Getting started
You may build your integration using the DROP Data Broker API or by using the manual download/upload option. For either option, you need to complete the steps below.
- Download hashed consumer deletion list(s) from DROP.
- Match the hashed identifiers in those list(s) against your own records.
- Upload a status file indicating whether each record was deleted, opted out, exempted, or not found.
This guide provides information about the integration workflow, working with the data in DROP, and more. If you elect to build your integration via API, you can use the information in this document to confirm account setup, authentication, and processing via API.
Who is this for
- Data brokers
- Engineering teams building automated download-and-upload integrations
- Quality assurance, operations, and compliance staff supporting the integration lifecycle
Prerequisites for integration
Before you begin, ensure you have an account in DROP and have registered (if applicable) and paid any required fees.
If you elect to integrate via API, please also ensure you have the following:
| Requirement | Details |
|---|---|
API key | Generated after selecting your consumer deletion list(s) |
| HTTPS client | Ability to make GET and POST requests over TLS 1.2+ (for example, curl, PowerShell, or any HTTP library) |
| CSV handling | Ability to read and write CSV files following the required naming convention |
| Secret storage | Secure storage for API key |
| Logging | Ability to log request timestamps and upload/download outcomes |
API base URL
| Environment | URL |
|---|---|
| Production | https://api.drop.privacy.ca.gov |
| Sandbox | https://api.drop.privacy.ca.gov/sandbox |
Authentication
All API requests require an API key passed in the X-API-KEY header:
X-API-KEY: your-api-key-here
Your API key is scoped to the consumer deletion list(s) you select. Only the selected list(s) will appear in your downloads.
API key security
- Store keys securely using environment variables or secret management systems
- Regenerate keys if compromised or if list selection changes
Obtain an API key
- Sign in to the Data Broker Portal.
- For production integration, navigate to Home → Consumer Deletion Lists.
- Select the consumer deletion list(s) your business will process.
- Click Save.
- Open the API Key tab.
- Click Get a new API key.
Your key is now ready to use.
Note: During sandbox testing, navigate to SANDBOX ENVIRONMENT → ISSUE SANDBOX API KEY.
API quick start
- Obtain an API key and confirm your selected consumer deletion list(s).
- Verify connectivity with an authenticated request.
- Download the current ZIP archive.
- Extract and process the CSV files.
- Upload response CSV(s).
- Inspect the JSON response for accepted and rejected files.
Step 1 — Verify connectivity
Send a request to confirm your API key works:
curl -X GET "https://api.drop.privacy.ca.gov/data/download" \
-H "accept: */*" \
-H "X-API-KEY: your-api-key-here" \
-I
A 200 OK response confirms authentication.
401 Unauthorized— incorrect API key. Correct the key or generate a new one and try again.403 Forbidden— registration and/or payment of required fees is incomplete. Confirm account status in the data broker portal and try again.
Step 2 — Download consumer data
curl -X GET "https://api.drop.privacy.ca.gov/data/download" \
-H "accept: */*" \
-H "X-API-KEY: your-api-key-here" \
--output download.zip
PowerShell alternative:
$apiKey = "your-api-key-here"
$url = "https://api.drop.privacy.ca.gov/data/download"
$headers = @{
"X-API-KEY" = $apiKey
"Accept" = “application/zip"
}
Invoke-WebRequest -Uri $url -Headers $headers -OutFile "download.zip"
The response is a ZIP archive containing one CSV file per selected consumer deletion list. See Working With the Data - Downloaded File Scheme and Working with the Data - File Naming Convention.
Step 3 — Process records
Extract the ZIP and read each CSV. Match the hashed identifiers against your records and determine the appropriate action. See Integration Workflow for basic information about the deletion request processing lifecycle.
Step 4 — Upload your response
Respond by uploading one or more CSV files (not the ZIP archive) containing Id and Status columns. Use the downloaded CSV file names when possible.
If you need to upload multiple response files for the same downloaded list, add a suffix to the file name using an underscore followed by up to 10 alphanumeric characters (for example: 20260312_4821_Email_01.csv). Uploading the same file name again without a suffix will result in an error.
You may upload a full or partial response for each file. If you upload only a partial response, you can provide the remaining records later by uploading additional files with the same base file name and different suffixes. Your upload will not be considered complete until all outstanding records from your previous download are uploaded.
curl -X POST "https://api.drop.privacy.ca.gov/data/upload" \
-H "accept: */*" \
-H "X-API-KEY: your-api-key-here" \
-H "Content-Type: multipart/form-data" \
-F "files=@20260312_4821_Email_retry01.csv;type=text/csv" \
-F "files=@20260312_4821_Phone.csv;type=text/csv" \
-F "files=@20260312_4821_NDZ.csv;type=text/csv"
A successful response:
{
"mode": "new",
"acceptedCount": 3,
"rejectedCount": 0,
"accepted": [
{
"fileName": "20260312_4821_Email_retry01.csv",
"fileSizeBytes": 2849112
},
{
"fileName": "20260312_4821_Phone.csv",
"fileSizeBytes": 1934008 },
{
"fileName": "20260312_4821_NDZ.csv",
“fileSizeBytes": 65433649
}
],
"rejected": []
}
If you need to correct a previous submission, use the /amend endpoint.
See API Operations for details.
Step 5 — Confirm successful integration
A successful integration via API indicates you are able to:
- Authenticate against the API
- Download and extract a ZIP archive
- Read CSV files and understand the schema
- Produce a correctly named response CSV with the
Id,Statuscolumns - Upload the response and receive confirmation
Confirm that you can complete all of the steps above prior to automating the end-to-end processing workflow.