Don’t Drop the Ball: Navigating California’s DROP and Delete Act

Data privacy laws have been around for a few good years now, but the process of removing your personal information from the internet often felt like a game of whack-a-mole. If a consumer wanted to scrub their data from the dozens of companies that buy and sell it, they had to contact each one individually, navigate complex opt-out forms, and hope the request was honored. As a result, a Pew Research survey found that most Americans believe they have “little to no control” over how companies or the government use their data.
With the implementation of California’s Delete Act (SB 362) and the launch of the Data Rights Oversight Portal (which forms the catchy abbreviation DROP), the power dynamic between consumers and registered data brokers has shifted significantly. This legislation creates a centralized deletion mechanism covering all registered data brokers in California. Let’s dive in to learn what that means.
Fast Facts: What Are the Delete Act and DROP?
- The DROP System: The California Privacy Protection Agency (CPPA) is responsible for developing and overseeing the Data Rights Oversight Portal (DROP). This centralized online platform allows consumers to submit a single request instructing data brokers to delete their information.
- The One-Stop Shop: Instead of sending dozens of emails to different companies in the hope of effectively deleting their data, a resident can log in to DROP, verify their identity, and click one button.
- The Continuous Delete: The law requires data brokers to access the DROP system at least once every 45 days. After a consumer submits a valid deletion request, the broker must delete that consumer’s personal information and continue doing so at least every 45 days going forward. As with other CCPA rights, certain statutory exemptions still apply, including situations where data must be retained for legal compliance, fraud prevention, or other permitted purposes.
- Audit Requirements: To ensure compliance and transparency, data brokers are now required to undergo independent audits every 3 years to verify they are honoring these deletion requests.
- Strict Penalties: The CPPA may impose administrative fines, including up to $200 per day per consumer, for failure to register or comply with deletion obligations. This is a major shift, given research showing that over 40% of data brokers failed to respond to requests at all.
1. Data Minimization is Now a Risk Mitigation Strategy
Data hoarders, it’s time for some deep cleaning. The Delete Act turns data hoarding into a liability by imposing the added administrative burden of purging unnecessary data every 45 days. Companies should move toward a data-minimization model, keeping only the bare essentials. This reduces the surface area for both regulatory audits and potential data breaches.
2. Privacy Only Works When It’s Easy to Implement
Privacy frameworks succeed or fail based on usability. When exercising privacy rights requires dozens of manual requests that are often ignored, many consumers simply give up (and who can blame them?). On the business side, complicated compliance processes create friction, delays, and operational risk.
The shift toward centralized mechanisms like DROP reflects a broader realization: privacy must be easy to execute, not just legally defined. Automation and centralized management turn privacy from an administrative burden into an operational process.
Platforms like MineOS make a measurable difference in achieving these goals for everyone. By automating deletion workflows, quickly managing cross-system requests, and reducing manual tasks, organizations can respond to large-scale privacy actions efficiently and consistently.
3. Focusing on Data Centralization and Visibility
The creation of DROP, a formal centralized system, shows above all that centralization is what managing data privacy requires. Businesses need a unified view of how data enters the organization and which systems continue to process it over time.
MineOS solves this challenge by providing organizations with a continuously updated data map. Instead of chasing information across disconnected tools, teams gain a single operational layer that tracks data flows, surfaces blind spots, and enables reliable deletion across environments. When a deletion request arrives, organizations don’t have to start scrambling to locate data in order to meet deadlines and avoid fines, because they already know where it is and how to act on it.
If there ever was a doubt, California continues to set a high bar for transparency and corporate accountability. This time, it reminds us all how crucial it is to have a single source of truth we can act on.