each broker’s own maze. From August 1, 2026, every registered broker must:

  • Check DROP at least once every 45 days and download the list of consumers requesting deletion.
  • Delete all matching, non-exempt personal information — including inferences — within 45 days of receiving a request, and report the outcome of each request back to the platform.
  • Keep it deleted: re-screen newly collected data against the deletion list at least every 45 days, and stop selling or sharing new personal information about you.
  • A broker that matches your identifiers to several people and cannot tell which is you must instead opt every matched record out of sale and sharing.

Because brokers pick up requests on a 45-day cycle and then have 45 days to act, the practical window from your submission to completed deletion can run to roughly 90 days — the statute’s processing deadline is 45 days, but the state’s own consumer page describes the combined timeline candidly.

Non-compliance is priced per person: $200 per deletion request per day the broker fails to delete, plus the state’s investigation costs. And beginning January 1, 2028, every broker must undergo an independent compliance audit every three years, with reports producible to the Agency on five business days’ notice.

How to file your DROP request

  1. Confirm you’re eligible. DROP is for California residents only. Residency is verified through the California Identity Gateway (basic information) or a Login.gov account; the state says it does not retain your verification data. If verification misclassifies you, you can appeal within 10 days.
  2. Go to consumer.drop.privacy.ca.gov. It is free — the state will never charge for DROP — and no broker accounts are involved.
  3. Add optional identifiers to improve matching. You can attach a date of birth, email addresses, phone numbers, and even Mobile Ad IDs. More identifiers means brokers match more of their records to you; DROP-provided data may only be used to comply with the Act, and brokers are barred from selling it or contacting you to “verify” the request.
  4. Submit, then leave it alone. Requests can be amended or canceled no sooner than 45 days after submission. Mark August 1 and roughly November 1, 2026 on your calendar: the first is when processing becomes mandatory; by the second, the initial 45+45-day cycle should have run for the full registry.

What DROP will not do

DROP is the biggest single lever an American consumer has ever had against the broker industry. It is still not a master delete for your digital life, and the law says so explicitly:

  • Unregistered brokers are untouched. The request reaches companies on the state registry. A broker dodging registration (at $200/day in fines) is also dodging your request.
  • Exempt data survives. Entities and data covered by the federal FCRA (credit bureaus and consumer-reporting activity), Gramm-Leach-Bliley, California’s insurance-privacy law, and HIPAA-adjacent exemptions are outside the Act’s deletion duty. Data a company collected from you directly, in a first-party relationship, is also out of scope — DROP targets brokers, defined as companies selling data about people they have no direct relationship with.
  • Public records keep flowing. People-search sites rebuild listings from county, court, and voter files on a cycle. A deleted listing can be reconstituted from a fresh public-records batch that doesn’t match the suppressed identity — the same reappearance problem covered in our opt-out guides.
  • It’s California-only. Residents of other states still work broker by broker under their own state laws (or none) — our state-by-state guide maps who has what. Every removal in our guide library is free and works regardless of state.

The realistic playbook for a Californian in 2026: file DROP once, then clear the high-traffic people-search sites directly — they are the listings a stranger actually finds when they Google you, and direct opt-outs act in days rather than the DROP cycle’s weeks. Run our free Exposure Check to see which sites currently list you (nothing you type leaves your browser), then work the guides or let Sentinel file everything with receipts.

Where agents and services fit

The Act explicitly supports authorized agents helping with deletion requests — but the regulations are strict about sequence: an agent may aid a request only after the consumer personally passes residency verification, the agent’s identity must be disclosed inside the consumer’s DROP account, and an agent cannot cancel a request without express direction. In plain terms: no service, including ours, can legitimately press the DROP button for you from a cold start. That is why Sentinel handles DROP as a guided step we complete together for California customers, then spends its effort where automation genuinely works — the people-search network, verification loops, and the re-scan patrol that catches reappearances.

The dates that matter

DateWhat happens
Jan 1, 2026DROP opens; consumers begin submitting (regulations effective)
Aug 1, 2026Brokers must start processing: 45-day pickup cycle + 45-day deletion deadline
~Nov 2026First full processing cycle complete for early requests
Jan 31 (annual)Broker registration window closes for the year
Jan 1, 2028Triennial independent compliance audits begin

Sources: Cal. Civ. Code §1798.99.80–.86 (SB 362); CPPA DROP regulations (effective Jan 1, 2026); privacy.ca.gov/drop and cppa.ca.gov announcements. All verified 2026-07-06.

Frequently asked questions

What is DROP in California?

DROP — the Delete Request and Opt-out Platform — is a free, state-run website (consumer.drop.privacy.ca.gov) operated by the California Privacy Protection Agency. One request tells every data broker registered with the state — over 600 companies — to delete your personal information and stop selling it.

What happens on August 1, 2026?

That is the date registered data brokers must start processing DROP requests. From then on, every broker must check the platform at least once every 45 days, delete matching non-exempt information within 45 days of receiving a request, and keep deleting newly collected data about you on an ongoing 45-day cycle.

Who can use DROP?

California residents only. The state verifies residency through the California Identity Gateway or Login.gov before a request can be submitted. It is free, and no account with any broker is needed.

Does DROP remove me from Whitepages and Spokeo?

Only if the operator is a registered California data broker, and only for non-exempt data. People-search listings often rebuild from public records, so pairing DROP with direct opt-outs is the practical approach — our free guides cover the 18 biggest sites step by step.

What are the penalties for brokers that ignore DROP?

The statute sets an administrative fine of $200 per deletion request per day a broker fails to delete as required, plus the state's investigation costs. Starting January 1, 2028, every registered broker must also pass an independent compliance audit every three years.

Can a removal service file DROP for me?

Partially. The law supports authorized agents, but only after you personally pass residency verification — an agent cannot skip that step for you. A service can assist with and monitor the request afterward; NordicVeil's Sentinel treats the DROP filing as a guided step we do with you, then we work the people-search sites DROP does not fully solve.