California consumer protection tool cuts off sale of personal data at the source

California has rolled out a new statewide mechanism aimed at sharply curbing the sale and circulation of personal information by data brokers, marking one of the most aggressive consumer privacy interventions in the U.S.

It also raises new questions about how identity verification and fraud prevention services will operate in an environment with less freely available personal data.

The tool, known as the Delete Request and Opt-out Platform, or DROP, is enabled by Senate Bill 362, known as The Delete Act, took effect in 2024 and gave the California Privacy Protection Agency (CPPA) new powers to regulate and penalize data brokers.

California’s crackdown shifted responsibility for the state’s data broker registry from the Attorney General to CPPA and placed onerous new requirements on data brokers.

The DROP platform allows California residents to submit a single, centralized request demanding that registered data brokers delete their personal information and cease selling it going forward.

For years, Californians who wanted to limit the spread of their personal data were required to contact brokers one by one, navigating hundreds of opaque opt-out processes. DROP replaces that fragmented system with a single submission that is distributed automatically to every data broker registered with the state.

Data brokers are required to honor verified deletion requests within specified timelines and to continue deleting newly collected data about those individuals on a recurring basis.

The agency has enforcement authority, including fines, against brokers that fail to comply.

“The CPPA’s early enforcement of the Delete Act makes clear that non-compliant data brokers face serious consequences, including mounting fines for failing to register on time,” Crowell & Moring attorneys wrote this week.

“For example, one Florida-based data broker that registered 230 days late was hit with a proposed $46,000 fine,” the lawyers noted.

In 2024, CPPA reached settlements with data brokers Growbots, Inc. and UpLead LLC, which agreed to pay about $35,000 each in penalties after allegedly failing to register by the 2024 deadline.

And in February, CPPA settled with Background Alert, Inc. for failing to register and pay fees, requiring the company to shut down operations through 2028 or incur a $50,000 fine.

“Data brokers and other businesses that disregard California’s privacy laws risk substantial fines, legal orders impacting operations, and reputational damage for not complying with the law,” Crowell & Moring’s attorneys pointed out.

The DROP platform reflects growing concern among lawmakers and regulators that the largely invisible data-broker economy fuels scams, identity theft, stalking, and other forms of misuse by aggregating and monetizing personal details such as names, addresses, phone numbers, email accounts, browsing activity, and inferred characteristics.

While much of this information is technically “public” or indirectly sourced, privacy advocates have long argued that its aggregation and resale create risks that far exceed the original context in which the data was generated.

In July, the Senate Judiciary Subcommittee on Privacy, Technology, and the Law heard testimony about how Americans not only are being systematically stripped of their digital privacy, but also how online data brokers pose a direct threat to the lives of the individuals about whom they collect and sell information.

The hearing came on the heels of an attack that killed former Minnesota House Speaker Melissa Hortman and her husband Mark, and critically injured state Senator John Hoffman and his wife.

Investigators found the alleged assassin used commercial data brokers and people search websites to compile detailed dossiers on them and more than 70 other public figures.

The launch of DROP immediately raised the parallel question of whether restricting access to brokered personal data could affect the identity verification and authentication services used by banks, employers, government agencies, and online platforms.

Many identity verification providers rely on a layered approach to confirming that someone is who they claim to be. In addition to government-issued identity documents, biometric checks, and device-level signals, some systems use brokered or aggregated data as a secondary reference point to corroborate addresses, phone numbers, or historical associations.

As data brokers delete records and stop selling them at scale, those supplemental datasets are likely to shrink, at least for California residents who use the new tool.

Industry experts say the impact is unlikely to undermine core identity verification functions, but it may change how confidence is established at the margins.

High-assurance identity proofing typically depends on authoritative or user-provided sources, such as official identification, live selfie or biometric matching, mobile carrier data, or credit bureau records, rather than on commercial data brokers alone.

Companies such as ID.me, which works extensively with government agencies, already emphasize direct document verification and biometric matching over broker supplied profiles.

Where the shift may be felt most acutely is in low-friction or passive verification models that rely heavily on background data matching to avoid asking users for additional documentation.

So, with fewer brokered records available, some services may require users to provide more explicit proof, potentially adding steps to onboarding or authentication processes. That trade-off, privacy advocates argue, reduces silent data collection in favor of more transparent, consent-based verification.

The long-term effect on fraud prevention could be positive. Data brokers have historically supplied not only legitimate verification services but also criminals who use widely available personal information to construct synthetic identities or refine phishing and social engineering attacks.

By shrinking the commercial availability of detailed personal profiles, California’s approach could make it harder for bad actors to assemble convincing identity composites, even if legitimate services must adjust their methods.

The state’s initiative also carries national implications. Data brokers rarely segregate their databases cleanly by geography, and compliance costs associated with California’s rules may push some firms to reduce data retention or sales more broadly.

Other states are watching closely, and privacy advocates have already called for similar centralized deletion tools elsewhere.

In Colorado, for example, regulators and lawmakers have openly discussed strengthening enforcement of the Colorado Privacy Act by reducing the burden on consumers to submit repeated, company-by-company deletion requests.

During rulemaking and legislative hearings in 2024–2025, the Colorado Attorney General’s Office said California’s data broker registry and deletion framework is an example of how states could operationalize privacy rights at scale.

While Colorado has not yet adopted a single deletion portal, proposals and testimony have explicitly cited the inefficiency of individualized opt-outs and the appeal of centralized mechanisms.

New Jersey, Vermont, and Washington also have been looking at legislative fixes similar to what California put in place.

New Jersey’s 2024 comprehensive privacy law includes deletion and opt-out rights, but relies on traditional, broker-by-broker requests.

During stakeholder sessions and public comments, state officials acknowledged California’s centralized deletion model as a potential “next phase” for privacy enforcement, particularly for data brokers operating across state lines.

Consumer Reports has conducted investigations showing how difficult it is for individuals to remove themselves from broker databases.

In public statements and policy recommendations, the organization has endorsed centralized deletion tools as the only realistic way for average consumers to exercise their rights, pointing to California’s system as a practical solution rather than a theoretical one.

What unites states and advocacy groups is not that they have already replicated California’s system, but that they have explicitly recognized that individual deletion rights are largely meaningless when consumers must navigate a fragmented, opaque broker market on their own.

California’s DROP platform reframes privacy enforcement as infrastructure rather than paperwork. That shift – building a centralized mechanism that scales consumer rights – has become the focal point of policy discussions elsewhere, even in states that are politically or legislatively behind California on privacy.

In that sense, California’s tool is already influencing the national privacy conversation, not because it is universally copied, but because it has changed what policymakers and advocates now consider possible.

For now, California officials frame DROP as a recalibration rather than a disruption. The goal, they say, is not to eliminate identity verification or legitimate fraud prevention, but to break the assumption that vast amounts of personal data should circulate indefinitely without meaningful consumer control.

As enforcement ramps up and deletion requests accumulate, the balance between privacy, security, and convenience is likely to be tested in real time, with California once again serving as a proving ground.

Article Topics

California  |  California Privacy Protection Agency  |  data brokers  |  data privacy  |  data protection