Processing DROP requests

To comply with the Delete Act, data brokers must use DROP to download and process deletion requests.

Before you get started, ensure that you:

1. Create an account in DROP
2. Register as a data broker (when applicable)
3. Pay required fees (registration or access fees)
4. Select your consumer deletion list(s)
5. Choose your integration method (API or manual)
6. Understand the requirements and workflow
7. Complete your testing in the DROP Sandbox  (optional) 

DROP Sandbox

Data brokers can access the sandbox environment from their DROP accounts.

The DROP Sandbox is a test environment data brokers may use to develop and validate their integration with DROP and test DROP request processing.

Sign in to your DROP account to access the sandbox. Review Technical specifications for more information about integration and API documentation.

Direct service providers to process accordingly

Maintain list of identifiers needed to ensure ongoing compliance for matched and unmatched records

Beginning August 1, 2026, data brokers must download their selected consumer deletion list(s) at least once every 45 days. You will do this either by API (automated) or manually within DROP.

Consumer deletion lists contain hashed identifiers supplied by consumers as part of their deletion requests.

There are six lists:

• First name + last name + date of birth + ZIP code
• Email address
• Phone number
• Mobile advertising ID
• First name + last name + VIN
• Connected TV identifier

Choosing lists

A data broker chooses consumer deletion lists based on the consumer data they have. They must select all lists that contain consumer identifiers that match to personal information about the consumer within their records.

However, a data broker may select fewer lists if the consumer identifiers used across multiple lists would lead to matches with the exact same set of consumers in the data broker’s records.

For example, if a data broker collects both email addresses and telephone numbers for every consumer in its records, then the data broker may select only the email address or telephone number consumer deletion list. If, however, a data broker collects email addresses for some consumers and telephone numbers for other consumers, then the data broker must select both lists (Cal. Code Regs., tit. 11 §7610(a)(3)).

Downloads

After your first download, subsequent downloads will only include new or amended requests since your last download and upload.

You may download your consumer deletion list(s) more than once every 45 days.

If your automated connection with DROP fails for any reason, you must notify CalPrivacy in writing through your DROP account within 45 days (Cal. Code Regs., tit. 11 §7612(b)(1)).

Review Consumer deletion lists for more information.

All consumer identifiers in DROP are hashed.

Before comparing the identifiers in the DROP consumer deletion requests to your records, you must standardize your own data.

This includes:

• converting text to lowercase
• removing special characters
• adhering to proper formatting for dates, phone numbers, and ZIP codes
• following the protocol for multi-identifier concatenation

Review Hashing and standardization for the full list of standardization and hashing requirements, including examples.

Compare your hashed records against the identifiers in your consumer deletion list.

1. Delete all non-exempt personal information, including inferences, for the consumer
2. Direct all service providers and contractors to delete matching records

• Opt all associated consumers out of sale and sharing
• Direct all service providers and contractors to opt-out accordingly 

• Save and maintain a list of all consumers who submitted a deletion request via DROP to screen any newly collected records before they are sold or shared to ensure the deletion requests are maintained on an on-going basis. For more details, review Ongoing requirements.

After you process the DROP requests in your consumer deletion list or lists, you must:

• Report the status of each request (manually or by API)
• Report within 45 days of receiving the request

Statuses include:

• Record deleted: Data brokers have deleted the consumer’s data and will no longer sell their information. However, some information may be exempt.
• Record opted out of sale: Data brokers couldn’t make an exact match based upon the information the consumer provided. For now, these data brokers still have the consumer data, but can no longer sell it.
• Record exempt: Data brokers are allowed by law to keep certain information, such as public records or sensitive health information. This data may be protected under other privacy laws.
• Record not found: Data brokers may not have information about the consumer or could not locate the consumer based on the information provided.

Review Status code reference for more information.

There are some tasks you must regularly complete to lawfully process DROP requests.

Consumers are not required to resubmit requests. You are responsible for maintaining consumer requests on an ongoing basis.

Maintain consumer deletion lists

Data brokers should maintain a list of identifiers needed to ensure ongoing compliance for both matched and unmatched records. Some people refer to this as a “suppression list.”

Compare this list against any newly collected records before new personal information is sold or shared.

Note: For this list, you do not have to use our identifiers. Use the identifiers you need to maintain compliance.

Retain only the minimum data necessary to maintain your compliance obligations; this data may not be used for any other purpose.

Service providers and contractors

Some data brokers work with service providers and contractors to offer their services and, as part of that workflow, share consumer information. As part of processing obligations, data brokers must direct their service providers and contractors to take the required action towards all personal information associated with DROP requests.

This includes deleting all non-exempt personal information or opting a consumer out of the sale or sharing of their personal information.

Update request status/Amending request

If a data broker detects a change in status for a given request, the data broker must update the status in DROP within 45 days of detecting the change.

Review Technical specifications for information on amending records.

For example:

• If a data broker is unable to match a given identifier to a consumer in their records, they should report the status as “NOT FOUND”.
• If, several months later, the data broker collects personal information about the consumer and now finds a match with the given identifier, the data broker must delete all non-exempt personal information associated with that consumer.
• Within 45 days of detecting the change, the data broker must report back the “DELETED” status to DROP.