What California’s DROP Program Really Tells Us 

By C.K. Redlinger

California’s DROP program is a meaningful step forward, but not for the reason most people think. Its real value isn’t permanent deletion. It’s transparency and consolidation in a system that has long thrived on opacity. At the same time, DROP exposes hard limits. Audit cadence lags real-world data movement. Jurisdiction stops at the water’s edge, and deletion does not equal lasting visibility reduction once data has propagated. That gap is often misread as noncompliance. It isn’t. It’s architecture. 

At the start of this year, California rolled out the Delete Request and Opt-Out Platform, better known as DROP. The mechanics are straightforward. California residents can submit a single request to delete their personal information from registered data brokers, and those brokers are legally required to comply within a defined window. It would be easy to stop the analysis there and treat DROP as a consumer-facing privacy tool. That framing is understandable, but incomplete. DROP is better understood as a governance response to a problem that has outgrown individual action. 

Why DROP Exists 
For years, privacy regulation assumed that individuals could meaningfully manage their own data exposure. Opt-out links. Individual deletion requests. Repeated follow-ups. That approach works in theory. In practice, it collapses under scale. Most people have no idea who’s collecting their personal information, how many companies are involved, or how their data is resold once it enters the ecosystem. Even those who do understand the landscape quickly run into a time and effort problem. The burden is simply too high. DROP reflects an acknowledgment of that reality. 

What DROP Gets Right 
Where DROP meaningfully separates itself from earlier privacy efforts is transparency. Not in the abstract, but in the specifics it forces into the open. The public data broker registry requires participating brokers to disclose if they collect data on minors, trade in precise geolocation information, or handle sensitive categories like reproductive healthcare data. These aren’t just technical details. They’re the kinds of data most closely tied to real-world harm, and often the least visible to the people affected. 

The registry is not a complete map of the data broker ecosystem, and it does not pretend to be. But it does establish something that has been largely missing until now: a state-backed disclosure record for the brokers it can reach. That record gives regulators something concrete to measure. It gives people a clearer picture of exposure. And it removes the ability for brokers to hide behind vague privacy policies and generic language. DROP does more than offer a deletion request. It creates visibility where opacity has long been the norm. In a data economy built on silence and scale, that alone is a meaningful shift. 

Where the System Shows Its Limits 
At the same time, DROP makes visible the limits of event-based controls in a continuous data economy. Data brokers do not operate on a static timeline. They ingest continuously, purchase new data sets, and enrich profiles through upstream sources. A deletion request clears data as of a point in time. It does not change the incentives or mechanics that allow that data to be reintroduced later. This is not necessarily noncompliance. It is architecture. 

The enforcement cadence reflects this mismatch. Brokers have up to 45 days to remove data. Audits occur on a multi-year cycle. Against a backdrop of near real-time data movement, those timelines are administrative, not protective. Jurisdiction also matters. DROP applies to a defined set of entities. Offshore brokers, entities shielded by other regulatory regimes, and businesses that collect data through direct consumer relationships often fall outside its scope. These exclusions are not oversights. They are the product of legal and political boundaries. 

The Role of Enforcement 
It is worth being realistic about enforcement capacity. Regulatory agencies are not intelligence organizations. They operate with finite budgets, limited technical reach, and jurisdictional constraints. Enforcement is often reactive by design. 

As a result, the actors most likely to comply are those with a visible footprint and exposure to U.S. legal pressure. The actors least likely to comply are often the least visible and the hardest to reach. This does not invalidate the law. It defines where it can realistically operate. 

What DROP Signals About the Future 
DROP should be viewed as an early version of privacy infrastructure rather than a finished product. It signals a shift away from abstract rights language toward operational systems. Registries. Centralized request handling. Mandatory disclosures. We will likely see more of this approach as data governance evolves. Central coordination is becoming the default response to scale, even when the outcomes are imperfect. What will not change is the underlying tension. Data ecosystems are persistent and adaptive. Regulation is episodic and bounded. That gap cannot be closed through legislation alone. 

A Clear-Eyed Takeaway 
DROP is neither a cure-all nor a performative gesture. It does meaningful work where law is capable of acting. It improves transparency. It lowers barriers for consumers. It pressures legitimate actors to do better. It does not stop repopulation. It does not eliminate visibility once data has spread. And it does not neutralize bad-faith actors operating outside the system. 

Noticing the difference really matters, especially for those of us looking out for risk and caring for people. Sometimes, the biggest value in a new system isn’t what it fixes right away, but what it helps us see about the real issue. 

C.K. Redlinger is a Senior Privacy and Intelligence Advisor at 360 Privacy. He partners with executives and organizations to identify how personal data is exposed, exploited, and operationalized in today’s evolving threat landscape. With four decades of experience across the U.S. Marine Corps, law enforcement, overseas government programs, and executive-level corporate security, he brings a unique, multidisciplinary perspective to privacy challenges.