The California Privacy Protection Agency (CalPrivacy) is transitioning from implementation to active enforcement of the California Delete Act’s Delete Request and Opt-Out Platform (DROP). At its February 27, 2026, board meeting, agency staff presented key updates on the platform’s performance, data broker compliance, and the road ahead as the August 1 enforcement deadline approaches.
DROP Platform: Exceeding Expectations?!?
Launched on January 1, 2026, DROP allows California residents to submit a single request directing all registered data brokers to delete their personal information and stop collecting and selling it. The response from consumers has been notable: more than 242,000 Californians have submitted DROP requests to date, with 18,000 deletion requests received within just the first 48 hours of launch — a figure that far exceeded the agency’s projections.
CalPrivacy Executive Director Tom Kemp credited the platform’s success to collaboration between policymakers, agency staff, and the California Department of Technology, calling it an innovative achievement that reinforces California’s role as a national leader in consumer privacy protection.
California certainly has been progressive on its data privacy rules and regulations.
Enforcement Strike Force and Growing Broker Registry!
The DROP platform is one part of CalPrivacy’s broader data-broker agenda. The agency has established a dedicated Data Broker Enforcement Strike Force to identify companies that are operating without the legally required state registration. Data brokers must register annually by January 31, and failure to register carries a penalty of $200 per day.
Enforcement efforts are producing results. The number of registered data brokers grew from 459 in June 2025 to more than 575 by February 2026 — a number Kemp described as unprecedented, stating no other state or prior California data broker registry has seen this level of participation. My guess is that announcing an enforcement force specifically dedicated to hunting data brokers likely had a bunch to do with the success.
To further bolster compliance efforts, CalPrivacy appointed Sabrina Boyson Ross as its first chief privacy auditor. A former Meta privacy and AI policy director, Ross will lead independent compliance reviews and proactively identify violations before consumer harm occurs.
Legislative Push for Stronger Authority!
CalPrivacy is also pursuing legislation to strengthen its enforcement arsenal. Because what government agency doesn’t want more authority! The agency is sponsoring the proposed Whistleblower Protection and Privacy Act, which would encourage individuals to report organizations’ privacy violations and assist enforcement actions involving data brokers and other regulated entities.
I have often warned clients that poor planning, policies, and procedures are more likely to be brought to light by a whistleblower than a regulator just happening upon the company. This type of legislation seems to support the argument that regulators are looking for insiders to be the main source of reporting potential bad actors.
What’s Next: The August 1 Deadline and Beyond?
Data brokers have until August 1, 2026, to integrate DROP obligations, meaning they must be able to obtain and process consumer deletion requests submitted through the platform. After that date, brokers will be required to access the platform every forty-five (45) days to process incoming requests.
To help data brokers prepare, CalPrivacy plans to launch a sandbox testing environment where brokers can test their integration before the deadline. The agency will also publish an updated public data broker registry in March to clarify expectations.
On the consumer side, approximately 85,000 people have signed up to receive DROP updates. The agency plans to continue public education and outreach campaigns through community events, media engagement, and partnerships with other state agencies to expand awareness and participation before request processing begins in earnest.
CalPrivacy Assistant Deputy Director Marissa Rosemblat underscored the agency’s commitment to a smooth rollout, noting that significant groundwork has already begun to ensure data brokers can seamlessly process the hundreds of thousands of pending deletion requests.
Looking Ahead
CalPrivacy will provide another formal DROP update on March 31 at the IAPP Global Summit 2026. You can be confident that the team at Troutman Amin will be monitoring this issue for further developments.
As California moves from build to enforce, the DROP platform stands as both a national model and a practical test of whether broad-based consumer privacy tools can operate at scale. The August 1 deadline will mark the real beginning of that test.
If you are looking for assistance in ensuring your policies and procedures are in place to help with your regulatory compliance, you should reach out to Troutman Amin. Our compliance attorneys are ready to help you. If you have DROPped the ball (pun intended), let Troutman Amin help you get you back in compliance.
CIPAWorld 