California’s New DELETE Platform Could Upend How Payment Companies Access Consumer Data 

The DELETE Request and Opt-out Platform — DROP for short — is the creation of the California Privacy Protection Agency, known as CalPrivacy. It stems from California’s Delete Act, which requires data brokers to honor deletion requests submitted through a single, centralized portal. Companies that operated as data brokers in 2025 were already required to register with the state by January 31. But registration was just the opening act.

On August 1, 2026, the real work begins. That’s the date data brokers must start downloading consumer deletion lists from the DROP and acting on them. They’ll have 45 days to process each batch. Then they’ll need to pull fresh lists and do it all over again, at least once every 45 days, indefinitely.

A recent analysis from law firm Kelley Drye & Warren explains just how demanding the process will be. As the firm put it, “the bulk of the work needed to process DROP requests will occur on the back end, where data brokers must ingest, standardize, hash, match, and systematically purge identifiers across fragmented data ecosystems.” That’s a heavy lift for any organization, but especially for companies that stitch together consumer profiles from dozens of sources.

We’d love to be your preferred source for news.

Please add us to your preferred sources list so our news, data and interviews show up in your feed. Thanks!

Add as Preferred Source

Here’s how it works in practice, according to the firm. Consumers sign up through the DROP using their name, date of birth, and at least one other identifier like a phone number, email address, or mobile advertising ID. CalPrivacy then compiles those identifiers into hashed deletion lists. Data brokers download the lists that match the types of identifiers they hold, run them against their own records, and delete any matches.

Read more: New California Law Requires AI Risk Assessments by End of 2027 

For DTC brands and payments companies, Kelley, Drye and Warren say the implications are significant. Many of these businesses rely on third-party data to target ads, personalize offers, and verify identities. The data that powers those functions often flows through brokers. When a consumer submits a deletion request through the DROP, brokers must erase all personal information tied to that identifier — including inferences — unless it was collected through a direct, first-party relationship. That carve-out means companies that build their own customer relationships may be less exposed than those that depend on purchased data.

There are some exceptions. The same exemptions that exist under California’s broader privacy law, the CCPA, apply here. Data kept for security purposes, for instance, doesn’t have to be deleted. And if a set of identifiers matches multiple consumers in a broker’s records, the broker can opt those people out of future data sales rather than deleting everything.

The reporting requirements add another layer. After each deletion cycle, brokers must report the status of every identifier: deleted, opted out, exempted, or not found. CalPrivacy will be watching closely. The agency recently created a “Data Broker Enforcement Strike Force” and has made the DROP the centerpiece of its enforcement agenda. The Delete Act also gives CalPrivacy expanded authority to impose civil penalties.

Other states are paying attention. New York is considering legislation that would create a similar system. Under the proposed bill, data brokers would register with the state attorney general and pay into a deletion platform modeled on the DROP.

For companies in the payments and DTC space, the takeaway is clear: the era of frictionless access to consumer data is winding down. Brands that have not mapped their data supply chains and identified which of their vendors qualify as data brokers should start now. August is closer than it looks.