CPPA advances ‘DROP’ deletion platform to formal rulemaking; consumer access planned for Jan. 1, 2026

The California Privacy Protection Agency on March 7 voted 5‑0 to direct staff to begin formal rulemaking on the Delete Request and Opt‑out Platform, nicknamed DROP, authorizing a 45‑day public comment period and allowing staff to make non‑substantive edits required by the Administrative Procedure Act.

The vote follows an agency presentation on the DROP build, an update that the 2025 data broker registry went live Feb. 24 and public comment from businesses and privacy advocates about fees, registration and compliance burdens. "The 2025 data broker registry is live on the CPPA website," Chair Jennifer Urban said during her opening remarks.

Why it matters: DROP is a statutory, statewide mechanism created by SB 362 to let California residents submit a single verifiable deletion request that is routed to registered data brokers and their service providers. The platform is intended to make it easier for consumers to remove personal information and for the agency to monitor compliance; it will also create new operational obligations for data brokers, including annual registration and reporting, periodic deletion processing and independent audits.

Agency plan and timeline The CPPA said it signed an interagency agreement with the California Department of Technology (CDT) with an effective date of Jan. 1, 2025 and that CDT is constructing the DROP system. Staff said consumers will be able to submit deletion requests beginning Jan. 1, 2026; data brokers will be required to begin processing deletion requests on Aug. 1, 2026. The agency also plans to run consumer testing in the fall and to procure supplemental services such as a ticketing system for support.

System design and operational rules Presenters described several privacy‑protective design choices: the CPPA will minimize the personal information it collects, store identifiers in hashed form, and use a third‑party residency verifier tied to the state digital ID service and login.gov to confirm a requester is a California resident. A consumer dashboard will show the status of deletion requests; draft regulation text sets four response codes that a data broker must report back for each identifier: "record deleted," "record opted out of sale," "record exempted" or "record not found." As Attorney Liz Allen summarized, the law requires that a consumer "instruct[] every data broker" covered to delete personal information related to the consumer and any associated service providers.

Data broker requirements and enforcement The CPPA reported that the 2025 registry update (published Feb. 24) listed 496 registered data brokers at the time of the meeting and noted some firms that registered in 2024 did not reappear this year for reasons such as being out of business or changing operations. Staff said data brokers will select the set of identifiers (email, phone, device IDs, pseudonymous IDs, etc.) they will use to match deletion requests, and they may either pull requests via API or download CSVs every 45 days. Data brokers must maintain suppression lists and will be subject to independent audits; the agency said audit reports will be available to the CPPA on request and will inform enforcement investigations.

Public comments recorded Multiple public commenters urged the agency to reconsider the cost and scope of compliance. A representative identifying himself as Nate for the Alliance to Preserve California's Innovation Economy warned the agency that the "standardized regulatory impact assessment" estimated costs in the billions and potential job losses, and urged alignment with legislative and executive guidance. Tasia Kiefer of the LA County Business Federation (BizFed) said nearly 80% of commenters at an earlier meeting opposed the proposed regulations and asked the agency to pause and collaborate with stakeholders. Zane Witherspoon, a compliance‑service CEO, said he is "a big fan of the CPPA" but reported many data brokers "are just flat out refusing to register because of the high cost of doing so," a dynamic he said would undermine consumer protection goals. Several small business speakers asked the agency to reconsider the registry fee, which staff said increased to $6,600 from prior-year levels of about $400.

Unresolved implementation issues Board members asked about technical and operational questions still to be resolved: how hashing and pseudonymous identifiers will be matched in practice; how reassigned phone numbers will be handled; whether suppression lists are effectively used; and how the CPPA will fund and run public education so consumers know how to use DROP. Staff said the agency is building flexibility into the regulations (allowing API or manual CSV workflows), will require multifactor control for listed phone numbers and email addresses, and intends to use registration fees and existing resources to support outreach while noting budget tradeoffs.

Formal rulemaking and next steps The board authorized staff to start formal rulemaking and a 45‑day public comment period, with the agency publishing a notice of proposed rulemaking, a public hearing, and outreach to registrants and stakeholders. Staff emphasized the regulations may be revised during the rulemaking process to match the evolving system build and implementation experience. The motion to begin formal rulemaking passed by roll call vote, with Board Members Liebert, McTaggart, Nonnicki and Worth and Chair Jennifer Urban recorded as voting "aye."

The CPPA said further public hearings and materials will be provided on its website and that the board expects additional updates as testing and stakeholder feedback inform refinement of both the system and the draft regulations.