California's DROP portal goes live August 1 — what it means for data brokers and for the people on their lists
the California Privacy Protection Agency's DROP portal — Delete Request Opt-Out Platform — launches August 1, 2026. the mechanism: send a single deletion request that reaches over 500 registered data brokers, with a 90-day deletion deadline that's enforceable under SB 362 (the Delete Act).
that's a meaningful escalation from the previous state, where individual deletion requests had to be submitted broker by broker, often through obscure web forms with inconsistent response times and no enforcement mechanism.
DROP doesn't replace individual broker requests — it supplements them. but the 90-day compliance window with enforcement backing changes the calculus for brokers significantly.
what "90 days to delete" actually means for brokers
before the Delete Act, a data broker that ignored a deletion request faced minimal practical risk. the enforcement mechanism was weak, the consumer had limited visibility into whether deletion happened, and the cost of non-compliance was low.
after August 1, that changes. DROP creates a centralized record of the deletion request and the timestamp it was submitted. 90 days later, if the data hasn't been deleted, the broker has a documented compliance failure — not just a dissatisfied consumer with no recourse.
the "over 500 registered data brokers" number is important context. SB 362 required brokers to register with the CPPA as a condition of operating in California. the registration created a list. DROP is now built on that list. every registered broker is reachable from a single submission, and every registered broker is on the hook for the 90-day timeline.
who actually needs to act before August 1
the DROP portal matters most for three categories of people:
people who are actively trying to limit their digital footprint — executives, public figures, people going through security-sensitive personal situations (domestic disputes, stalking situations, relocation). data brokers aggregate addresses, phone numbers, family members, employer history. DROP is the fastest path to removing that data from the 500+ registered broker databases simultaneously.
businesses with employees in high-visibility roles — companies with executives or public-facing staff who might be targets of social engineering or physical threats. the same data that makes phishing attacks effective lives on broker sites. a systematic removal campaign before August 1 takes advantage of the enforcement window.
anyone who's already submitted individual broker deletion requests and found them ignored — the enforcement mechanism is now real. DROP submissions create a compliance record. if a broker ignored your individual request before, submitting through DROP creates a documented case for enforcement action.
what happens after the 90-day window
the Delete Act's deletion requirement isn't one-time. data brokers continuously acquire new data from public records, purchase transactions, and third-party data sources. data that's deleted in September 2026 may reappear by early 2027 as brokers refresh their databases from new sources.
continuous monitoring is the part DROP doesn't handle — it handles the initial deletion request, not the ongoing re-accumulation problem. that's the gap where ongoing data removal services provide value: monthly re-scans, new broker monitoring, and deletion requests for re-appearing data.
BizSuite's Data Removal service covers 48 brokers across 5 tiers, with California Delete Act (SB 362) built-in and continuous monitoring for re-appearing data. $497 + $49/month. the August 1 DROP launch is the right moment to address both the initial deletion (which DROP helps with) and the ongoing monitoring (which DROP doesn't).
for most people the answer isn't "use DROP or use a service" — it's both. DROP handles the registered brokers. a monitoring service handles the re-accumulation and the brokers that are outside the registration list.