The Weekly Breach Breakdown: The California Delete Act and the New “Delete Button” for Your Data

Summary

• California has launched DROP, a first-of-its-kind online platform that lets residents delete their personal data from more than 500 registered data brokers with a single request. 
• The system was created under the California Delete Act, which expands California’s existing privacy laws and imposes fines of up to $200 per day per request on data brokers who fail to comply. 
• DROP gives Californians unprecedented control over their digital information—allowing them to remove certain personal data that’s been collected, shared and sold behind the scenes for years. 
• Data brokers must start processing deletion requests by August 1, 2026, marking the next major shift in the U.S. privacy landscape and potentially setting a model for other states to follow. 
• Even if you don’t live in California, you can still take steps to protect your data by using privacy-focused browsers, reviewing your account settings, and supporting stronger privacy laws in your state. 
• For more information about data privacy and how to protect your identity, visit the Identity Theft Resource Center at www.idtheftcenter.org or speak with an advisor for free support at 888.400.5530. 

Full Transcript

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for January 16, 2026. I’m Tim Walden. Thanks to Sentilink for supporting the ITRC and this podcast. Each week, we look at the most recent events and trends related to data security and privacy. This week, we’re talking about something privacy advocates have dreamed of for years — a  delete button for your personal data. 

On January 1, 2026, California launched a new online system called DROP, short for Delete Request and Opt-out Platform. It’s the first website in the world where residents – and only California residents – can ask hundreds of data brokers to delete the personal information they’ve collected and sold, all through one verified request. 

This new capability comes from the California Delete Act, an update to California’s existing privacy laws that expands the state’s 2018 Consumer Privacy Act and 2020 Privacy Rights Act. Together, those laws laid the foundation for CalPrivacy — California’s privacy watchdog agency — which now oversees data brokers and ensures they comply with the new rules. 

Here’s how it works: once you verify that you’re a California resident, you can log into DROP, fill out a simple form, and request that every registered data broker remove your information from their systems. 

That includes companies that may have compiled details like your name, address, phone number, income level or even where you’ve traveled with your phone. 

Data brokers have until August 1, 2026, to start processing those requests. After that, each missed deletion could cost them $200 per dayper request, so the penalties for ignoring consumers’ privacy rights are steep. 

It’s worth noting that DROP won’t erase public records like property or voter registration data, but it is likely to make a significant dent in the  digital marketing ecosystem that fuels targeted ads, spam callsand emails, and people-search websites. 

This is a major milestone for data privacy in the United States, and a signal that other states may soon follow. 

That’s an important point – other states will have to pass their own versions of a “Delete Act” in order for their residents to have the same kind of control over the collection and use of personal information. Or Congress would have to pass a law that applied to all U.S. states and territories.  

One thing to keep in mind…businesses retain the ability to deny a delete request if removing the information would defeat efforts to prevent fraud. Legitimate data brokers help ensure people are who they claim to be when opening and accessing accounts, reducing the number of cases of identity theft, fraud, and scams. 

Even if you don’t live in California, you can still take steps to protect your data by using privacy-focused browsers, reviewing your browser, app, and social media account settings, and supporting stronger privacy laws in your state. 

If you’ve received a data breach notice or believe your personal information has been misused, you can speak with an expert ITRC advisor on the phone, via text message, chat live on the web, or exchange emails during our normal business hours (6 a.m.-5 p.m. PT). Just visit www.idtheftcenter.org to get started. 

Thanks again to SentiLink for their support of the ITRC and this podcast. Please hit the like button for this episode and subscribe wherever you listen to podcasts. Join us next week for another episode of the Weekly Breach Breakdown. I’m Tim Walden — thanks for listening.