Tags
Read time
5 min read
Last updated
June 25, 2026
🆕 The Ketch Agent Network: Agentic privacy, finally built right. See how it works
Ketch makes consent banner set-up a breeze with drag-and-drop tools that match your brand perfectly. Let us show you.
California's Delete Request and Opt-Out Platform launched January 1, 2026. If your business buys, sells, or shares consumer data, this probably applies to you. Here's what DROP is, who it hits, what it requires, and how to get ahead of it.
DROP (Delete Request and Opt-Out Platform) is a California government-built consumer data deletion system, created by the California Privacy Protection Agency under the California Delete Act (SB 362), that allows residents to submit a single request that goes to all registered data brokers in the state.
DROP stands for Delete Request and Opt-Out Platform. It's a California government-built system created by the California Privacy Protection Agency (CalPrivacy) under the California Delete Act (Senate Bill 362, signed into law in October 2023).
Before DROP, a California resident who wanted to delete their personal data from data brokers had to contact each company one by one. There are 500-plus registered data brokers in California. That process could take dozens of hours and still barely scratch the surface of where their data actually lived.
DROP fixes this. A California resident creates an account, verifies their state residency, and submits a single deletion request. That request goes to every registered data broker in the state automatically.
For consumers, it's a big deal. For businesses operating as data brokers, it's a new, recurring, government-mandated operational obligation. And it's already active.
If you're a data broker and you're not already registered and preparing your systems, you're behind.
Starting August 1, 2026, failure to process deletion requests costs $200 per request, per day.
More than 215,000 consumers are already registered on DROP as of early 2026. That number keeps climbing. The financial exposure for non-compliant data brokers is real and it compounds fast.
This is the question most organizations get wrong, and it's the one to answer before anything else.
The legal definition under the Delete Act: a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.
Sounds narrow. It isn't.
CalPrivacy issued clarifying regulations effective January 1, 2026, that expanded the definition significantly. Two things worth knowing:
A "direct relationship" is narrower than you'd expect. The regulations say a direct relationship requires a consumer to intentionally interact with your business, not just any interaction. If someone's data was passively collected on your site via a pixel or tag they didn't know about, that probably doesn't count. This catches a lot of third-party data providers and companies that buy data from other sources and resell it.
The relationship has a three-year limit. Even if you do have a direct relationship with a consumer, if they haven't actively engaged with your business in the past 3 years, that relationship may no longer qualify. If you're still selling their data after that window, you might be doing it as a data broker without realizing it.
CalPrivacy has already fined multiple companies for failing to register. Regulators have been explicit: don't assume you're exempt.
Read more: Enterprise privacy program
You may be subject to DROP requirements if your business:
This isn't an exhaustive list. If you're unsure, talk to legal counsel and do a data flow audit before assuming you're in the clear.
One more thing: CalPrivacy has explicitly said businesses can't rely on a parent company's or affiliate's registration to cover their own obligations. Each legal entity that meets the definition must register independently.
Once you've confirmed DROP applies, the operational requirements are clear on paper and demanding in practice.
Every 45 days, registered data brokers must pull down new consumer deletion requests from DROP. This is not a one-time cleanup. It runs indefinitely.
For each request, you must:
All determinations must be completed within 90 days of retrieval.
If a deletion request can't be verified, you still can't discard it. You must treat it as an opt-out of sale.
There are limited exemptions (HIPAA, FCRA, certain government records, specific business necessity cases), but the exemptions are narrow. Regulators have said as much clearly.
If your team is handling DSRs through spreadsheets, email threads, and manual stakeholder coordination right now, DROP will break that model.
You'll be receiving requests every 45 days, indefinitely, from potentially thousands of consumers. Each one requires deletion across multiple systems and downstream partners, plus documented proof of completion. That can't run on a spreadsheet. The teams that will manage this well are the ones that build the automation infrastructure before August 1 forces their hand.
DROP has three operational requirements that most DSR vendors aren’t built to handle:
Most tools in the market cover one of these. Ketch Rights Management is built to handle all three – not as additions bolted on for a new regulation, but as the core architecture of how the platform works.
If your current DSR vendor can't demonstrate all three capabilities before August 1, you need to start shopping for a new tool.
Most DSR vendors automate the process: they send notifications, route tickets, create a record. But the actual deletion work? Still manual. Someone still has to go into each system and do it.
Ketch automates the tasks themselves. From the moment a DROP request is retrieved and matched to a consumer record, Ketch executes deletion across your connected data systems without requiring human intervention at each step. That's the only model that scales.
"Ketch No-Code Rights Automation is a leap into the future of modern privacy management. Our predecessors feign the DSR automation process by assigning tickets and tasks to people. Ketch automates both the process and the tasks themselves with software."
- Vivek Vaidya, Co-Founder and CTO, Ketch
Read further: Ketch No-Code Rights Automation
DROP requests need to be triaged, matched, routed to the right people for any manual checkpoints, executed across the right systems, and reported back. Different request types may need different workflows.
Ketch's drag-and-drop DSR workflow designer lets privacy and legal team members build and modify those workflows without writing code. You can split workflows by request type (access vs. delete, domestic vs. international), route to specific stakeholders, assign system integrations, and set up automated decision points. All with clicks.
This matters because the operational requirements will change. When CalPrivacy updates its guidance, you need to modify your workflows without waiting on engineering.
DROP's cascade requirement is one of the harder parts to execute. When a consumer requests deletion, it has to flow through your primary database and every downstream system where their data lives: CRM, CDP, email platforms, ad systems, data warehouses.
Ketch's integration library covers hundreds of business systems and applications. Every integration is configurable by non-technical team members with clicks. No code, no professional services. Integrations that cost $20,000 to $50,000 per system with other vendors are included in Ketch and configurable in minutes.
For custom or homegrown systems, Ketch offers open APIs and webhooks for your development team.
When CalPrivacy asks for proof of compliance, you need clear documentation of what was deleted, in which systems, when, and tied to which request.
Ketch generates this automatically with every request. Our Privacy 360 Analytics Suite includes granular reporting, with Identity-linked audit trails. No manual evidence gathering required.
6sense is a B2B account-based marketing platform and a provider of intent and contact data. They receive hundreds of DSRs per month by the nature of what they do. Before Ketch, fulfilling each request meant a series of manual tasks across multiple internal stakeholders. After implementing Ketch DSR automation with custom integrations into their MySQL database:
"Thanks to integrating Ketch with our apps for DSR automation, we estimate that we've saved at least ten hours per week, affecting six employees across four different departments. This is an annual internal savings of 500+ hours per year."
- Shubham Gupta, Product Manager, 6sense
TIME is a global media brand with more than 100 million readers worldwide. Their legacy privacy tool couldn't deliver the workflow flexibility their team needed, so they replaced it. The workflow builder was the deciding factor in choosing Ketch:
"The Ketch privacy request workflow builder did more than streamline our processes. It enabled us to fundamentally redesign how we handle DSRs. With unparalleled options for task routing, system integration, and automation, Ketch presents us an opportunity to modernize our Privacy Program and position us for continued success as the privacy compliance and regulatory landscape evolves."
- Adam Keephart, Senior Manager of Information Security, TIME
If you're using a consent management platform today for your cookie banner and Do Not Sell links, you might assume it handles DROP too. For most companies, it doesn't.
Here's the actual gap.
Your CMP manages browser-based, client-side consent: cookies, pixels, tags. It runs on anonymous, device-level identifiers. It has no idea who your consumers are by name or email.e
Your DSR system handles rights requests tied to known identities: an email address, a customer ID, a phone number. It lives in backend systems. It has no visibility into what's firing in the browser.
So when a consumer submits a deletion request through your DSR form, your CMP doesn't know. The tags and trackers on your website keep firing. The advertising platforms keep receiving signals. The deletion happened in the database layer, and nothing changed anywhere else.
Regulators have made their expectations clear, including through enforcement actions against companies like Honda: opt-out and deletion choices must be honored across all systems where personal data is used. A deletion that only works in one layer isn't compliant.
Read more: Compare the best Consent Management Platforms
California isn't the only state raising this bar.
New Jersey's Data Privacy Act (NJDPA), effective January 2025, goes further. Under the NJDPA, honoring a deletion request doesn't just mean removing stored records. It means suppressing that consumer from future data collection and advertising, permanently.
Concretely: if a consumer submits a deletion request and you honor it in your CRM, you're also required to stop serving that person targeted ads on Facebook, Google, and other platforms. Going forward. A DSR tool that only touches backend records can't enforce that automatically.
More states are heading in this direction. The connection between your rights platform and your CMP is becoming a compliance requirement, not a nice-to-have architectural feature.
Ketch offers both consent management and DSR automation on a shared identity framework. A deletion request processed through Ketch Rights Management automatically communicates with Ketch Consent Management, suppressing that consumer's data signals across downstream systems and connected advertising platforms.
No manual bridging. No gap between what the DSR system recorded and what the ad stack is doing.
💡 Already a Ketch CMP customer? Adding Ketch Rights Management means DROP compliance runs on the same identity framework your consent program already uses. No new integration needed to connect the two. It's the most common reason existing Ketch CMP customers choose to expand into Rights Management.
Enforcement starts August 1, 2026. Here's what to work through now.
Don't assume you're not. Assess whether your business collects and sells personal information outside of direct consumer relationships. Check whether any of the signals above apply to your data practices. Get legal counsel involved. The regulatory definition is broader than most people expect, and the 2026 clarifications made it broader still.
If you meet the definition, register annually with CalPrivacy by January 31 each year and pay the $6,000 fee. If you haven't done 2026 yet, do it now. Late registration costs $200 per day.
DROP's cascade requirement means you need to know where consumer data lives across every system, application, and downstream partner. Run a data mapping exercise before August 1. You can't delete what you haven't found.
Ask your current setup these questions:
If the answers are no, you have a gap that needs to close before August 1.
Ketch Rights Management handles what DROP requires: automated, recurring DSR fulfillment across your full data ecosystem, connected to consent management so enforcement is genuinely end to end.
Whether you're starting fresh or replacing a tool that isn't keeping pace, talk to the Ketch team.
DROP is live. It's being enforced. And the fines are designed to hurt.
The companies that manage this well will be the ones that figured out their data broker status early, picked technology that actually automates the work, and connected their DSR and consent infrastructure before August 1 forced the issue.
It's a solvable problem. The right setup makes it manageable.
Book a demo and we'll walk through how Ketch Rights Management supports DROP compliance.
Want more reading?
