California’s portal is formally called the Delete Request and Opt-out Platform (DROP). It’s operated by the California Privacy Protection Agency (CalPrivacy/CPPA) and created under the Delete Act (SB 362, Chapter 709, Statutes of 2023). The law requires an “accessible deletion mechanism” so consumers can submit one request that goes to all registered data brokers.

DROP launched on Jan. 1, 2026, which is a critical “start using it” date for residents. The second critical date—often missing from headline summaries—is Aug. 1, 2026, when data brokers must begin processing DROP requests. Those two dates should shape expectations: you can submit early, but the system’s enforcement clock begins later.

The public framing is simple: “one click to delete your data.” The operational reality is closer to: one request, routed widely, processed in required cycles. According to CalPrivacy’s own guidance, data brokers must start processing on Aug. 1, 2026, and then must engage with the platform on a cadence (explained below).

That gap matters because it changes what “success” looks like. DROP isn’t an instant delete button. It’s a state-run request system tied to compliance deadlines and periodic processing.

CalPrivacy is explicit about several limits that are easy to miss:

- DROP does not delete first-party data you gave directly to a business.
- DROP does not cover publicly available data.
- DROP does not delete data that is exempt under applicable rules.

Readers should also absorb a structural limit: DROP reaches registered data brokers—powerful, but not universal.

DROP is for California residents. That eligibility rule is not cosmetic; it’s foundational. The tool is a California legal mechanism directed at California’s broker registry, and it is designed around residency verification.

CalPrivacy says residents can verify California residency in two ways:

1) Enter basic personal information, or
2) Use Login.gov (recommended if you already have an account).

That second option is significant for readers who are privacy-conscious but also want less friction. It offers a standard identity service many people already use for government-related logins.

DROP invites users to submit a wide range of identifiers that data brokers commonly hold, including:

- Name(s), including maiden names
- Date of birth and ZIP code
- Email addresses and phone numbers
- Mobile Advertising IDs (MAIDs) and Connected TV IDs
- Vehicle Identification Numbers (VINs)

CalPrivacy’s design tradeoff is explicit: “The more information you enter, the more likely your data will be deleted.” That is both practical and unsettling.

Practically, it’s true: matching systems are only as good as their inputs. If a broker has you as “Chris J.” with an old email and a device ID, a single name might not match. More identifiers can improve the odds that a broker finds the correct record.

Unsettlingly, the user is being asked to increase the “surface area” of identifying information in order to reduce it elsewhere. The platform’s purpose is deletion, but the process still relies on identification.

DROP’s most important feature is not the form—it’s the distribution mechanism. A resident submits one request, and the platform routes it to registered brokers through a structured process.

CalPrivacy lays out a set of deadlines that function like guardrails:

- Starting Aug. 1, 2026, data brokers must begin processing DROP requests.
- Brokers must process consumer DROP requests every 45 days by downloading lists, deleting matching personal information, and reporting status back to CalPrivacy.
- Starting Aug. 1, 2026, brokers must delete your data within 90 days.

Those are not casual recommendations; they’re the compliance backbone. The 45-day cycle defines how often brokers must check in and process. The 90-day window defines how long deletion can take once processing begins.

CalPrivacy also describes status outcomes consumers may see, which double as a transparency mechanism—and a clue about how matching went:

- Deleted (with a caveat: some information may be legally exempt and retained)
- Exempted
- Opted-out (couldn’t make an exact match; broker cannot sell but may still hold data)
- Record not found

For readers, “Opted-out” is the status that deserves special attention. It signals the system may have failed to confidently match you to a specific record. The broker cannot sell your data, but may still retain it. That is not nothing—it constrains the broker’s behavior—but it may feel like an incomplete win.

When a match is found, CalPrivacy says deletion covers the consumer’s personal information including “sensitive” and “inferred” information. That language matters because the most consequential data about you is often not your phone number; it’s the predictions built from it.

DROP’s reach is defined by California’s data broker registry. CalPrivacy’s own guidance emphasizes that the platform reaches “every registered data broker in California.” That’s a sweeping promise, but it also draws a boundary around who is included.

The Associated Press reported that more than 500 registered brokers were in scope around the Jan. 2026 launch window. CPPA regulatory materials (April 2025) noted 496 registered as of March 2025, offering a useful point-in-time snapshot and a sense of scale.

Those figures are striking in context: we’re not talking about a handful of sketchy list sellers. We’re talking about a large, formal ecosystem.

The registry is both DROP’s strength and its limitation. It’s a strength because it creates a definitive list of targets, turning a fragmented opt-out maze into a centralized pipeline.

It’s a limitation because entities that function like data brokers but aren’t registered—or don’t fit the definition that triggers registration—sit outside the system. The AP’s coverage flagged this constraint directly: the tool does not reach unregistered brokers.

For readers, the practical implication is simple: DROP can dramatically reduce exposure across registered brokers, but it cannot guarantee a clean slate across the entire commercial data market.

DROP’s matching logic forces a real question: how much personal information are you willing to provide to increase the odds of deletion?

CalPrivacy’s guidance is blunt: more information increases deletion likelihood. The platform invites high-signal identifiers—MAIDs, Connected TV IDs, and VINs—because those can disambiguate people with common names and shared addresses.

Consider two California residents named “Maria Garcia” living in the same ZIP code, both with records scattered across brokers over a decade. One submits only her name and ZIP code. Another submits name variations, date of birth, old emails, and phone numbers.

DROP’s system and the brokers’ matching processes have a clearer path with the richer profile. The first Maria is more likely to get “Record not found” from some brokers, or “Opted-out” because the broker cannot confidently match. The second Maria is more likely to see “Deleted,” because the match threshold is easier to meet.

That example doesn’t require speculation about proprietary algorithms. It follows directly from the statuses CalPrivacy says consumers may see, and from the agency’s own warning that more identifiers improve deletion odds.

A privacy minimalist might argue for submitting the least information possible. That approach aligns with an intuitive principle: don’t expand your data footprint while trying to shrink it.

DROP’s design complicates that principle. A sparse request may reduce matching risk, but also reduces deletion success. The result can be a paradox: you share less, and more of your data survives.

Readers should treat this as a strategic choice, not a moral one. DROP does not force maximal disclosure; it offers it as a lever for effectiveness.

DROP’s promise is meaningful, but bounded.

When the system finds a match, CalPrivacy says deletion can extend beyond the identifiers you submit to include personal information, including sensitive and inferred information. That is the best-case scenario: the broker finds you, deletes broadly, and reports back.

At the same time, CalPrivacy is clear about what DROP won’t delete:

- First-party data you gave directly to a business
- Publicly available data
- Exempted data

A common frustration with privacy tools is the expectation mismatch: a person submits a request and then still finds an address on a website, or a phone number in a public record.

DROP is not built to scrub the open web. It is aimed at data brokers in the registry. If the information is public—or a business collected it directly from you—DROP is not the instrument for that job.

The more productive way to measure success is narrower: did registered brokers stop selling and/or delete the records they held about you? That’s less visible than a web search result, but it is closer to the system’s legal target.

DROP is a California tool, but it’s also a preview of where privacy enforcement is heading: away from hundreds of separate opt-outs and toward centralized mechanisms with compliance reporting.

For Californians, the practical takeaways are concrete:

- Submit early if you want, but set expectations: processing obligations start Aug. 1, 2026.
- Understand the cadence: brokers must process requests every 45 days once the system is active.
- Track the deadline: CalPrivacy says brokers must delete within 90 days starting Aug. 1, 2026.

A sensible decision framework looks like this:

- If your goal is maximum deletion, consider providing more identifiers (the platform itself says this increases success).
- If your goal is minimum disclosure, submit less—accepting higher odds of “Opted-out” or “Record not found.”
- If you have multiple emails, phone numbers, or name variations, include them if you want to improve matching across older broker records.

CalPrivacy also points residents to Login.gov as a verification option, particularly if you already have an account. That may reduce friction for users who prefer not to repeatedly type personal information into forms.

DROP is limited to California residents and registered California brokers. Still, the model matters nationally. The underlying insight is straightforward: privacy rights become usable when they are centralized, standardized, and tied to enforceable reporting cycles.

If other states adopt similar registries and one-request mechanisms, the most important debates will mirror California’s: registry coverage, identity verification, and the “more data to delete data” tradeoff.

California’s DROP is not magic. It is bureaucracy, sharpened into a tool.

DROP represents a rare thing in American privacy policy: a state-built mechanism that tries to make deletion rights usable at scale. It launched Jan. 1, 2026, and it puts a single consumer request in contact with more than 500 registered brokers, according to AP reporting around the launch window.

But DROP also asks the central question of modern privacy: how do you prove who you are, precisely enough to be deleted, without feeding the same ecosystem you’re trying to escape?

CalPrivacy’s own language tells the story. Brokers must begin processing Aug. 1, 2026, check in every 45 days, and delete within 90 days. Users may see “Deleted,” “Exempted,” “Opted-out,” or “Record not found.” Those statuses are more than labels; they are a reminder that privacy is not a switch. It is a process, with deadlines, loopholes, and imperfect matches.

DROP won’t erase your past from the open web. It won’t touch the data you handed directly to companies. It won’t reach brokers outside the registry. Even so, it marks a shift: privacy rights becoming something closer to infrastructure than paperwork.

The most honest way to describe California’s “one-click” tool is this: it doesn’t make your data instantly vanish. It makes the people who profit from it answer, repeatedly, on a schedule, under law.