California DROP, explained
Last verified July 1, 2026 · This is information, and none of it is legal advice.
The short version
California built a delete button. DROP, the Delete Request and Opt-out Platform, lets any California resident file a single request that orders every registered data broker in the state's registry to delete their personal information. The platform opened to consumers on January 1, 2026. Brokers must begin processing requests on August 1, 2026. One request. Over 600 companies. Free.
If you live in California and do nothing else this year about your data, do this.
Who can use it
California residents only, verified before you can submit. You confirm residency through the California Identity Gateway, entering your information directly or signing in with Login.gov, and the state says DROP doesn't retain the verification data. Then you create a profile with basic details, optionally adding date of birth, email, phone, or a mobile ad ID to improve matching, and submit at consumer.drop.privacy.ca.gov. You can return to check the status, and amend or cancel after 45 days.
Everyone else, the DSAR templates in our resource hub are your equivalent tool, filed one broker at a time. The gap between those two sentences is the entire argument for laws like this one.
What gets deleted
More than you'd expect. The Delete Act requires deletion of any personal information related to you, which is broader than most privacy laws that only cover data collected directly from you. That includes inferences, the conclusions brokers have drawn about your income, health interests, politics, and habits. Brokers must also direct their service providers and contractors to delete, and maintain suppression lists so your information stays deleted rather than getting re-collected on the next refresh.
The timeline that matters
- January 1, 2026. DROP opened for consumer requests. Brokers began mandatory registration.
- August 1, 2026. Brokers must retrieve requests from DROP at least every 45 days and process each one within 45 days of retrieving it. Worst case from your submission, about 90 days.
- Penalty for ignoring you. $200 per deletion request, per day (Civ. Code § 1798.99.82(d)), with a separate $200-a-day fine for failing to register at all. California's privacy agency has stood up a Data Broker Enforcement Strike Force and has fined unregistered brokers, most recently S&P Global at $62,600.
File before August 1 and your request sits in the first batch brokers are legally required to process.
What DROP does not cover
This is the part most coverage skips, and it's why our directoryflags DROP coverage per broker.
A company isn't a data broker to the extent its activity is covered by the Fair Credit Reporting Act, so the credit bureaus and formal background-screening products sit outside DROP, and the same carve-out applies to Gramm-Leach-Bliley financial data and insurance data under California's insurance privacy law. HIPAA-covered health data is likewise exempt. Brokers can also retain data that other laws require them to keep, though even then they must stop selling it and keep it suppressed. And a broker you interact with directly, one you have a real customer relationship with, isn't a data broker with respect to that data.
Translation. DROP clears the resale layer. The credit file, the screening reports, and the government records underneath stay put, and each has its own separate process, which we cover in the resource hub.
What to expect after filing
Slowness, by design. Brokers check the platform on a 45-day cycle and must process what they retrieve within another 45 days, so a request filed today resolves across the registry through late 2026. Unresolved requests must be treated as opt-outs at minimum.
And then the honest part. Suppression lists are new, enforcement is new, and 600+ companies with a financial incentive to keep your data are being asked to police themselves on a compliance schedule. Some will comply cleanly. Some will slow-walk. The records will keep regenerating from public sources either way. DROP is the best single action available to a Californian, and it's an action, where the problem is a condition. Conditions need management, which is the problem Sya exists to solve.
Do this now
- If you're in California, file at privacy.ca.gov. Budget 15 minutes.
- Note your confirmation and check status monthly.
- Handle the exempt layer separately. Freeze your credit files, and use the resource hub for the rest.
- If you're not in California, check whether your state has a broker registry or deletion law, then work the directory with our templates.