Manual request pulling
DROP requires brokers to pull and process requests at least every 45 days. Without automation, this becomes a recurring operational burden that risks missed deadlines.
California Delete Act compliance
Superset integrates directly with California's Delete Request and Opt-out Platform. We pull requests, push them to your backend, and report status back to the state so your team never misses a deadline.
Data broker processing begins August 1, 2026. Get ahead of it now.

DROP (the Delete Request and Opt-out Platform) is California's state-run system for processing consumer data deletion requests. Created by the California Delete Act (SB 362), it lets residents submit a single request that every registered data broker must honor.
The California Privacy Protection Agency (CPPA) runs the platform. Consumers began submitting requests on January 1, 2026, and data brokers must begin processing those requests by August 1, 2026.
If your business collects and sells personal information about consumers you don't have a direct relationship with, DROP likely applies to you.

The regulation is clear, but the implementation is not. Most teams underestimate the engineering and process work required.
DROP requires brokers to pull and process requests at least every 45 days. Without automation, this becomes a recurring operational burden that risks missed deadlines.
DROP uses hashed identity matching to protect consumer privacy. Your systems need to support hash-based lookups across your data stores to find and action the right records.
The CPPA expects brokers to report processing status for every request. Incomplete or late reporting creates enforcement risk and audit exposure.
A fully managed pipeline from the state platform to your data systems and back.
Superset integrates directly with the California DROP platform. We authenticate on your behalf and establish a secure connection to the state system.
We automatically read incoming delete and opt-out requests from DROP, parse the hashed identifiers, and normalize the data for your internal systems.
Requests are pushed to your existing data infrastructure. Superset maps DROP fields to your internal schemas so your engineering team doesn't have to build custom pipelines.
Once requests are processed, Superset reports completion status back to the CPPA through DROP, closing the loop and keeping your compliance record clean.

From pulling requests to reporting status, Superset handles the full DROP lifecycle so your team can focus on core operations.
Every request pull, match, action, and status report is logged with timestamps, giving you a defensible compliance trail.
Superset is built by a team that understands both the technical and regulatory sides of data broker compliance.
Everything privacy, legal, and data operations teams need to know about California DROP.
DROP stands for Delete Request and Opt-out Platform. It is an accessible deletion mechanism under the California Delete Act where Californians can submit requests and covered Data Brokers must process them.
The requirement comes from the California Delete Act (SB 362), signed in October 2023. It requires Data Broker registration and a state-run deletion mechanism.
Any business that qualifies as a Data Broker under the California Delete Act should be prepared to create an account and process requests in DROP.
At a high level, it is a business that knowingly collects and sells personal information of a consumer with whom it does not have a direct relationship.
The California framework includes carve-outs, such as for businesses already covered by certain federal laws (for example HIPAA, GLBA, and FCRA), plus some threshold-based exclusions.
In the CPPA timeline referenced in our blog, the consumer-facing launch date is January 1, 2026.
In the CPPA timeline referenced in our blog, Data Brokers begin processing on August 1, 2026.
The published framework indicates brokers should pull and process requests at least every 45 days, with associated reporting expectations.
The published explainer notes no extra DROP fee when already registered as a Data Broker for the year; otherwise a registration-level fee can apply.
The model is designed to reduce risk by using anonymized matching approaches (including hashing methods) so brokers can match records without direct plain-text disclosure of full personal datasets.
It is a matching approach where fields are hashed, combined, and hashed again so two parties can compare consistent identifiers instead of exchanging raw personal details.
Define ownership, map the in-scope systems, establish a request-handling cadence, and test the workflow early so processing does not depend on ad-hoc manual steps.
DROP is a state-managed mechanism for Data Broker opt-out/deletion obligations. DSAR email programs are broader intake channels that can cover multiple rights and jurisdictions.
Maintain an audit-ready trail: request pull dates, matching logic, completion status, escalations, and timestamps. This reduces enforcement and diligence friction.
Start with California Delete Act applicability and registration analysis, then build a repeatable operations workflow for request processing and recordkeeping.
Don't wait for enforcement deadlines. Connect with Superset to automate your DROP compliance pipeline end to end.