The California DROP Mechanism—$1.5 Billion in Exposure and the Clock Is Ticking: Key Takeaways from 2026 IAPP Global Summit
$1.5 billion. That number got the room’s attention at the 2026 IAPP Global Summit: $1.5 billion is the theoretical penalty exposure for a single data broker that misses just one deletion cycle under California’s new Delete Request and Opt-Out Platform (DROP), a first-of-its-kind centralized deletion mechanism that goes live on August 1, 2026. And who counts as a data broker may surprise you.
The California Privacy Protection Agency (CalPrivacy) and the California Department of Technology (CDT) used their IAPP session (DROP Update) to walk through how the system works and where registration stands today. Below, we break down the key takeaways for businesses that are still evaluating whether they need to register and how to prepare if they do.
The Backstory: DROP and the Delete Act
California’s data broker registration law has been on the books since 2019, but it started primarily as a transparency exercise. The Delete Act (SB 362), enacted in 2023, transformed the 2019 framework into something more novel and ambitious: a centralized platform that lets a California consumer submit a single deletion request and have it cascade to every data broker registered in the state.
The result is DROP, a platform built jointly by CalPrivacy and CDT, and the first system of its kind anywhere in the world—but likely not the last. CalPrivacy’s General Counsel Phil Laird noted during the session that multiple states are already in talks with CalPrivacy about replicating the system, and he signaled a willingness to make components of the technology available on an open-source basis.
Key Dates and Ongoing Obligations
Starting August 1, 2026, data brokers must begin pulling consumer deletion request lists from DROP and processing them. From that point forward, brokers must access the system at least once every 45 calendar days to download new hashed identifiers, match them against their records, execute deletions, and report status back to DROP.
In practice, a full cycle from the consumer’s perspective can stretch to more like 90 days—there’s a lag between the consumer submitting a request and the broker pulling the next list, plus up to 45 days for the broker to finish processing. Notably, pending legislation (SB 1106) would compress that processing window from 45 to 30 days. (CalPrivacy declined to take an official position on the bill when asked during the DROP Update.)
One procedural detail is worth flagging: brokers must report the status of all outstanding requests from the prior cycle before they can pull a new list. This means status reporting is not optional or deferrable; it is the gate to the next batch.
Are You a Data Broker? You Might Be
Perhaps the most practically significant takeaway was CalPrivacy’s emphasis on the breadth of the definition of “data broker.” The statute captures any business that “collects and sells to third parties the personal information of consumers with whom the business does not have a direct relationship.” CalPrivacy’s regulations broaden the definition by limiting a “direct relationship” to circumstances where the consumer intentionally interacts with the business.
Critically, CalPrivacy evaluates whether a business is a data broker at the data level, not the entity level. Under this approach, a company can have robust, direct consumer relationships and may still qualify as a data broker if it also sells personal information acquired from third-party sources. Laird illustrated the point with examples of businesses that had already registered, some of which seemed to surprise a number of people in the room: a large provider of research and analytics tools to professional services companies for use in business environments that also offers services for which it aggregates and sells personal data obtained from third-party sources, and a well-known consumer brand that self-identified because it collects and sells personal information obtained outside its direct customer relationships.
This tracks with responses during the DROP rulemaking process, in which CalPrivacy staff stressed that collection of personal information “outside of [a consumer’s] awareness or without [their] intent is always going to be indirect”—and therefore likely to qualify as data brokerage activity—regardless of whether the business also directly interacts with consumers in other contexts. CalPrivacy’s remarks at the DROP Update at IAPP suggest the agency is concerned that a number of businesses have not fully evaluated whether they fall within the definition. If your company acquires consumer data from third parties and monetizes it, this question deserves a hard look.
Technical Mechanics: Registration and Matching Procedures
The session offered a detailed walk-through of DROP’s technical architecture, exceeding previously published guidance.
- The Identity Gateway. Verifying that a consumer is a California resident without the government maintaining a searchable database of personal information was, as CDT’s Chief Technology Officer Jonathan Pratt described it, the hardest technical problem the team had to solve. The solution: the California Identity Gateway, a vendor-agnostic, open-source digital identity tool that routes verification through third-party identity providers, including login.gov (the federal digital identity service). An interesting data point: roughly 30% of verifications are going through login.gov (higher than the team expected). The Gateway also routes through a third-party identity provider for consumers who can’t verify through login.gov, ensuring that vulnerable populations aren’t locked out of the system.
- Consumer Information and Hashing. Once verified, consumers provide personal information for matching purposes. The minimum required information is a name plus a limited set of identifiers (e.g., date of birth and ZIP code), with optional fields for email, phone number, mobile advertising IDs, connected TV IDs, and vehicle identification numbers. For most categories of identifiers, the form allows multiples to be submitted with a single registration. All personal information is hashed immediately upon submission so that DROP does not store plain-text, searchable identity data.
- Suppression Lists: An Ongoing Obligation. This requirement may catch some registrants off guard. Even if a business pulls a consumer deletion list and finds no match in its current records, it must maintain those hashed identifiers on a permanent suppression list. If the business later acquires third-party data tied to one of those identifiers (for example, through a new data purchase), that data cannot be sold or shared and must be treated as already subject to the deletion request. Put simply, this is not a one-time batch job. Businesses must screen every new data acquisition against all prior DROP lists indefinitely, unless the consumer cancels their request.
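The match-delete-suppress loop described in the last two items, as an added sketch that is not CalPrivacy's or CDT's code. The page does not state DROP's hash algorithm, normalization rules, or status values, so SHA-256, the whitespace and case normalization, the status labels, and every class and function name here are assumptions.

```python
import hashlib


def hash_identifier(kind, value):
    """Hash one identifier. Assumption: SHA-256 over 'kind:normalized-value';
    DROP's real hashing and normalization scheme is not given on the page."""
    normalized = "".join(value.split()).lower()
    return hashlib.sha256(f"{kind}:{normalized}".encode()).hexdigest()


class SuppressionStore:
    """Broker-side record store plus a permanent suppression list (hypothetical)."""

    def __init__(self):
        self.records = {}        # record_id -> set of identifier hashes
        self.suppressed = set()  # every hash ever pulled from a DROP list

    def ingest(self, record_id, identifiers):
        """Screen a new data acquisition before it enters the sellable store.
        Returns False when any identifier is suppressed: the record is treated
        as already subject to a deletion request and is not stored."""
        hashes = {hash_identifier(kind, value) for kind, value in identifiers}
        if hashes & self.suppressed:
            return False
        self.records[record_id] = hashes
        return True

    def process_drop_list(self, drop_hashes):
        """Apply one pulled list: delete matching records and keep every hash
        on the suppression list, matched or not. Returns the per-hash status
        that must be reported back before the next list can be pulled."""
        status = {}
        for h in drop_hashes:
            matched = [rid for rid, hs in self.records.items() if h in hs]
            for rid in matched:
                del self.records[rid]
            self.suppressed.add(h)
            status[h] = "deleted" if matched else "no_match_suppressed"
        return status

    def cancel(self, h):
        """Consumer cancelled the request: stop suppressing this hash."""
        self.suppressed.discard(h)


if __name__ == "__main__":
    # Constructed sample data, not real consumer identifiers.
    store = SuppressionStore()
    store.ingest("r1", [("email", "Alice@Example.com")])
    pulled = [hash_identifier("email", "alice@example.com"),
              hash_identifier("email", "bob@example.com")]
    print(store.process_drop_list(pulled))
    print(store.ingest("r2", [("email", "bob@example.com")]))  # later purchase
```

The second identifier shows the case the page warns about: no record matched when the list was pulled, yet a later purchase carrying that identifier is still refused.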
The Enforcement Math, Revisited
We dropped the staggering $1.5 billion figure—now let’s unpack it. The Delete Act imposes $200 per day, per consumer for failure to process deletion requests. With over 260,000 consumer deletion requests already queued up in the system, Laird did the math for the room: ~250,000 consumers × 30 days × $200 = $1.5 billion. That’s a ceiling—not a forecast—but it conveys how quickly these penalties can add up. Registration-side violations carry a comparatively modest penalty of $200 per day, but that also adds up: over a year, that’s $50,000 to $60,000 or more. CalPrivacy’s enforcement actions are already well into double digits on registration cases and show no signs of slowing down, suggesting the high priority the agency will place on DROP compliance.
And this is likely just the beginning. CalPrivacy indicated that multiple states are in active discussions about pursuing similar “Delete Act–style” legislation and centralized deletion platforms. California is already fielding requests from other jurisdictions looking to replicate DROP or its components—much as data broker registration requirements have spread from Vermont to California, Texas, and Oregon in just a few years. All considered, data brokers (broadly defined) should expect enforcement exposure to increase sharply in the coming years as California moves from launch to enforcement and other states follow suit.
Next Steps for Businesses
Whether a business is evaluating its status or already preparing for August 1, the session pointed to several concrete action items for entities subject to the California Consumer Privacy Act:
- Watch for the late-April technical release. CalPrivacy expects to publish application programming interface (API) specifications, a sandbox environment, and detailed integration examples in the coming weeks. For companies planning API integration, this documentation will be essential as engineering teams start building and testing.
- Conduct a data inventory focused on information sourced from third parties. Given the data-level definition, the right question isn’t “Are we a data broker?” in the abstract—it’s “Do we sell any personal information that we didn’t collect directly from the consumer?” If the answer is yes with respect to any California consumers, registration and DROP compliance may be required notwithstanding any direct relationship to them.
- Designate contacts (and consider listing outside counsel). When creating a DROP account, businesses must designate both a primary and a secondary contact for operational communications (sandbox availability, system downtime, implementation updates). CalPrivacy noted that a number of law firms and outside counsel are listing themselves as secondary contacts, which the agency actively encourages. For clients who want help navigating technical updates and agency communications in real time, this is worth considering (and something we can set up).
- Prepare for the post-DROP era. The deletion platform is only one piece of the broader California framework. Data brokers that meet certain thresholds must also conduct annual cybersecurity audits (phased in starting in 2028 based on revenue) and complete risk assessments for activities involving the sale or sharing of personal information. CalPrivacy is also developing a separate rulemaking package for independent third-party audits specific to Delete Act compliance, meaning brokers will eventually need to demonstrate that they are properly matching records, executing deletions, and maintaining suppression lists.
The throughline from the IAPP session was clear: DROP is not a theoretical compliance exercise. The platform is built, over a quarter million consumers are already in the queue, and enforcement infrastructure is in place. If your business is engaging in third-party data sales in California, now is a good time to get ready for the August 1 deadline and evaluate your obligations to begin processing DROP requests.