California's DROP system: One button to rule them all
Are you building privacy controls that work at the scale California is designing for? Because "we'll handle deletion requests manually" doesn't survive a system designed to generate them by the millions.
In October I spent two days at IAPP Privacy. Security. Risk. 2025, watching practitioners wrestle with problems that didn't exist two years ago. The pattern I kept seeing: we're building AI systems faster than we're building accountability structures around them. Over the next few weeks, I'll be publishing field notes on where the handoffs are breaking down—starting with California's approach to making privacy rights actually usable.
California's privacy regulator delivered a Halloween keynote that demonstrated something unusual: solving rights enforcement through infrastructure, not just policy.
The DROP system—a deletion request platform—launches January 1. Single interface for Californians to delete their information from hundreds of data brokers at once. This is actual software, not guidance.
Privacy rights don't mean much if exercising them requires individualized requests to dozens of entities you've never heard of. California is fixing that with product design.
The second piece: AB 566 requires all browsers to support opt-out preference signals by January 1, 2027. Not optional. Not best practice. Required.
For companies, this changes the math. Either embed universal opt-out support or face 40 million Californians who can exercise their rights with a single toggle.
The regulator's background as a Silicon Valley entrepreneur who scaled a cybersecurity company to $100M+ revenue shows. The approach isn't "compliance or else"—it's building privacy controls that work for businesses too. Harmonization with other states. Consistency across California laws. Requirements companies can operationalize.
But there's pragmatism in the enforcement posture too. The agency receives 150 consumer complaints per week now—before DROP launches, before browsers widely support opt-out signals. When 40 million Californians become AI-literate about their privacy rights, those numbers spike.
The message: build this into your systems now, because the alternative is dealing with it under time pressure.
The stakes extend beyond California. Cal Privacy was created by 9.3 million voters through Prop 24—more than the combined population of ten states. The explicit opposition to federal privacy legislation that would cap state rights makes this clear: California views its framework as a floor, not a ceiling.
For legal and product teams, the question is: Are you building privacy controls that work at the scale California is designing for? Because "we'll handle deletion requests manually" doesn't survive a system designed to generate them by the millions.
The DROP system represents a shift from privacy as individual burden to privacy as infrastructural capability. That's not just a California story—it's a preview of what privacy enforcement looks like when regulators decide that serving users means giving them actual tools, not just rights on paper.
