The state of California in the United States recently officially launched an online platform called the "Delete Requests and Opt-Out Platform" (DROP), providing state residents with a new centralized tool to limit the ability of data brokers to store and sell their personal information. Under previous privacy regulations in effect, California residents have had the right to ask companies to stop collecting and selling their data since 2020, but in the past they had to submit separate opt-out applications to each company one by one, which was a cumbersome process.

The Delete Act passed in 2023 aims to simplify this process, allowing residents to request more than 500 registered data brokers to delete their personal information through a one-time request.

Currently, the DROP platform has begun accepting applications. After residents complete California residency verification on the platform, they can submit a deletion request, which will be automatically sent to all data brokers registered in the state and those registered in the future. However, this does not mean that all relevant data will be deleted immediately: according to regulations, brokers will not begin to officially process such requests until August 2026, and will also have a 90-day processing period after which they will need to provide feedback to the regulatory agency upon completion. If the broker fails to find relevant records or deletes the data, users can supplement more information through the platform to help the company locate their personal data.

It is worth noting that the new tool is mainly aimed at data brokers who buy and sell personal information, and does not obligate companies to delete data they obtain directly from users as a first party. In other words, the first-party data legally collected and retained by the enterprise based on its own service relationship can still be retained; what must be deleted is the personal data used by the broker for buying and selling, including social security numbers, browsing history, email addresses, phone numbers and other types of information. In addition, some information derived from public records, such as vehicle registration information and voter registration records, are excluded from deletion. Some highly sensitive data, such as medical information protected by other federal or state laws such as the Health Insurance Portability and Accountability Act (HIPAA), are subject to their own specific legal frameworks.

The California Privacy Protection Agency said that in addition to further strengthening residents’ control over their own data, this new tool is expected to bring multiple effects in real life, such as reducing unwanted text messages, phone calls, and email pushes. The agency also pointed out that centralized deletion of data can also help reduce the risk of identity theft, fraud, "AI impersonation" (the use of generative artificial intelligence to simulate a voice or identity to commit fraud), and data breaches or hackers. For data brokers that fail to register with California as required or fail to fulfill their obligations after receiving a deletion request, regulators can impose fines of $200 per day and recover enforcement costs.

Industry insiders believe that the implementation of DROP means that the key implementation links of the "Deletion Act" have officially taken shape, providing a practical sample for data brokerage supervision at the other states and even the federal level. In the context of the rapid development of generative artificial intelligence and the rising risk of data abuse, the supervision of the personal data buying and selling chain is becoming a new focus in the field of privacy and security policies. The centralized “one-click deletion” mechanism launched by California may push more regions to re-examine the compliance boundaries and obligations of the data brokerage industry.