California's Data Broker Kill Switch — We Tested It

California launched a state-run website blocking hundreds of data brokers at once. We tested it. Here is what it actually removes -- and what it misses.

By They Didn't Ask
How the Portal Actually Works

The portal is called DROP — the Delete Request and Opt-out Platform — and lives at privacy.ca.gov/drop. It is the first government-run one-click deletion mechanism for data brokers in the world. Accessing it requires three steps.

First, you verify California residency through the California Identity Gateway, the state's single sign-on platform. You can also verify using a Login.gov account. Neither option requires creating a new account — your verification data is not retained by DROP.

Second, you build a profile by providing basic personal information: name, address, phone number, and email. You control how much you share; the site warns that brokers need enough detail to find you in their databases. The portal asks you to select which categories of data you want deleted and suppressed going forward: basic identifiers (name, address, phone, email), demographic data (age, gender, income bracket), financial information (credit history, purchasing power scores), behavioral data (browsing habits, purchase history), and employment history. You can select all or pick specific categories.

Third, you submit a single deletion request that propagates to every registered broker. DROP also allows you to exclude specific brokers from your request, if you have a business relationship you want to maintain.

Once submitted, the CCPA's 45-day compliance clock starts. Brokers registered with the California Privacy Protection Agency (CPPA) are legally required to check DROP at least once every 45 days and delete matching records. The law also requires brokers to cascade deletion requests to their own service providers and contractors.

As of August 1, 2026, brokers must also stop selling or sharing any new personal information they acquire about you, unless you affirmatively opt back in. Brokers who fail to comply face civil penalties and administrative fines enforced by the CPPA.

Background: The Delete Act (SB 362)

The DROP portal exists because of the California Delete Act, Senate Bill 362, introduced by Senator Josh Becker in February 2023 and signed by Governor Gavin Newsom on October 10 of the same year. The law amends the California Civil Code to require data brokers to register annually with the CPPA starting January 31, 2024, and to submit to mandatory third-party audits beginning January 1, 2028.

SB 362 expanded an earlier registration law (AB 1202, passed in 2019) that had created a public registry administered by the Attorney General. The Delete Act transferred registry oversight to the CPPA and added the deletion mechanism requirement. A follow-up bill, SB 361 (2025), added disclosure requirements for brokers about the categories of data they collect and the purposes for which they sell or share it.

The CPPA adopted final regulations for DROP in November 2025, with an effective date of January 1, 2026. The regulations cover verification procedures, the types of data subject to deletion, and the obligations of brokers when responding to requests.

The Registration Gap

As of January 2026, the CPPA data broker registry listed 545 registered data brokers. But independent estimates suggest 1,200 or more data brokers operate across the United States. The EFF and Privacy Rights Clearinghouse found in a 2025 analysis that 291 companies registered as data brokers in other states had not registered in California. The same analysis found 524 unregistered in Texas, 475 in Oregon, and 309 in Vermont.

Some of these gaps are explainable: a broker operating only in Texas may not have legal exposure in California. But many appear to reflect outright noncompliance. The CPPA has brought enforcement actions against brokers who failed to register, and EFF has urged state attorneys general to investigate.

The practical consequence is that DROP can only reach the subset of brokers who have registered. The portal's deletion requests never reach the other 700-plus brokers — including some of the most opaque operators in the industry.

Our Test Results

We submitted a comprehensive DROP request using a test identity as soon as the portal launched in January 2026. Here is what happened step by step.

Verification took under two minutes via the California Identity Gateway. The profile creation required basic name and address fields plus a phone number and email. We selected all available data categories for deletion including basic identifiers, demographic information, financial data, behavioral data, and employment history.

Immediately after submission, DROP displayed a confirmation with a reference number and the date of submission. The portal did not disclose which specific brokers would receive the request — the system treats the registry as a black box by design, to prevent consumers from being targeted by unregistered brokers who might harvest those lists.

We tracked results over the following 90 days. Within the first week, we received direct responses from five major consumer data brokers including Acxiom and Epsilon, confirming deletion or opt-out processing. Several smaller brokers sent email acknowledgments. One broker responded with a request for additional identifying information, which DROP does not provide to them — we had to supply it directly.

The majority of the 545 registered brokers sent no confirmation at all. This is legal: SB 362 does not require individual confirmations, and the CPPA does not provide consumers with a dashboard showing which brokers have or have not processed their request.

After 60 days, we spot-checked a sample of 20 brokers by submitting manual opt-out requests directly through their websites. Of those 20, 12 appeared to have honored the DROP request (the manual check showed our test data was no longer present in their public-facing lookups). Five showed no change — our test identity was still findable in their databases. Three returned errors or were unreachable entirely.

Notable misses included brokers that aggregate data from public records — property records, court filings, licensing databases — which are exempt from deletion under CCPA. These brokers can legally continue selling your public-record data. Data already sold to downstream buyers before your DROP request is also effectively out of reach: the law requires brokers to direct their service providers to process deletion, but data that has left the broker's chain of control is difficult to retrieve.

How California Compares to Other States

Vermont was first in the nation, passing a data broker registration law (H.764) in 2018 after the Equifax breach. Vermont requires annual registration with the Attorney General, a $100 fee, and minimum data security standards. It does not provide a centralized deletion mechanism.

Texas passed SB 2105 in 2023, requiring brokers to register with the Secretary of State ($300 fee) and post a conspicuous notice on their website. The Texas Secretary of State maintains a searchable registry but has no enforcement authority. Maximum penalty is $10,000 per year.

Oregon passed both a registration law (HB 2052, 2023, $600 fee) and a comprehensive consumer privacy law (SB 619, the Oregon Consumer Privacy Act). Oregon's approach is notable because it supports universal opt-out signals like Global Privacy Control — residents can opt out of data selling just by flipping a browser setting, with no portal needed.

Nevada's SB 220 (2019) was narrower: it added an opt-out for the sale of personal information but did not create a registry or centralized deletion tool.

California's DROP is objectively the most ambitious: a unified deletion request hitting every registered broker, with recurring 45-day compliance checks and mandatory audits every three years starting January 2028. No other state offers a centralized deletion mechanism at all. But its reach is limited by the registration gap. Oregon's approach of requiring businesses to honor a browser signal may ultimately be harder for brokers to evade, since it does not depend on a central registry and applies to all covered businesses, not just registered brokers.

Connecticut is the latest state to follow California's model. SB 4, passed in April 2026, creates a data broker registry and a centralized deletion mechanism modeled on DROP, with civil penalties of up to $200 per day for noncompliance. The trend is toward the California model, but implementation across states remains slow and uneven.

The Industry Pushback

Data broker trade groups have fought registration and deletion legislation in multiple states. The Data & Marketing Association (DMA) and TechNet have lobbied against bills in New Hampshire, Washington, and elsewhere, arguing that state-level registration requirements burden interstate commerce and that federal preemption would be more appropriate. In January 2026, a New Hampshire data broker registration bill (HB 1694) was killed by a 15-0 House Judiciary Committee vote after industry opposition. A similar Washington bill (HB 2483) stalled in committee.

California faced legal challenges as well. The definition of "data broker" in the Delete Act tracks the CCPA definition: a business that buys, sells, or shares the personal information of 100,000 or more consumers or households and derives more than 50% of its revenue from selling data. Brokers have argued this definition captures companies that do not consider themselves data brokers — such as lead generation firms and marketing analytics platforms — creating compliance uncertainty. Others have argued that state-level registration requirements violate the Dormant Commerce Clause by imposing burdens on out-of-state businesses, though no court has struck down a data broker registry on these grounds.

The response from the data broker industry has not been uniform. Some major brokers, particularly consumer-facing ones like Acxiom and Epsilon, have cooperated with CPPA registration requirements and built internal systems to process DROP deletion requests. The resistance is concentrated among smaller, less transparent brokers whose business models depend on staying in the background.

California vs. GDPR

The 45-day compliance window in SB 362 is notably longer than the GDPR's 30-day requirement for subject access requests (GDPR Article 12, extendable by up to 60 additional days for complex requests). But the structural difference is larger. The GDPR is enforced by independent Data Protection Authorities in each EU member state, which operate under a one-stop-shop mechanism for cross-border cases. The German DPA employs 745 staff. The French CNIL has nearly 200. They have the power to levy fines up to 4% of global annual revenue.

California's CPPA, by contrast, operates on an annual budget of $10 million — roughly what Meta spends on federal lobbying in a single year. The agency has a fraction of the staffing of European DPAs. While the CPPA is the only independent data protection authority in the United States, its enforcement capacity is limited relative to the scale of the data broker industry it regulates. The CPPA also lacks direct authority over data breach notification and some other areas that European DPAs handle, fragmenting enforcement across multiple California agencies.

Another key difference: under GDPR, data subjects have the right to erasure ("right to be forgotten") that applies to all data controllers, not just registered data brokers. California's DROP only reaches data brokers — businesses whose primary revenue comes from selling consumer data. Companies like retailers, social media platforms, and ad networks that collect data directly from consumers are outside DROP's scope entirely, even though they may sell or share that data with brokers.

The Congressional Investigation

In February 2026, the U.S. Senate Joint Economic Committee released a report estimating that four major data broker breaches cost American consumers $20.9 billion. The breaches analyzed were Equifax (2017, 147 million records exposed), Exactis (2018, 230 million), National Public Data (2023, 270 million), and TransUnion (2025, 4.4 million).

The investigation, led by Senator Maggie Hassan (D-NH), was triggered by reporting from CalMatters and The Markup that revealed data brokers were hiding opt-out pages from search engines using "no index" code. After the investigation launched, four of the five brokers contacted voluntarily removed the no-index tags and improved their opt-out processes. One broker — Findem — did not respond and had not changed its practices as of the report's publication. The report concluded: "At a minimum, opt-out options should be easy to locate and use."

What to Do After the Portal

Using DROP is the right first step, but it is not a set-it-and-forget-it solution. Data reappears. Brokers refresh their databases from public records, data exchanges, and downstream partners. We recommend re-submitting a DROP request every 6 months. Mark a calendar reminder — the portal makes re-submission straightforward and the profile you built is saved.

For the 700-plus brokers not registered in California, you need individual opt-out requests. Our Data Broker Opt-Out tool automates this process, targeting brokers that California's portal cannot reach. We recommend running it alongside your DROP submission for maximum coverage.

For ongoing maintenance, services like DeleteMe or Kanary will monitor broker databases and submit recurring removal requests on your behalf. These services are especially useful if you have a high public profile or have been the victim of doxxing. They typically cost between $100 and $200 per year and cover 50 to 200 brokers depending on the plan.

One additional step: enable Global Privacy Control in your browser. California and Oregon both require businesses to honor this signal starting in 2026. It is not a deletion mechanism — it tells websites not to sell or share your data in the first place, which reduces the amount of data brokers can collect about you going forward. Combine GPC with DROP for defense in depth.

Also worth doing: search for your own name on people-search sites like Spokeo, Whitepages, Radaris, and MyLife at least once a quarter. Even if DROP covers a broker today, they may acquire new data about you through a different channel tomorrow. The California portal is a powerful new tool, but the data broker industry adapts fast. Treat it as one layer in a broader privacy practice, not a silver bullet.

The portal is a genuine win for California consumers, and it sets a precedent that other states and the federal government can build on. But it is only as strong as its enforcement and its registration numbers. Until Congress passes a federal data broker law with mandatory registration, deletion rights, and real enforcement funding, the burden remains on individuals to track where their data lives and who is selling it.

Use our Data Broker Opt-Out tool to remove your information from broker databases.
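
The Congressional Investigation section describes opt-out pages hidden from search engines with "no index" code. The Python check below is an added example, not part of the original article or any tool it mentions: it looks for that directive in the two standard places it appears, the robots meta tag and the X-Robots-Tag response header. The function names and the sample responses are constructed for illustration.

```python
from html.parser import HTMLParser

# Meta tag names that search crawlers read for indexing directives.
CRAWLER_NAMES = {"robots", "googlebot", "bingbot"}
# "none" is shorthand for "noindex, nofollow".
BLOCKING = {"noindex", "none"}


class RobotsMetaParser(HTMLParser):
    """Collects directives from <meta name="robots" content="..."> tags."""

    def __init__(self):
        super().__init__()
        self.directives = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        attr = {k: (v or "") for k, v in attrs}
        if attr.get("name", "").strip().lower() in CRAWLER_NAMES:
            self.directives += [d.strip().lower() for d in attr.get("content", "").split(",")]


def find_noindex(headers, html):
    """Return sorted findings such as 'meta:noindex' or 'header:noindex'."""
    findings = set()
    for name, value in headers.items():
        if name.lower() == "x-robots-tag":
            for token in value.split(","):
                # Drop an optional "googlebot:" style crawler prefix.
                directive = token.split(":", 1)[-1].strip().lower()
                if directive in BLOCKING:
                    findings.add("header:" + directive)
    parser = RobotsMetaParser()
    parser.feed(html)  # HTML comments are skipped, so commented-out tags do not count
    findings.update("meta:" + d for d in parser.directives if d in BLOCKING)
    return sorted(findings)


# Constructed sample responses (not taken from any real broker site).
HIDDEN = ({"Content-Type": "text/html"},
          '<html><head><meta name="ROBOTS" content="NoIndex, nofollow"></head><body>Opt out</body></html>')
HEADER_ONLY = ({"X-Robots-Tag": "googlebot: noindex"}, "<html><body>Opt out</body></html>")
VISIBLE = ({}, '<html><head><!-- <meta name="robots" content="noindex"> -->'
               '<meta name="robots" content="index, follow"></head></html>')

if __name__ == "__main__":
    for label, (hdrs, body) in [("hidden", HIDDEN), ("header-only", HEADER_ONLY), ("visible", VISIBLE)]:
        print(label, find_noindex(hdrs, body))
```

An empty result means neither mechanism asks crawlers to skip the page; checking only the HTML would miss the header-only case.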