DROP in CA
Originally, I wrote this post entitled "Failing to DROP in CA". After over a month of waiting and trying, I finally managed to file a DROP request to delete my data from 577 data brokers. The fact that it's this difficult and time-consuming is disheartening. The magical incantation on the eighth try (literally 7 failed attempts) seems to have worked. No idea what it was, because it was surely similar to the past seven.
My final thought still stands: we should pass a law that is opt-out by default. Consumers should have to opt-in to any of the data tracking, data recording, data brokering, marketing, etc. The default should be opt-out. Holding data, especially personally identifying information (PII), should be as toxic as nuclear waste or child abuse material. And breaches should be very punitive, say around $1 million per record per breach, the proceeds of which go into the CA State General Fund. Yes, now I'm making policy.
Without further ado, the original Failing to DROP in CA post:
I've now tried multiple ways to use the CA DROP Act to remove my data from data brokers. They've all failed. I'm not a lawyer, this is not legal advice. I'm just trying to exercise my legal rights. Sigh, nothing can "just work" anymore.
TL;DR: Should you do this as a CA resident? Yes. Removing data is better than not.
Let's begin, pedantically.
First, load https://consumer.drop.privacy.ca.gov where you're forced to accept the terms and conditions of Cloudflare, a third-party commercial service, to even get to the site. Of course, this is automated, unless you block WebGL and websockets (we'll return to this later) and are prompted with an endless stream of CAPTCHA requests and challenges to complete. sigh
Ok, load up a clean browser in a virtual machine. Now we get "Verified" automatically, which automatically means I've accepted the T&C apparently by loading the page? I can't read them, etc, because it all happens in a split second, so did I really agree? I have no choice if I want to get to the DROP site.
Once at the DROP page, you're forced to scroll through the entire Terms of Service. I do actually read these and put them through ToS;DR usually. In the first section, "Use of DROP", the first paragraph reads:
By submitting a deletion request through DROP, you consent to disclosure of your personal information to data brokers for purposes of processing your deletion request pursuant to Civil Code section 1798.99.80 et seq. unless or until you cancel your deletion request. Additionally, you acknowledge that data brokers receiving your deletion request will delete any non-exempt "personal information," as defined in Civil Code section 1798.140(v), which pertains to you and was collected from third parties or from you in a non-"first party" capacity (i.e., through an interaction where you did not intend or expect to interact with the data broker).
Ok, what are 1798.99.80 and 1798.140(v)? They aren't linked, so we'll have to go search for them. Of course, there are a thousand private companies that will sell you access to the laws to which you're beholden. However, the actual ca.gov site that hosts the laws is at https://leginfo.legislature.ca.gov/faces/codes.xhtml. To start, we agree to 1798.99.80, which basically defines what a data broker is. The next definition is 1798.140(v), which defines personal information and exceptions to personal information. Definition v(1) is a long definition which includes what you normally think of as "personal information", as well as some items which you probably don't think of as personal info, and then a list of what attributes are exempted from the "personal information" definition. Data Brokers can keep everything in v(1) 2(A), 2(B), and (3) as sub definitions under the v(1) definition of "personal information". Confused yet? Probably by design. I find (3) interesting, because it states:
(3) “Personal information” does not include consumer information that is deidentified or aggregate consumer information.
There is no such thing as "deidentified" information. All information in aggregate can be paired with other information in aggregate and start to build profiles. This is what k-anonymity and differential privacy techniques are designed to prevent. However, current research says k-anonymity doesn't work and differential privacy techniques are a complex matter for the talented data scientist to understand, never mind the average educated consumer.
Next we get to the paragraphs about verifying California "residency". Of course, this mentions a law code but doesn't link to it. The code is:
section 17014 of Title 18 of the California Code of Regulations as that section read on September 1, 2017
Interesting specificity there, why 01 September 2017? And where can I find this specific version? I couldn't find it, only the general regulation. Assuming we are CA residents by that definition, let's move on.
We get to the section entitled, "Third-Party Links", which I found comical.
DROP may contain links to other websites and access to content and services of third parties, including verification services provided by our contracted vendors (Third-Party Content). We exercise no control over such Third-Party Content, and the Third-Party Content is governed by the respective third party’s website terms and conditions. We are not responsible for Third-Party Content’s accuracy, completeness, or legality. By using DROP, you acknowledge and agree that your use of any Third-Party Content is at your own risk. We shall not be liable for any damages arising from your reliance on or use of such Third-Party Content.
I'll highlight one sentence there, "By using DROP, you acknowledge and agree that your use of any Third-Party Content is at your own risk." That's right, you have to use the CA DROP site, with all the included third party content, links, and forced services, but it's at your own risk. Consumer beware.
Technology Break
Let's open up developer tools and see what other third parties are stalking us while we read the ToS. Here's a screenshot of what I see just loading up the site:
Here are the details from the image:
VM7 m=el_conf:5 Uncaught TypeError: _.v is not a function
www.googletagmanager.com/gtag/js?id=G-ZLS9WVTG9N:1 Failed to load resource: net::ERR_BLOCKED_BY_CLIENT
VM26 inject-root-bundle.js:1 RSS_Basic_Detect.js: Expected contentType string
Jn @ VM26 inject-root-bundle.js:1
blazor.web.js:1
[2026-01-22T07:39:54.557Z] Information: Normalizing '/_blazor' to 'https://consumer.drop.privacy.ca.gov/_blazor'.
blazor.web.js:1
[2026-01-22T07:39:54.719Z] Information: WebSocket connected to wss://sigr-drop-prod-003.service.signalr.net/client/?hub=componenthub&asrs.op=%2F_blazor&negotiateVersion=1&asrs_request_id=
blazor.web.js:1
[2026-01-22T08:07:31.229Z] Information: Connection disconnected.
blazor.web.js:1
[2026-01-22T08:07:31.231Z] Information: Normalizing '/_blazor' to 'https://consumer.drop.privacy.ca.gov/_blazor'.
blazor.web.js:1
[2026-01-22T08:07:31.400Z] Information: WebSocket connected to wss://sigr-drop-prod-003.service.signalr.net/client/?hub=componenthub&asrs.op=%2F_blazor&negotiateVersion=1&asrs_request_id=
For a future post, I'll explain my layered approach to ad-blocking, anti-phishing, etc. For now, Google Tag Manager is blocked. What is this websocket connection? This is the wss:// link. Why does CA DROP need a websocket realtime connection to the site? And who is signalr.net? It's a library included for ASP.NET websites to send notifications to clients. You can learn more at https://en.wikipedia.org/wiki/SignalR. Ok, two third parties so far.
Even better, my browser blocked 9 ads and/or 9 trackers according to the ad blocker. Eight of these are Google Tag Manager, one is Google Translate. Still only two third-party sites, but one of them is a massive data vampire. Great </sarcasm>
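The third-party tally above can be reproduced from the console output itself. The following is an added example, not part of the original post or of the DROP site's code; the first-party suffix `privacy.ca.gov` and all function names are assumptions chosen for illustration.

```javascript
// Added example: list third-party hosts that show up in DevTools console output.
// Assumption: any host at or under this name counts as first party.
const FIRST_PARTY_SUFFIX = "privacy.ca.gov";

// Console lines copied from the post above.
const CONSOLE_LINES = [
  "VM7 m=el_conf:5 Uncaught TypeError: _.v is not a function",
  "www.googletagmanager.com/gtag/js?id=G-ZLS9WVTG9N:1 Failed to load resource: net::ERR_BLOCKED_BY_CLIENT",
  "blazor.web.js:1",
  "[2026-01-22T07:39:54.557Z] Information: Normalizing '/_blazor' to 'https://consumer.drop.privacy.ca.gov/_blazor'.",
  "[2026-01-22T07:39:54.719Z] Information: WebSocket connected to wss://sigr-drop-prod-003.service.signalr.net/client/?hub=componenthub&asrs.op=%2F_blazor&negotiateVersion=1&asrs_request_id=",
];

const ABSOLUTE_URL = /\b(?:https?|wss?):\/\/[^\s'"]+/gi;
// DevTools prints blocked resources without a scheme: "host/path:line message".
const BARE_RESOURCE = /^((?:[a-z0-9-]+\.)+[a-z]{2,})\/\S*/i;

function isFirstParty(host, suffix = FIRST_PARTY_SUFFIX) {
  // Compare on a label boundary so "notprivacy.ca.gov" is not treated as first party.
  return host === suffix || host.endsWith("." + suffix);
}

function extractHosts(lines) {
  const seen = new Map(); // host -> Set of schemes it was contacted over
  const note = (host, scheme) => {
    const key = host.toLowerCase();
    if (!seen.has(key)) seen.set(key, new Set());
    seen.get(key).add(scheme);
  };
  for (const line of lines) {
    for (const raw of line.match(ABSOLUTE_URL) || []) {
      try {
        const u = new URL(raw);
        note(u.hostname, u.protocol.replace(":", ""));
      } catch { /* not a parseable URL; skip it */ }
    }
    const bare = line.match(BARE_RESOURCE);
    if (bare) note(bare[1], "unknown"); // scheme is not shown in the console line
  }
  return seen;
}

function thirdPartyReport(lines, suffix = FIRST_PARTY_SUFFIX) {
  return [...extractHosts(lines)]
    .filter(([host]) => !isFirstParty(host, suffix))
    .map(([host, schemes]) => ({ host, schemes: [...schemes].sort() }))
    .sort((a, b) => a.host.localeCompare(b.host));
}

console.log(thirdPartyReport(CONSOLE_LINES));
```

The console only shows requests that logged something, so the Network tab or a HAR export gives a fuller list than this does.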
Back to the Process
So we get through it all and we press the "I accept" button. We're taken to the "Verify you're a California resident" page. There are two buttons "Use personal information" and "Use Login.gov". Let's pick one.
When *I* click on "Use personal information", the page turns gray and nothing happens. In digging through developer tools again, I find there's supposed to be a modal overlay that says,
The personal information you enter here will only be used to help determine you are a California resident. The information will not be shared or stored after verification.
However, I see nothing. There are apparently two buttons on this overlay. The overlay doesn't work because it's served up by a Google Tag Manager URL. Ugh. I have to completely disable the adblocker to get the modal overlay to even show up. I do this and now load the "Use personal information for identity and residency verification" web page, which is a form asking for some personal information so they can verify I'm a CA resident. I enter my information and use an email for the code I'm supposed to receive. The email never arrives.
Start over, go through the whole process and enter a phone number. I receive the verification code, enter it and
We couldn't verify you're a California resident.
This is the same information on my driver's license, my mailing address, my FTB information, and well, everything. If I don't pay taxes, you'll be guaranteed the State of CA will verify I'm a CA resident and hunt me down. However, none of this is good enough for CA DROP. sigh.
If I click the "try another way" button, it resets my session and I start over. If I click the residency review assistance link, it takes me to a form to fill out to request a review. I fill out the form and get a nice note:
Our agency will do our best to reach out to you by email within two weeks.
Two weeks pass: I never hear from CA DROP via email.
The Other Way
There were two buttons on the page after "I accept" was clicked. Let's try Login.gov now.
After logging into my account, I'm told to either click on a link on a mobile phone or print a QR Code to take to the Post Office for them to verify I am who I say.
Why do I have to upload a driver's license via a mobile browser only? My login.gov account was good enough for the IRS to hunt me down, but not good enough for CA residency? sigh. I will never upload an ID to the Internet, especially when it's hosted by some third party service who promises not to store or lose the image. We've all seen how well that goes for everyone involved--spoiler, they all store the data forever in some insecure manner and then are just SHOCKED when the copies of IDs are leaked everywhere. Until I can replace my face, or replace my "government ID" with ease, I don't upload my identification documents anywhere.
So here we are, I can't use CA DROP as it is now. I'm guessing this is the desired plan. Maybe I should lobby for a law to enforce opt-out by default for everything online.
