Privacy & Information Security Law Blog

On June 26, 2024, the California Privacy Protection Agency (“CPPA” or the “Agency”) held a virtual preliminary stakeholder session regarding a data broker accessible deletion mechanism.

The mechanism, named Data Broker Delete Requests and Opt-out Platform (“DROP”), is an accessible deletion mechanism that will allow consumers to request deletion of their non-exempt personal information held by data brokers through a single request submitted to the Agency. Starting January 1, 2026, consumers may access the DROP and start making single deletion requests. From August 1, 2026, DROP will be available to data brokers, and data brokers must access the online deletion mechanism once every 45 days to review and process consumer deletion requests.

The discussion brought together a diverse group of participants including academics, CEOs, lawyers and policy analysts, who shared insights on making the process more consumer-friendly, addressing potential fraud and abuse, enhancing transparency, and clarifying regulatory ambiguities.

Key suggestions included simplifying the request process for consumers by minimizing required information and ensuring easy verification methods. The discussion also touched on making the system accessible to all age groups and highlighted the importance of clear communication to reassure consumers that their requests are processed.

Participants also discussed issues of potential misuse, emphasizing the need to safeguard against fraudulent activities such as deletion requests from spoofed IP addresses or deceptive practices of companies generating false deletion requests for profit. In addition, participants emphasized the importance of transparency regarding how consumers can identify which data brokers hold their data. Transparency was also requested regarding how entities exempt from the accessible deletion mechanism on the basis of certain federal laws should communicate this exemption to consumers.

Participants further called for more detailed regulations that would outline the responsibilities for data broker processors that do not directly collect consumer data but are involved in handling it. The discussion also emphasized the Agency’s role in authenticating consumer requests before making these requests available to data brokers, suggesting methods such as verification of California residency. Regarding pseudonymous identifiers, participants recommended that the Agency carefully consider how it will handle authentication of pseudonymous identifiers such as device IDs and cookie IDs, suggesting that these categories of data require a different approach. For instance, when data brokers store data in pseudonymous form, they may claim that they have no data about an individual because the information is not directly identifiable, even though they continue to sell pseudonymous information like cookie identifiers.

The discussion underscored the need for a balanced approach that ensures ease of use for consumers while safeguarding against fraudulent activities and maintaining clear communication regarding data management practices.

The full recording of the session can be accessed on the CPPA website.