One request to delete your data from every registered data broker: California just made it possible

One request to delete your data from every registered data broker: California just made it possible

As states continue to expand consumer privacy protections, the ability to request deletion of personal data varies widely across the U.S. Clym analyzed these rights across states, including California’s new Delete Request and Opt-Out Platform, to show what options are available and where.

For years, getting your personal information removed from data broker databases meant sending individual requests to dozens of companies, each with its own process, timeline, and set of exceptions. California just changed that.

On Jan. 1, 2026, California launched the Delete Request and Opt-Out Platform known as DROP, a first-of-its-kind system that lets any California resident submit a single deletion request to every registered data broker in the state, simultaneously and for free. Starting Aug. 1, 2026, data brokers will be legally required to check the platform every 45 days and process those requests, with up to 90 days to report the outcome to consumers, or face fines of $200 per deletion request per day of noncompliance.

Data brokers are companies that collect and sell personal information, often without consumers ever interacting with them directly. They gather data from public records, loyalty programs, social media activity, app usage, and purchase histories, then package and sell that information to advertisers, employers, insurers, lenders, and others.

While about 20 U.S. states have enacted comprehensive consumer privacy laws, with only four of these also requiring data brokers to register with state authorities, the level of consumer protection each provides varies widely. In California alone, over 500 data brokers are registered with the California Privacy Protection Agency (CPPA), and many operate across multiple states simultaneously.

The data they hold can include names, addresses, phone numbers, email addresses, mobile advertising IDs, financial details, and, in some cases, sensitive categories such as sexual orientation, biometric data, and certain government identifiers, as expanded under California’s SB 361 transparency requirements, which also requires data brokers to disclose whether such data is sold to specific categories of recipients, including foreign actors, government agencies, and generative AI developers.

The scale of the problem is significant. The Identity Theft Resource Center reported that 80% of U.S. consumers received at least one data breach notice in 2025. IAPP Privacy and Consumer Trust Report 2023 found that 68% of global consumers say they are concerned about their privacy online. Data brokers operate largely in the background, making it difficult for most people to know where their data is going, let alone request its deletion.

How DROP works

The DROP platform is accessible through the California Privacy Protection Agency and requires consumers to verify their California residency before submitting a request. The system collects identifying information, including name, date of birth, phone number, email address, and device identifiers like mobile advertising IDs (MAIDs). The more identifiers a consumer provides, the more likely brokers are to find and delete a match.

DROP uses a secure identity verification process through the California Identity Gateway, with encrypted submission and verification workflows. Once a request is filed, it is queued and distributed to all registered data brokers. After Aug. 1, 2026, brokers must check the platform at a minimum every 45 days and assign one of four standardized response statuses to each request:

• "Deleted" means the consumer’s nonexempt personal information has been removed, though certain legally exempt data may be retained.
• "Exempted" means certain data cannot legally be deleted under a statutory exception, and the broker must explain why.
• “Pending” indicates the request is still being processed.
• "Opted Out" applies when full deletion is not possible, but the consumer's data is blocked from future sale or sharing.
• "Record Not Found" means the broker could not locate data matching the submitted identifiers.

More from this section

+3

Study finds children’s mental health top stressor for parents

+3

Is your favorite playlist the key to pump up your endurance?

Themes of peace and human dignity have been central to Pope Leo as he marks his first year in office

Brokers that fail to process requests on time face administrative fines of $200 per request per day, and the CPPA has indicated that compliance with DROP requirements will be subject to enforcement under the Delete Act.

The patchwork problem: where other states stand

California's DROP is the most aggressive consumer data deletion mechanism in the country, but most Americans do not have access to anything comparable. As of 2026, 20 states have enacted comprehensive privacy laws, and while many include the right to request deletion of personal data from individual businesses, none have created a centralized system that covers all brokers at once, the way DROP does.

States like Indiana, Kentucky, and Rhode Island added comprehensive privacy laws on Jan. 1, 2026, giving residents the right to request deletion from individual companies. Connecticut, Arkansas, and Utah added further updates effective July 1, 2026. But consumers in those states must still contact each company separately.

Roughly half of U.S. states still have no comprehensive consumer data privacy law in place at all, leaving residents with limited legal recourse when it comes to personal data held by brokers. The result is a fragmented landscape where a consumer's ability to control their own data depends largely on their zip code.

For companies that handle California consumer data, the DROP system changes the compliance equation significantly. Any business that meets California's definition of a data broker, one that collects and sells personal information about consumers with whom it has no direct relationship, must register with the CPPA, pay an annual registration fee of $6,000, and begin processing DROP deletion requests starting Aug. 1, 2026.

Beyond data brokers, the shift signals where privacy compliance is heading more broadly. As Clym's analysis of CCPA deletion request obligations outlines, businesses of all sizes are expected to have documented processes for receiving, verifying, and fulfilling consumer data deletion requests within 45 days, with records maintained for a minimum of 24 months for audit purposes.

Understanding what qualifies as a deletion exception, how to verify consumer identity without overstepping, and how to document partial deletions are all areas where compliance gaps tend to emerge.

The DROP platform is live and accepting requests as of January 2026. Requests submitted before Aug. 1, 2026, are queued but not yet legally required to be processed. That said, submitting early means brokers will have the request waiting when the enforcement window opens.

Consumers who want to get ahead of the process can visit the California Privacy Protection Agency's data broker portal, submit a deletion request through DROP with as many identifying details as they can provide, and track the status of their request through the platform's dashboard.

For consumers in other states, the rights available depend entirely on where they live. Checking whether your state has a comprehensive privacy law and understanding what data subject rights it includes is the first step. 

This story was produced by Clym and reviewed and distributed by Stacker.