Reference

Glossary

TermDefinition
DROPDelete Request and Opt-out Platform — the platform created by CalPrivacy for consumers to submit deletion and opt-out requests and for data brokers to retrieve and respond to them
Delete ActCalifornia law requiring data brokers to process consumer deletion requests through DROP (see Civil Code section 1798.99.80 et seq.)
CPPA / CalPrivacyThe California Privacy Protection Agency — the state agency responsible for DROP
API keyThe credential sent in the X-API-KEY header to authenticate API requests
Data broker IDThe unique identifier assigned to your organization, used in file naming
Consumer deletion listA list containing one or more hashed consumer identifiers that consumers provided as part of a deletion request
Work itemA single consumer deletion request record identified by its ID in a CSV file
NDZName + Date of Birth + ZIP — a composite-hash list type
MAIDMobile Advertising Identifier
VINVehicle Identification Number
CTVIDConnected TV Identifier — covers smart TVs, streaming players, and gaming consoles
NameVINName + VIN — a composite-hash list type
New uploadSubmission of new status responses
Amend uploadCorrection or update to previously submitted status responses
Composite hashA multi-step hash where individual fields are hashed first, concatenated, then hashed again (used by NDZ and NameVIN)

Status code reference

Code LabelMeaning
2ExemptedMatch found and personal information is exempt
3DeletedMatch found and non-exempt personal information was deleted
4Opted outMultiple consumers are linked to the same identifier and all were opted out of sale or sharing
5Not foundNo match found after completing the matching process
Reference codes 0 and 1 are unused.
For more information on the legal requirements based on match outcomes, see California Civil Code section 1798.99.80 et seq. and CCR, title 11, section 7600 et seq.

File naming pattern

<YYYYMMDD>_<DataBrokerId>_<DataType>[_<OptionalSuffix>].csv

Notifications

DROP sends notifications to data brokers based on system activity. By default, the notifications below are sent via email to primary and secondary email addresses on your DROP account. Optionally, you may enable webhooks for these notifications.

Events

Event nameDescriptionEmailWebhook
Download ReadySelected lists are ready for downloaddefaultoptional
Upload ConfirmationYour upload has been received and is being processeddefaultoptional
Upload ProcessedYour list has been processed and responses are available for reviewdefaultoptional
Amendment ConfirmationYour amendment upload has been received and is being processeddefaultoptional
Amendment Upload ProcessedYour amendment list has been processed and is ready for reviewdefaultoptional
API Key IssuedAn API key has been issued for your accountdefaultn/a
API Key ChangedA new API key has been issued; all previous keys have been deactivateddefaultn/a

Webhook configuration

To enable webhook notifications:

  1. Go to Notification settings in the Data Broker Portal.
  2. Toggle Webhook to Active.
  3. Enter your HTTPS endpoint URL.
  4. Save changes.

Signing secret:

When you enable webhooks, a signing secret is generated and shown in the portal. Store this secret securely in your webhook receiver configuration. It is used to verify that incoming webhook requests are sent by DROP. Rotate the secret as needed for security.

Supported webhook messages

Event typeWhen it is sent
download.readyDownload package is ready
upload.receivedUpload was received
upload.processedUpload processing complete
amendment.receivedAmendment upload was received
amendment.processedAmendment processing completed

HTTP headers

Each webhook request includes:

HeaderDescription
X-Webhook-Event-IdUnique ID for the logical event
X-Webhook-Event-TypeEvent type
X-Webhook-Delivery-IdUnique ID for this delivery attempt
X-Webhook-TimestampUTC timestamp for the request
X-Webhook-VersionWebhook version
X-Webhook-SignatureHMAC-SHA256 signature

Webhook body

Each webhook request includes a JSON body.

{ 
 "message": message text, 
} 

Example

POST https://example.com/drop/webhook 
Content-Type: application/json 
X-Webhook-Event-Id: 00000000-0000-0000-0000-000000000000 
X-Webhook-Event-Type: download.ready 
X-Webhook-Delivery-Id: 11111111-1111-1111-1111-111111111111 
X-Webhook-Timestamp: 2026-07-02T18:30:00.0000000Z 
X-Webhook-Version: 1.0 
X-Webhook-Signature: sha256=abc123... 
 
{ 
 "message": "download ready" 
} 

Secret verification

DROP signs each webhook using the data broker’s webhook signing secret.

To verify:

  1. Read the raw request body exactly as received.
  2. Read X-Webhook-Timestamp.
  3. Build the signing string: <timestamp>.<raw request body>
  4. Compute HMAC-SHA256 using the webhook signing secret.
  5. Compare the hex digest to X-Webhook-Signature after removing the sha256= prefix.
  6. Reject the request if the signature is invalid.
Example logic:

const expected = hmacSha256Hex(secret, `${timestamp}.${rawBody}`); 

const received = signatureHeader.replace("sha256=", ""); 

 

if (constantTimeEqual(expected, received)) { 

  // valid DROP webhook 

} else { 

  // reject 

} 

Recommended: reject webhook requests with timestamps older than five minutes to prevent out of date webhook requests.

Expected response

Return any 2xx status when the webhook is received successfully.
Preferred response: HTTP/1.1 204 No Content
DROP treats non-2xx responses as failed delivery and may retry.

Documentation map

DocumentAudienceContents
Getting StartedAllAccount setup, authentication, API key generation, quick start
Integration WorkflowAllThe download-process-upload cycle, validation, retries
Working With the DataTechnicalList types, file schemas, standardization rules, hashing examples
API OperationsTechnicalEndpoints, request examples, error handling, rate limits
ReferenceAllGlossary, status codes, documentation map, and support information
OpenAPI Specification (YAML)DevelopersMachine-readable API definition for OpenAPI-compatible tools

Contact and support

Use the Data Broker Portal for account setup, credentials, and to contact us.

When reporting an issue, include:

  • Timestamp (Pacific Time)
  • Endpoint and HTTP status code
  • File name involved
  • Upload response payload or error message

Version history

VersionDateNotes
1.2.0July 2, 2026
1.1.0June 3, 2026General release on privacy.ca.gov/drop-for-data-brokers
  • Adds information about cancellations and removed .csv
  • Publishes Technical Docs on privacy.ca.gov.
1.0.0April 2, 2026Initial release in DROP
  • Initial release to accompany DROP Sandbox.