Privacy & Cybersecurity Law Blog

On September 26, 2025, following a public comment period, the California Privacy Protection Agency (“CPPA”) adopted its regulations concerning the Delete Request and Opt-Out Platform (“DROP”). The DROP is a tool developed to address the California Delete Act’s requirement that the CPPA establish an accessible deletion mechanism to allow consumers to request from registered data brokers the deletion of all non-exempt personal information related to the consumer through a single deletion request to the CPPA.

Under the Delete Act, the tool will be available to consumers by January 1, 2026. Starting August 1, 2026, data brokers must access the DROP system every 45 days to retrieve and process deletion requests. Data brokers should review the CPPA’s Final Statement of Reasons and Update to Informative Digest to prepare for compliance with their obligations under the Delete Act.

The adopted regulations include key updates and clarifications, including:

• Data Standardization. The regulations clarify the data standardization required for comparing the CPPA’s deletion lists acquired via the DROP with the broker’s data, including addressing specific data elements such as date of birth, zip code, phone numbers, and non-English language characters, as well as how to hash identifiers when a deletion list contains multiple identifiers.
• Matching Threshold. In response to concerns that the original 50% matching threshold for removing data was too low and could lead to a consumer’s data being removed when they did not request its removal, the regulations remove the 50% threshold, which results in a 100% consumer identifier match threshold for deletion to be required.  
• Retention of Consumer Deletion Requests. The regulations add language designed to clarify that data brokers must maintain consumer information provided by the CPPA through the DROP, even when the information does not match any of their existing consumer records. This update supports the requirement in the regulations for data brokers to monitor newly collected records for personal information relating to a consumer who previously submitted a deletion request.  
• Service Providers and Contractors. Under the Delete Act, data brokers must direct service providers and contractors to comply with a consumer’s delete request. In response to data brokers’ concerns about how to comply with this requirement, the regulations clarify that data brokers may share the minimum personal information necessary for service providers and contractors to facilitate compliance with a deletion request.  
• Verification of California Residency. The regulations provide that the CPPA will require verification of a consumer’s California residency prior to the submission of a deletion request through the DROP. The regulations also clarify that an authorized agent may assist a consumer in submitting a deletion request only after the CPPA has verified the consumer’s California residency.