California’s DROP Tool Went Live on Jan. 1, 2026—But Data Brokers Don’t Have to Delete Anything Until Aug. 1 (So What Exactly Did You ‘Opt Out’ Of?)
DROP isn’t an instant delete button. From January to August 2026, you’re filing a verified, state-mediated standing request that won’t be processed until brokers are legally required to start acting.
By TheMurrow Editorial
March 1, 2026
Key Points
- 1Understand the gap: DROP accepts requests Jan. 1, 2026, but brokers don’t have to start processing them until Aug. 1, 2026.
- 2Treat early use as filing: you create a profile, supply identifiers for matching, and receive a DROP ID—nothing is deleted yet.
- 3Know the limits: DROP targets 500+ registered California data brokers, not first-party accounts, unregistered brokers, or the entire internet.
On January 1, 2026, California flipped on a new switch for privacy-conscious residents: a state-run website where you can tell data brokers to delete your personal information and stop selling it. The platform has a crisp name—DROP, for Delete Request and Opt-out Platform—and an even crisper promise: one request, sent to hundreds of brokers at once.
Then comes the detail that makes readers squint. Under California’s own timeline, data brokers don’t have to begin processing those DROP requests until August 1, 2026. CalPrivacy, the state agency running the site, is explicit: August is the “processing” start date, and status won’t change until then.
So what, exactly, did you “opt out” of on January 1?
The honest answer is more interesting than the marketing-friendly one. Early DROP use isn’t a real-time marketplace shutoff. It’s a government-run queuing system that turns your intent—delete me, don’t sell me—into a verified, state-mediated “standing request” that becomes operational when the law requires brokers to start their recurring sweeps.
“January 1 is when Californians can file the request. August 1 is when brokers must start acting on it.”
— — TheMurrow Editorial
What DROP actually does on day one (and why that still matters)
DROP is operated by the California Privacy Protection Agency (CalPrivacy) under the California Delete Act (SB 362, 2023). CalPrivacy describes the platform as a way to submit a single request to every registered data broker in California—more than 500 of them—without forcing consumers to find and contact each broker individually.
That “registered” qualifier is doing a lot of work. DROP is designed to route requests through a state-managed system to brokers on California’s registry. If a broker isn’t registered, DROP can’t deliver a legally structured request through the registry channel.
From January 1 to August 1, CalPrivacy’s own documentation suggests three practical functions for early users:
That “registered” qualifier is doing a lot of work. DROP is designed to route requests through a state-managed system to brokers on California’s registry. If a broker isn’t registered, DROP can’t deliver a legally structured request through the registry channel.
From January 1 to August 1, CalPrivacy’s own documentation suggests three practical functions for early users:
From Jan. 1 to Aug. 1, what early DROP use does in practice
- ✓Creating and storing a profile plus identifiers (name, date of birth, emails, phone numbers, advertising IDs, and other match data) that brokers can later use to find your record(s).
- ✓Generating a DROP ID, so you can track your request.
- ✓Establishing a standing request that will be transmitted to registered brokers and processed when legally required cycles begin.
CalPrivacy warns that the status won’t change until processing begins in August 2026. That’s not bureaucratic foot-dragging so much as it is how the program is designed: the platform can accept, verify, and stage requests ahead of the compliance date.
“DROP isn’t a privacy ‘off switch.’ It’s a state-run batching system that turns a consumer request into a legally scheduled process.”
— — TheMurrow Editorial
A practical way to think about it: “filed” vs. “fulfilled”
The gap between January and August is where consumers can feel misled if they expected instant deletion. The better framing is legal and logistical:
- Filed: You’ve created a verified request inside a state-operated platform, with identifiers that will later be used for matching.
- Fulfilled: Brokers begin processing in August 2026, and then continue on recurring cycles.
If you’re the kind of reader who cares about leverage, that “filed” status still matters. A request lodged early sits at the front of the line when processing begins.
- Filed: You’ve created a verified request inside a state-operated platform, with identifiers that will later be used for matching.
- Fulfilled: Brokers begin processing in August 2026, and then continue on recurring cycles.
If you’re the kind of reader who cares about leverage, that “filed” status still matters. A request lodged early sits at the front of the line when processing begins.
The dates that define the entire debate
If DROP feels simultaneously powerful and underwhelming, look at the calendar.
California’s Delete Act—SB 362—was approved October 10, 2023, according to the state’s legislative record. The statute required CalPrivacy to establish an accessible deletion mechanism by January 1, 2026. CalPrivacy met that deadline by launching DROP for consumers at the start of 2026.
The broker-side obligation comes later. CalPrivacy has publicly set August 1, 2026 as the start date when data brokers must begin processing DROP requests, then continue doing so in recurring cycles.
Here are the four numbers that matter most, with context:
California’s Delete Act—SB 362—was approved October 10, 2023, according to the state’s legislative record. The statute required CalPrivacy to establish an accessible deletion mechanism by January 1, 2026. CalPrivacy met that deadline by launching DROP for consumers at the start of 2026.
The broker-side obligation comes later. CalPrivacy has publicly set August 1, 2026 as the start date when data brokers must begin processing DROP requests, then continue doing so in recurring cycles.
Here are the four numbers that matter most, with context:
The four numbers that matter
- ✓October 10, 2023: SB 362 is approved (the legal foundation for DROP).
- ✓January 1, 2026: DROP goes live for consumers (request intake and identity/identifier setup begins).
- ✓August 1, 2026: brokers must start processing DROP requests (the compliance “processing” start date).
- ✓500+ registered brokers: the scale of the broker ecosystem DROP aims to reach in one move.
The early-months confusion is not a footnote. It’s the core question: if a consumer can opt out on January 1, but a broker must begin processing on August 1, then the “opt out” is best understood as a state-mediated instruction queued for later execution.
Why regulators might prefer a delayed processing start
A program built to send deletion and opt-out requests to hundreds of companies invites operational risk: mismatched identities, incomplete records, and uneven handling. A defined processing start date creates a synchronized point when brokers must be ready, and when the agency can monitor compliance in a more structured way.
That’s a charitable reading, but it’s also a realistic one. Consumer privacy systems fail most often at the seams—identity matching and enforcement—not at the headline promise.
That’s a charitable reading, but it’s also a realistic one. Consumer privacy systems fail most often at the seams—identity matching and enforcement—not at the headline promise.
August 1, 2026
CalPrivacy’s stated “processing” start date—when brokers must begin acting on DROP requests and status can start changing.
What DROP is—and what it is not
CalPrivacy’s public-facing description is simple: DROP helps Californians tell data brokers to delete personal information and stop selling it. The platform is free and state-run, built with the California Department of Technology involved in delivery and identity verification.
That’s the “is.” The “is not” matters just as much, especially for readers who want to know what this does not clean up.
That’s the “is.” The “is not” matters just as much, especially for readers who want to know what this does not clean up.
DROP targets brokers, not your everyday first-party relationships
CalPrivacy draws a bright line between broker-held data and data given directly to a business (first-party data). If you bought something from a retailer, signed up for a newsletter, or hold an account with a service, DROP is not a magic eraser for that first-party relationship.
A consumer can feel this in ordinary life: a deletion request to a broker might reduce spammy outreach and background profiling, yet it won’t delete your purchase history from the store you bought from.
A consumer can feel this in ordinary life: a deletion request to a broker might reduce spammy outreach and background profiling, yet it won’t delete your purchase history from the store you bought from.
DROP coverage is limited to registered brokers
Press coverage has emphasized that DROP is limited to the brokers in California’s registry. Brokers outside the registry—unregistered, out-of-state, or offshore—are outside the program’s direct reach.
That limitation isn’t a flaw unique to DROP; it’s a boundary condition of law. California can regulate businesses under its jurisdiction and registration regime. It cannot unilaterally force compliance from every entity worldwide that traffics in data.
That limitation isn’t a flaw unique to DROP; it’s a boundary condition of law. California can regulate businesses under its jurisdiction and registration regime. It cannot unilaterally force compliance from every entity worldwide that traffics in data.
Deletion is not absolute
CalPrivacy also notes that some categories of information can be exempt or outside the Delete Act mechanism. Readers should expect a familiar reality: privacy rights often come with exceptions and carve-outs, particularly where other laws require retention or where a particular data category falls outside the program’s scope.
“DROP can be sweeping without being universal. It aims at registered brokers, not the entire internet.”
— — TheMurrow Editorial
The mechanics: how one request can reach 500+ brokers
The central promise of DROP is administrative: instead of a consumer contacting hundreds of brokers one by one, the state offers a single platform that delivers requests to every registered data broker.
CalPrivacy’s “how DROP works” materials describe the creation of a consumer profile using identifiers—name, date of birth, emails, phone numbers, advertising IDs, and similar details. Those identifiers are the connective tissue that makes deletion plausible at scale. Data brokers often hold partial records: a phone number here, an old email there, a device identifier somewhere else.
Matching becomes the real work.
CalPrivacy’s “how DROP works” materials describe the creation of a consumer profile using identifiers—name, date of birth, emails, phone numbers, advertising IDs, and similar details. Those identifiers are the connective tissue that makes deletion plausible at scale. Data brokers often hold partial records: a phone number here, an old email there, a device identifier somewhere else.
Matching becomes the real work.
Why matching is both necessary and messy
At a technical level, deletion and “do not sell” instructions require a broker to find the consumer in its systems. If a broker can’t match the request to a record, nothing happens—because the broker does not know what to delete.
That’s why DROP asks for multiple identifiers. One email might be enough for one broker, while another broker might need a phone number or date of birth to distinguish you from someone with a similar name.
The uncomfortable truth is that privacy protection often requires revealing enough information to be recognized. DROP tries to manage that tension by mediating the request through a state platform and standardizing the process.
That’s why DROP asks for multiple identifiers. One email might be enough for one broker, while another broker might need a phone number or date of birth to distinguish you from someone with a similar name.
The uncomfortable truth is that privacy protection often requires revealing enough information to be recognized. DROP tries to manage that tension by mediating the request through a state platform and standardizing the process.
Status tracking: what your DROP ID really signals
CalPrivacy says consumers receive a DROP ID and can monitor status, while also noting the status won’t change until processing begins in August 2026. The ID is not proof that brokers have deleted anything before then. It’s proof that your request exists in the system, linked to the identifiers you provided.
For many consumers, that’s still valuable. It turns privacy rights from a scavenger hunt into a documented action.
For many consumers, that’s still valuable. It turns privacy rights from a scavenger hunt into a documented action.
500+
The number of registered California data brokers CalPrivacy says DROP can reach with a single request.
The real-world impact: what changes, and what doesn’t
The Delete Act was sold as harm reduction. CalPrivacy’s public materials connect the broker ecosystem to risks such as spam/scams, identity theft/fraud, and other misuse of personal information. The logic is straightforward: less circulating data means fewer opportunities for misuse.
But readers deserve a clear-eyed view of what DROP can realistically change.
But readers deserve a clear-eyed view of what DROP can realistically change.
Where you might notice a difference
DROP is aimed at the broker layer—the shadow distribution system that can amplify exposure. Over time, if brokers honor deletion and “do not sell” requests, consumers could see:
- Less broker-sourced outreach that feels oddly personalized.
- Reduced risk from brokers that package identity details for downstream buyers.
- Less passive profiling that follows you across contexts.
Those are “could” statements because the effect depends on compliance, matching accuracy, and how much of your data was in broker systems to begin with.
- Less broker-sourced outreach that feels oddly personalized.
- Reduced risk from brokers that package identity details for downstream buyers.
- Less passive profiling that follows you across contexts.
Those are “could” statements because the effect depends on compliance, matching accuracy, and how much of your data was in broker systems to begin with.
Where you should not expect miracles
DROP won’t stop every spam message. Many scams do not depend on California-registered brokers; criminals buy, steal, or scrape data from countless sources. DROP also does not reach first-party systems where you have an account or a transaction history.
A realistic expectation is narrower: DROP can reduce exposure in the portion of the market California can regulate—especially among registered brokers—while leaving other channels untouched.
A realistic expectation is narrower: DROP can reduce exposure in the portion of the market California can regulate—especially among registered brokers—while leaving other channels untouched.
A simple case study: the “many identities” problem
Consider a common modern biography: two phone numbers over a decade, three primary emails, and a handful of devices. One broker might know you as an old Gmail address. Another might know you by a phone number you no longer use. Another might link you mainly through a mobile advertising ID.
DROP’s design—collecting multiple identifiers—acknowledges this reality. The platform is built for the fact that you are not one data point. You’re a constellation.
DROP’s design—collecting multiple identifiers—acknowledges this reality. The platform is built for the fact that you are not one data point. You’re a constellation.
January 1, 2026
The consumer-facing launch date: DROP begins accepting and staging requests (but not triggering broker processing yet).
The controversy: consumers want immediacy; regulators build cycles
A delayed processing start date invites criticism. If a state launches an “opt-out” tool in January but brokers don’t have to act until August, some consumers will call that gap a bait-and-switch.
The better criticism is more precise: the public-facing language can make DROP sound like an instant command, while the legal obligation to “begin processing” is keyed to a later date. CalPrivacy’s own materials do disclose the timeline, but disclosures and impressions are not the same thing.
The better criticism is more precise: the public-facing language can make DROP sound like an instant command, while the legal obligation to “begin processing” is keyed to a later date. CalPrivacy’s own materials do disclose the timeline, but disclosures and impressions are not the same thing.
The regulator’s perspective: standardization and oversight
From CalPrivacy’s perspective, DROP is a centralized mechanism with standardized intake, identity verification support, and a recurring processing schedule. The agency has positioned DROP as a public service to simplify the exercise of rights.
If the system works, it changes the power dynamic. A single consumer request becomes a broadcast instruction to hundreds of companies, mediated by the state and tied to a compliance regime.
If the system works, it changes the power dynamic. A single consumer request becomes a broadcast instruction to hundreds of companies, mediated by the state and tied to a compliance regime.
The consumer’s perspective: “Why can’t they delete now?”
That question is reasonable. Many services process opt-outs quickly when they choose to. Yet the Delete Act sets a defined compliance start for processing via DROP, and the agency has publicly anchored that start at August 1, 2026.
The result is a rare thing in privacy policy: an official tool whose launch date and operational impact date do not fully align.
The result is a rare thing in privacy policy: an official tool whose launch date and operational impact date do not fully align.
What a skeptical reader can do with this knowledge
Treat DROP as an early filing opportunity rather than a real-time fix. If you’re motivated, submitting on January 1 positions you ahead of the processing start. If you’re cautious, you might prefer to wait until closer to August 2026, when status changes and broker processing begins.
Both are rational choices, depending on your comfort with creating a profile and providing identifiers now versus later.
Both are rational choices, depending on your comfort with creating a profile and providing identifiers now versus later.
Key Insight
The practical meaning of “opting out” on Jan. 1 is filing a verified request; the practical meaning on Aug. 1 is brokers begin fulfilling it.
Practical takeaways: how to use DROP without fooling yourself
DROP is not a reason to relax about privacy, but it is a meaningful new lever—especially because it’s free, state-run, and designed to reach 500+ registered brokers with a single request.
Here’s the pragmatic playbook based on CalPrivacy’s own descriptions of how DROP works and when processing begins:
Here’s the pragmatic playbook based on CalPrivacy’s own descriptions of how DROP works and when processing begins:
A pragmatic playbook for using DROP
- 1.Decide whether “early filing” helps you
- 2.Provide identifiers you actually control and remember
- 3.Keep your DROP ID and monitor later
- 4.Don’t confuse broker deletion with account deletion
- 5.Remember the coverage limits
1) Decide whether “early filing” helps you
If you want your request in the first wave of legally required processing, filing early makes sense. Your request will function as a standing instruction queued for August 2026 cycles.
If you’re uncomfortable providing identifiers months in advance, waiting is defensible—just don’t confuse waiting with opting out.
If you’re uncomfortable providing identifiers months in advance, waiting is defensible—just don’t confuse waiting with opting out.
2) Provide identifiers you actually control and remember
DROP’s matching depends on the identifiers you supply. If you use an email address you rarely check or a phone number you no longer control, you may be undermining your own request.
A careful approach is to include:
- Current emails and phone numbers
- Older emails/phone numbers you still associate with past accounts (if you can confirm them)
- Relevant advertising IDs if you understand them and can access them
A careful approach is to include:
- Current emails and phone numbers
- Older emails/phone numbers you still associate with past accounts (if you can confirm them)
- Relevant advertising IDs if you understand them and can access them
3) Keep your DROP ID and monitor later
CalPrivacy says you will receive a DROP ID and can monitor status, but it also says status won’t change until August 2026. Keep that ID like a receipt. The value of a centralized system is documentation.
4) Don’t confuse broker deletion with account deletion
If a company knows you because you are its customer, DROP doesn’t erase that. Separate your “broker hygiene” from your “account hygiene.” They are different problems with different tools.
5) Remember the coverage limits
DROP targets registered California brokers. It won’t sweep the entire world of data intermediaries. Treat it as one strong step—not the whole staircase.
Expert attribution (CalPrivacy)
CalPrivacy describes DROP as a platform that lets consumers submit a single deletion and opt-out request to registered data brokers, while noting that brokers’ obligation to begin processing DROP requests starts August 1, 2026, and that request status will not change until processing begins. (CalPrivacy, DROP site and December 2025 explainer)
What DROP signals about the future of privacy rights
Most privacy rights fail in practice because they are burdensome. A right that requires you to hunt down hundreds of companies is, for many people, a right in name only. DROP is an attempt to solve that usability problem through state infrastructure.
Even with its limits, DROP represents a new approach: a government-run platform that operationalizes deletion and opt-out requests at scale. If it works, other jurisdictions may study the model.
The unresolved question is credibility. Programs like this live or die on follow-through—on whether consumers see meaningful status updates after August 1, 2026, and whether brokers treat the requests as mandatory rather than optional.
January 1, 2026 is the date Californians gained a centralized place to say “stop.” August 1, 2026 is the date the broker ecosystem must begin acting like it heard them.
Even with its limits, DROP represents a new approach: a government-run platform that operationalizes deletion and opt-out requests at scale. If it works, other jurisdictions may study the model.
The unresolved question is credibility. Programs like this live or die on follow-through—on whether consumers see meaningful status updates after August 1, 2026, and whether brokers treat the requests as mandatory rather than optional.
January 1, 2026 is the date Californians gained a centralized place to say “stop.” August 1, 2026 is the date the broker ecosystem must begin acting like it heard them.
T
About the Author
TheMurrow Editorial is a writer for TheMurrow covering explainers.
Frequently Asked Questions
If I used DROP on January 1, 2026, what did I actually do?
You filed a verified request in a state-operated system. CalPrivacy describes early submissions as standing requests that will be transmitted to registered data brokers and processed when legally required processing begins. You also created a profile with identifiers brokers can later use to match your records, and you received a DROP ID to monitor status.
When do data brokers have to start deleting my data through DROP?
CalPrivacy has set August 1, 2026 as the “processing” start date: the point when data brokers must begin processing DROP requests, then continue in recurring cycles. CalPrivacy also notes request status won’t change until processing begins, so consumers shouldn’t expect visible progress before that date.
Does DROP delete information from companies I buy from or have accounts with?
Not by itself. CalPrivacy distinguishes data held by brokers from first-party data you gave directly to a business. DROP is designed to reach registered data brokers, not automatically delete your information from retailers, banks, employers, healthcare portals, or other services you directly use.
How many companies does DROP reach?
CalPrivacy has said DROP sends a single request to more than 500 registered data brokers in California. That scale is the platform’s central advantage: you don’t have to contact each broker individually—at least for brokers on the registry.
Will DROP remove me from every data broker on the internet?
No. DROP is limited to registered California data brokers. Unregistered brokers, out-of-state entities not covered by the registry, and offshore operations are outside the platform’s direct reach. DROP can still reduce exposure in the regulated broker ecosystem, but it is not a universal purge.
Why does DROP ask for so many identifiers?
Because brokers match people using different pieces of information. One broker may identify you by email, another by phone number, another by an advertising ID. CalPrivacy describes the platform as collecting identifiers (such as name, date of birth, emails, phones, and advertising IDs) so brokers can later locate and process your deletion/opt-out request accurately.
