CalPrivacy Walks Through Data Deletion Platform Ahead of Jan. 1 Rollout
Delete Request and Opt-Out Platform (DROP) rules will take effect Jan. 1, the same day that the accessible deletion platform goes live, the California Privacy Protection Agency announced at the CalPrivacy Board’s meeting Friday. Also at the meeting, CalPrivacy General Counsel Philip Laird walked the board through a presentation on how consumers and data brokers will interact with DROP.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
The California Office of Administrative Law gave a final signoff on the rules Thursday, without recommending changes, said Laird. The decision had been expected to come just in time for Friday’s meeting (see 2510280048). Board members voted 5-0 in September to adopt regulations for the accessible delete mechanism (see 2509260039).
Laird described a “privacy-forward” experience for consumers on the DROP system. The first step is for consumers to verify they are California residents through an identity gateway built by the California Department of Technology, he said. Under that system, CalPrivacy never sees any of the data used for verification, said the general counsel.
Consumers may alternatively verify residency by using the federal government’s Login.gov. But the federal government’s involvement prompted questions from CalPrivacy Board members.
Responding to the concerns, Laird acknowledged “some may have biases against” one verification method versus the other. That’s why DROP provides consumers a choice, he said. Also, Laird noted that using either mechanism is unlikely to give its operator “new information” it doesn’t already have about the consumer.
Authorized agents may not perform the residency verification for a consumer, though they can assist with other steps of the process, said Laird. There isn’t an application programming interface (API) option for an “authorized agent who's maybe representing multiple consumers to directly enter the system,” he said. “It's something we thought a lot about and would like to continue to explore in future iterations.”
After verifying residency, consumers provide “limited personal information,” including date of birth, ZIP code, email address and phone number, said Laird: Consumers have the option of submitting mobile advertising or connected television IDs and vehicle identification numbers.
After submitting a request, the consumer may return to the platform to check the status of or update a deletion request. Data brokers will have 45 days to process the request. Also under the system, both before and after submitting a request, consumers may select a specific registered data broker(s) they do or don’t want to receive the deletion request. It’s also possible to check a box signaling that the request should go to any data brokers added to California’s list in the future, he said.
Meanwhile, data brokers’ DROP obligations begin Aug. 1, 2026, though they can start testing the platform this spring, said Laird.
First, under the envisioned process, data brokers must create an account and complete registration, including payment. Next, they must choose consumer deletion lists that correspond with what identifiers they have on consumers. Then, at least every 45 days, the broker would download the deletion list manually or through an API.
After downloading the list, data brokers must identify matches, delete records and maintain a suppression list. The latter will ensure that when a broker buys new data, the data of a person who previously requested deletion won’t come back into the broker’s system, said Liz Allen, a CalPrivacy attorney. The final step is for brokers to report deletion status within 45 days.
“This is pretty darn slick,” remarked CalPrivacy Board Chairperson Jennifer Urban after the presentation.
The agency has “certainly heard interest from other states and … legislators in other states,” noted Laird. “We are happy to share our insights and are exploring … all options in terms of how other states, if they want to leverage our system or copy our system” can do so. Connecticut has voiced interest (see 2510220015).
However, CalPrivacy Board member Drew Liebert asked how the agency would know brokers are “telling the truth” about what identifiers they have. Allen responded that agency technologists could review that with the company if there’s an investigation. Additionally, an independent audit planned for 2028 will help ensure that brokers are complying, added Allen.
In the year ahead, CalPrivacy will be working on regulations related to the audit, said Allen: The agency plans to take comment. Agency officials identified multiple other areas of possible rulemaking earlier in the meeting (see 2511070050)
Also at the meeting, the CalPrivacy Board agreed to proposed dates for its 2026 meetings: Feb. 6, May 1, Aug. 7 and Nov. 6. In addition, the board discussed meeting the Thursday before each of those dates for educational topics.