CalPrivacy's DROP platform: A legal and engineering roadmap for DROP compliance

California continues to be on the forefront of data privacy in the U.S., with its upcoming Data Broker Requests and Opt-out Platform (DROP) launching January 1, 2026. Part of the Delete Act, DROP will bring profound new operational challenges to businesses while simultaneously making it easier than ever for individuals to exercise their data rights.

Passed in late 2023, California’s Delete Act imposed new regulatory requirements on data brokers, including:

• The need to register with the state’s privacy agency
• Transparency with consumers about what types of data they collect and how that data is used
• Metrics on consumer privacy request fulfillment
• Regular compliance audits

The DROP platform is the latest addition to the Delete Act and will likely be one of the main data privacy drivers of 2026.

DROP explained

The Data Broker Requests and Opt-Out Platform is a centralized system developed and enforced by the California Privacy Protection Agency (recently rebranded as CalPrivacy).

DROP will enable California consumers to submit a single request to all registered data brokers to delete their personal information and opt out of the sale or sharing of that information. CalPrivacy designed the platform to simplify the process for consumers to exercise their privacy rights at scale.

The platform goes live to the public on January 1, 2026, when consumers can begin submitting requests. For data brokers, the deadline to begin processing requests submitted through DROP is August 1, 2026.

How DROP affects consumers

DROP significantly broadens consumer control over their personal information by streamlining the deletion request process.

Where previously an individual would need to send requests to dozens if not hundreds of companies, they can now authenticate their identity once within the platform to send out deletion and opt-out requests to all registered data brokers. This allows individuals to practice their data rights quickly and easily, marking a significant step forward for the consumer-friendliness of data privacy within the U.S.

A DROP request acts as both a deletion and an opt-out, so even if a data broker cannot verify the deletion request, they must treat the request as a Do Not Sell or Share opt-out.

Consumers receive a DROP ID to check the status of their requests and see the final result from each data broker (e.g., Deleted, Opted Out, Exempted, or Record Not Found).

Compliance scope: are you a data broker under the Delete Act?

Compliance with the Delete Act and mandatory participation in DROP is required for any business that qualifies as a data broker under California law.

A data broker is defined as “a business that knowingly collects and sells third-party consumers' personal information without having a direct relationship with them.”

As of January 2025, nearly 500 companies had registered as a data broker with CalPrivacy, with that number expected to grow over the years.

While data brokers will be directly responsible for checking and processing all consumer requests coming through the DROP system, the new platform will have a wider impact on business as well.

Data brokers will need to disseminate requests to their third-party systems, meaning a wide range of companies–particularly B2C–are in line to see a significant increase in the number of user privacy requests they receive throughout 2026 and beyond.

Compliance roadmap: Must-know legal deadlines and operational details

Data brokers must prepare their systems for two main obligations: annual registration and processing DROP requests.

1. Annual Registration

• Register with CalPrivacy every January.
• Pay fees and disclose the categories of identifiers they collect.

2. Processing DROP Requests

Data brokers must create a DROP account and be prepared to process requests starting August 1, 2026, giving them 7 months to prepare after the platform begins accepting consumer requests on January 1, 2026.

To help facilitate the work, CalPrivacy will be making a DROP API accessible sometime in spring. Otherwise, data brokers will need to manually download requests. From there, they must:

• Sign into DROP and retrieve request lists at least once every 45 days.
• Process requests by matching identifiers to data subjects, deleting data from matches and opting them out of data selling and sharing. If a request cannot be verified, the data broker must opt the user out of data selling and sharing regardless.
• Direct third-parties to also delete user data and opt those users out of data selling and sharing
• Report back to CalPrivacy on the completion of requests within 90 days of retrieval (or within 45 days under the initial timeline). Outcomes are categorized as: Deleted, Opted Out, Exempted, or Record Not Found.

Failure to process deletion requests starting August 1, 2026, may incur financial penalties of $200 per request per day (stacked on top of a potential $200 per day fine for failing to register as a data broker). Since the Delete Act has no cure period, enforcement can be swift if CalPrivacy detects noncompliance.

An engineering-readiness overview for DROP compliance

For organizations that still have manual processes or limited legacy solutions in place to complete data subject requests, here are the technical steps to take to prevent the DROP-related increase in requests from becoming an all-encompassing responsibility.

While these steps could be challenging for any organization without dedicated privacy engineering, steps 2 and 7 are heavy lifts in particular given they require new infrastructure to connect the DROP API to the organization’s technical solution.

1. Connect to CalPrivacy’s API sandbox environment once it becomes available in Spring 2026, as manually downloading lists will be highly inefficient.
2. Set up a cron job or equivalent to connect to the DROP endpoint and pull the latest batch of consumer deletion lists every 45 days.
3. Understand your identifiers (such as an email address) so you can be sure you are downloading only the types of information your org already has.
4. Standardize and map identifiers. Verify formatting for identifiers such as email addresses or phone numbers to ensure a 100% match with DROP records (e.g. do phone numbers contain dashes or not?). Then map those identifiers to other possible identifiers your org might have to ensure a complete deletion.
5. Configure connections that run queries or API calls to all databases, data warehouses, and SaaS tools where consumer data is stored. Ensure these calls are also forwarded downstream to third-party service providers who may have stored consumer data.
6. Implement an internal suppression mechanism to block consumer identifiers from being used for future sales or data transfers, as even unverified requests need to be opted-out of data selling and sharing.
7. Set up a reporting mechanism to regularly relay the status of DROP requests.
8. Maintain timestamped audit logs to prove Delete Act compliance and show identifiers used, internal and external systems contacted, each request’s final determination, and completion time.

How Transcend helps legal and engineering teams overcome DROP’s challenges

The above roadmap for technical readiness might be challenging without a proven data privacy platform, but Transcend automates those tasks and limits risk from data brokers’ DROP compliance thanks to our unique technical capabilities:

• Automated Ingestion: Transcend ingests raw DROP registry files (via API or download), eliminating manual retrieval.
• Enriched identifiers: Transcend is uniquely capable of processing numerous identifiers automatically to verify consumer identity’s and process requests without manual intervention.
• Deep Deletion & Opt-Out: The platform automatically orchestrates requests throughout data systems and downstream providers to quickly execute the deletion or opt-out across the entire tech stack.
• Audit Readiness: The platform creates and retains a comprehensive audit log of every request status, determination, and action, ensuring verifiable proof of compliance for the mandatory independent audits.

Managing user requests at-scale is about efficiency. Transcend has helped organizations save thousands of hours a year by streamlining request automation, from data brokers like ZoomInfo to customer-facing financial organizations like GoCardless.

With the quantity of requests and the stakes to process them getting higher than ever in 2026, preparing for this fundamental change in data privacy is vital for success.