On 1 Jan., California's Delete Request and Opt-Out Platform, known as DROP, became available to state residents. Part of California's Delete Act, the DROP system thus far has seen more than 215,000 residents sign up for the opt-out mechanism. The platform is overseen by the California Privacy Protection Agency and features more than 500 registered data brokers. Tom Kemp is the executive director of the CPPA, also known as CalPrivacy, and sat down with IAPP Editorial Director Jedidiah Bracy to discuss how the DROP system is faring, as well as the priorities the agency is taking in 2026, including the appointment of Sabrina Boyson Ross as CalPrivacy's first chief auditor.
Takeaways from the interview
The early popularity of the DROP platform among California residents was reflected recently in a press release from Gov. Gavin Newsom, D-Calif., who touted the "nation-leading law" that gives Californians more control over their data. "Your data should belong to you," he said, "and DROP will make that happen in one simple step."
How DROP is a 'game changer for consumer privacy'
CalPrivacy Executive Director Tom Kemp called the platform "a game-changer for consumer privacy" and added, in his conversation with IAPP Editorial Director Jedidiah Bracy, that DROP's popularity "clearly shows there's pent-up demand for a free, secure deletion tool at scale."
Though he pointed out the deletions will not commence until August, consumers wanted to "get in line" to start the process. Kemp said there are currently 545 data brokers registered in the state, "the highest it's ever been."
He said the platform helps solve the "privacy paradox" — that consumers care about their privacy but find it too difficult to exercise their rights. "It may take us 20, 30 minutes of interaction with each and every data broker," Kemp said, which adds up to as much as "10 days’ worth of work." DROP "really facilitates the exercise of privacy rights ... in a highly scalable manner."
Kemp said that data broker compliance is increasing and that the agency has been actively engaged with its Data Broker Strike Force. He warned data brokers that fines "will add up quickly," and that "there is a fine associated with every record not deleted per day" and "failure to register is not a get-out-of-jail-free (card) for avoiding fines."
The so-called "California effect" could come into play, as Kemp said policymakers in several states, including Connecticut, Hawaii, New York and Vermont, have expressed interest in adopting a similar system. "We are open for business to work with other states that want to have something comparable," Kemp said.
CalPrivacy's new chief privacy auditor
Notably, the agency recently announced the appointment of its first-ever chief privacy auditor, Sabrina Boyson Ross, who previously worked on public policy for Meta. In her role, Ross will lead the audits division and oversee compliance and submissions related to risk assessments and cybersecurity audits, which were formalized last year, after a long, winding road of negotiations among stakeholders.
The new division, Kemp said, has "the right to work with businesses to see to what extent businesses are complying with the CCPA, which is different from enforcement." Though the division is new, Kemp said formal staffing is underway at the moment. "We will build it out with headcount," he said. "It will be a good division doing good work here in California."
Kemp emphasized the new audits division will focus on compliance, not enforcement, explaining that it will evaluate whether businesses are meeting CCPA requirements, while the separate enforcement division will focus on violations of the law.
Timeline for new regulations
Last year, CalPrivacy adopted three new regulations: the cybersecurity audits and risk assessments cited above, as well as automated decision-making. Though compliance does not begin for another year (it begins 1 Jan. 2027), Kemp recommended "if you do have ADMT technology that processes personal information to start the process now" and to read the regulations.
Risk assessments became effective 1 Jan. 2026, but attestations are due by 1 April 2028. Cybersecurity audits are a bit further down the line, with certifications for large companies beginning 1 April 2028, and smaller tiers in 2029 and 2030.
Enforcement state-of-play
CalPrivacy has been busy on the enforcement side of things. "We have said there are currently over 100 open investigations with our agency," Kemp said, "and since inception of the agency, we have received approximately 10,000 consumer complaints."
With the advent of DROP, Kemp said, "I expect that number to go higher." Though consumer complaints "fuel our investigations," Kemp said they're not the only thing investigations are based on. "We have a very strong technology team here that does their own independent research on privacy harms and specific data flows associated with businesses as well."
In the full interview, Kemp also discusses his thoughts on the interplay between federal and state regulation, particularly around a proposed moratorium on state AI laws and federal preemption of state privacy laws, including California's. "We firmly believe in the Brandeis statement that states are the laboratories of democracy," he said. A moratorium and preemption is "not just a blue issue; it's a red issue. We've seen strong statements from the governors of Utah, Arkansas and Florida ... that they need to be able to come out with laws that protect the rights of their citizens."
Jedidiah Bracy is the editorial director for the IAPP.


