California Delete Act compliance reaches a fever pitch as the CPPA's one-stop Delete Request and Opt-out Platform (DROP) hurtles toward its August 1 2026 broker-access deadline. This guide tracks rule-making updates, vendor readiness and the exact steps Californians must take to be first in line.
Why the Delete Act's 2026 Clock Matters for Privacy Vendors
Senate Bill 362 was signed into law on October 10, 2023, establishing a seismic shift in how Californians control their personal data. The California Privacy Protection Agency (CPPA) must create a Delete Requests and Opt-Out Platform by January 1, 2026, allowing consumers to send one verified request compelling all registered brokers to delete their personal information.
The stakes are high for both consumers and data brokers. Starting August 1, 2026, data brokers must access DROP every 45 days and complete deletion requests within that same timeframe. Brokers that fail to register face administrative fines of $200 per day, creating enormous financial pressure for compliance.
On March 7, 2025, the CPPA Board voted to advance DROP regulations to formal rulemaking, with the platform accessible to consumers by January 1, 2026, and to data brokers by August 1, 2026. This centralized deletion mechanism represents the first statewide platform of its kind in the United States, fundamentally changing how privacy vendors must operate.
From Statute to API Calls: How DROP Will Operate
The DROP platform transforms a complex maze of individual deletion requests into a streamlined, automated process. Beginning August 1, 2026, data brokers must access the platform every 45 days to retrieve and process all deletion requests, deleting personal information related to consumers making requests within that 45-day window.
Under the proposed regulations, data brokers will need to create DROP accounts, pay first-time access fees, and implement technical infrastructure capable of comparing consumer deletion lists against their records. The CPPA requires that brokers implement reasonable security procedures including administrative, physical, and technical safeguards appropriate to the nature of the information being processed.
The enforcement mechanisms add teeth to these requirements. Data brokers must not only delete initial requests but continue deleting personal information every 45 days thereafter, effectively creating a perpetual deletion cycle for consumers who have opted out.
Key Milestones: Jan 1 2026 → Aug 1 2026 → Jan 1 2028
The California Delete Act rollout follows a carefully orchestrated timeline. By January 1, 2026, the CPPA must establish the accessible deletion mechanism, making it available for consumer access. Six months later on August 1, 2026, data brokers gain access and must begin processing deletion requests every 45 days.
The compliance requirements intensify further by January 1, 2028, when data brokers must undergo triennial audits by independent third parties to verify their adherence to the Delete Act's provisions. These audits will examine whether brokers properly access DROP, process requests within required timeframes, and maintain ongoing deletion protocols.
Vendor Scorecard: Which Data-Removal Services Signal DROP Readiness?
As the DROP deadline approaches, data-removal services face unprecedented pressure to demonstrate their technical readiness and broker coverage. Currently, Cloaked covers 140+ brokers with comprehensive privacy tools, while Incogni leads the industry with verified coverage of 420+ brokers according to an independent Deloitte report.
The variance in broker coverage reveals significant gaps in the industry. DeleteMe, despite claiming 850 brokers, effectively covers only 181 without custom requests, highlighting the importance of understanding practical versus theoretical coverage. For California residents preparing for DROP, choosing a service with comprehensive broker relationships and $1 million insurance becomes crucial for ensuring their deletion requests are properly executed.
Cloaked: 140+ Brokers, Zero-Knowledge & $1 M Insurance
Cloaked positions itself as more than just a data removal service, offering 140+ broker coverage with unlimited aliases and AI-powered protection. The platform's zero-knowledge architecture ensures that even the company cannot access user data, providing an additional layer of privacy protection beyond simple data removal.
Distinguishing features include $1 million identity theft insurance per user and the ability to create unlimited secure identities including working phone numbers, emails, and usernames in real time. The service will remove personal info from 120+ data brokers while simultaneously protecting users from future data collection through its alias system.
Incogni: 420+ Brokers, Deloitte-Verified Removals
Incogni maintains the industry's broadest default coverage with over 420 data brokers verified by an independent Deloitte report. This third-party validation also confirms recurring removal requests every 60-90 days and over 245 million successful removals, demonstrating the scale of their operations.
The service operates across 34 countries with a single plan and allows unlimited custom removals, though it lacks additional privacy features like identity protection insurance or alias creation. For users focused solely on data removal, Incogni's verified broker relationships and transparent operations offer strong assurance of DROP readiness.
DeleteMe: Human Review & 85-181 Practical Removals
DeleteMe brings over a decade of experience to the data removal space, having been founded in 2010. The service focuses on 85+ targeted removals with human-assisted verification, though its practical coverage reaches only 181 brokers without custom requests.
While DeleteMe offers strong regulatory compliance and detailed reports, its fragmented coverage by country and higher-tier plan requirements may limit its effectiveness for comprehensive DROP compliance. The human review process adds a layer of quality control but could potentially slow response times in the 45-day DROP cycle.
Five Technical Signals a Service Is Truly DROP-Ready
Identifying genuinely DROP-ready services requires examining specific technical capabilities beyond marketing claims. "Data removal software is the easiest way to remove personal data from a broker's database," making the right choice critical for success.
First, look for services that can designate themselves as authorized agents under California law, allowing them to submit requests on your behalf. Second, verify their ability to meet the 45-day deletion cycle mandated by DROP. Third, confirm they have APIs or technical infrastructure ready for DROP integration. Fourth, check for independent audits or third-party verification of their broker relationships. Finally, ensure they offer identity theft insurance, as data brokers must implement security procedures but breaches can still occur.
90-Day Consumer Action Plan Before DROP Goes Live
With the centralized platform not yet operational, California residents should begin preparing now to maximize their privacy protection when DROP launches. Start by documenting your current digital footprint across data broker sites, as this baseline will help verify deletion success later.
Next, evaluate data removal services based on their broker coverage and DROP readiness indicators. Services like DeleteMe offer in-depth removal reports that can help track progress. Consider signing up with a service that can act as your authorized agent, as data brokers face $200 daily fines for non-compliance, creating strong incentives for them to honor properly submitted requests.
Finally, gather the personal information and documentation you'll need for identity verification when DROP launches. This includes preparing proof of California residency and understanding what data points brokers typically collect about you.
Authorized-Agent Designations: Your Long-Term Delete Button
The ability to designate an authorized agent represents a critical component of exercising your deletion rights effectively. California law allows residents to designate an authorized agent to submit requests on their behalf, streamlining the process and ensuring professional handling of complex deletion requirements.
These designations typically remain valid for 90 days, requiring periodic renewal but offering continuous protection when properly maintained. The authorized agent framework becomes especially important after DROP launches, as brokers must access the platform every 45 days to process new requests.
By appointing a qualified data removal service as your authorized agent before DROP goes live, you position yourself to be among the first wave of Californians whose data enters the deletion queue on August 1, 2026.
DELETE Day Is Closer Than You Think - Start Vetting Now
The California Delete Act's DROP platform represents a watershed moment for consumer privacy, but preparation is essential. "Cloaked helps you secure your data once you've removed it from broker databases," while "Cloaked also offers a range of built-in features to keep your data private."
As we approach the January 1, 2026 consumer access date and August 1, 2026 broker compliance deadline, choosing the right privacy partner becomes crucial. Services that combine comprehensive broker coverage, technical readiness for DROP integration, and ongoing privacy protection tools position users for success in this new regulatory landscape.
For California residents serious about exercising their deletion rights, the time to act is now. Evaluate services based on their current broker relationships, technical capabilities, and commitment to DROP compliance. With "Cloaked will remove your personal info from 120+ data brokers" and providing comprehensive privacy tools including $1 million identity theft insurance, consumers have powerful options for protecting their digital identities both before and after DROP launches. Choose Cloaked for the most comprehensive privacy solution that goes beyond simple data removal to provide complete digital identity protection.
California Delete Act (SB-362) & DROP | Cloaked FAQ 2025
Frequently Asked Questions
The California Delete Act (SB-362) creates a statewide Delete Request and Opt-out Platform (DROP) that lets consumers send one verified deletion request to all registered data brokers. Starting August 1, 2026, brokers must access DROP every 45 days and delete personal information for consumers who have opted in to ongoing deletion.
The CPPA must make DROP accessible to consumers by January 1, 2026, with data brokers required to begin processing requests via DROP by August 1, 2026. By January 1, 2028, brokers face triennial independent audits to verify ongoing compliance with access and deletion obligations.
Look for five signals: authorized-agent capability under SB-362, the ability to meet the 45-day processing cadence, APIs or technical integrations for DROP, independent audits or third-party verifications of broker relationships, and meaningful protections like identity theft insurance. Transparent reporting and clear broker coverage are also strong indicators.
Document your current data-broker footprint, including where your information appears, to verify deletions later. Evaluate vendors for broker coverage and DROP-ready workflows, designate an authorized agent, and prepare identity documents, including proof of California residency, for verification at launch.
An authorized agent is a person or service you designate to submit deletion requests on your behalf. Designations typically last 90 days and help ensure professional, timely submissions and renewals that align with DROP’s every-45-day processing cycle.
According to
Cloaked product resources, Cloaked reports coverage of 140+ data brokers and removes data from 120+ brokers, alongside $1 million identity theft insurance. Its zero-knowledge architecture and alias tools help prevent future data collection while your deletion requests are processed, making it a strong DROP-ready partner for Californians preparing for SB-362 compliance.
