DROP Act Automation Software for Subject Rights Requests

On August 1, 2026, the operational reality of consumer privacy in California changes for every data broker registered with the state, and those that haven’t registered should be prepared for big fines. From that date, any California resident will be able to submit a single deletion request through the California Privacy Protection Agency’s Delete Request and Opt-Out Platform (known as DROP), and that request will propagate, by law, to every registered data broker, on a recurring 45-day cycle, indefinitely.

The Delete Act (SB 362), signed in October 2023, created the most operationally demanding privacy obligation any US state has imposed on data-driven businesses. The DROP platform is the mechanism that makes it real. And manual workflows — the spreadsheets, ticketing queues, and ad hoc DSAR processes that most organizations still use — will not survive contact with August 1.

This is what DROP Act automation software actually has to do, why generic DSAR tools are not sufficient, what to look for when you evaluate a solution, and how Captain Compliance DROP Automation software handles every piece of the lifecycle from intake through audit log.

The Delete Act and DROP, in Plain English

For readers who need the foundation before the operational detail.

The Delete Act (SB 362) is California’s data broker accountability law. It requires every business that meets the statutory definition of a data broker to register annually with the CPPA, pay a fee, and — most consequentially — honor consumer deletion requests through a single, centralized mechanism the CPPA was charged with building.

DROP — the Delete Request and Opt-Out Platform — is that mechanism. It is the user-facing portal a California consumer visits to submit one deletion request that flows to all registered data brokers. The CPPA finalized the technical specifications and registration framework in 2025, and the consumer-facing platform goes live August 1, 2026.

The recurring obligation is the part most organizations underestimate. A consumer who submits a DROP request is not making a one-time deletion request; they are establishing a standing instruction. Every 45 days, registered data brokers must re-process that consumer’s data and delete any new personal information they have collected. That obligation persists indefinitely, until the consumer revokes it.

The penalty exposure is significant. Failure to register, delete, or respond to consumers carries administrative fines that scale per violation, plus the prospect of CPPA enforcement actions and the reputational consequences of being named in a public list of non-compliant data brokers.

If your organization meets the data broker definition — and many businesses that don’t think of themselves as data brokers technically do — August 1 is a hard deadline.

Why Manual DSAR Workflows Fail Under DROP

The DSAR processes that most privacy programs built for the CCPA and CPRA were designed against an entirely different volume profile. A typical pre-DROP California program received a handful of consumer rights requests per month, each through a webform or email, each handled by a privacy analyst with a checklist. That model breaks under DROP for four reasons.

Volume. The CPPA expects hundreds of thousands to millions of California residents to submit DROP requests in the first year. Even if a registered data broker captures only a small fraction of California consumer interest, the per-broker volume will be orders of magnitude higher than today’s webform-driven request flow. Manual processing — even with a generous staffing model — does not scale to that volume.

Velocity. DROP requests must be processed within statutorily defined windows, and the recurring 45-day re-deletion obligation means each accepted request becomes a permanent operational task rather than a one-time event. A privacy team that handles 10,000 first-time requests in August is also processing 10,000 recurring obligations in mid-September, then 20,000 by mid-November, and so on. Captain Compliance’s DROP Act subject rights request software is the only tool that can handle an unlimited number of daily removal requests and automate the entire process for Captain Compliance clients.

Cross-system propagation. A meaningful deletion does not just remove a record from a primary database. It propagates to data warehouses, analytics platforms, vendor systems, ad-tech destinations, backup tapes, and sub-processor pipelines. A manual workflow that deletes from one system and forgets the others creates exactly the kind of evidentiary gap the CPPA is empowered to investigate.

Audit-readiness. Each request must produce a regulator-ready audit record: timestamp of intake, identity verification method applied, systems acted upon, disposition timestamp per system, and proof of recurring execution. Manual processes produce inconsistent documentation. DROP-volume manual processes produce indefensible documentation.

The core insight is that DROP did not just raise the bar on DSAR processing; it changed the underlying nature of the obligation from event-driven to continuous. Software designed for event-driven DSARs cannot meet a continuous obligation.

What DROP Act Automation Software Actually Has to Do

Before evaluating any vendor, including Captain Compliance, a privacy or compliance lead should know what good looks like. A DROP Act automation platform — to actually deliver compliance rather than the appearance of it — needs to handle the following, end to end.

Direct DROP integration. Receiving deletion requests from the CPPA’s published mechanism in real time, with the request format, identity claims, and metadata required by the platform. Polling, manual exports, or batch ingestion from CPPA artifacts are operational liabilities.

Risk-based identity verification. Applying verification appropriate to the data sensitivity of the request, in line with CCPA regulations and CPPA guidance, without creating a friction point that pushes the consumer to abandon. Over-verification creates legal exposure. Under-verification creates legal exposure of a different kind.

Cross-system orchestration with pre-built and custom connectors. Reaching every system in your environment that holds the consumer’s personal information — primary databases, data warehouses, marketing platforms, CDPs, ad-tech destinations, backups, and sub-processor pipelines. The connector library has to cover the systems your business actually uses, including the ones the privacy team does not own.

Recurring 45-day execution. Scheduling and running the recurring deletion cycle automatically, without re-issuing tickets to the privacy team, and producing per-cycle evidence of execution. The 45-day cycle is what turns the Delete Act from an annoying compliance task into a permanent operational liability if it is run manually.

Granular audit logging. Producing a regulator-ready record of every action, queryable on demand, retained for the period required by California law and your organization’s broader retention schedule. The CPPA’s audit posture will reward defensible documentation and punish gaps.

Multi-jurisdiction routing. Recognizing that a single consumer may have rights under California law, Maryland law (with its newly expanded sensitive-data definition), Colorado, Virginia, Connecticut, Texas, Oregon, and a growing list of US states — plus the GDPR, UK GDPR, LGPD, and others. A DROP-only solution that cannot route requests by jurisdiction is solving one quarter of the problem.

Surge capacity. Engineered to handle the sustained throughput of DROP volume and the spikes that will follow public attention, regulator announcements, and high-profile breach events. Burst capacity is not optional; it is part of the threat model.

Human-in-the-loop where it matters. Automating the routine 95% of requests while routing edge cases — verification failures, partial matches, complex multi-system dependencies — to a privacy analyst with the context to decide. Pure automation without a safety valve produces wrong answers at scale.

These are the table stakes. A vendor that cannot deliver all of them is selling a DSAR tool with a DROP marketing label.

Captain Compliance DROP Automation: Built for August 1 Compliance

Captain Compliance DROP Automation is purpose-built for this regime. Every capability above is in the platform, generally available today, with customers onboarding now in advance of the August 1 effective date.

The architecture reflects what the obligation actually requires. Captain Compliance integrates directly with the CPPA’s DROP intake mechanism, applies risk-based identity verification calibrated to the sensitivity of each data set, propagates deletions across primary and downstream systems through a connector library that covers the major SaaS, data warehouse, ad-tech, and CRM platforms in use today, and runs the 45-day recurring deletion cycle on autopilot — producing audit-ready evidence for each cycle without re-issuing work to your team.

The platform is engineered for surge and sustained throughput. Captain Compliance’s DROP Automation software is capable of processing more than 10,000 deletion requests per hour sustained, with horizontal scaling for the launch-week and event-driven spikes the CPPA has signaled to expect.

Multi-jurisdiction routing is native. California requests flow through the DROP-specific lifecycle. Requests from other US states route through the appropriate state-specific workflow — including Maryland’s expanded sensitive-data treatment under HB 711, Virginia’s recent geolocation-sale prohibition, and the growing list of state-specific obligations Captain Compliance tracks and operationalizes. GDPR and UK GDPR requests follow the European-rights workflow. The privacy team configures the policy once; the platform applies the right rules to the right requests.

The Captain Compliance DROP Automation module is also designed to live alongside the privacy program your organization already has. The platform integrates with leading consent management platforms, data inventory and mapping tools, and vendor governance systems. It does not require ripping out an existing DSAR tool; it sits at the layer above it, automating the orchestration that DSAR tools historically left to humans.

How to Evaluate DROP Automation Software (Including Ours)

The next 90 days are going to produce a lot of vendor noise. A short evaluation framework that any privacy or compliance lead can use:

Ask for the connector list. Specifically, the live list as of this quarter, with version numbers. A vendor that cannot produce one is selling a roadmap, not a platform.

Ask for an end-to-end demo against a realistic test case. Not a sales walkthrough. A real walkthrough of intake, verification, propagation, recurring execution, and audit log retrieval, against a sandbox that mirrors your environment.

Ask about the 45-day cycle specifically. Many vendors will demonstrate one-time deletion well and gloss over the recurring obligation. The recurring cycle is where DROP-specific automation lives or dies.

Ask about audit log structure. Request a sample export. If the structure does not let you reconstruct, on demand, what happened to a specific request across every system, the audit log is theater.

Ask about migration and onboarding. If the vendor’s quoted onboarding window pushes you past August 1, the timeline is the answer to your evaluation.

Captain Compliance is happy to be evaluated against this framework. We were built for it, and in a recent comparison a client getting 2,000 requests a day went with Captain Compliance over a legacy vendor’s tool that was rate-limited at 100 per day. Thanks to new privacy startups like Privacy Hawk, Optery, and Cloaked, there are millions of new subject rights requesters who didn’t know about removal until now.

Frequently Asked Questions

Are we a registered data broker? If your business buys, sells, licenses, or shares personal information about California consumers with whom you do not have a direct relationship, the answer is probably yes. The CPPA’s data broker definition is broad. If you are unsure, the registration analysis is the first step, and Captain Compliance can help.

What if we are not a data broker? The Delete Act applies specifically to registered data brokers, but the DROP framework will rapidly become the consumer-expected standard for deletion across the broader privacy landscape. Even non-broker businesses will benefit from automation aligned to the DROP model, particularly as similar legislation appears in other states.

Can we comply manually? For most organizations, no — at least not defensibly. The combination of volume, velocity, propagation, and the 45-day recurring obligation makes manual processing operationally infeasible at any scale beyond a small business with a handful of requests.

What happens if we miss August 1? The CPPA has signaled active enforcement. Penalties scale per violation. Reputational exposure is significant given the public-facing nature of the data broker registry.

How quickly can we onboard with Captain Compliance? Net-new customers can be live and processing requests in advance of August 1, depending on the complexity of the underlying data environment and connector requirements. Contact us for a specific timeline.

Delete Act Automation Software Vendor

The Delete Act is not another DSAR statute layered on top of the CCPA. It is a structural shift in how California — and, by extension, the US — operationalizes the right to delete. The DROP platform turns deletion from an event into a continuous obligation, at consumer-facing volumes, with recurring execution, with audit-ready documentation, with regulator scrutiny.

Privacy programs that meet that bar will run on automation. Captain Compliance DROP Automation is the platform we built to make that automation deliverable, defensible, and live before the August 1 deadline.

Ready to see Captain Compliance DROP Automation in action? Schedule a demo or contact our team directly. The August 1 deadline is closer than it looks, and the organizations that are ready will be the ones that started in April.

Captain Compliance helps in-house privacy and compliance teams meet the operational demands of the modern privacy landscape — from consent management and DSAR automation to AI governance, vendor oversight, and the cross-functional gates that make compliance work at scale. 
