California has launched a first-in-the-nation centralized data deletion privacy tool called the Delete Request and Opt-Out Platform (DROP). Developed by the California Privacy Protection Agency (CPPA), it is an online platform that allows Californians to submit a single request directing registered data brokers to delete their personal information and stop selling it.
The authority for this tool traces back years to the passage of the California Privacy Rights Act (CPRA) in 2020, followed by the The Delete Act (SB 362) that was signed into law in 2023. In January 2026, the DROP website tool was officially launched and open for California residents to submit a DROP request. Starting August 1, 2026, data brokers must delete users data within 90 days of request.
What Has Changed
Under the CCPA and CPRA, consumers have long had the right to request deletion of their personal information and opt out of its sale. However, the newly launched DROP tool relieves much of the friction in that process.
Instead of navigating individual data broker websites one by one, consumers can now submit a single request through a state-managed portal. That request is then transmitted to registered California data brokers.
When the process becomes easier, participation tends to increase. Initial reporting in early January noted more than 10,000 signups shortly after launch. Official figures now show over 155,000 total DROP registrations — highlighting accelerated consumer engagement with the tool.
Why This Matters for Ecommerce Brands
Data brokers are businesses that knowingly collect and sell the personal information of consumers with whom the business does not have a direct relationship. For example, a company that compiles public records, social media profiles, and purchase history to sell consumer profiles to marketers — without those consumers ever signing up with or contacting that company — is a classic data broker. Most ecommerce businesses are not data brokers themselves, but some may rely on third-party data brokers to augment their own data about a consumer.
If DROP drives a meaningful increase in deletion and opt-out requests, data brokers may see reduced datasets. That, in turn, can affect ecommerce brands that depend on this data to fuel growth strategies.
With over 150,000 Californians already enrolled, this is no longer a compliance footnote. It is an operational development with potential downstream consequences. For EIA members, this creates several practical considerations:
1. Vendor Risk Is Elevated
Brands should understand whether their marketing partners are registered California data brokers and how they are handling DROP-related requests. Noncompliance at the vendor level can create contractual, operational, and reputational risk.
2. Third-Party Data Availability May Shift
If deletion requests scale, audience sizes and match rates for certain campaigns could decline. Brands that rely heavily on broker-sourced data may need to adjust acquisition strategies.
3. Enforcement Is Becoming More Scalable
DROP signals a broader evolution in privacy enforcement: infrastructure that enables consumer rights at scale. California is moving beyond policy mandates to technical implementation that gives consumers greater control over their data.
4. National Ripple Effects Are Likely
California often sets the privacy standard for the rest of the country. Other states with comprehensive privacy laws may pursue similar centralized mechanisms. For ecommerce brands operating nationally, California developments rarely stay confined to California.
The Broader Privacy Trajectory
EIA has consistently tracked California’s evolving privacy landscape, from CCPA implementation through CPRA expansion and ongoing enforcement trends. DROP marks a new stage in the state’s privacy regime — making deletion rights easier to exercise and raising the stakes for businesses that rely on third-party data.
For ecommerce brands, privacy compliance is no longer limited to updating a privacy policy or responding to occasional deletion requests. It now requires:
- Clear data mapping and documentation
- Ongoing vendor oversight
- Monitoring how regulatory tools affect marketing performance
- Strategic evaluation of reliance on third-party data
In sum, California’s DROP tool is significant not because it creates new privacy rights — but because it makes existing rights easier to exercise at scale. As more consumers engage, ecommerce brands should be prepared for potential downstream impacts on data availability, vendor compliance, and regulatory scrutiny.
Join the EIA today to help strengthen and shape policies that affect all ecommerce businesses. Together, we can continue to create the future of ecommerce. Subscribe to EIA email updates to stay informed on key developments and their impact on your business.
