James Mitchell
155,000 people in 20 days. That is the number of California residents who signed up for DROP before most outlets even covered the story. The numbers speak for themselves: people are fed up with their personal data circulating online without consent, and when someone hands them a button to erase it all, they press it.
California DROP (Delete Request and Opt-out Platform) is the world's first government-built tool designed to let any California resident request the deletion of their personal data from over 545 registered data brokers. One click. Zero cost. No need to send 545 individual emails or subscribe to a monthly paid service.
I tracked this for weeks and can tell you that what California just did has no precedent in any privacy legislation on the planet, including Europe's famous GDPR. But like anything that sounds too good to be true, there are critical nuances you need to understand before getting excited.
In this guide, I break down exactly what DROP is, how it works step by step, who can use it (and who cannot), how it compares to paid services like DeleteMe and Incogni, and the limitations nobody is telling you about.
What California DROP Is and Why It Exists
DROP stands for Delete Request and Opt-out Platform, a system created and administered by the California Privacy Protection Agency (CalPrivacy). Its function is simple but revolutionary: you sign up, verify your identity, and the platform automatically sends deletion requests to all 545 data brokers registered in the state.
The legal backbone of DROP is the Delete Act (SB 362), signed by Governor Gavin Newsom in October 2023. This law did not just create the platform β it required every data broker operating in California to register with CalPrivacy and process any requests routed through DROP.
How the Technical Process Works
The system operates using what CalPrivacy calls a privacy-preserving approach. This means your personal data is processed through hashing techniques before being sent to brokers. In practice, DROP does not tell a data broker "delete John Smith at 123 Maple Street." Instead, it sends an encrypted identifier that the broker must match against their internal records.
The full workflow looks like this:
- You register on the DROP platform with your personal information
- You verify your identity as a California resident
- DROP hashes your data to protect your privacy during the process
- The platform sends automated requests to all 545 registered data brokers
- Brokers have 90 days to process each request and delete your data
- DROP monitors compliance and reports violations to CalPrivacy
Data brokers will begin processing requests starting August 2026, when the 90-day compliance window kicks in. This means that if you sign up today, you will not see immediate results, but you will be in the queue when the enforcement mechanism goes live.
The Legal Muscle Behind DROP
This is where things get interesting. Unlike private services that send "please delete my data" requests with no real consequences if the broker ignores them, DROP has legal teeth. The fine for non-compliance is $200 per request per day. If a broker ignores 1,000 requests for 30 days, that is $6 million in fines.
Tom Kemp, one of the key advocates behind the Delete Act, puts it bluntly: the fines are cumulative, and they are designed to make ignoring DROP financially unsustainable. CalPrivacy has already demonstrated it does not bluff β it has fined 8 or more companies with penalties ranging from $34,400 to $56,600, and that was before DROP was even operational.
On top of that, data brokers must pay an annual fee of $6,600 just for the right to operate in California. This creates a natural filter: smaller brokers that cannot justify that cost will simply stop operating in the state.
Who Can Use DROP and Who Is Left Out
This is the part most articles skip, and in my testing across 50+ privacy tools, eligibility details are what frustrate users the most.
Requirements to Use DROP
- California residency: You must be a current resident of the state. Having a mailing address or having lived there previously is not enough.
- Identity verification: DROP requires you to prove your identity, though the exact verification method is still being finalized for the full public rollout.
- Individual person: Businesses cannot use DROP to delete their corporate data.
Who CANNOT Use It
- Residents of other U.S. states: If you live in Texas, New York, or Florida, DROP does not cover you. Period.
- People outside the U.S.: Not Europeans, not Latin Americans, not Asians. It is exclusive to California.
- Unrepresented minors: Minors need a legal guardian to manage the request.
The real ROI here is massive for Californians, but it creates an absurd privacy gap: two people can work at the same company in San Francisco, and if one lives in Oakland (California) and the other in Reno (Nevada, 3 hours away), only the first one gets access to DROP. It is a geographic lottery of digital rights that reflects the chaotic state of U.S. privacy legislation, where each state does whatever it wants without a federal law to unify standards.
DROP (Free) vs DeleteMe vs Incogni: The Real Comparison
Before DROP, if you wanted to remove your data from brokers, you had two options: do it yourself (sending hundreds of emails) or pay a service. Now there is a third option, but it does not necessarily make the others obsolete. Let me break this down with data.
| Feature | California DROP | DeleteMe | Incogni |
|---|---|---|---|
| Price | Free | $10.75/mo | $7.99/mo |
| Data brokers covered | 545 (CA-registered) | 750+ | 180+ |
| Availability | California residents only | Anyone in the U.S. | Global |
| Legal enforcement | $200/request/day fines | No direct enforcement | No direct enforcement |
| Scan frequency | TBD | Quarterly | Continuous |
| Covers Google/Facebook | No | No | No |
| User support | Government (limited) | Chat + email | |
| Hashed data | Yes | Varies | Varies |
| Years in operation | 2026 (new) | 2011 | 2022 |
My Analysis
The numbers speak for themselves: DROP wins on price (free) and legal power (real fines), but loses on geographic coverage and total broker count. DeleteMe covers more brokers and is available across the entire U.S., but costs $129 per year. Incogni is the cheapest paid option and works globally, but only covers 180 brokers.
If you are a California resident, the optimal strategy is to use DROP as your baseline (it is free β why wouldn't you?) and supplement with a paid service if you want to cover brokers not registered in California. If you do not live in California, DeleteMe or Incogni remain your best options.
One data point few people mention: none of these services, including DROP, can delete your data from Google, Facebook, or Amazon. These companies have a "direct relationship" with you (you accepted their terms of service), so they do not qualify as data brokers under California law.
What DROP Cannot Do: The Honesty You Need
In my testing across dozens of privacy tools, the limitations reveal more than the features. And DROP has several you need to know about.
1. It Does Not Address Data Collection
The Electronic Frontier Foundation (EFF) has been clear in its criticism: DROP treats the symptom, not the disease. You can delete your data today, but tomorrow those same brokers can collect it again from public records, social media, purchase histories, and hundreds of other sources. It is like emptying a bucket with a hole in the bottom.
This does not invalidate DROP. Imperfect does not mean useless. But you need to understand that deleting your data once is not a permanent solution. You will need to repeat the process periodically β something paid services like DeleteMe and Incogni automate with recurring scans.
2. It Does Not Cover Companies With a Direct Relationship
As I mentioned earlier, Google, Facebook, Amazon, Apple, and any company where you hold an account are not covered. If you uploaded photos to Instagram, Instagram is not a data broker. It is a company you chose to share information with. DROP cannot force them to delete anything.
3. It Is Not Instantaneous
Brokers have 90 days to process requests, and enforcement does not begin until August 2026. If you register expecting your data to vanish overnight, you will be disappointed. It is a slow process by legal design.
4. It Does Not Protect Against Past Breaches
If your data was already leaked in a security breach (like the ones we have seen in espionage scandals involving major tech companies), DROP cannot erase copies circulating on the dark web or in pirated databases. It only acts on legitimate, registered brokers.
5. It Is Not a Federal Law
DROP only works in California. The rest of the United States remains in the digital Wild West. This is particularly ironic considering that major tech companies like TikTok face regulatory pressure at the federal level, yet individual privacy remains fragmented across 19 state laws with no coherence between them.
Global Impact: California vs GDPR vs the 19-State Patchwork
To understand why DROP matters, you need global context. There are currently 19 U.S. states with some form of privacy law, but no federal law. Zero. None. The country that houses the most powerful tech companies on Earth does not have a national digital privacy regulation.
California vs Europe (GDPR)
| Aspect | California (DROP + CCPA) | GDPR (European Union) |
|---|---|---|
| Centralized platform | Yes (DROP) | No equivalent exists |
| Right to deletion | Yes | Yes (Art. 17) |
| Automated enforcement | In development | Manual (individual complaints) |
| Fines | $200/request/day | Up to 4% of global revenue |
| Targets specific brokers | Yes (545 registered) | Applies to all data controllers |
| Geographic coverage | California only | 27 EU countries |
The surprising finding is that the GDPR has no centralized platform equivalent to DROP. If a European citizen wants to delete their data from a data broker, they must identify the broker, send an individual request citing Article 17, and wait. If the broker does not respond, they must file a complaint with their country's data protection authority. It is a manual, fragmented, and exhausting process.
California, with DROP, has just created something that even Europe does not have: a "delete everything" button backed by automated fines. It is a precedent that will likely inspire similar legislation in other states and countries.
The Domino Effect Across Other States
The Delete Act is already generating imitators. Oregon, Texas, and Connecticut are considering similar legislation, though none have reached California's level of implementation. The problem is that without a federal law, each state creates its own system, with its own requirements, its own definitions of "data broker," and its own fines.
The result is a regulatory patchwork that tech companies exploit to their advantage. And meanwhile, the integration of AI into enterprise tools continues to generate massive amounts of personal data that feed these very same brokers.
How to Protect Your Data If You Do Not Live in California
If you have read this far and are not a California resident, do not close this page yet. There are concrete actions you can take today.
If You Live in Another U.S. State
- Check if your state has a privacy law: 19 states already have some form of legislation. Search for your state's data protection authority.
- Use paid services: DeleteMe ($10.75/mo) or Incogni ($7.99/mo) work across the entire U.S.
- Pressure your legislators: California's Delete Act passed because citizens pushed for it. Your state could be next.
- Do manual opt-outs: Many brokers have opt-out pages. It is tedious but functional.
If You Live Outside the U.S.
- In the European Union: Use your right under the GDPR (Article 17) to request deletion directly from each broker.
- In Latin America: Countries like Argentina, Brazil, and Mexico have data protection laws. Research your local legislation.
- Use Incogni: It is the only service mentioned here that works globally.
- Minimize your digital footprint: Use temporary emails, VPNs, and avoid unnecessary sign-ups.
Daily Habits That Reduce Your Exposure
- Review app permissions every month
- Do not accept unnecessary cookies (choose "essential only")
- Use a password manager instead of reusing credentials
- Disable location tracking when you do not need it
- Check which data brokers already have your data at sites like haveibeensold.app
Frequently Asked Questions About California DROP
Is DROP truly free, or are there hidden costs?
DROP is completely free for users. The costs are borne by data brokers, who must pay an annual fee of $6,600 to CalPrivacy to operate in California. There is no premium tier, no subscription, and no fine print with charges. It is a public service funded by broker fees and the state budget.
Can I use DROP if I used to live in California but moved away?
No. DROP requires current California residency. If you relocated to another state, you lose access to the platform. This is verified during the registration process. However, deletion requests you submitted before moving remain valid, and brokers are still required to process them.
What happens if a data broker ignores my request through DROP?
CalPrivacy has the authority to impose fines of $200 per request per day of non-compliance. If a broker ignores your request for 30 days, that is $6,000 in fines for your case alone. Multiplied by thousands of requests, the financial pressure becomes unsustainable. CalPrivacy has already fined more than 8 companies before DROP was even operational, so the enforcement precedent is real.
Does DROP delete my data from Google, Facebook, or social media?
No. DROP only covers the 545 data brokers registered in California. Companies like Google, Facebook, Amazon, Apple, or any service where you hold a direct account are not classified as data brokers. To delete your data from these platforms, you must use their own privacy settings tools or submit deletion requests through their individual forms.
How often should I use DROP to keep my data deleted?
CalPrivacy has not yet defined the exact re-scan frequency for the platform. However, since data brokers can recollect your data after deletion, repeating the process at least every 6 months is recommended. Paid services like DeleteMe do this quarterly and Incogni does it continuously, which is an advantage if you want permanent protection without manual intervention.
Conclusion: A Historic First Step With Real Limitations
California DROP is, backed by hard data and not hyperbole, the most ambitious government-built privacy tool in existence anywhere in the world. 155,000 registrations in 20 days prove the demand was there, waiting for an accessible solution.
But the data is equally clear about its limitations: it only covers California residents, it does not address the root cause (mass data collection), it does not include big tech companies you have a direct relationship with, and it cannot erase data already circulating from past breaches. It is a first step, not the definitive solution.
My recommendation after weeks of analysis is this: if you live in California, sign up today. It is free, and the legal enforcement makes it more effective than any paid service. If you do not live in California, use DROP as a benchmark for what you should demand from your legislators, and in the meantime, consider services like DeleteMe or Incogni to protect yourself actively.
Digital privacy is not a luxury. It is a right. And for the first time, a government has built a concrete tool to defend it. The question is not whether other states and countries will follow California's lead. The question is how long it will take them.
