
What is the California DROP system?

Sep 29

3 min read


Before he parodied the Trump administration, Gavin Newsom signed the California Delete Act (SB 362) back in October 2023.


The law requires a few things:

  1. Data Brokers have to register annually with the CPPA (California Privacy Protection Agency)

  2. Starting 2028, Data Brokers have to undergo an independent audit on their privacy

  3. The CPPA has to build an "accessible deletion mechanism" (now called DROP) that Data Brokers have to integrate with


So what is DROP? Who needs to use it? And how do you comply?



What is California's DROP system?

The Delete Request and Opt-out Platform - better known as "DROP" - is basically a database of opt-out requests from California residents maintained by the state of California.


California residents can sign up and request that Data Brokers stop selling their data, and Data Brokers have to create an account and process all those requests at least every 45 days.


When is DROP going live?

The CPPA says the DROP system will go live for consumers by January 1, 2026.


Data Brokers will have to make an account and start processing opt-out requests starting August 1st, 2026.


Who needs to sign up for DROP?

Any company considered a Data Broker under the California Delete Act needs to make an account with DROP and honor opt-out requests.


Note: A Data Broker has a specific legal definition! It's not exactly what most people would think of when they think "Data Broker"!


What is the definition of a Data Broker?

According to the California Delete Act a Data Broker is:

"a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship."

As with the CCPA, there are carveouts for businesses already regulated by some federal privacy laws like HIPAA, GLBA, and FCRA, and for businesses with data on fewer than 100,000 Californians who don't make most of their money selling data.


What does DROP cost?

If you've already registered as a Data Broker with the CPPA in January (costs $6,000 + cc processing fees), then good news! There's no extra charge!


In the weird case that you didn't register as a Data Broker but you still want access to DROP (why?), it will cost $6,600 (plus cc fees) - prorated monthly (so half off if you sign up 6 months into the year).


Isn't giving Data Brokers a list of people a privacy risk?

Yes! That's why the CPPA is developing a sophisticated way of sharing an anonymized list with Data Brokers. Different Data Brokers will get different lists depending on what information the Data Broker needs to find the consumer in their own databases (name, phone number, email, etc.)


The CPPA will also hash the data before giving it to the Data Brokers, so at least theoretically the Data Brokers can only tell who's on the list if they're also in their own database.


How often does a Data Broker need to check the DROP?

Data Brokers are required to pull the latest list and report back to the CPPA at least every 45 days.


How will California know if a Data Broker is using DROP?

After a Data Broker pulls the list from DROP, they are supposed to report back to the CPPA to acknowledge who from the list was matched in their database.


How will DROP technically work?

The full technical specs aren't released, but we do know the CPPA plans to use a hash + append + rehash technique to anonymize the data, and they expect Data Brokers to do the same to make an identical list that can be compared.


Step 1 is to agree with the CPPA on what data fields to include. If a Data Broker collects emails and phone numbers for example, that will be the start of that list.


Step 2 is to hash each individual field

  • e.g. Email => (hashed email)

Plain data goes into a hash function and becomes hashed data

Step 3 is to append the hashed data together

  • e.g. (hashed email + hashed phone number)


Step 4 is to hash the appended data

  • e.g. (hashed email + hashed phone number) => hashed identifiers


Step 5 is to repeat for every user in the database to get the full anonymized list


If both the Data Broker and the CPPA follow the same steps with the same data, the resulting hashed identifiers will be the same without revealing who the data subject is.


Step 6 is for the Data Broker to compare both lists and treat any matches as an opt-out Data Subject Request.
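The six steps above as a runnable sketch. This is an added example, not code from the CPPA or Superset. Because the full spec isn't released, SHA-256, hex digests, the concatenation order, and the normalization rules are assumptions, and all function names and sample records are constructed for illustration.

```python
import hashlib
import re

# Assumptions (the CPPA's full spec is not released): SHA-256, lowercase hex
# digests, plain concatenation in an agreed field order, and the normalization
# rules below. All names here are hypothetical.
FIELDS = ("email", "phone")  # Step 1: the agreed field list, in agreed order

def normalize(field, value):
    """Canonicalize a value so both sides hash identical bytes."""
    value = value.strip()
    if field == "email":
        return value.lower()
    if field == "phone":
        digits = re.sub(r"\D", "", value)
        return digits[-10:]  # assumed rule: keep the 10-digit US national number
    return value

def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def hashed_identifier(record, do_normalize=True):
    """Steps 2-4: hash each field, append the digests, hash the result."""
    digests = []
    for field in FIELDS:
        value = record[field]
        if do_normalize:
            value = normalize(field, value)
        digests.append(sha256_hex(value))   # Step 2: hash each field
    return sha256_hex("".join(digests))     # Steps 3-4: append, then rehash

def match_opt_outs(drop_list, broker_db, do_normalize=True):
    """Steps 5-6: hash every broker record, return the ids found in the DROP list."""
    drop_set = set(drop_list)
    return sorted(
        rec_id for rec_id, record in broker_db.items()
        if hashed_identifier(record, do_normalize) in drop_set
    )

# Constructed sample data: what a consumer typed vs. how the broker stores it.
CONSUMER_REQUESTS = [{"email": "Ana.Diaz@Example.com ", "phone": "(415) 555-0100"}]
DROP_LIST = [hashed_identifier(r) for r in CONSUMER_REQUESTS]
BROKER_DB = {
    "rec-001": {"email": "ana.diaz@example.com", "phone": "+1 415-555-0100"},
    "rec-002": {"email": "lee@example.org", "phone": "212-555-0199"},
}

if __name__ == "__main__":
    print(match_opt_outs(DROP_LIST, BROKER_DB))
```

Calling `match_opt_outs` with `do_normalize=False` returns no matches for the same data: a single formatting difference in one field changes the final identifier, so the opt-out is silently missed unless both sides canonicalize values identically before hashing.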



Who is Superset?

Superset is a tech platform that specializes in Data Broker compliance.


We help Data Brokers stay on top of compliance with DROP, State Registrations, Privacy Inbox Management, and more.


Still have questions?

Reach out! I'm around to answer any questions and love talking privacy & compliance :)


Zane Witherspoon, CIPP/US

CEO - Superset

zane@trustsuperset.com

