Speaking at a privacy summit hosted by DataGrail, California Privacy Protection Agency Executive Director Tom Kemp announced that the Delete Request and Opt-out Platform (DROP) will go live on January 1, 2026. The system—mandated by the Delete Act passed in 2023—will let Californians send deletion requests to all 535 registered data brokers through one online portal.

Under the law, data brokers must process deletions every 45 days and, starting in 2028, undergo third-party audits every three years. Kemp described DROP as enabling “privacy at scale,” offering consumers a frictionless way to reclaim control of their personal data.

The program will likely serve as a model for other states. Since the California Consumer Privacy Act took effect in 2018, 19 other states have enacted comprehensive privacy laws, many inspired by California’s approach.

Kemp said current deletion processes remain “cumbersome,” noting that the goal is to simplify opt-out and deletion requests to a single action. “What we want to do is facilitate the ability to say, ‘Please delete my information and opt me out moving forward.’ And that’s really what the DROP platform is,” he said.

In addition to DROP, California is introducing new requirements for automated decision-making technologies starting January 1, 2027. Businesses using AI in consequential areas—like lending, hiring, housing, or education—must provide clear notices explaining how the technology operates, offer opt-out options, and ensure meaningful human review where applicable. Kemp called such systems “one of the highest-risk AI use cases.”

These new rules complement the California Opt Me Out Act (AB 556), requiring major browsers to include built-in privacy settings that automatically send opt-out signals to websites by 2027. Kemp said he expects this measure to have the broadest impact on consumers. “Once you set it, your preferences are set everywhere you go online,” he said.

Kemp emphasized that businesses should treat privacy compliance as a means to build trust, not merely a regulatory burden. “Transparency should not be seen as a burden,” he said, underscoring the growing consumer expectations for data protection worldwide.

The California Privacy Protection Agency plans to increase outreach to ensure both consumers and companies understand their new rights and obligations before the rollout. “We’re trying to be aggressive about raising awareness,” Kemp said, adding that residents are already filing complaints when unable to exercise their privacy rights easily online.