Skip to main content
A woman realizes that a company she uses has been accused of CCPA violations.

California’s DROP Platform & Delete Act

Written by Joseph Lyon on . Posted in Class Action, Product & Consumer Safety News.

The introduction of the Delete Request and Opt-out Platform (DROP) and the aggressive enforcement of the California Delete Act send a clear message: unregulated data brokerage is no longer acceptable.

The recent enforcement action against Datamasters—a marketing firm accused of selling sensitive health and demographic data without proper registration—shows just how seriously California regulators are taking privacy violations. As DROP prepares to launch in 2026, consumers need to understand what’s changing. Contact our privacy attorneys to learn more. 

Understanding the California Delete Act

The California Delete Act addresses a fundamental problem that earlier privacy laws couldn’t fully solve: the hidden economy of data brokers. While the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) granted individuals the right to delete their personal information, exercising those rights was challenging when dealing with companies you’d never even heard of.

Data brokers operate in the shadows, quietly collecting and reselling your personal information from apps, websites, retailers, and countless other sources. The Delete Act brings this industry into the light by imposing strict requirements on businesses that buy or sell consumer data. Under the law, qualifying businesses must:

  • Register annually as data brokers with the state
  • Disclose their data brokerage activities publicly
  • Comply with centralized deletion and opt-out requests
  • Submit to regulatory oversight by the California Privacy Protection Agency

What Is DROP and How Does It Work?

The Delete Request and Opt-out Platform (DROP) represents a fundamental shift in how Californians can control their personal information. Set to launch in 2026, DROP allows you to submit a single request that applies to all registered data brokers simultaneously. Think about it: instead of tracking down dozens of companies and sending individual deletion requests to each one, you’ll be able to:

  • Request deletion of your personal information across the entire data broker ecosystem with one submission
  • Opt out of future sales or sharing of your data
  • Avoid the repetitive, time-consuming process of managing privacy requests

Once you submit a request through DROP, registered data brokers are legally obligated to act on it within the timelines specified by law. The platform is expected to expose companies that fail to register or deliberately ignore consumer rights—which brings us to the enforcement authority making all of this possible.

The California Privacy Protection Agency: A New Era of Enforcement

The California Privacy Protection Agency (CalPrivacy) is the first regulatory body in the United States created exclusively to enforce privacy laws. Unlike previous enforcement models that relied on the Attorney General’s office juggling multiple responsibilities, CalPrivacy has dedicated authority to investigate, audit, and penalize businesses that violate California privacy statutes.

CalPrivacy wields significant enforcement powers, including:

  • Issuing substantial administrative fines
  • Ordering the deletion of unlawfully obtained data
  • Imposing ongoing compliance requirements and monitoring
  • Prohibiting companies from selling California residents’ personal information

The Datamasters case shows these powers aren’t just theoretical—they’re being actively used to protect consumer privacy.

The Datamasters Case: What Happened and Why It Matters

Rickenbacher Data LLC, doing business as Datamasters, found itself in CalPrivacy’s crosshairs for failing to register as a data broker as required by the Delete Act. Despite engaging in large-scale data trading involving California residents, the company missed the statutory registration deadline of January 31.

CalPrivacy imposed a $45,000 administrative fine for the registration failure, but the financial penalty was just the beginning. Due to ongoing and severe violations, the agency took the extraordinary step of barring Datamasters from selling California residents’ personal information altogether.

The Sale of Health and Sensitive Personal Information

What made this case particularly egregious? According to CalPrivacy’s findings, Datamasters purchased and resold extensive datasets containing information about millions of individuals with specific medical conditions, including Alzheimer’s disease, substance abuse disorders, and bladder incontinence.

This data was reportedly marketed for targeted advertising purposes, raising serious ethical concerns about exploitation, stigma, and potential harm to vulnerable populations.

The company’s data trading went far beyond health information. Datamasters allegedly trafficked in lists segmented by:

  • Age categories, specifically targeting senior populations
  • Perceived race and ethnicity, including so-called “Hispanic Lists”
  • Political beliefs and affiliations
  • Consumer purchasing behavior and preferences
  • Financial and banking activity

The scale was staggering: hundreds of millions of data records containing names, phone numbers, email addresses, and physical mailing addresses.

Why the Datamasters Decision Changes Everything

This case carries far-reaching implications for the entire data broker industry.

  • Geographic location doesn’t limit California’s reach. Companies based outside the state remain subject to California privacy law if they trade in California residents’ data. There’s no hiding behind state lines.
  • Registration failures are serious violations. CalPrivacy has made it clear that missing registration deadlines isn’t a minor administrative lapse—it’s a significant breach with real consequences.
  • Health data and demographic profiling receive heightened scrutiny. Regulators view these areas as particularly vulnerable to abuse and are more likely to take aggressive enforcement action when they’re involved.
  • Cooperation matters. The decision demonstrates that stonewalling regulators or providing misleading information can dramatically worsen outcomes. Transparency and good faith compliance efforts make a difference.

How DROP Will Transform Consumer Privacy Rights

Once DROP becomes operational, California consumers will gain a level of control over their personal data that’s unprecedented in the United States. The platform is expected to:

  • Significantly reduce unauthorized circulation of personal information
  • Limit targeted advertising based on sensitive attributes like health conditions or political beliefs
  • Increase transparency within the historically opaque data brokerage market
  • Empower consumers to meaningfully disengage from data brokers entirely

For many people, DROP will be the first realistic opportunity to take back control of information that’s been bought and sold without their knowledge for years.

Why Choose The Lyon Firm for Your Data Privacy Case

When your privacy rights have been violated, you need legal representation that understands both the technical complexities and the human impact of data privacy law.

The Lyon Firm brings deep expertise in California privacy law. Our attorneys stay ahead of rapidly evolving regulations like the Delete Act, CCPA, and CPRA, ensuring you receive counsel based on the most current legal landscape. We’ve successfully represented clients in enforcement actions and privacy litigation across California.

We understand the stakes. If you’re a consumer whose sensitive health information was sold without consent, we recognize that data privacy cases involve real harm and significant risk. We treat every case with the seriousness it deserves. For consumers, we fight to hold data brokers accountable for violations and seek maximum compensation for privacy breaches.

We explain complex issues clearly. Data privacy law involves technical concepts that can be difficult to understand. We take the time to explain your rights, your options, and the potential outcomes in plain language, so you can make informed decisions about your case.

We’ve built a track record of results. Our firm has successfully resolved data privacy disputes, negotiated favorable settlements. The Lyon Firm has the knowledge and experience to guide you through every step of the process.

Contact The Lyon Firm today for a consultation. When it comes to protecting your privacy rights, having experienced legal counsel on your side makes all the difference.

CONTACT THE LYON FIRM TODAY

Please complete the form below for a FREE consultation.

  • This field is for validation purposes and should be left unchanged.