California DROP: 6-Month Review — Is It Actually Working?
When California launched the DROP platform on January 1, 2026, we were among the first to test it and publish a review. That post became the most-read article on this site — and for good reason. DROP was the first government-run data deletion tool in the US, and people wanted to know if it actually worked. Five months later, with over 215,000 registrants and the August 1 compliance deadline less than three months away, it's time for a follow-up. Here's what's changed, what hasn't, and what the numbers actually show.
Where Things Stand: DROP by the Numbers
The California Privacy Protection Agency (CPPA) has been publishing periodic updates on DROP adoption. The numbers are encouraging from an adoption standpoint, even if the results are more complicated.
DROP Adoption (January–May 2026)
- 215,000+ — Total deletion requests submitted
- ~530 — Data brokers on the California registration list
- 114 million+ — Individual broker deletion requests generated (215K users × ~530 brokers)
- 47 — Consumer complaints filed with the CPPA regarding broker non-compliance
- 0 — Enforcement actions taken by the CPPA (as of May 2026)
The registration numbers exceeded the CPPA's own projections. Internal planning documents obtained through a public records request showed the agency expected 50,000–100,000 registrations in the first year. Hitting 215,000 in five months suggests genuine consumer demand for this kind of tool. Privacy isn't a niche concern anymore — it's mainstream.
What We Found When We Checked Again
In our original review, we reported that 45 days after submitting a DROP request, most major people-search sites still showed complete profiles. We ran the same check again at the five-month mark — 150 days after our initial submission.
The results were better, but far from complete:
- Spokeo: Profile removed. Searching returned no results for the submitted identity. This is a genuine win.
- BeenVerified: Partial removal. Name and age still visible, but address and phone number were gone. Relative associations remained.
- Whitepages: Full profile still live. No visible changes from our January check. Name, address, phone number, and age all listed.
- TruePeopleSearch: Profile removed, but a new partial listing appeared — likely from a re-scrape of public records. Different address, same name and phone.
- FastPeopleSearch: Full profile still live. Complete listing with address history.
- Radaris: Profile removed. This was the one broker that showed partial removal in our first review, and it now shows full removal.
- PeopleFinders: Full profile still live. No changes visible.
- Nuwber: Profile removed. Clean search results.
So out of eight major people-search brokers, three showed full removal, one showed partial removal, and four showed no changes at all — five months after submitting through DROP. That's progress, but it's not the kind of comprehensive deletion the platform promises.
What Users Are Reporting
We spent time on Reddit's r/privacy, r/California, and several privacy-focused forums to collect real user experiences. The picture is consistent with our own findings: mixed results with wide variation.
The most common complaints center on three issues:
- No status visibility. DROP still shows "processing" with no broker-by-broker breakdown. Users have no way of knowing which brokers received the request, which ones acted, and which ones ignored it. This was the top complaint in January, and nothing has changed.
- Re-listing after deletion. Multiple users reported that brokers who initially removed their data re-listed them within 4–8 weeks. TruePeopleSearch was the most frequently cited offender. Brokers scrape public records continuously, and a one-time deletion request doesn't prevent future re-listing.
- Non-registered brokers untouched. Several users pointed out that brokers not registered with California — including some of the largest data aggregators — were completely unaffected by DROP. The platform can only reach registered brokers, and registration compliance is itself imperfect.
On the positive side, some users reported noticeable reductions in direct mail and marketing emails after about three months. A few reported fewer unknown callers, though most said spam calls were unchanged. The users who reported the best results tended to be those who also manually submitted opt-out requests to non-registered brokers — suggesting that DROP alone is insufficient for comprehensive data removal.
The August 1 Deadline: What It Actually Means
The Delete Act (SB 362) set August 1, 2026 as the deadline for full compliance. After that date, every data broker registered with California must be processing DROP deletion requests within 45 days of receipt. The CPPA gains full enforcement authority, including the ability to impose fines.
Delete Act Enforcement: What Happens After August 1
- $200/day per violation: Brokers that fail to process deletion requests face fines of $200 per day per violation. For a broker ignoring thousands of requests, this adds up to millions quickly.
- CPPA complaint investigations: The agency has committed to investigating every consumer complaint filed through the portal.
- Annual audit authority: The CPPA can audit any registered broker's compliance with deletion processing requirements.
- Registration revocation: Brokers that repeatedly fail to comply can have their California registration revoked, making it illegal for them to operate in the state.
The enforcement teeth are real — on paper. The question is whether the CPPA has the resources to actually enforce them. The agency's 2026 budget allocated $2.8 million for Delete Act enforcement, which covers a staff of roughly 12 people overseeing 530+ registered brokers processing requests from 215,000+ users. Privacy advocates have called this underfunded, and they're probably right.
The most likely outcome is selective enforcement: the CPPA will pursue high-profile cases against the worst offenders to create deterrence, rather than attempting to audit every broker. This is standard regulatory practice, but it means plenty of mid-tier brokers may continue dragging their feet for months after the deadline.
The Re-Listing Problem DROP Can't Solve
Even when DROP successfully gets your data deleted, there's a fundamental structural problem it doesn't address: re-listing.
Data brokers don't generate your personal information from nothing. They aggregate it from public records (court filings, property records, voter registration), commercial sources (loyalty programs, purchase history, app data), and other brokers. When one broker deletes your record, the underlying data sources still exist. Within weeks, the broker's automated systems scrape those sources again and rebuild your profile.
DROP submits your deletion request once. It does not monitor for re-listings. It does not re-submit requests. Once the initial request is processed, DROP's involvement ends — but the data pipeline that created your broker profile in the first place keeps running.
This is the single biggest limitation of any one-time deletion mechanism, and it's not something the Delete Act was designed to solve. The law requires brokers to process deletion requests. It doesn't require them to stop collecting data from public sources. Until that changes, data removal is an ongoing process, not a one-time event.
What's Changed Since Our Original Review
Comparing our January findings to our May findings, here's what's genuinely different:
| Area | January 2026 | May 2026 |
|---|---|---|
| Registrations | ~30,000 (first two weeks) | 215,000+ |
| Broker removals visible | 1 of 8 tested (Radaris partial) | 3 full + 1 partial of 8 tested |
| Status transparency | "Processing" — no detail | "Processing" — still no detail |
| Re-listing observed | Too early to measure | Yes — TruePeopleSearch, BeenVerified |
| CPPA enforcement actions | None (pre-deadline) | None (pre-deadline) |
| Consumer complaints filed | Not disclosed | 47 filed with CPPA |
| Spam call reduction reported | None | Minimal — a few anecdotal reports |
The trajectory is positive. More brokers are processing deletions than in January. But the pace is slow, transparency is nonexistent, and the re-listing problem is exactly as bad as we predicted.
DROP Alone vs. DROP + a Data Removal Service
Our recommendation hasn't changed from the original review, but we now have five months of evidence to back it up. DROP is valuable — it's free, it carries legal authority, and it does reach some brokers that commercial services don't (because those brokers only respond to government mandates). But DROP alone leaves too many gaps.
| Capability | DROP Alone | DROP + GhostVault |
|---|---|---|
| Broker coverage | ~530 (CA-registered) | 530 CA + 500+ nationwide |
| Re-listing monitoring | None | Continuous scans |
| Automatic re-removal | No — one-time request | Yes — ongoing |
| Status tracking per broker | No — "processing" only | Yes — live dashboard |
| Dark web breach monitoring | No | Included |
| Deletion verification | No | Yes — confirmed via scan |
| Works for non-CA residents | No | Yes — all 50 states |
| Cost | Free | $3.99/mo |
If you're a California resident, submit through DROP — it's free and there's no downside. But pair it with ongoing monitoring and removal through a service like GhostVault to catch the re-listings, cover unregistered brokers, and verify that deletions actually stick.
What to Watch for After August 1
The August 1 compliance deadline will be the real test of the Delete Act's effectiveness. Here's what we'll be watching:
- First enforcement actions. The CPPA has hinted it will pursue cases quickly after the deadline. The first fines — and the broker reactions — will set the tone for whether the law has teeth.
- Broker de-registration. Some smaller brokers may choose to de-register from California rather than comply with deletion processing requirements. This would remove them from DROP's reach entirely while allowing them to continue operating in other states.
- Status transparency updates. The CPPA has acknowledged the lack of per-broker status tracking as a known issue. Internal roadmap documents suggest a dashboard update is planned for Q3 2026, though no firm date has been set.
- Other states following California's lead. Oregon and New Jersey are both considering legislation modeled on the Delete Act. If those pass, the federal pressure for a national standard increases significantly.
- Re-listing enforcement. The most important question: will the CPPA consider re-listing after deletion a new violation? If so, brokers would face ongoing fine exposure. If not, the one-time deletion model remains fundamentally limited.
Our Updated Verdict
Five months ago, we said DROP was "a good start." That assessment hasn't changed — but we now have the data to be more specific about exactly where it succeeds and where it falls short.
DROP is working for some brokers. It is not working for others. It has no mechanism to handle re-listing, which is the biggest real-world privacy problem consumers face. And it provides zero transparency into what's happening with your request.
The August 1 deadline will matter. Enforcement will matter more. But even in a best-case scenario — full compliance from every registered broker, aggressive enforcement, real fines — DROP will still only cover California-registered brokers, and it will still be a one-time request in a world that requires ongoing protection.
Bottom Line
DROP is doing more than nothing and less than enough. Use it if you're eligible — it's free and legally backed. But don't rely on it as your only line of defense. The data broker ecosystem is too large, too aggressive, and too automated for a single government filing to handle. Pair DROP with a service that monitors, re-removes, and verifies continuously. GhostVault covers 500+ brokers at $3.99/month, works in all 50 states, and doesn't stop after the first request.
Frequently Asked Questions
How many people have signed up for California DROP?
Over 215,000 California residents have submitted deletion requests through DROP since its January 1, 2026 launch. The CPPA exceeded its own first-year projections within the first five months, indicating strong consumer demand. Each registration generates individual deletion requests to all ~530 registered brokers, meaning the platform has generated over 114 million individual broker requests.
Are data brokers actually complying with DROP requests?
Compliance is inconsistent. In our testing, three out of eight major people-search brokers fully removed profiles after five months, one showed partial removal, and four showed no visible changes. User reports on Reddit and privacy forums confirm this pattern — some brokers are processing deletions, while others appear to be ignoring requests entirely. The August 1, 2026 compliance deadline, after which the CPPA can impose $200/day fines, is expected to accelerate compliance.
What happens on August 1, 2026 for California DROP?
August 1, 2026 is the statutory compliance deadline under the Delete Act. After this date, all registered data brokers must be processing DROP deletion requests within 45 days. The CPPA gains full enforcement authority, including $200/day fines per violation, audit rights, and the ability to revoke broker registrations. The agency has allocated $2.8 million and approximately 12 staff members for enforcement, though privacy advocates have called this insufficient for overseeing 530+ brokers.
Has California DROP reduced spam calls?
For most users, no. The majority of DROP registrants report no noticeable change in spam call volume. A small number of users on Reddit reported modest reductions after 3–4 months, but these are anecdotal and difficult to attribute directly to DROP. Spam calls originate from many sources beyond California-registered data brokers, and DROP does not address data that has already been sold to telemarketers or re-scraped from public records.
Should I wait for the August 1 deadline before trying other data removal options?
No. Waiting for the compliance deadline means your data remains exposed on broker sites for months longer than necessary. Even after August 1, DROP only covers ~530 California-registered brokers out of 4,000+ operating nationally. It does not monitor for re-listings, verify deletions, or scan for breach exposure. A data removal service provides ongoing protection that runs in parallel with DROP — there's no reason to choose one over the other.
This is just one of 500+ brokers selling your data.
GhostVault removes you from all of them automatically — and keeps you removed.