California’s New “One-Click Delete” Tool Could Reshape Privacy
Imagine wiping your personal information from hundreds of data brokers with one action. No endless opt-outs. No searching for hidden links. No guessing who has your data.
Beginning January 1, 2026, California’s Delete Request and Opt-Out Platform (DROP) will make that possible. A single verified request will require every registered data broker to delete a resident’s personal information.
For consumers, this creates an unprecedented level of control. For data brokers, it marks a sweeping—and urgent—compliance shift backed by serious penalties. Under the Delete Act, ignoring deletion requests can trigger penalties of $200 per consumer per day, meaning even brief noncompliance could explode into billions of dollars.
DROP serves as the California Privacy Protection Agency’s (CPPA’s) centralized system for deletion requests and broker registration. It functions like a modern, far-reaching successor to the Do Not Call Registry, but aimed at companies that collect and sell personal data without any direct relationship to the individuals behind it.
Consumers will verify their identity through login.gov or the state’s Identity Gateway, provide basic details, and select which identifiers to remove. They can choose names, emails, phone numbers, and certain device-level identifiers. After submitting a request, they receive a DROP ID to monitor whether brokers deleted their data, opted them out, or found no record.
The consumer-facing experience is intentionally simple. Behind the scenes, the work for data brokers is anything but.
Brokers must routinely download hashed deletion lists from DROP, then reformat and hash their own datasets to match the CPPA’s technical requirements. Many companies expect this will require rebuilding internal databases or restructuring how identifiers are stored.
Once a match is found, brokers must delete all associated personal information and any profiling inferences derived from it. They must also add the individual to a suppression list to prevent reacquisition of the data and report the result to DROP within 45 days.
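The match, delete, suppress, and report cycle described above, sketched as an added example (not CPPA or broker code). The article does not give the CPPA's hashing or formatting rules, so the SHA-256 scheme, the normalization steps, the status labels, and all function names here are assumptions.

```python
import hashlib
from datetime import date, timedelta

REPORT_WINDOW = timedelta(days=45)  # reporting deadline stated in the article

def normalize(kind, value):
    # Assumed rules: trim and lowercase; phone numbers reduced to digits only.
    value = value.strip().lower()
    return "".join(c for c in value if c.isdigit()) if kind == "phone" else value

def hash_identifier(kind, value):
    # Assumed scheme: SHA-256 over "<kind>:<normalized value>".
    return hashlib.sha256(f"{kind}:{normalize(kind, value)}".encode()).hexdigest()

def process_deletion_list(records, inferences, suppression, deletion_hashes, downloaded):
    """Delete matching records and their inferences, suppress, build the report."""
    status = {h: "no_record" for h in deletion_hashes}
    for rid in list(records):
        hits = {hash_identifier(k, v) for k, v in records[rid].items()} & deletion_hashes
        if hits:
            del records[rid]            # all associated personal information
            inferences.pop(rid, None)   # profiling inferences derived from it
            suppression.update(hits)    # store only hashes, never raw identifiers
            status.update(dict.fromkeys(hits, "deleted"))
    return {"report_by": downloaded + REPORT_WINDOW, "status": status}

def ingest(records, suppression, rid, identifiers):
    """Refuse to reacquire data for anyone on the suppression list."""
    if any(hash_identifier(k, v) in suppression for k, v in identifiers.items()):
        return False
    records[rid] = identifiers
    return True

def demo():
    # Constructed sample data and download date, not real DROP output.
    records = {1: {"email": " Alice@Example.com ", "phone": "(555) 010-0000"},
               2: {"email": "bob@example.com"}}
    inferences = {1: ["likely homeowner"], 2: ["sports fan"]}
    suppression = set()
    wanted = {hash_identifier("email", "alice@example.com"),
              hash_identifier("email", "carol@example.com")}
    report = process_deletion_list(records, inferences, suppression, wanted, date(2026, 3, 1))
    readded = ingest(records, suppression, 3, {"email": "ALICE@example.com"})
    return records, inferences, report, readded

if __name__ == "__main__":
    print(demo())
```

The match only succeeds because both sides normalize identifiers the same way before hashing, which is why brokers may need to restructure how identifiers are stored.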
Even after the initial matching and deletion, the obligations continue. Brokers will need to revisit DROP multiple times each year, follow expanded disclosure rules, and prepare for mandatory audits starting in 2028. These audits will verify that deletions actually occurred and that suppression lists are functioning correctly.
Taken together, DROP represents a major reset in California’s approach to consumer data. It gives individuals a powerful, centralized deletion tool while imposing substantial new technical and operational responsibilities on the companies that trade in their information. As the 2026 launch approaches, DROP is set to become one of the most closely watched developments in U.S. privacy law.