
How the DROP 45-day deletion cycle works

2 min read · DROP Privacy

What is the 45-day deletion cycle?

Under the California Delete Act (SB 362), a registered data broker must process the deletion requests submitted through the state's Delete Request and Opt-out Platform (DROP) at least once every 45 days — and keep doing it indefinitely. It is not a one-time cleanup; it is a standing operational cycle. Here is what one full cycle actually involves, stage by stage.

Stage 1 — Download the DROP batch

Each cycle begins by pulling the outstanding request file from the state's DROP platform. This file represents every consumer who has asked to be deleted and is accessible to your business. The batch grows over time as more consumers opt in, so each cycle's input is different from the last.

Stage 2 — Match against your data

The batch is then matched against your consumer records. This is the hardest part at scale: a broker may hold hundreds of millions of records, and the match has to be accurate and reproducible every time. Done well, matching happens on normalized, salted hashes rather than raw identifiers — so the comparison never requires moving consumer personal information around. We cover that in detail in honoring deletion requests without exposing PII.

Stage 3 — Decide each record

Every matched record gets a status:

The decision rules differ by broker, so they should be configurable per business without changing the underlying engine.

Stage 4 — Respond and suppress forward

You then answer through the DROP API, delete the matched consumers' data, and add each one to a forward-suppression list so their future records are rejected automatically — you do not want a deleted consumer to quietly reappear in next month's import and get resold.

Why does suppression have to continue after deletion?

Because the Delete Act treats a deletion as an ongoing opt-out, not a single event. If you delete a consumer today and re-acquire them next week, you are out of compliance again. Suppression is what makes the deletion stick.

Stage 5 — Prove it

Finally, every state-changing action is written to a hash-chained, tamper-evident audit log, which backs a proof-of-deletion lookup and a printable attestation. When an auditor asks "show me that you deleted this consumer," you have a defensible record — not a screenshot.

The cycle must be idempotent and resumable: re-running it should never double-delete or double-respond, and a crash mid-cycle should pick up where it left off. A process that "mostly works" compounds risk every 45 days.
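
One way the hash-chained audit log and the idempotent re-run described above could fit together, as an added example rather than DROP Privacy's own code. The field names, the genesis value, and the idempotency key (cycle, subject hash, action) are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed fixed anchor for the first entry


def _digest(prev_hash, body):
    # Canonical JSON so the same entry always hashes to the same value.
    canon = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canon).encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only log; each entry commits to the hash of the one before it."""
    def __init__(self):
        self.entries = []
        self._seen = {}  # idempotency key -> index into entries

    def append(self, cycle_id, subject_hash, action):
        key = (cycle_id, subject_hash, action)
        if key in self._seen:  # re-run or resume after a crash: no duplicate
            return self.entries[self._seen[key]]
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "cycle": cycle_id,
                "subject": subject_hash, "action": action}
        entry = dict(body, prev=prev, hash=_digest(prev, body))
        self._seen[key] = len(self.entries)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return the index of the first entry that breaks the chain, or None."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: e[k] for k in ("seq", "cycle", "subject", "action")}
            if e["seq"] != i or e["prev"] != prev or e["hash"] != _digest(prev, body):
                return i
            prev = e["hash"]
        return None


def demo():
    log = AuditLog()
    # Constructed sample: subjects stand in for salted hashes, not raw identifiers.
    for subject in ("a3f1", "9c0e", "77b2"):
        log.append("cycle-0001", subject, "deleted")
    log.append("cycle-0001", "9c0e", "deleted")   # replayed step is a no-op
    intact = log.verify()
    log.entries[1]["action"] = "not_found"        # simulated after-the-fact edit
    return len(log.entries), intact, log.verify()
```

A chain like this only exposes tampering if the latest hash is also recorded somewhere the log's writer cannot alter, since anyone able to rewrite every entry can recompute the whole chain.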

Running it without building it

This is exactly the cycle DROP Privacy automates: download, match, decide, respond, suppress, and prove — on a schedule, from a background worker, without consumer PII leaving your systems. See the 2026 compliance timeline for the deadlines, or request a demo to watch a full cycle run end to end.
