California's DROP Act requires all 500+ registered data brokers to process consumer deletion requests every 45 days — or face devastating penalties. We automate the entire cycle.
⏱ Time until enforcement deadline
California's DELETE Act (SB 362) mandates all registered data brokers to delete consumer data via a new platform called DROP.
Official enforcement begins August 1, 2026. Compliance checks repeat every 45 days.
Fines of $200/day per consumer request not processed. Failure can cost millions in compounding penalties.
DROP Autopilot completely automates the API download, record matching, secure deletion, and status reporting.
California's Delete Act created a first-of-its-kind government platform called DROP. Starting August 1, 2026, every registered data broker must complete a complex technical cycle — or face escalating daily fines.
Access DROP at minimum once every 45 days to download deletion request lists with SHA-256 hashed identifiers.
Email, Phone, MAID, CTVID, Name+DOB+ZIP, and Name+VIN — each with specific standardization and composite hashing rules.
Delete or opt-out matched records and direct service providers and contractors who received that consumer's data to do the same.
Generate and upload CSV status responses for every request within the 45-day window — Deleted, Exempted, Opted Out, or Not Found.
California's Delete Act (SB 362, signed October 2023) created the DELETE Request & Opt-out Platform. Here's exactly what you're required to do.
Annual registration deadline of January 31 with CalPrivacy. $6,000/year registration fee plus separate DROP access fee starting August 1, 2026.
From 6 available list types (Email, Phone, MAID, CTVID, NDZ, NameVIN), you must select only the ones that match identifiers your systems actually hold and process.
Access the DROP API at minimum once every 45 days to download ZIP files containing CSV lists of SHA-256 hashed consumer identifiers requesting deletion.
Standardize your records using DROP's exact rules, hash with SHA-256 → Base64, and match against downloaded identifiers. Composite hashing required for NDZ and NameVIN.
Delete or opt-out matched records. Forward deletion requests to service providers and contractors who received that consumer's data.
Submit CSV status responses back to DROP: Deleted (3), Exempted (2), Opted Out (4), or Not Found (5) for every single request — within the same 45-day window.
GET /data/download from DROP API
Extract CSVs, load hash sets
SHA-256 match against your records
Remove matched data
Upload status CSV to DROP
Cycle restarts every 45 days
DROP Autopilot is a platform that completely automates the entire DROP compliance cycle. Connect your databases and systems once — we handle everything else.
We provide custom-built connectors tailored to your specific system. No matter what database or platform you use — we handle the integration for you.
Our system automatically downloads consumer deletion lists from DROP on schedule — with a built-in safety buffer. You never have to worry about missing a 45-day deadline.
Our engine handles all the complexity of matching consumer identifiers against your records. Every list type, every edge case — automatically processed with zero manual effort.
Matched records are deleted from your system automatically — fully hands-off.
Status reports are generated and uploaded back to DROP automatically — Deleted, Exempted, Opted Out, or Not Found. No spreadsheets, no manual uploads, ever.
Every action is permanently logged in an immutable audit trail. Starting 2028, data brokers must submit audit reports every 3 years — our system keeps you ready from day one.
Built-in deadline guardian automatically triggers emergency actions if your 45-day cycle is approaching
We provide custom connectors to handle your data — whatever system your organization uses, we build the bridge.
Starting 2028, brokers must submit audit reports every 3 years. Our immutable logs give you a complete, exportable compliance history from your very first cycle.
From download to deletion to reporting — every step of the DROP cycle runs on autopilot. Set it up once and your compliance is handled forever.
This isn't a generic compliance tool. Our entire system is purpose-built from the ground up to automate DROP — and nothing else. Every feature exists to keep you compliant, automatically.
We don't do "general compliance." Our entire platform is engineered exclusively for the California DELETE Act DROP cycle — purpose-built and laser-focused.
Download, match, delete, report — every 45 days, automatically. No manual intervention, no spreadsheets, no missed deadlines. Set it up once and walk away.
Starting 2028, data brokers must submit audit reports every 3 years. Our system creates permanent, tamper-proof records of every action — keeping you audit-ready from day one.
We provide built-in and custom-built connectors for your specific system. Whatever platform your data lives on, we connect and handle it all for you.
What operations, DROP compliance, and data brokers need to know about DROP Act and DROP Autopilot.
Every entity defined and registered as a data broker with the California Privacy Protection Agency (CPPA) is legally required to comply with the DROP Act, which includes connecting to and processing requests from the DROP platform.
We build custom-fit, secure connectors for your specific database setup (PostgreSQL, MySQL, SQL Server, MongoDB, Oracle, Snowflake, Redshift, etc.). Our team handles the integration, ensuring safe data synchronization without disrupting your live database performance.
No. DROP Autopilot matches records in a secure, memory-isolated compliance environment. Hashing and comparison happen in-memory and never stored in disk even in Drop Autopilot servers. Your customer data never leaves your environment, and we do not store your databases.
We can complete the configuration and begin testing within 5-7 business days. We provide end-to-end integration support, including connection testing against the official CPPA sandboxes.
Our platform records every single API request, standardization rule, matching query, service provider notification, and feedback submission code in a tamper-proof, write-once, read-many (WORM) audit trail. When the auditor arrives, you can export a complete audit package with one click.
Thank you for reaching out! Our compliance team will get back to you within 24 hours.