California Delete Act compliance

AutomateDROP Compliance

Superset integrates directly with California's Delete Request and Opt-out Platform. We pull requests, push them to your backend, and report status back to the state so your team never misses a deadline.

Data broker processing begins August 1, 2026. Get ahead of it now.

California DROP system: consumers submit requests through a central hub that routes to data brokers

What is California DROP?

DROP (the Delete Request and Opt-out Platform) is California's state-run system for processing consumer data deletion requests. Created by the California Delete Act (SB 362), it lets residents submit a single request that every registered data broker must honor.

The California Privacy Protection Agency (CPPA) runs the platform. Consumers began submitting requests on January 1, 2026, and data brokers must begin processing those requests by August 1, 2026.

If your business collects and sells personal information about consumers you don't have a direct relationship with, DROP likely applies to you.

California DROP system overview

Why DROP is hard to operationalize

The regulation is clear, but the implementation is not. Most teams underestimate the engineering and process work required.

Manual request pulling icon

Manual request pulling

DROP requires brokers to pull and process requests at least every 45 days. Without automation, this becomes a recurring operational burden that risks missed deadlines.

Complex identity matching icon

Complex identity matching

DROP uses hashed identity matching to protect consumer privacy. Your systems need to support hash-based lookups across your data stores to find and action the right records.

Status reporting back to California icon

Status reporting back to California

The CPPA expects brokers to report processing status for every request. Incomplete or late reporting creates enforcement risk and audit exposure.

How Superset handles DROP

A fully managed pipeline from the state platform to your data systems and back.

1

Connect to DROP

Superset integrates directly with the California DROP platform. We authenticate on your behalf and establish a secure connection to the state system.

2

Pull and parse requests

We automatically read incoming delete and opt-out requests from DROP, parse the hashed identifiers, and normalize the data for your internal systems.

3

Sync to your backend

Requests are pushed to your existing data infrastructure. Superset maps DROP fields to your internal schemas so your engineering team doesn't have to build custom pipelines.

4

Report back to California

Once requests are processed, Superset reports completion status back to the CPPA through DROP, closing the loop and keeping your compliance record clean.

Privacy and compliance team collaboration

Why teams choose Superset for DROP

End-to-end DROP integration icon

End-to-end DROP integration

From pulling requests to reporting status, Superset handles the full DROP lifecycle so your team can focus on core operations.

Audit-ready recordkeeping icon

Audit-ready recordkeeping

Every request pull, match, action, and status report is logged with timestamps, giving you a defensible compliance trail.

Built by privacy engineers icon

Built by privacy engineers

Superset is built by a team that understands both the technical and regulatory sides of data broker compliance.

Frequently asked questions

Everything privacy, legal, and data operations teams need to know about California DROP.

What is the California DROP system?

DROP stands for Delete Request and Opt-out Platform. It is an accessible deletion mechanism under the California Delete Act where Californians can submit requests and covered Data Brokers must process them.

What law created the DROP requirement?

The requirement comes from the California Delete Act (SB 362), signed in October 2023. It requires Data Broker registration and a state-run deletion mechanism.

Who needs to use DROP?

Any business that qualifies as a Data Broker under the California Delete Act should be prepared to create an account and process requests in DROP.

What is the definition of a Data Broker for this context?

At a high level, it is a business that knowingly collects and sells personal information of a consumer with whom it does not have a direct relationship.

Are there carve-outs or exclusions?

The California framework includes carve-outs, such as for businesses already covered by certain federal laws (for example HIPAA, GLBA, and FCRA), plus some threshold-based exclusions.

When does DROP go live for consumers?

In the CPPA timeline referenced in our blog, the consumer-facing launch date is January 1, 2026.

When do Data Brokers need to start processing DROP requests?

In the CPPA timeline referenced in our blog, Data Brokers begin processing on August 1, 2026.

How often do Data Brokers need to check DROP?

The published framework indicates brokers should pull and process requests at least every 45 days, with associated reporting expectations.

What does DROP cost?

The published explainer notes no extra DROP fee when already registered as a Data Broker for the year; otherwise a registration-level fee can apply.

Is there privacy risk in a state platform sharing request lists?

The model is designed to reduce risk by using anonymized matching approaches (including hashing methods) so brokers can match records without direct plain-text disclosure of full personal datasets.

What does 'hash + append + rehash' mean in practice?

It is a matching approach where fields are hashed, combined, and hashed again so two parties can compare consistent identifiers instead of exchanging raw personal details.

What should legal and privacy teams do before August 1, 2026?

Define ownership, map the in-scope systems, establish a request-handling cadence, and test the workflow early so processing does not depend on ad-hoc manual steps.

How is DROP different from ordinary DSAR email intake?

DROP is a state-managed mechanism for Data Broker opt-out/deletion obligations. DSAR email programs are broader intake channels that can cover multiple rights and jurisdictions.

How should teams document compliance activity?

Maintain an audit-ready trail: request pull dates, matching logic, completion status, escalations, and timestamps. This reduces enforcement and diligence friction.

Where should a company start if they are unsure they are in scope?

Start with California Delete Act applicability and registration analysis, then build a repeatable operations workflow for request processing and recordkeeping.

Get DROP-ready before August 2026

Don't wait for enforcement deadlines. Connect with Superset to automate your DROP compliance pipeline end to end.