CalPrivacy unpacks DROP updates on consumer participation, upcoming enforcement

The California Privacy Protection Agency is signaling a transition from implementation to enforcement of the California Delete Act's Delete Request and Opt-Out Platform.

During the CalPrivacy Board's 27 Feb. board meeting, agency staff outlined DROP developments including registrations, expanded audit authority and preparations for enforcement beginning later this year. The platform, which launched 1 Jan., enables California residents to submit a request directing registered data brokers to delete personal information and cease collection and sale of their data.

More than 242,000 Californians have submitted DROP requests to date, with 18,000 data deletion requests within the first 48 hours of its launch. The level of participation far exceeded the agency's expectations.

CalPrivacy Executive Director Tom Kemp noted efforts by policymakers, agency staff and the California Department of Technology helped deliver an "innovative platform that, once again, shows that California is the laboratory of democracy when it comes to consumer protection for the nation."

Enforcement efforts and data broker compliance

The DROP system is just one component of CalPrivacy's broader data broker agenda.

The agency has a dedicated Data Broker Enforcement Strike Force within its enforcement division, tasked with identifying companies operating without required registration under the state's Delete Act. Annual broker registration is due 31 Jan. and nonregistration penalties are USD200 per day. 

In a statement when the unit launched in November 2025, Kemp said, "widespread availability of digital dossiers makes it easier for our personal information to be weaponized against us, and even well-meaning data brokers can be victims of data breaches that leave all of us vulnerable." He added the agency "must do everything we can to reduce these risks, bring transparency, and hold data brokers accountable to their obligations under the CCPA and Delete Act."

Through the agency's efforts, registered data brokers increased from 459 entities in June 2025 to more than 575 in February 2026. "No other state or even past data broker registries here in California have as many registered data brokers," Kemp said during the latest board meeting.

The agency will continue expanding its enforcement capacity with the appointment of its first chief privacy auditor, Sabrina Boyson Ross, who previously served as Meta's privacy and AI policy director. She will oversee the division's work on independent compliance reviews and to identify violations before consumer harms occur.

CalPrivacy also highlighted legislative efforts designed to strengthen investigative authority, including the proposed Whistleblower Protection and Privacy Act, which aims to encourage individuals to share organizations' privacy violations and assist enforcement actions involving data brokers and other regulated entities.

Next steps

Data brokers have until 1 Aug. to integrate DROP obligations that require companies to obtain and process consumer deletion requests submitted through the platform. 

CalPrivacy Chief of IT Artem Andrusov said approximately 85,000 consumers have signed up to receive DROP updates. He noted the ability to communicate updates "will be extremely valuable" as full implementation begins.

After the 1 Aug. deadline, data brokers will be required to access the platform every 45 days to continue processing data deletion requests. CalPrivacy noted it will soon develop a sandbox for data brokers to test their integration of DROP.

To prepare for the deadline, the agency plans to continue ongoing public education and outreach efforts aimed at expanding consumer participation before request processing begins. Outreach campaigns will continue through community events, media engagement and partnerships with other state agencies to increase DROP awareness.

The agency also plans to publish an updated public data broker registry in March, providing data brokers with clarity on DROP expectations to guide implementation.

CalPrivacy Assistant Deputy Director of Public and External Affairs for the Delete Act Marissa Rosemblat said the agency wants to "make sure data brokers have what they need to integrate with DROP, to begin processing hundreds of thousands of requests that are already in, and so there's a lot of work that we'll have to kind of put together to make sure that's a seamless transition, and that work has already begun."

Rosemblat claimed ongoing monitoring of registration activity remains a priority as enforcement teams work to identify companies’ compliance concerns.

"We'll continue to kind of enhance the platform as time goes on, as I think most of us who have worked on platforms like this know the work is never done. There is always more to do to really prepare for continued scale," she said.

CalPrivacy staff will offer another formal DROP update 31 March at the IAPP Global Summit 2026. General Counsel Phillip Laird and Attorney Elizabeth Allen, CIPP/US, will outline how DROP works, including its technical aspects, while covering some of the challenges faced while launching the system.