Ever since California's DELETE Act was signed into law two years ago, attention quickly shifted to how the California Privacy Protection Agency would develop its one-stop-shop platform for consumers to request deletion of their personal information held by data brokers.
During a breakout session at the IAPP's Privacy. Security. Risk. 2025 conference in San Diego, several CalPrivacy staff members showcased how the new Delete Request and Opt-out Platform, or DROP system, will work. During the conference several industry stakeholders shared their reactions to the DROP system demonstration, as well as their thoughts on automated deletion requirements more broadly.
In a keynote conversation with CalPrivacy Executive Director Tom Kemp and IAPP Director of Research and Insights Joe Jones, Kemp said that the agency is "laser focused" on activating the DROP system in time for its projected launch 1 Jan. 2026., as well as conducting a wide-scale public education campaign so state residents can better understand how to exercise their privacy rights.
"The DROP system is really going to be a game-changer, we're going to significantly evangelize Californians to use the DROP system," Kemp said. “We're going to very aggressive in terms of educating Californians on what tips and metrics they should use to enable privacy."
CalPrivacy unveils DROP system
CalPrivacy staff members shared slides featuring screenshots of how the agency's DROP system will function for both consumers and data brokers once it goes live at the beginning of next year.
"The DROP system is a two-sided platform. Consumers are putting in a minimal amount of personal information to create a consumer profile," CalPrivacy Attorney Elizabeth Allen, CIPP/US, said during the presentation. "Consumers are creating a delete request. The data brokers will verify the request, pull a list of (existing) requests, action the request and report back the status."
The DELETE Act required CalPrivacy to develop the DROP system. The law also requires data brokers to register with the agency or be subject to fines. However, the law carries some exemptions for the registration requirement, such as businesses performing activities protected under the U.S. Fair Credit Reporting Act and the exchange of patients' information by covered entities under the Health Insurance Portability and Accountability Act.
The current annual registration fee for data brokers is USD6,000 under the law. CalPrivacy General Counsel Phillip Laird said the DELETE Act carries fines of USD200 per day, for failure to register by in-scope data brokers beginning 31 Jan. 2026.
"What might have been a calculated risk for businesses to not register is going to become a massive liability for businesses that are not registering and not deleting consumer requests," Laird said.
Allen said if 100,000 consumers lodged deletion requests and a data broker did not take action on them for a full year, the failure to register fines alone would exceed USD7.3 billion.
Laird then walked the audience through how consumers will be able to use the DROP system, as well as how registered data brokers will fulfill their obligations using the platform.
He said a consumer using the DROP system will follow a three-stop process. The first is verifying their state residency either using the Login.gov verification service from the federal government or through the California Identity Gateway, which is hosted by the state Department of Technology and contracts a third-party verification service. Allen then clarified that the law allows for an authorized agent to file another party's deletion request, noting that the authorized agent must have the relevant verification information for the data subject.
Laird said once verified, consumers will make their profile within the DROP system. There, he said they can select the type of information they would like deleted by brokers in their request, such as names, nicknames and maidan names; emails and phone numbers, and "pseudonymous identifiers," like mobile advertising IDs, connected televisions IDs and VIN numbers for their cars. He said the final step is to formally submit the request within the system and they are given a DROP ID number they can use to reference their request.
Laird said the deletion requests remains active and consumers can re-enter the portal and add additional identifiers to the initial request or remove them if they so choose.
"Consumers don't have to add all elements in order to submit a request, because we understand not every consumer is going to readily know, or have available or even want to seek out their (mobile advertising ID), but it will be an option for them," Laird said. "The more (information) a consumer puts into the system, the more than 500-plus data brokers may have further matches."
For registered data brokers, Allen said they will be required to make a profile in the DROP system, pay their registration fee and issue their annual report if they conducted data brokerage activities in the year prior. She said upon creating their profile they must select they types of consumers' identifiers they collect data from.
Beginning 1 Aug., per the DELETE Act, data brokers will be required to either manually download a list of updated deletion requests via the DROP system every 45 days, or integrate their API with the DROP system, according to Allen. She said the DROP system will store all consumers' personal information as hashed data and it will be incumbent on the data broker to match their hashed data values
For brokers integrating their API with the DROP system, Allen said CalPrivacy staff will be developing an API sandbox for the system in the spring and data brokers will be given an API key and information to support organizational engineering teams for downloading the deletion lists.
"(The data broker's) obligation is to take the emails in your system, hash them and then match the hashes (in the deletion requests)," Allen said. "If there's a match, and that person is a found record, you must delete all non-exempt personal information, including inferences about that consumer and then report back to the agency."
Stakeholders distinguish DELETE Act requirements from other state deletion frameworks
In another breakout session industry stakeholders representing the advertising technology industry and consumer advocates discussed the implications of the DELETE Act and other similar regulations.
IAP Senior Director of Product, Privacy and Data Rowena Lam walked audience members through the process of carrying out a deletion request under several state frameworks. Once a consumer's request is verified, the first party holding the data must determine, which third-party partners it must forward to request to, she said.
"There are requirements to pass the deletion request on to your service providers, processors and other third parties with whom you may have shared that consumer’s information with," Lam said during her presentation. "You have to figure out who those partners are that you need to onward pass the deletion request to. Now as a recipient of this request, if you're a vendor or processor, you will also need to fulfill your portion of the deletion request on your side, and you might also then need to further pass on that deletion request to another vendor you work with."
Sourcepoint General Counsel and Chief Privacy Officer Julie Rubash, CIPP/US, said for organizations that are not subject to California's DELETE Act, but instead subject to more standard deletion frameworks in states including Colorado, Connecticut, Florida and Texas, that it is important to draw a distinction between complying with the DELETE Act and the other, more generic state frameworks.
"They solve separate problems and thinking of them as overlapping is perhaps not the correct way to go about it," Rubash said. "There are the deletion requirements under comprehensive state privacy laws that are a completely separate process of deleting under the DELETE Act and (CalPrivacy's) DROP system only addresses the DELETE Act side of the equation. (The law) doesn't do anything with respect to first party data."
Alex LaCasse is a staff writer for the IAPP.
