California DELETE Act Is Live — But Not for Your File Metadata

What the California DELETE Act Actually Does

California's DELETE Act — formally Senate Bill 362, signed by Governor Newsom in October 2023 — is the most aggressive consumer data deletion law in United States history. The core idea is elegant: instead of filing separate deletion requests with hundreds of individual data brokers (each with their own opt-out forms, verification loops, and delays), California residents can submit a single request through a state-operated platform and have it automatically forwarded to every registered data broker in the state.

That platform is called DROP — the Delete Request and Opt-Out Platform, operated by the California Privacy Protection Agency (CPPA). Consumers could start submitting deletion requests through DROP starting January 1, 2026. The enforcement deadline — the date by which data brokers are legally required to begin processing those requests — is August 1, 2026.

The mechanics matter. Data brokers must access the DROP system at least once every 45 days to retrieve deletion requests. Once retrieved, they have 90 days to complete the deletion. There's no fee for consumers. There's no account required. You submit your information once, the state handles the routing, and — assuming brokers comply — you're removed from databases you didn't even know you were in.

As of May 2026, the CPPA has finalized DROP regulations (approved November 2025), launched the enforcement strike force, and is actively pursuing non-registered data brokers. It's early days, but the infrastructure is real and the enforcement teeth are genuine. This isn't vaporware — it's the first government-operated one-stop deletion mechanism of its kind anywhere in the world.

Who Counts as a Data Broker Under This Law

Here's where the law's scope becomes critical to understand — and where a lot of coverage gets hazy. SB 362 defines a data broker as a business that knowingly collects and sells to third parties the personal information of consumers with whom the business does not have a direct relationship.

That definition captures the Spokeos, Whitepages, Acxioms, and LexisNexis Risk Solutions of the world — commercial aggregators that compile profiles of individuals from public records, purchase histories, social media scraping, and dozens of other sources, then sell that compiled profile to anyone willing to pay. It captures background check services. It captures people-finder sites. These are the entities DROP is designed to reach.

What it doesn't capture: a friend who shared a photo of you. A real estate listing that included interior photos of your home. A news article from five years ago. Your own social media posts. A document you emailed that happened to carry metadata about when and where it was created. The law is about commercial data aggregators, not about information you've already put into the world yourself.

The Gap the Law Can't Close: Your File Metadata

Here's the part that doesn't make the press releases. Every JPEG you take with a smartphone embeds, by default, a set of data fields that can include precise GPS coordinates (latitude, longitude, altitude), the exact date and time the photo was taken, the make and model of your device, and in some cases a unique identifier for that specific device. These fields are part of the EXIF standard — Exchangeable Image File Format — and they travel with the file everywhere it goes.

When you share that photo — post it to a forum, send it in an email, upload it to a listing site, drop it into a group chat — the recipient can extract that data with free tools in seconds. Jeffrey's Exif Viewer, ExifTool, any number of online EXIF readers. No specialized knowledge required. The GPS coordinates become a clickable map link automatically.

The California DELETE Act does not affect this in any way. Not because the law is poorly designed — it's well-designed for what it targets. But because the metadata in your files isn't held by a data broker. It's embedded in the file itself, and it goes wherever that file goes. There's no database to delete it from. There's no company to send a request to. Once the file is shared, the data has already reached whoever received it.

This distinction matters practically. If you've posted a thousand photos over the past decade with GPS enabled, no California law — current or proposed — gives you a mechanism to retroactively strip the location data from copies that others received. The DELETE Act can remove you from Spokeo's database. It can't remove you from the EXIF headers of files already distributed.

For a deeper look at what's actually embedded in your photos and what a skilled analyst can extract from it, our article on what OSINT experts can find in your images covers the full picture — GPS triangulation, device fingerprinting through MakerNotes, and movement pattern analysis from collections of photos.

Two Separate Privacy Layers — Both Matter

It's worth thinking about personal digital privacy as having at least two distinct layers, because conflating them leads to gaps.

The first layer is what commercial entities know about you — the data broker layer. This is the world the DELETE Act addresses. Companies that aggregate your purchase history, infer your income bracket, compile a file on your address history and relatives, and sell that profile. Powerful and invasive, but also amenable to legal remedies because it exists in databases that companies control.

The second layer is what's embedded in files you've already shared — the file metadata layer. This is GPS coordinates in vacation photos. Author names and revision histories in Word documents. Creation timestamps and software version information in PDFs. Camera serial numbers in images you've posted publicly. This layer isn't held by any single company. It's distributed across every recipient of every file you've shared.

The DELETE Act meaningfully addresses the first layer. The second layer requires individual action before sharing.

Our complete guide to photo metadata privacy covers the full technical landscape — what every field means, which platforms strip metadata and which don't, and what your actual risk profile looks like depending on how you share files.

What the DELETE Act Does Accomplish (Genuinely)

It's important not to undersell what SB 362 actually does. Before this law, California consumers already had the right under CCPA to request deletion from individual companies. The practical problem was execution: you had to find each data broker, navigate their specific opt-out process, verify your identity to their satisfaction, and repeat the process regularly because deletion rights don't always mean permanent deletion. The friction was high enough that most people never bothered.

DROP changes that calculus. One request, government-operated, reaches every registered broker simultaneously. The 45-day retrieval and 90-day completion requirement creates enforceable timelines. The $200/day penalty for non-registration gives the enforcement strike force real tools. And the opt-out scope is broader than CCPA — brokers must delete all personal information related to you, not just information collected directly from you.

For anyone who has found their personal address, phone number, and family members listed on people-finder sites they've never interacted with, this is a meaningful change. It won't eliminate all data broker activity — the enforcement challenge is real, and many brokers operate in legal gray areas — but it's the most actionable single-step deletion mechanism available to consumers anywhere.

Governor Newsom's January 2026 announcement when DROP launched framed it as a "first-in-the-nation privacy tool allowing Californians to block the sale of their data." That framing is accurate, as far as it goes. The qualifier is that "blocking the sale" of aggregated profile data is a different problem than protecting the metadata in files you choose to share personally.

What Individuals Still Control

The practical implication of this two-layer framework is that DELETE Act compliance and file metadata hygiene are complementary, not substitutes for each other.

Using DROP to remove yourself from data broker databases addresses the commercial aggregation problem. It doesn't help with the GPS coordinates in the photo you took of your new apartment and sent to twelve people. It doesn't scrub the author name from the Word document you submitted to a client. It doesn't remove the creation timestamp and software version from the PDF you distributed at a conference.

File metadata hygiene is a before-sharing problem, not an after-the-fact remediation problem. The tools exist and they're not complicated:

• For images: strip EXIF data before uploading or sending — GPS, timestamps, camera model, MakerNotes all removed in seconds using a browser-based tool
• For PDFs: remove author name, creation software, revision history, and embedded comments before distributing
• For Office documents: clean author metadata, revision history, and comment trails before sending
• For video: strip location tags and device information before sharing clips

MetaClean handles all of these formats directly in your browser — nothing leaves your device during processing. If you're new to why the file metadata layer matters beyond GPS coordinates, our article on the dangers of geotagging on social media covers the practical risks in detail.

The Forward-Looking Privacy Picture

California's legislative trajectory suggests more is coming. AB 322, which would have specifically regulated business collection and sale of precise geolocation information, was shelved by the Senate Appropriations Committee in 2025 — but the underlying concern is clearly on legislators' radar. The CCPA already treats precise geolocation as sensitive personal information subject to heightened protections when businesses collect it.

What's less clear is whether legislation can ever effectively address the file-metadata-in-personal-sharing problem. The DELETE Act works because data brokers are identifiable commercial entities with databases that can be ordered to delete records. The metadata distribution problem is fundamentally different: it's decentralized, it's embedded in files rather than databases, and the "brokers" involved are often just individual recipients — friends, colleagues, clients — not commercial entities subject to regulation.

This is why the practical advice for the foreseeable future remains: use DROP to address the commercial aggregation layer, and take personal responsibility for the file metadata layer before sharing. Waiting for legislation to solve the second problem is waiting for a law that would need to reach every inbox, every shared drive, and every personal device that ever received a file from you. That's not a solvable regulatory problem. It's a behavior problem.

The good news is that the behavior change is low-friction. Stripping metadata from a photo before posting takes roughly as long as choosing a filter. If you share files regularly — particularly photos from your phone, documents with your name in the metadata, or anything that reveals location — building this into your workflow before sharing is the complete solution.

This information is for educational purposes. While removing metadata enhances privacy, it's not a substitute for comprehensive security measures. Always review your jurisdiction's privacy laws and regulations. MetaClean processes files client-side in your browser and cannot guarantee protection against all privacy risks — use it as part of a broader privacy strategy.

Frequently Asked Questions

What is the California DELETE Act and when does it take effect?

The California DELETE Act (SB 362) is a state law that lets California residents submit a single deletion request through the state-operated DROP platform to have their data removed from all registered data brokers simultaneously. Consumers could start submitting requests through DROP on January 1, 2026, and data brokers are legally required to begin processing those requests starting August 1, 2026.

What is the DROP platform and how do I use it?

DROP (Delete Request and Opt-Out Platform) is a free, government-operated tool run by the California Privacy Protection Agency. California residents submit their information once through the platform, and DROP routes the deletion request to every registered data broker in the state. There's no account required and no cost — you can access it at privacy.ca.gov.

Does the DELETE Act remove GPS and metadata from my photos?

No. The DELETE Act targets data brokers — commercial companies that aggregate and sell your personal information. It has no mechanism to reach metadata embedded in image files, PDF documents, or other files you've personally shared. EXIF data like GPS coordinates travels with the file itself, not through any database a law can order deleted.

If I delete my data from data brokers, am I fully protected?

Partially. Removing yourself from data broker databases is a meaningful privacy step, but it addresses only the commercial aggregation layer. File metadata embedded in photos and documents you've shared represents a separate, distributed privacy risk that legal deletion requests can't reach. A complete strategy combines DROP for the broker layer with metadata cleaning for files before sharing.

Who does the DELETE Act apply to — only California residents?

The DELETE Act protects California residents, and the DROP platform is specifically for California consumers. However, data brokers subject to the law are any business that knowingly collects and sells personal information of California residents — so companies nationwide may have compliance obligations if they hold data on California consumers.

What's the easiest way to remove metadata from files before sharing?

The simplest approach is a browser-based tool that processes files locally without uploading them anywhere. MetaClean's image metadata remover and our guide to removing photo metadata before sharing cover the full process for images, PDFs, and documents — stripping GPS, author names, timestamps, and device identifiers before files leave your device.