California’s DROP Reaches 155,000 Registrations as FTC Examines Age Verification Rules

Want to receive these privacy recaps in your inbox each week? Subscribe here.

Recent developments in privacy regulation point to accelerating momentum on both data deletion and age assurance. California’s new centralized deletion and opt-out mechanism is drawing early attention from consumers and industry alike, while the Federal Trade Commission’s upcoming age-verification workshop underscores the growing complexity of compliance under COPPA and varying state laws.

Keep reading to learn more and discover my takeaways.

United States

Over 155,000 Californians have registered for DROP Deletion

The California Privacy Protection Agency’s Delete Request and Opt-out Platform (DROP), publicly available since January 1, 2026, has already received over 155,000 registrations, according to a press release from California Governor Newsom. 

TAKEAWAY

Beginning August 1, 2026, all entities meeting the definition of a Data Broker under the California Delete Act must process delete requests submitted to DROP dating back to January 1. 

Although 155,000 is less than half a percent of California’s population, the number may nevertheless raise alarms among both data brokers and those who rely on them for revenue.  This number was announced on January 20, twenty days into the registration period. The initial surge may taper, but registrants will likely continue to rise over the next 6 months and beyond. 

Unless otherwise specified, each request applies to all data brokers that process the applicable identifier type (e.g., MAID, VIN, Connected TV ID, or basic information such as email or phone number) on an ongoing basis. Therefore, once a California resident registers under DROP, that resident is opted out indefinitely across the entire data broker industry, meaning the 155,000 figure can only increase. 

United states

FTC to Hold Age Verification Workshop

The Federal Trade Commission released an agenda for its January 28 workshop on age verification. Topics include exploring the age verification landscape, applicable tools and regulations, and deploying age verification at scale. Representatives from the FTC, ICO, CNIL, certain U.S. states, and various industry stakeholders will participate.

TAKEAWAY

The Children’s Online Privacy Protection Act (COPPA), the federal children’s privacy law enforced by the FTC, currently allows “mixed audience” services (i.e., websites and online services directed to children under 13 but not as their primary audience) to conduct age verification, enabling the collection of personal information from users over 13 without parental consent. 

Age verification must be conducted neutrally, without defaulting to a set age or encouraging visitors to falsify their age. Multiple states also have laws requiring or allowing for age verification or estimation. However, the applicable age thresholds, age assurance requirements, deployment circumstances, and resulting obligations vary across jurisdictions, creating challenges for companies seeking to scale solutions nationwide. 

Although the FTC workshop itself won’t result in any short-term changes to this maze of requirements, it may influence a common understanding of reasonable age assurance, how regulators and legislators think about it in their enforcement and lawmaking efforts, and how technology evolves to reflect it.

A LITTLE MORE PRIVACY, IF YOU PLEASE

• CNIL Announces Public Consult on Advertiser Compliance with GDPR
• ICO Fines Two Companies for Sending Marketing Messages Without Consent
• 2026 data privacy trends: Predictions from the experts
• EU Digital Omnibus: Mapping supporters, critics and key arguments
• OpenAI is adding ads to ChatGPT: Can they get it right?

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.