Reference
On this page
Glossary
| Term | Definition |
|---|---|
| DROP | Delete Request and Opt-out Platform — the platform created by CalPrivacy for consumers to submit deletion and opt-out requests and for data brokers to retrieve and respond to them |
| Delete Act | California law requiring data brokers to process consumer deletion requests through DROP (see Civil Code section 1798.99.80 et seq.) |
| CPPA / CalPrivacy | The California Privacy Protection Agency — the state agency responsible for DROP |
| API key | The credential sent in the X-API-KEY header to authenticate API requests |
| Data broker ID | The unique identifier assigned to your organization, used in file naming |
| Consumer deletion list | A list containing one or more hashed consumer identifiers that consumers provided as part of a deletion request |
| Work item | A single consumer deletion request record identified by its ID in a CSV file |
| NDZ | Name + Date of Birth + ZIP — a composite-hash list type |
| MAID | Mobile Advertising Identifier |
| VIN | Vehicle Identification Number |
| CTVID | Connected TV Identifier — covers smart TVs, streaming players, and gaming consoles |
| NameVIN | Name + VIN — a composite-hash list type |
| New upload | Submission of new status responses |
| Amend upload | Correction or update to previously submitted status responses |
| Composite hash | A multi-step hash where individual fields are hashed first, concatenated, then hashed again (used by NDZ and NameVIN) |
Status code reference
| Code | Label | Meaning |
|---|---|---|
| 2 | Exempted | Match found and personal information is exempt |
| 3 | Deleted | Match found and non-exempt personal information was deleted |
| 4 | Opted out | Multiple consumers are linked to the same identifier and all were opted out of sale or sharing |
| 5 | Not found | No match found after completing the matching process |
File naming pattern
<YYYYMMDD>_<DataBrokerId>_<DataType>[_<OptionalSuffix>].csv
Notifications
DROP sends notifications to data brokers based on system activity. By default, the notifications below are sent via email to primary and secondary email addresses on your DROP account. Optionally, you may enable webhooks for these notifications.
Events
| Event name | Description | Webhook | |
|---|---|---|---|
| Download Ready | Selected lists are ready for download | default | optional |
| Upload Confirmation | Your upload has been received and is being processed | default | optional |
| Upload Processed | Your list has been processed and responses are available for review | default | optional |
| Amendment Confirmation | Your amendment upload has been received and is being processed | default | optional |
| Amendment Upload Processed | Your amendment list has been processed and is ready for review | default | optional |
| API Key Issued | An API key has been issued for your account | default | n/a |
| API Key Changed | A new API key has been issued; all previous keys have been deactivated | default | n/a |
Webhook configuration
To enable webhook notifications:
- Go to Notification settings in the Data Broker Portal.
- Toggle Webhook to Active.
- Enter your HTTPS endpoint URL.
- Save changes.
Signing secret:
When you enable webhooks, a signing secret is generated and shown in the portal. Store this secret securely in your webhook receiver configuration. It is used to verify that incoming webhook requests are sent by DROP. Rotate the secret as needed for security.
Supported webhook messages
| Event type | When it is sent |
|---|---|
| download.ready | Download package is ready |
| upload.received | Upload was received |
| upload.processed | Upload processing complete |
| amendment.received | Amendment upload was received |
| amendment.processed | Amendment processing completed |
HTTP headers
Each webhook request includes:
| Header | Description |
|---|---|
| X-Webhook-Event-Id | Unique ID for the logical event |
| X-Webhook-Event-Type | Event type |
| X-Webhook-Delivery-Id | Unique ID for this delivery attempt |
| X-Webhook-Timestamp | UTC timestamp for the request |
| X-Webhook-Version | Webhook version |
| X-Webhook-Signature | HMAC-SHA256 signature |
Webhook body
Each webhook request includes a JSON body.
{
"message": message text,
}
Example
POST https://example.com/drop/webhook
Content-Type: application/json
X-Webhook-Event-Id: 00000000-0000-0000-0000-000000000000
X-Webhook-Event-Type: download.ready
X-Webhook-Delivery-Id: 11111111-1111-1111-1111-111111111111
X-Webhook-Timestamp: 2026-07-02T18:30:00.0000000Z
X-Webhook-Version: 1.0
X-Webhook-Signature: sha256=abc123...
{
"message": "download ready"
}
Secret verification
DROP signs each webhook using the data broker’s webhook signing secret.
To verify:
- Read the raw request body exactly as received.
- Read X-Webhook-Timestamp.
- Build the signing string: <timestamp>.<raw request body>
- Compute HMAC-SHA256 using the webhook signing secret.
- Compare the hex digest to X-Webhook-Signature after removing the sha256= prefix.
- Reject the request if the signature is invalid.
Example logic:
const expected = hmacSha256Hex(secret, `${timestamp}.${rawBody}`);
const received = signatureHeader.replace("sha256=", "");
if (constantTimeEqual(expected, received)) {
// valid DROP webhook
} else {
// reject
}
Recommended: reject webhook requests with timestamps older than five minutes to prevent out of date webhook requests.
Expected response
Return any 2xx status when the webhook is received successfully.
Preferred response: HTTP/1.1 204 No Content
DROP treats non-2xx responses as failed delivery and may retry.
Documentation map
| Document | Audience | Contents |
|---|---|---|
| Getting Started | All | Account setup, authentication, API key generation, quick start |
| Integration Workflow | All | The download-process-upload cycle, validation, retries |
| Working With the Data | Technical | List types, file schemas, standardization rules, hashing examples |
| API Operations | Technical | Endpoints, request examples, error handling, rate limits |
| Reference | All | Glossary, status codes, documentation map, and support information |
| OpenAPI Specification (YAML) | Developers | Machine-readable API definition for OpenAPI-compatible tools |
Contact and support
Use the Data Broker Portal for account setup, credentials, and to contact us.
When reporting an issue, include:
- Timestamp (Pacific Time)
- Endpoint and HTTP status code
- File name involved
- Upload response payload or error message
Version history
| Version | Date | Notes |
|---|---|---|
| 1.2.0 | July 2, 2026 |
|
| 1.1.0 | June 3, 2026 | General release on privacy.ca.gov/drop-for-data-brokers
|
| 1.0.0 | April 2, 2026 | Initial release in DROP
|