⚖️ California launches DROP

In partnership with

The Launch of the DROP Platform and California’s Data Broker Crackdown

California has officially introduced the Delete Requests and Opt-Out Platform (DROP) as the primary enforcement mechanism for the 2023 Delete Act, marking a major shift in consumer privacy control. While state residents have had the legal right to request data deletion since 2020, the process was previously fragmented and required a laborious manual effort to contact hundreds of individual companies. This new centralized system allows residents to submit a single, verified request that applies to all of the more than 500 registered data brokers currently operating within the state. Although certain information like public voter records and first-party data remains exempt, registered brokers must begin processing these collective deletions by August 2026, facing significant penalties of two hundred dollars per day for each instance of non-compliance.

Decoding the Definition of Data Brokers and the Protection of First-Party Data

For startup founders, the most critical distinction in this legislation is the immunity granted to first-party data collected directly from your own users through your own service or application. The Delete Act specifically targets the secondary data market, meaning that if your business model relies on purchasing third-party marketing lists, enriching user profiles with external data, or selling your user database to aggregators, you are now entering a high-risk regulatory environment. This shift reinforces the inherent value of a direct relationship between a company and its users, as "volunteered" data is legally more resilient than "acquired" data. Analysis of this platform suggests that the valuation of data-centric startups will now depend heavily on the provenance of their records, with a clear premium placed on companies that maintain transparent and direct data pipelines.

Mitigating Operational Risk and Refining Customer Acquisition Strategies

To navigate this evolving landscape, you should immediately audit your data supply chain to determine whether your startup qualifies as a "data broker" under the broad California definition, which typically includes any entity that sells or shares the personal information of consumers with whom they do not have a direct relationship. If your growth strategy relies on third-party data for targeted marketing or product development, you must prepare for that data to become less reliable or completely unavailable as the DROP system gains widespread adoption throughout late 2026. My practical advice is to pivot your engineering and marketing resources toward building robust, direct-to-consumer data collection channels and ensuring your privacy policy is airtight to avoid accidental classification as a broker. Protecting your business requires shifting your investment from external data acquisition to internal community building, which serves as a strategic hedge against the inevitable contraction of the third-party data industry.

In addition to our newsletter we offer 60+ free legal templates for companies in the UK, Canada and the US. These include employment contracts, investment agreements and more