By Payas Parab, Technology & Human Rights Fellow 2025-26, and Omkar Katre, Associate Researcher, Stanford University
The views expressed below are those of the author and do not necessarily reflect those of the Carr Center for Human Rights Policy or Harvard Kennedy School. These perspectives have been presented to encourage debate on important public policy challenges.
As of January 20, 2026, more than 155,000 Californians have signed up for the Delete Request and Opt-out Platform, or DROP for short, to ensure their data would be safe from sale by data brokers. The free-to-use tool went live on January 1, 2026, with the capability to send a single request to delete consumer data from all the eligible registered California data brokers.
Data brokers, as defined by the Delete Act, are “businesses that knowingly collect and sell to third parties the personal information of a consumer with whom the business does not have a direct relationship.” These consumer data-based businesses, which often fly under the radar of government regulation and consumer protection, account for a market of nearly $40.2 billion in North America. In California alone, there are around 545 state-registered data brokers. This kind of registration of data brokers is legally required in only four states: California, Oregon, Texas, and Vermont.
The foundation of DROP, amongst other related registration, is the increasing concern over the monetization of individual data, often acquired without user consent. A prime example is the settlement between the Federal Trade Commission (FTC) and InMarket Media, a Delaware-based digital marketing platform and data aggregator. The FTC had charged InMarket Media with collecting location information from consumers without consent. Through its own apps, it collected user information in the background. When third-party apps used its software development kit, InMarket did not require those companies to obtain their customers' consent to the collection and sale of user data. Through various apps and its own proprietary software development kit, InMarket combined location data with other data to find ways to target advertising and increase consumer spending, exploiting consumers' rights to privacy to increase shareholder value.
Regulating data aggregators and brokers has been a long-running battle. In California, the California Consumer Privacy Act of 2018 asserted that consumers ought to have transparency from businesses about the type of information they hold, the ability to delete that information, and the ability to opt out of its sale thereafter. Two years later, Proposition 24, or the California Privacy Rights Act of 2020, was passed. This led to further protection of consumers, which included scaffolding for opting out of sensitive personal information collection, parental consent for data being collected for users under 13, and the establishment of the California Privacy Protection Agency (CPPA). A couple of years later, the Delete Act was passed in 2023, which asserted the need for data broker registration and started the process to build the DROP.
Within two years, and at a price tag of $4.8 million, DROP was created. As a collaboration between CalPrivacy and the California Department of Technology, DROP provides California residents the means to input their personal data to be matched with data that currently exists in data brokers' databases. On the online platform, users can decide which data brokers can retain their data, and can pick and choose what data needs to be deleted.
Once the request is sent in, DROP provides pieces of data to data brokers to look for matches in their records. If a match is found, all the information that pertains to you is deleted (unless you have chosen to let them retain some form of your data). The data deleted includes both the sensitive information and the information inferred from it. First-party data, exempted data (data they are legally allowed to keep that is protected by other laws), and publicly available data will be retained by data brokers who register.
Data brokers are then given 45 days to delete the requested data; otherwise they face repercussions, including a $200 fine for every day the data sits in their system.
While DROP is an effective system, the original proposal’s wording faced much backlash from data brokers and industries that rely on consumer data due to possible legislative oversteps. An existing debate regarding DROP concerns the way it defines ‘direct relationships’, which CalPrivacy defined in this legislation as a consumer having intentionally interacted with a business to access, purchase, use, request, or obtain information about the business’s products or services. Dissenters argued that only strict first-party data transactions should be considered under this definition. Red flags included possible First Amendment rights violations, where entities may argue that the restriction on the ability to exchange and store personal data is a violation of free expression, or Commerce Clause defenses, where courts could find that regulations imposed by DROP affect businesses in another state. While the original proposal has been significantly rewritten and amended to be more cognizant of these possible objections, especially through public comment in CalPrivacy board meetings, it seems inevitable that corporations will mount legal defenses when faced with DROP’s heavy scrutiny of their business models.
Even given these challenges, consumers have been signing up in droves. With more than 155,000 sign-ups by January 20th, that amounts to almost 8,000 a day. With the enforcement period beginning in August of this year, the future looks bright for DROP, given its attention from other states.
There is some interest at the national level for policies like this. Senator Ron Wyden (D-OR) submitted his active support for the development and implementation of DROP, and hopes it can be oriented to protect U.S. government employees with particularly valuable data. His own bill, the “Mind Your Business Act” (S.1444 — 117th Congress), was not passed in Congress.
In his analysis of the potential for DROP to grow, Senator Wyden provides context for where the rest of the country stands on the tool, with states like Oregon and Colorado adopting bills that will likely result in similar systems. A universal deletion tool is just a matter of time, where individuals across the U.S. can delete their data to keep it from being unjustly commodified and sold.