The California DROP Act: You Won’t Need Your Records Until You Suddenly Do
The Delete Act and its DROP platform turn data deletion into a hard deadline. Here is what the DROP Act means for anyone who collects, buys, or sells leads, and why the businesses that saved their proof will sleep through it.
The DROP Act is the common name for California’s Delete Act (SB 362) and its Delete Request and Opt-out Platform (DROP). Starting August 1, 2026, registered data brokers must honor one-click consumer deletion requests filed through DROP. If your business collects, buys, or sells personal data, you need provable consent records in place before a request lands, not after.
Picture this: a consumer you have never spoken to files a deletion request through a state website. A clock starts. You now have weeks to find every record tied to that person, prove how you obtained their data, and either delete it or show you had the right to hold it. If your logs are thin, the scramble begins. If you saved everything, it is a five-minute lookup.
The DROP Act in 60 seconds
If you only read one section, read this one. Here is the whole DROP Act in plain terms.
- What it is. The DROP Act is what people are calling California’s Delete Act (SB 362). It created DROP, the Delete Request and Opt-out Platform, a single state-run site where a consumer files one request to delete their data.
- The one-click part. Instead of chasing every company individually, a person submits one DROP request and every registered data broker has to honor it.
- Who has to register. Data brokers must register with the California Privacy Protection Agency each year by January 31 or face $200 per day in penalties.
- The deadline that matters. Starting August 1, 2026, brokers must check DROP at least every 45 days and delete matching records within 90 days.
- Who counts as a “data broker.” Any business that knowingly collects and sells personal information on people it has no direct relationship with. That quietly sweeps in many lead sellers, list brokers, and co-registration aggregators who never used the label.
You can confirm the mechanics and registration rules directly with the California Privacy Protection Agency, the regulator that runs DROP and enforces the Delete Act.
You don’t need your records, until you do
It is easy to be relaxed about compliance. Nothing is on fire, requests are not arriving, and saving every form submission and session recording can feel like overhead you do not need. That is exactly the trap.
Evidence works like insurance. You do not need it on a quiet Tuesday. You need it the moment a deletion request, an angry consumer, or a regulator’s inquiry lands, and by then it is too late to start collecting it. The DROP Act turns that quiet Tuesday into a countdown. When a request comes through, the question is not whether you intend to comply. It is whether you can prove what you held, how you got it, and that the person actually agreed.
A business that quietly saved its traffic and recordings answers in minutes: here is the consent, here is the page they saw, here is the timestamp, here is the device. A business that did not is left scrambling through systems that were never built to reconstruct one person’s history under a 90-day clock.
You don’t need evidence until the day you desperately do. The DROP Act just put that day on the calendar.
The deletion itself is the easy half. The hard half is proving, on demand, that you had a lawful basis to hold the data in the first place. That proof only exists if you captured the interaction before the request arrived.
Why the DROP Act won’t stop at California
California is first, not last. It is the only state today with a universal one-click deletion platform, but it is not alone in regulating data brokers. Texas, Oregon, and Vermont already run broker registries, and California’s model is the template other states copy. The state pioneered the modern privacy playbook with the CCPA, and the rest of the country followed.
Treating the DROP Act as a California-only problem is a planning mistake. The smart read is that one-click deletion is the direction of travel nationally. The businesses that build a provable record now will not have to rebuild it five times as five more states pass their own versions.
How Evidora is your DROP Act hedge
This is what Evidora was built for. Evidora quietly sits in the background of your site and captures a court-ready record of every interaction: which consent language appeared, where the click landed, the timestamp, the device, and the rendered page as the person actually saw it. One line of code. Retain what matters, expire what does not.
That record is your hedge against the DROP Act in two ways. First, when a deletion request arrives, you can find the person instantly and prove exactly what you held and how you obtained it. Second, that same record is what proves you had a direct relationship or documented consent, which can be the difference between being an in-scope data broker and not.
| When a DROP request lands | Without a record | With Evidora |
|---|---|---|
| Find the consumer’s data | Manual search across systems under a 90-day clock | Instant lookup by evidence record |
| Prove how you got the data | Reconstruct from memory and guesswork | Captured consent, page, timestamp, and device |
| Show you had consent or a direct relationship | Often impossible after the fact | Court-ready proof already on file |
| Handle the next state’s version | Start over from scratch | The same record already works |
Most businesses plan to comply with the DROP Act. Far fewer can prove compliance. Proving what you held, how you got it, and that the consumer agreed is the half that wins or loses an audit, and it only exists if you captured it before the request ever arrived.
Frequently asked questions
What is the DROP Act?
The DROP Act is the common name for California’s Delete Act (SB 362), which created DROP, the Delete Request and Opt-out Platform. It lets consumers file one request to have every registered data broker delete their personal information.
When does the DROP Act take effect?
Consumers have been able to file requests through DROP since January 1, 2026. Registered data brokers must begin honoring those deletion requests starting August 1, 2026, checking the platform at least every 45 days and completing deletions within 90 days.
Who is a data broker under the Delete Act?
Any business that knowingly collects and sells personal information about consumers with whom it has no direct relationship. This sweeps in many lead sellers, list brokers, and co-registration aggregators who never thought the label applied to them.
What are the penalties for ignoring the DROP Act?
Data brokers that fail to register with the California Privacy Protection Agency by January 31 face 200 dollars per day, plus investigation costs. California is actively enforcing the Delete Act through a dedicated data-broker effort.
Will other states pass laws like the DROP Act?
Very likely. California is the only state with a universal one-click deletion platform today, but Texas, Oregon, and Vermont already regulate data brokers, and California’s privacy laws have historically been copied across the country.
How do I prove I had consent when a deletion request arrives?
You need a record captured at the moment of collection: the consent language shown, the affirmative click, the timestamp, the device, and the rendered page as the person saw it. Evidora captures this automatically so you can produce proof on demand.
Turn every form and checkout into a record you can produce on demand
Evidora captures court-ready evidence of every interaction on your site. One line of code. Retain what matters, expire what does not, and produce proof the moment a deletion request or dispute arrives.
See how it works →