A PYMNTS Company

California to Implement Single Opt-Out System to Remove Personal Data From Data Brokers

By  |  November 14, 2025

California’s Privacy Protection Agency (CPPA) announced Thursday that the Office of Administrative Law has approved regulations establishing operational requirements for the Delete Request and Opt-out (DROP) Platform. The platform is a state-hosted system that allows residents to submit a single request to have their data deleted by all data brokers registered with CPPA. The platform will go live on January 1, 2026.

    Get the Full Story

    Complete the form to unlock this article and enjoy unlimited free access to all PYMNTS content — no additional logins required.

    yesSubscribe to our daily newsletter, PYMNTS Today.

    By completing this form, you agree to receive marketing communications from PYMNTS and to the sharing of your information with our sponsor, if applicable, in accordance with our Privacy Policy and Terms and Conditions.

    DROP represents the first state-administered mechanism to automate the process of requesting removal of data from brokers’ system. Under the new rules, data brokers must access the platform at least once every 45 days to retrieve removal requests.

    “Adoption of these regulations is a major milestone. Californians will soon be able to delete their data from hundreds of data brokers with one simple action,” said Tom Kemp, executive director of CPPA. “We encourage consumers to take advantage of this important tool so they can easily and effectively exercise their privacy rights.”

    The California Delete Act was passed in 2018 and allows consumers to request that their personal information be removed from data brokers’ systems. It applies to businesses that made more than $25 million in revenue in the previous year,  and which “annually buy, sell, or share the personal information of 100,000 or more consumers or households.” Organizations covered by the Fair Credit Reporting Act and HIPAA are exempt from the law.

    The law has required data brokers to register annually with CPPA beginning on January 1, 2024.

    Related: California’s New CCPA Rules Bring Corporate Accountability to the Individual Level

    According to the CPPA website, DROP will maintain lists of hashed consumer identifiers, such as email addresses, phone numbers, dates of birth, and mobile ad IDs. When a consumer identifier matches records in a data brokers system the broker must delete all associated personal information, included personal information inferred from other data sources. Delete requests also must be passed on to any contractor or service provider retained by the broker.

    If the matched identifier(s) is associated with more than one consumer within the broker’s records, “they must opt all associated consumers out of the sale or sharing of their personal information.” Brokers are required to select the list(s) to download that will match the most records within their system.

    Additionally, data brokers must maintain each consumer deletion request in a suppression list—”regardless of whether or not they initially matched with records in their own database”—to ensure ongoing compliance with the law.

    Although brokers must register with CPPA, the Broker Registry is administered by the Office of Attorney General. Brokers that fail to register within the required timeframe face fines of $200 per consumer per day they are out of compliance.

    Starting January 1, 2028, data brokers must also undergo an audit by an independent third party three years to verify compliance with consumer deletion requirements.