The California Privacy Protection Agency's Delete Request and Opt-Out Platform, known as DROP, registered over 242,000 Californians and surpassed 575 data broker registrations in its first eight weeks of operation, according to figures disclosed at the agency's February 27, 2026 board meeting in Sacramento.

Those numbers far exceeded internal forecasts. The platform went live at midnight on January 1, 2026, mandated under Senate Bill 362, California's Delete Act. Within the first 48 hours alone, more than 18,000 deletion requests came in. The peak single day reached 30,000 requests, with 2,136 submitted during the busiest hour on record. "I'm pleased to announce that as of this morning, over 242,000 Californians have signed up for the service," said Executive Director Tom Kemp at the February 27 meeting.

The figures are significant for the advertising and marketing industry because DROP represents the first government-administered mechanism through which consumers can remove their personal data from hundreds of companies simultaneously - without needing to contact each one individually. That structural change has direct implications for data brokersprogrammatic advertising, and the broader ecosystem that relies on detailed consumer profiles to power targeted campaigns.

How the platform works technically

Before submitting a deletion request, consumers must first verify their status as a California resident. According to Chief of IT Artem Andrusov, approximately 98% of those who attempt the verification process are confirmed successfully. The California Department of Technology's identity gateway manages the verification automatically within DROP.

Two verification paths exist. Around 70% of users verify through personal information entry. The remaining 30% create or sign in using an existing login.gov account. For the roughly 1% who cannot be verified automatically, a manual residency review workflow is available.

Once verified, users land on the request submission page. The average time to complete a request, from start to finish, is eight minutes. Consumers must provide at least one identifier beyond name and date of birth, though the platform encourages submitting more to increase the probability of matching against broker databases.

Across all submitted requests, the identifier breakdown as reported at the meeting was as follows: 99% include at least one ZIP code; 94% include phone numbers; 91% include email addresses; 24% include vehicle identification numbers (VINs); 10% include mobile advertising IDs (MAIDs); and 3% include connected TV IDs. As of February 27, 2026, the system held a total of 1.2 million identifiers.

The low rate of MAID and connected TV ID submissions is notable. These identifiers are central to mobile advertisingand connected TV targeting, two of the fastest-growing programmatic channels. Andrusov acknowledged at the meeting that there is an opportunity to improve messaging around these unique identifiers to encourage broader submission.

Consumer engagement and feedback

Beyond raw deletion volume, the platform has generated substantial downstream engagement. According to figures presented at the board meeting, 85,000 people signed up for DROP-specific updates, while 43,000 opted into the broader CalPrivacy newsletter. The platform's average rating since launch stands at 4.26 out of 5, and the most recent weekly average climbed to 4.42.

Feedback collected through the platform ranged from enthusiastic to constructive. One user wrote, according to the meeting transcript, that the service is "incredibly streamlined and easy." Another noted being "able to go on my TV and change ad settings." On the constructive side, some users requested the ability to submit more than three email addresses per request. Others asked for clearer guidance on how to locate and enter VINs and MAID identifiers before starting the process.

The support volume was also higher than anticipated. Over 6,500 support tickets arrived since launch, split roughly evenly between general inquiries and residency review requests. At peak response periods, approximately eight staff members were managing the inbox simultaneously. Questions about the verification process and identifier entry dominated the ticket categories.

Data broker registration and the August deadline

The number of registered data brokers climbed substantially since DROP went live. According to a Privacy Rights Clearinghouse letter sent to the Attorney General in June 2025, the registry held 459 data brokers as of spring 2025. By December 2025, that figure had grown to over 540. By February 2026, it crossed 575. Executive Director Kemp stated at the board meeting that "no other state or even past data broker registries here in California have as many registered data brokers."

The critical deadline for data brokers is August 1, 2026. That is when companies must begin accessing DROP at least every 45 calendar days to retrieve consumer deletion lists and process requests. The agency is preparing API documentation and developing a data broker sandbox to facilitate technical integration ahead of that date. Publication of the full data broker registry on the agency's website was expected in March 2026.

California's first enforcement action under the Delete Act, announced December 30, 2025, targeted Texas-based Rickenbacher Data LLC, which received a $45,000 fine for failing to register as a data broker. That case involved databases containing home addresses, phone numbers, and email addresses for over 435,000 people classified with Alzheimer's disease. It demonstrated California's willingness to pursue out-of-state companies - a signal that registration compliance carries genuine legal risk.

Data broker registration fees were previously set at $6,600 annually. The agency reevaluated program costs and brought the fee down to $6,000 for the current year. Finance staff indicated at the February 27 meeting that the board would revisit fee levels in coming months given the surge in both registrations and consumer activity. A separate budget request - Item 9840 - was under legislative review to potentially free up an additional $700,000 for identity verification costs. If approved, the legislative clock on that request ended the Sunday after the February 27 meeting.

The advertising and marketing industry context

For the marketing community, DROP's early traction is a concrete data point about what large-scale, government-administered data deletion looks like in practice. A platform that reaches 242,000 users organically in two months - without a major paid push - can be expected to scale significantly once the agency's $2.5 million paid media campaign fully activates. That campaign, branded "The Gatherers" and featuring California wildlife imagery, launched paid search on January 1 and activated paid social ads in mid-February. In March 2026, the agency planned to extend to radio, print, out-of-home, and television formats, with a full-scale "delete week" scheduled for the fall timed to coincide with when broker processing actually begins.

Board Member Drew Liebert raised the scale challenge directly at the meeting. Approximately 35 million Californians are internet users, he noted, and even reaching 10% would imply 3 million participants. The gap between 242,000 and that figure underscores the reach effort still required. Liebert also floated integrating DROP awareness into existing government touchpoints, such as vehicle re-registration at the DMV or voter registration renewals.

The DROP regulations, approved by the California Office of Administrative Law on November 6, 2025, took effect on January 1, 2026. Failure to process consumer deletion requests carries civil penalties of $200 per day per consumer. Data brokers that fail to register face $200 per day in fines. Independent third-party audits become mandatory starting January 1, 2028, on a three-year cycle.

The combination of enforcement activity, a growing registry, and a technically functional platform marks a meaningful shift in how California's privacy law framework operates in practice. Assembly Bills 137 and 566, which updated the California Consumer Privacy Act effective January 1, 2026, expanded requirements for contractual agreements when transferring personal information to third parties. Taken together with DROP, the regulatory environment creates real operational pressure on companies that monetize consumer data at scale.

New leadership and organizational updates

The February 27 board meeting introduced Sabrina Boyson-Ross as the agency's inaugural Chief Privacy Auditor. The position, mandated by the California Privacy Rights Act, had been vacant for six years. Her prior roles included Director of Public Policy at Meta, and senior privacy and policy positions at Uber and Apple. The newly formed Audits Division she leads will conduct privacy compliance examinations of businesses and business practices. Board Member Alastair Mactaggart noted the significance of the appointment directly: "It's been six years that the position has been open, and you are the inaugural person."

Nicole Ozer joined the board as its newest member, appointed by Assembly Speaker Robert Rivas as the assembly's appointee, replacing Dr. Brandy Nonnecke. Ozer previously led the Technology and Civil Liberties Program at the ACLU of Northern California and serves as Inaugural Executive Director of the Center for Constitutional Democracy at UC Law San Francisco. She was among the architects of the California Electronic Communications Privacy Act. Mactaggart linked the appointment to the very origins of the CCPA, recalling that Ozer "was the first person I think I talked to" during early work on the 2018 law.

Agency attorney Liz Travis Allen received the 2026 California Privacy Lawyer of the Year award from the California Lawyers Association. The agency noted this was the second time one of its attorneys had received the honor - Lisa Kim received it in 2023.

The agency also confirmed zero executive-level turnover, that it was on track with hiring and budget goals, and that a website merger combining cppa.ca.gov and privacy.ca.gov was targeted for late summer 2026. Executive Director Kemp noted at the meeting that the agency had met directly with over 70 of California's 120 legislators since joining the agency.

Legislation in progress

Senate Bill 923, the Expanding Privacy Rights Act authored by Senator Josh Becker, addresses two of three bill proposals the board approved in November 2025. The agency is building a coalition in support of the bill, drawing on experience from the California Opt-Me-Out Act, signed into law in 2025 as the agency's first sponsored legislation. Assembly Bill 2021, the Whistleblower Protection and Privacy Act authored by Assembly Member Schiavo, was also introduced, targeting enforcement support through whistleblower mechanisms. Both bills were in early stages as of late February 2026.

Timeline

  • 2018: California Consumer Privacy Act passes
  • 2020: Voters approve Proposition 24, creating the California Privacy Protection Agency
  • January 1, 2024: CPPA takes over data broker registry administration from the Attorney General's office under SB 362
  • Spring 2025: 459 data brokers registered with the agency, according to a Privacy Rights Clearinghouse letter
  • July 1, 2025: Healthline settles CCPA case for $1.55 million, the largest penalty under the law at the time
  • November 6, 2025: California Office of Administrative Law approves DROP regulations
  • November 2025: Board approves three bill proposals; two addressed by SB 923
  • December 2025: Over 540 data brokers registered
  • December 30, 2025: First Delete Act enforcement action against Rickenbacher Data LLC, $45,000 fine
  • January 1, 2026: DROP goes live at midnight; over 18,000 requests in first 48 hours; paid search activates; CCPA updates take effect
  • January 20, 2026: Governor's office issues press release on DROP
  • Late January 2026: Agency publishes its own DROP press release during Data Privacy Week
  • February 2026: 575+ data brokers registered; paid social media ads go live
  • February 27, 2026: CPPA board meeting; 242,000 sign-ups, 1.2 million identifiers, $2.5 million paid media budget remaining reported
  • March 2026 (planned): Data broker registry published on agency website; paid media expands to radio, print, out-of-home, TV; press conference at Capitol with Senator Becker's office
  • June 2026: Deadline to exhaust $2.5 million paid media budget
  • August 1, 2026: Data brokers must begin accessing DROP every 45 days to process deletion requests
  • Fall 2026: "Delete Week" awareness campaign planned
  • January 1, 2028: Independent third-party audits of data brokers become mandatory on a three-year cycle

Summary

Who: The California Privacy Protection Agency, led by Executive Director Tom Kemp and Chairperson Jennifer M. Urban, oversees DROP. Over 242,000 California residents have enrolled, with more than 575 registered data brokers. New additions to the agency include Chief Privacy Auditor Sabrina Boyson-Ross and board member Nicole Ozer.

What: DROP is a state-administered platform that allows California residents to submit a single deletion request reaching all registered data brokers simultaneously. In its first eight weeks, it collected 1.2 million consumer identifiers, received over 6,500 support tickets, and launched a $2.5 million paid media campaign with expansion planned through June 2026.

When: DROP launched January 1, 2026. Figures were reported at the board meeting of February 27, 2026, covering eight weeks of operation. Data brokers face an August 1, 2026 deadline to begin processing requests. Independent audits become mandatory from January 1, 2028.

Where: The platform operates at privacy.ca.gov/drop and is available exclusively to California residents. The board meeting took place at the Cannabis Control Appeals Panel Hearing Room in Sacramento.

Why: California's Delete Act, SB 362, mandated a centralized deletion mechanism to simplify the exercise of consumer privacy rights. Previously, consumers had to contact each data broker individually - a practical barrier that limited the real-world impact of rights already granted under state law. DROP is designed to lower that friction while giving regulators a direct enforcement mechanism against companies that fail to process deletion requests.

Share this article
The link has been copied!