California’s DROP Hits 258K Registrations & Europe Tackles Age Assurance: Privacy Roundup

Want to receive these privacy recaps in your inbox each week? Subscribe here.

California’s data deletion platform, DROP, has surpassed 258,000 registrations ahead of its August 2026 compliance deadline. A milestone that signals growing consumer awareness even as data brokers brace for significant operational demands. Meanwhile, regulators in Spain and the UK have each issued age assurance guidance this week, revealing a striking divergence between the EU’s flexible, risk-based approach and the UK’s more prescriptive framework for protecting minors online.

Keep reading to learn more and discover my takeaways.

United States

Over 258,000 Californians have registered for DROP

In a press conference, Delete Act author Senator Josh Becker and CalPrivacy Executive Director Tom Kemp announced that registrations for the Delete Request and Opt-Out Platform (DROP) have “exceeded expectations,” reaching 258,000 as of March 24, 2026.

TAKEAWAY

DROP is a central mechanism provided by CalPrivacy that enables users to request the deletion of their personal information across all or a subset of registered data brokers. Data Brokers (as broadly defined by the Delete Act) were required to create an account in the DROP system by January 1, 2026. As of August 1, 2026, they will be required to honor requests submitted by California users dating back to January 1, 2026.

Failure to comply may result in a $200 penalty for each day a data broker fails to delete a request submitted to DROP.  Although 258,000 is less than 1% of all Californians, the operational lift of honoring 258,000+ requests may be significant for some companies. CalPrivacy has publicly indicated it will provide additional guidance and resources to support data brokers’ compliance with DROP between now and the August 1 deadline. 

Europe

Age Assurance Guidance Issued in Spain and UK

The Data Protection Authorities in Spain (AEPD) and UK (ICO) both issued guidance this week on using mechanisms to verify or estimate user age. The article published jointly by the AEPD and the Spanish National Markets and Competition Commission (CNMC) largely repackages guidance previously issued by the European Commission, whereas the ICO guidance presents a framework derived from the UK GDPR, Children’s Code and ICO policy positions.

TAKEAWAY

Juxtaposition of the guidance highlights the fundamental differences between the UK and EU age assurance models. Notably, the ICO guidance is more prescriptive, requiring services likely to be accessed by children to either design the entire service for children or implement robust age assurance to exclude them, pushing toward verification rather than estimation or self-declaration. The EU guidance, on the other hand, allows for more flexibility based on a risk assessment dictating where age assurance is needed and how strong it needs to be. 

A LITTLE MORE PRIVACY, IF YOU PLEASE

• First- and zero- party data: the marketers guide to privacy-first data collection
• What is the average consent rate in Europe in 2026?
• The French DPA’s (CNIL) 2026 consent priorities
  
  
  

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.