Getting Ready To Use The DROP

The January 31 deadline for companies that operated as data brokers in 2025 to register in California has passed, but registration is just the beginning of what lies ahead for data brokers in the remainder of 2026 (and beyond).

Most significantly, beginning on August 1, 2026, data brokers will be required to access deletion requests submitted by consumers (i.e., residents of California) through the California Privacy Protection Agency's (CalPrivacy) Delete Request and Opt-out Platform (DROP). Data brokers must act on those requests within 45 days of downloading and will need to repeat a similar process at least once every 45 days going forward.

Preparing to use the DROP requires data brokers to thoroughly understand their data and data flows and implement new processes to interact with the platform. The core element of the DROP is the array of "consumer deletion lists" that contain identifiers of consumers who sign up and request deletion through the DROP. But pulling consumer deletion lists from the DROP is just the operational first step. The bulk of the work needed to process DROP requests will occur on the back end, where data brokers must ingest, standardize, hash, match, and systematically purge identifiers across fragmented data ecosystems.

This post takes a close look at how the DROP regulations will require data brokers to obtain, process, and report on DROP requests.

How Will the DROP Make Consumer Deletion Lists Available?

The DROP will publish consumer deletion lists that contain specific types of identifiers. Consumers (or their authorized agents) must submit their name, address, date of birth, and phone or email to be assessed for eligibility to make requests through the DROP. Once deemed eligible, consumers must provide their full name and date of birth along with at least one of the following: a phone number, email address, or a "unique identifier" such as a mobile advertising identifier (MAID). Data brokers will download the lists that correspond to and contain identifiers that are in their datasets. (More about this below.)

The first time a data broker pulls a deletion list, the DROP will provide a full list of the identifiers associated with all consumers who submitted a request through the DROP at the time of the data pull. In subsequent deletion list pulls, the DROP will provide identifiers only for consumers who submitted requests since the data broker's last pull. CalPrivacy will not allow data brokers to pull complete deletion lists more than once unless they provide a written explanation and obtain approval from CalPrivacy.

Which Identifiers Will Be in Consumer Deletion Lists?

Consumer deletion lists will consist of hashed identifiers. (The DROP will specify which hashing algorithm was used to produce a given deletion list.)

Data brokers will need to standardize and hash the identifiers in their datasets before attempting to match them with elements of a consumer deletion list. For instance, phone numbers will be written as strings of 10 digits – the number "(415) 555-1234" would be written as "415551234" – and then hashed. The regulations provide similar standardization rules for names, dates of birth, and email addresses. However, the regulations do not require data brokers to maintain identifiers in this form in the ordinary course of business.

If a consumer deletion list contains more than one identifier, the DROP will provide the identifiers as separate hash values. For instance, a deletion list based on consumers' first and last names will contain a hash value for each first name and a value for each last name. The DROP regulations specify that data brokers must concatenate these separate values and match the concatenated value. For instance, if the first name "John" hashes to "abcd" and the last name "Smith" hashes to "1234," the identifier used for matching is "abcd1234."

What Do Data Brokers Need to Do in Response to Consumer Deletion List Matches?

For each matched identifier, a data broker must "completely and permanent erase" all personal information, including inferences, associated with the identifier that was collected outside of a direct, first-party relationship. This may prove especially challenging for mixed data sets and tiered or multi-dimensional data ecosytems. Data brokers must also direct their service providers and contractors to take the same actions with matched identifiers.

There are three alternatives to the "complete and permanent" erasure of a consumer's personal information.

• Deletion exemptions: All exemptions under the CCPA apply to DROP deletion requests. For instance, any personal information that may retain for security purposes is exempt from deletion pursuant to a DROP request.
• Opt-outs: If a set of DROP identifiers matches multiple consumers in the data broker's records, the data broker may opt those consumers out of future sales of their data.
• No match: If a data broker does not match data with any identifiers in its datasets, then no deletion is required. We expect no-match results to be common for data brokers that maintain data keyed to proprietary advertising identifiers and none of the identifiers that consumers enter through the DROP.

What Are Data Brokers' Reporting Requirements?

Data brokers must retain each deletion list. At least once every 45 days, a data broker must pull updates to previously collected deletion lists and repeat the matching and deletion processes for all of the consumer deletion lists in its possession.

Beginning with its second consumer deletion list pull, a data broker must report the status of each identifier in its previous data pull. (A data broker will not have any status to report when it first pulls a consumer deletion list.) The DROP regulations require data brokers to report one of four values for each row in a consumer deletion list:

1. Record deleted
2. Record opted out of sale
3. Record exempted
4. Record not found

DROP and Intensifying Data Broker Regulations

Implementing the DROP will require careful planning and execution, requiring data brokers to have full visibility into their data lineage and internal architecture and robust recordkeeping practices to meet the Delete Act's rigorous standards.

The stakes of getting implementation right are high. CalPrivacy has put significant resources into developing the DROP and has made it the centerpiece of its regulatory agenda and public outreach strategy over the last several months. Its recent enforcement advisory and enforcement actions – and the creation of a "Data Broker Enforcement Strike Force" – make it abundantly clear that the agency takes data brokers' compliance with their registration and deletion obligations seriously. It should also be noted that the Delete Act significantly expands CalPrivacy's civil penalty authority.

Finally, DROP "fever" could spread to other states. At least one state – New York – is considering legislation (A9642) similar to the Delete Act. In its current form, A9642 would require data brokers to register with the state attorney general and authorize the AG to develop regulations for a DROP-like mechanism. Data brokers would need to a pay a much lower registration fee of $100 per year but would also need to pay a deletion mechanism access fee based on "the reasonable costs of providing that access." The Delete Act contains similar language for access to the DROP.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.