California’s Delete Act and DROP: What Lead Sellers Need to Know

California’s Delete Act and DROP allow consumers to remove their data from brokers' databases. Here’s how it affects lead sellers, enrichment, and resale.

California keeps passing privacy laws because personal data has become a business asset that moves far beyond the company that originally collected it. Previous regulations mostly focused on transparency and choice. Companies had to explain what they collected, give people a way to opt out, and respect those requests when they came in.

The Delete Act takes a different approach to privacy. Instead of putting the burden on individuals to track down every company that might have their data, it creates a single way to remove that data from the resale market altogether.

TL;DR

As of January 1, 2026, California residents can submit centralized deletion requests that apply across the registered data broker market. DROP is the platform that delivers those requests. DROP does not delete data from internal systems, but it does restrict whether personal data can continue to be sold, shared, enriched, or resold. For lead sellers and brokers, the effects show up through registration obligations, changes in data availability, and statutory penalties tied to the continued circulation of restricted data.



The Delete Act

The Delete Act is a California privacy law that gives consumers a centralized way to remove their personal information from data brokers.

Instead of requiring individuals to contact each company separately, the law establishes a single deletion mechanism that applies across the registered data broker market. Once a deletion request is retrieved and processed, the consumer’s personal data is no longer permitted to be sold, licensed, or made available through resale.

The law is focused on the resale layer of the data market. It applies to businesses that collect, sell, or share personal data about consumers with whom they do not have a direct relationship.

Reference
California Privacy Protection Agency
https://privacy.ca.gov/drop/about-drop-and-the-delete-act/


DROP: California’s Deletion Platform

DROP stands for Delete Request and Opt-Out Platform.

It is operated by the California Privacy Protection Agency and serves as the system through which deletion requests are submitted and distributed. As of January 1, 2026, California residents can submit requests through DROP that apply to every registered data broker.

DROP does not reach into private databases or downstream systems. Its function is to require data brokers to delete the consumer’s personal information from their own systems and stop making that data available for resale, sharing, or enrichment going forward.

A useful comparison is the Do Not Call list. DNC restricts the use of specific phone numbers for marketing outreach. DROP works similarly for personal data. It restricts whether that data can continue circulating in the broker market. The onus is on the broker and marketer to comply.


How Processing Works in Practice

Consumers can submit deletion requests through DROP as of January 1, 2026. Data brokers are required to begin accessing and processing those requests starting August 1, 2026.

From that point forward:

  • Data brokers must access DROP at least once every 45 days

  • Deletions must be completed within 90 days of retrieving a request

  • Deletion status must be reported within 45 days of retrieval

The compliance timeline starts when the broker retrieves the request, not when the consumer submits it.


Why This Matters for Third-Party Lead Data

If you work in lead generation or lead sales, you already know how much of the ecosystem relies on third-party data. Lists, enrichment, identity matching, suppression, and resale are all built on the assumption that data continues to circulate once it enters the market.

The Delete Act nullifies that assumption. DROP gives consumers a way to opt out of the resale layer that allows personal data to move from one company to another over time.

When data is deleted at the broker level, it is no longer supposed to re-enter the market through resale or enrichment. Over time, that reduces upstream availability and makes third-party data less predictable.

For lead sellers and brokers, the impact isn't immediate; it shows up gradually. Fewer matches appear and coverage becomes uneven. Attributes that once populated reliably stop showing up. Data behaves differently even when collection practices haven’t changed.


How Data Enrichment Is Directly Affected

For lead sellers, enrichment sits at a critical point in the workflow. It’s where partial records become usable and where value is added after the initial capture. Pricing, scoring, routing, and delivery often depend on what enrichment returns.

DROP reaches into that layer because enrichment vendors rely on the same underlying data pools that are affected by deletion requests. When a consumer removes their information from data broker databases, that data is no longer supposed to be available for resale or reuse, including through enrichment services.

The effect is subtle. Coverage varies from record to record, match rates change, and some fields that once came back consistently may no longer be present, even when the original lead was collected properly.

This introduces variability that enrichment hasn’t historically had to account for. Two leads captured the same way may return different enrichment results based on whether supporting data still exists upstream.

From a compliance perspective, enriched data doesn’t exist in a separate category. It carries the same obligations as the underlying source. If the source data has been removed, continuing to append or rely on it creates risk, regardless of how the original lead entered the system.

For lead sellers, this matters because enrichment has always been part of how value is created and measured. DROP doesn’t eliminate enrichment, but it does change how predictable it is, and predictability has always been part of its appeal.


First-Party Data Is Treated Differently

Not all data is affected the same way under the Delete Act. The key distinction is whether the data came from a direct relationship with the consumer.

Information collected through your own sites, forms, ads, or applications is tied to an explicit interaction. DROP is not designed to undo those direct exchanges. Its focus is on data that moves beyond the original relationship and continues circulating through resale and redistribution.

For lead sellers, this matters because many records are a mix. A lead may be collected directly, then enriched or supplemented with third-party data later. In those cases, the original submission and the appended data don’t have the same durability.

Over time, that difference becomes visible. The core lead may remain intact while surrounding data changes or disappears. What looks like a single record is really a combination of data with different lifespans and different obligations attached.

From a compliance standpoint, first-party and third-party data can’t be treated as interchangeable. They age differently once DROP requests begin flowing through the system, and understanding that difference becomes more important than it used to be.


Registration, Liability, and Risk Exposure

California requires businesses that meet the definition of a data broker to register annually with the California Privacy Protection Agency.

Under California law, a data broker is a business that sells or licenses personal information about consumers with whom it does not have a direct relationship.

Registration is not triggered by notice from the state. Companies are expected to self-identify based on how they handle data. This applies regardless of where the business is located, as long as the data involves California residents.

Once registered, a company becomes visible to DROP requests and to enforcement. From that point forward, deletion obligations attach to the broker’s ongoing activity, not just to future acquisitions.

When data is deleted at the broker level, it is no longer permitted to circulate through resale, sharing, or enrichment. Continuing to make that data available, even if it already exists in internal systems, is where compliance exposure begins to accumulate.

That’s why risk under the Delete Act doesn’t hinge on a single transaction. It builds over time, as restricted data continues to move through resale or enrichment paths after it should have been removed from the market.


Penalties for Non-Compliance

The California Privacy Protection Agency has direct enforcement authority under the Delete Act.

For lead sellers who sell or license third-party lead data, failure to register as a data broker can result in civil penalties of up to $200 per day until registration occurs.

If deletion requests retrieved through DROP aren’t processed as required, penalties can reach up to $200 for each deletion request, per day. That exposure grows over time as the same records continue to circulate through resale, sharing, or enrichment after they should have been removed from the broker market.

These penalties are enforced through audits and investigations by the agency, not private lawsuits.

Reference
California Civil Code § 1798.99.80–1798.99.82
https://leginfo.legislature.ca.gov/

This article provides general information about California's Delete Act and DROP platform. It is not legal advice. Compliance requirements vary by business model and data practices. Consult qualified legal counsel for guidance specific to your situation.

My viewpoint in this article comes from my work with ClickPoint Software. Our LeadExec application handles lead distribution, whether selling leads to buyers or routing them to sales teams within an organization. Our SalesExec application is the lead management and sales engagement tool used to work leads through close.
When regulations like the Delete Act affect upstream data availability, we see the downstream impact on distribution decisions, enrichment reliability, and compliance workflows. Our clients span lead generation companies, performance marketers, and enterprise sales organizations, which gives us visibility into how data regulations affect operations at every stage.

Frequently Asked Questions

What happens to data that’s already been delivered?
DROP restricts continued resale and enrichment at the broker level. It does not automatically remove records from downstream systems.

If I’m outside California, does DROP apply to me?
Yes, if you sell or license personal data about California residents and do not have a direct relationship with them.

When do brokers have to start processing DROP requests?
August 1, 2026.

How often must brokers check DROP?
At least once every 45 days.

How long do brokers have to complete deletions under the Delete Act?
Within 90 days of retrieving a request.

What are the penalties for non-compliance?
Up to $200 per day for failure to register, and up to $200 per deletion request per day for failure to delete.


Anders Uhl
Anders is the Chief Marketing Officer @ ClickPoint Software, specializing in brand management and development. Anders has decades of marketing experience, including television commercials, interactive web marketing, content marketing, SEO, SEM, LLMO and GEO.
