ONME NEWS WATCH: California unveils ‘DROP’ tool to help residents delete data-broker profiles with one request
As Californians spend a lot of time on the internet, they may not realize how vulnerable they are to data breaches, say experts
By ONME News
SACRAMENTO, Calif. — California’s new Delete Request and Opt-out Platform, or DROP, gives residents a free, centralized way to tell hundreds of registered data brokers to delete their personal information and stop selling it, as state officials warn that identity theft, scams and large-scale data breaches continue to expose millions of Californians to risk.
For years, privacy advocates have argued that one of the biggest gaps in consumer protection was not whether Californians had privacy rights on paper, but whether they could realistically use them. The state’s new Delete Request and Opt-out Platform, launched by the California Privacy Protection Agency earlier this year, is designed to close that gap by replacing a fragmented, broker-by-broker process with a single online request. Through DROP, a California resident can verify eligibility, create a basic profile and submit one deletion request that is sent to more than 500 registered data brokers. According to the state’s privacy portal, data brokers must begin processing those requests starting Aug. 1, 2026, and must delete data within 90 days.

The stakes are not abstract. California’s economy is deeply digital, and so is daily life for its nearly 40 million residents. Californians use the internet to communicate, work, learn, access government services and manage health information. Research from the Public Policy Institute of California shows that internet access is now nearly universal in the state, with 96% of Californians having internet at home in 2023. That ubiquity has brought convenience and economic opportunity, but it has also expanded the amount of personal data generated, collected, shared and sold in the background of everyday online activity.
That is where data brokers enter the picture. Unlike a bank, retailer or health plan that has a direct relationship with a customer, data brokers often compile and sell information about people who may have never heard of them. The state’s privacy portal says the information these firms collect can include contact details, browsing history, information about children and other sensitive personal data. Before DROP, consumers who wanted their information removed had to locate individual broker websites and submit separate requests one by one — a cumbersome task that privacy experts said made meaningful control nearly impossible for ordinary people.
Tom Kemp, executive director of the California Privacy Protection Agency, has framed the platform as both a practical service and a public-awareness campaign. “Removing your personal information from the businesses that sell it could decrease the risk of identity theft, fraud, spam calls, and hacking attempts,” Kemp said in agency messaging about the launch. He has also said the goal is to ensure that Californians — especially communities that are more vulnerable to scams, fraud and impersonation schemes — know they have rights under state privacy law and understand how to use them.
Using DROP is meant to be straightforward. On the state portal, users first confirm that they are California residents through the California Identity Gateway or another trusted verification option. They then create a profile with basic identifying information and submit the request. The state says DROP is free, funded by data broker registration fees and built so the information entered is used only to complete the request. The portal also notes that family members may, in some cases, submit requests on behalf of another California resident, such as a child or an elderly relative.
The timing matters. While the platform opened to consumers on Jan. 1, 2026, the compliance obligations for data brokers are phased in. State guidance says brokers must begin processing DROP requests on Aug. 1, 2026, as part of a recurring cycle that occurs every 45 days, and they must complete deletions within 90 days. That distinction is important because it means Californians can begin filing requests now, but the effect of those requests will become more visible once broker processing formally begins later this summer.

Early signs suggest strong public demand. Industry reporting on a February board update said more than 242,000 Californians had already submitted DROP requests, including roughly 18,000 within the first 48 hours after the platform’s launch. The same report noted that the number of registered data brokers had grown to more than 575 by February, reflecting the expanding scale of the marketplace that the new system is intended to regulate.
The platform arrives against a backdrop of persistent cybercrime and data exposure. The FBI said in its 2024 Internet Crime Report that California had the highest number of internet crime complaints of any state, with 96,265 complaints and more than $2.5 billion in reported losses. Nationally, the top complaint categories included phishing, extortion and personal data breaches — all threats that can become more dangerous when personal information is widely available in commercial databases.
Historical data underscore how exposed Californians have become. The FBI’s Internet Crime Complaint Center has repeatedly ranked California among the states with the largest number of victims and losses, while the California Department of Justice maintains a long-running breach notification database showing the steady cadence of incidents affecting residents. Separate reporting on major corporate and healthcare exposures has documented how millions of Californians can be affected at once when a single organization fails to protect sensitive records.
One of the most frequently cited examples remains the 2015 Anthem cyberattack, which affected 13.5 million Californians and exposed highly sensitive information, including names, dates of birth and Social Security numbers. More recently, Blue Shield of California disclosed that protected health information of approximately 4.7 million members had been shared with Google’s advertising platform because of a configuration error involving analytics tools. The details vary from case to case, but the pattern is familiar: once personal data is collected and retained at scale, the risks multiply.
That reality helps explain why state officials are trying to reach residents who may not think of themselves as privacy activists. In California, online life now extends well beyond shopping or social media. Public policy research has found that many residents use the internet for health and insurance tasks, remote work, education and government services. In other words, the same population being encouraged to use digital tools for essential parts of daily life is also being told that the trails of data produced by that activity can be packaged and sold in ways they neither see nor control.
Supporters of the new platform say that is precisely what makes DROP significant. California has long positioned itself as a national leader in privacy regulation, but enforcement and usability have often lagged behind legislative ambition. By creating a single state-run mechanism, California is testing whether privacy rights can be made operational at scale. If the system works as intended, it could reduce spam, unwanted solicitation and certain fraud risks for consumers while also forcing more transparency and accountability on an industry that has largely operated out of public view.
Even so, officials and privacy specialists caution that DROP is not a silver bullet. The state’s portal notes that deleting information from data brokers may change some online experiences, including reducing targeted advertising or personalized content. It also does not erase the data that consumers have voluntarily provided to companies they do business with directly, nor does it eliminate all privacy risks associated with phishing, malware, weak passwords or poor corporate security practices. What it does offer is a narrower but important form of control over one of the least visible segments of the modern information economy.
That may be why public awareness remains central to the agency’s message. State officials have said millions of Californians still do not know they can require data brokers to delete their personal information. In practical terms, the success of DROP may depend as much on outreach as on code: a privacy tool only shifts power if people know it exists, understand why it matters and trust the state enough to use it. Kemp has argued that the broader mission is to make sure no community is left out of the conversation about personal data rights.
In that sense, DROP is more than a new website. It is a test of whether privacy law can move from principle to routine practice in a state where digital exposure has become part of ordinary life. Californians have grown used to hearing about another breach, another scam campaign or another revelation that personal information has traveled farther than expected. The state is now offering a simple answer to at least one part of that problem: one request, sent once, to reclaim a measure of control. Whether that model becomes a blueprint for other states may depend on how many Californians decide that the invisible trade in their personal data has gone on long enough.
Companies in California sued by the state for data breaches from 2025-2026:
General Motors
General Motors, in a stipulated judgment, agreed to pay $12,750,000 to resolve allegations that it unlawfully sold driving and location data of California drivers that GM had collected through its OnStar connected car service, in violation of the California Consumer Privacy Act and the Unfair Competition Law. GM had been secretly selling consumer data to two data brokers to develop a product that rated drivers based on data pulled from their vehicles. Using driving data to set insurance premiums is illegal in California. Along with four District Attorneys and CalPrivacy, we found that GM had misled consumers on how GM used driving data and never disclosed the sales to data brokers. These unlawful sales, which included precise location data, also violated the CCPA’s purpose limitation and data minimization provisions. The settlement requires GM to develop and maintain a robust privacy program focusing on the risks of collecting data through OnStar and bans the company from selling driving data to any consumer reporting agencies for five years, including to data brokers like Lexis and Verisk.
Press Release (5/8/2026)
Disney
The Walt Disney Company, in a stipulated judgment, agreed to pay $2,750,000 to resolve allegations that it failed to fully effectuate consumer requests to opt-out of the sale or sharing of their personal information across its Disney+, Hulu, and ESPN+ streaming services, in violation of the California Consumer Privacy Act. Despite linking consumer devices and data for purposes of targeting consumers with ads, our investigation found that Disney failed to link those same devices and data when it came to complying with consumers’ exercise of their statutory right to opt out of targeted advertising. As a result, a consumer’s opt-out choice was not effectuated across all devices connected to the consumer’s Disney account. The settlement requires that Disney implement a comprehensive opt-out that effectuates a consumer’s opt-out choice across all Disney businesses and products associated with the consumer’s Disney account.
Press Release (2/11/2026)
Jam City, Inc.
Jam City, in a stipulated judgment, agreed to pay $1,400,000 to resolve allegations that it failed to provide methods for consumers to opt-out of the sale of their personal information in its mobile gaming apps and failed to provide sufficient privacy protections for children, in violation of the California Consumer Privacy Act. Despite collecting and sharing consumer personal information nearly exclusively through its mobile games, our investigation found that Jam City did not offer CCPA-compliant opt-outs in any of its 21 mobile apps. The investigation also found some Jam City games shared or sold the data of children between the ages of 13 and 16 without the affirmative consent required by the CCPA. The settlement requires that Jam City provide in-app methods for consumers to opt-out of the sale or sharing of their data and not sell or share the personal information of consumers at least 13 and less than 16 years old without first obtaining their affirmative “opt-in” consent.
Press Release (11/21/2025)
Illuminate Education, Inc.
Illuminate Education, Inc., in a stipulated judgment, agreed to pay $3.25 million to resolve allegations that it violated consumer protection and privacy laws arising from a 2021 data breach. Illuminate is an ed-tech company that provides software to educators to monitor and assess student academic progress. California's K-12 Pupil Online Personal Information Protection Act (KOPIPA) requires ed-tech providers to protect student data. Illuminate's unreasonable data security practices included failing to: terminate login credentials of former employees, monitor and alert for suspicious logins and activity, and secure backup databases. This allowed a threat actor to steal and delete student data including sensitive personal and medical information, such as student name, race, whether the student received special education services or reasonable accommodations, and coded medical conditions. Of the three million California students impacted by the breach, more than 434,000 had sensitive information stolen. Illuminate also made misleading statements regarding the adequacy of its student data safeguards. The settlement requires Illuminate to improve its data security safeguards, inform California DOJ of breaches involving student data, and provide reminders to school districts to perform a review of student data stored by Illuminate on the school's behalf.
Press Release (11/6/2025)
Sling TV L.L.C. and Dish Media Sales L.L.C.
Sling TV, in a stipulated judgment, agreed to pay $530,000 to resolve allegations that the app-based television streaming service failed to provide easy-to-use methods for consumers to opt out of the sale of their personal information in connection with targeted advertising, and failed to provide sufficient privacy protections for children, in violation of the California Consumer Privacy Act. An investigation found that Sling TV combined the CCPA opt-out with cookie choices in a confusing way; opting out required consumers to work through multiple steps, even for logged-in consumers; and Sling TV did not provide an opt-out method within its apps, even though a majority of Sling TV customers access its services through its apps available on various living-room devices; and unlike other streaming services, Sling TV did not offer parents the ability to set one or more user profiles as a “kid’s profile” that would limit the use of targeted advertising when children are watching. The settlement requires Sling TV to maintain a CCPA opt-out that is easy for consumers to execute, requires minimal steps, and does not require logged-in consumers to provide additional information, as well as provide parents with tools, including “kid’s profiles”, to minimize collection and use of their children’s data.
Press Release (10/30/2025)
Healthline Media LLC
Healthline Media LLC, in a stipulated judgment, agreed to pay $1.55 million to resolve allegations that its use of online tracking technology on its health information website, Healthline.com, violated the California Consumer Privacy Act. An investigation found that Healthline failed to allow consumers to opt out of targeted advertising and shared data with third parties without CCPA-mandated privacy protections — including data suggesting that a person may have a serious health condition. The settlement includes a novel term that bans Healthline from sharing article titles that reveal that a consumer may have already been diagnosed with a medical condition with third parties. Healthline must also ensure that its opt-out mechanisms work correctly, maintain a CCPA compliance program that, among other things, mandates that Healthline audits its contracts for specific, required privacy terms or confirm that third parties have signed an industry contractual framework that includes those terms, and maintain accurate online disclosures and privacy policy.
Press Release (7/1/2025)
Tilting Point Media LLC
Tilting Point Media LLC, in a stipulated judgment, agreed to pay $500,000 to resolve allegations that the mobile video game developer collected and shared children’s data without obtaining parental consent, in violation of the California Consumer Privacy Act and the Children’s Online Privacy Protection Act. Our joint investigation with the Los Angeles City Attorney’s Office revealed that in connection with Tilting Point’s popular mobile app game “SpongeBob: Krusty Cook-Off,” which is directed to children under the age of 13 as well as targeted to older teens and adults, Tilting Point’s age screen did not ask age in a neutral manner, meaning children were not encouraged to enter their age correctly to be directed to a child-version of the game. Tilting Point also inadvertently misconfigured third-party software development kits (SDKs), resulting in the collection and sale of kids’ data without parental consent. The settlement requires Tilting Point to take significant steps to prevent future improper collection and sale of children’s data and improper advertising to children in connection with all of its games directed to children, including: using only neutral age screens that encourage children to enter their age accurately; not selling or sharing the personal information of consumers less than 13 years old without parental consent, and not selling or sharing the personal information of consumers at least 13 and less than 16 years old without the consumer’s affirmative “opt-in” consent; minimizing data collection and use from children; complying with laws and best practices related to advertising to minors; and implementing and maintaining an SDK governance framework to review the use and configuration of SDKs within its apps.
Press Release (6/19/2024)
About The California Privacy Protection Agency (CalPrivacy)
CalPrivacy is committed to promoting the education and awareness of consumers’ privacy rights and businesses’ responsibilities under the California Consumer Privacy Act, Delete Act, and Opt Me Out Act.
Consumers can visit Privacy.ca.gov to access helpful and up-to-date information and tips on how to exercise their rights, protect their personal information, and learn about the Delete Request and Opt-out Platform (DROP). In addition, CalPrivacy’s website provides important information about Board Meetings, announcements, and the rulemaking process.





