How California's DROP innovation could be leveraged to create a single European transparency, security & consent platform.
California's Delete Request and Opt-out Platform (DROP) is an admirable example of what can be achieved when technical, administrative and legal expertise cooperate to improve online privacy. When the service is activated in August 2026 Californians will not only be able, at a centralised location, to easily opt-out of having their personal information shared or sold by some or all registered Data Brokers, but also have already collected data deleted.
Under California's Delete Act a business that operates as a "Data Broker", defined as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship”, must register with the Califoria Privacy Protection Agency and pay an annual fee.This broad definition covers all businesses that operate third-party content that communicates personal information, such as the unique identities held in cookies or other browser storage.
Those fees also fund the now available DROP platform, allowing consumers to direct all registered data brokers to delete their personal information with a single request.
546 businesses are currently registered, though this is a tiny minority of the companies that will eventually have to register. They not only have to give all their affilated "doing business as" names but also all the website domains (e.g. main domains and subdomains) that appear as third-party content on the websites that use them. It is now possible to identify data brokers, or at least the registered ones, when their URLs are detected embedded on websites.
Websites that include such third-party content must also ensure that personal information gathered from opted-out users, including those whose browsers send the DNT or Sec-GPC request headers, or other recognised opt-out mechanisms, is not shared with data brokers. This is even more important given that so many third-parties on websites have yet to register.
If this "registry" approach were to be emulated in Europe, it could help create a single platform to improve privacy and data protection rights for Europeans, while reducing onerous regulatory burden - especially on small business.
- The registry could be extended to a wider set of organisations, i.e. any controller or processor who processes Europeans' personal data online. It is currently very difficult to determine what companies control the embedded content on European web or mobile applications because domain name data is often purposely redacted, and the information provided by the controllers responible for the containing websiites is often inaccurate, or they may not be aware of its ultimate purpose.This information should be easily available to anyone who needs it - such as the data subject themselves, or supervisiory authorities.
- The register would not only identify the processor or controller, but also describe the proposes for processing - including what cookies and other storage items ere in use, their expiry etc. It would be declared and updated by the controllers themselves so more useful and hopefully more accurate.
- Data Brokers, defined similarly to the DROP definition “a controller or processor that processes the personal data of persons with whom it does not have a direct relationship”, would be required to monitor the service and pay a fee, as in DROP. Other controllers and processors would perhaps only be required to keep the register information about them updated.
- The service should not only support the centralised ability to opt-out but also the ability for a data subject to opt-in, i.e. give consent as per Article 6.1(a), and not only to whether the data is shared or sold, but any processing of it - in line with European data protection principles.
- A database containing the minimised identity data of opted-in data subjects is likely to be much smaller than one containing all those that wish to opt-out under the limited legal basis of legitimate interest, making it easier to scale the service to the 95% of European households with internet access, at least an order of magnitude larger than the database used to support California's DROP service.
- There could be a duty on web browsers, similar to provisions in the draft ePrivacy Regulation, to use the new service to limit the transmission of data to not opted-in (or in some circumstances opted-out) controllers or processors, combining it with the duty laid out in the European Commission's Data Omnibus proposal "for automated and machine-readable indications of individual choices and respect for those indications".
- There should also be a duty on all processors and controllers to become registered, and for data brokers to additionally pay a fee which can support the operation of the service.
Some suggested amendments to the European Commission's Digital Omnibus
The European Commission's Digital Omnibus Proposal has been rightly criticized by NOYB and others but even so it usefully incorporates some of the improvments recommended in the European Parliament's 2017 draft of the ePrivacy Regulation for duties on web browsers and similar software providers for the use of automated means and machine-readable indications. The following are our suggested amendments to these provisions in order to incorporate and improve on California's DROP concept.
Add a new Definition in Article 4:
(27) ‘data broker’ means a controller or processor that processes the personal data of persons with whom it does not have a direct relationship
Replace paragraph 6 and 7 of Article 88b in the European Commission's Digital Omnibus Proposal with the following paragraphs 6a and 7a, and add the following further paragraphs 8, 9 and 10.
(6a) The Commission shall request [one or more competent authorities such as supervisory authorities, the European Data Protection Supervisor (EDPS), the European Data Protection Board (EDPB), or the European Data Innovation Board (EDIB)] to establish a registry of controllers declaring information, including that described in paragraph (1) of Article 30, in order to provide a service whereby European residents can easily give their consent for the processing of their personal data in conformity with Article 7, exercise their right to object pursuant to Article 21(2), and their right to erasure pursuant to Article 17(1), to one or more of the registered processors and controllers, and the appropriate information is made available, in a way conformant with the principles of Article 5 including the data-minimisation principle, to the registered processors and controllers, and to web browsers pursuant to paragraph 9 of this Article,
(7a) Controllers, who do not have a direct relationship with the data subjects whose data they process, are required to be listed in the registry established pursuant to paragraph 6a, declare the required information including that described in Article 30(1), and continue to ensure in a timely manner the accuracy of this information .
(8) Providers of web browsers, which are not SMEs, shall provide the technical means to allow data subjects to give their consent, refuse a request for consent or exercise the right to object pursuant to Article 21(2) through the automated and machine-readable means referred to in paragraph 1 of this Article, as applied pursuant to paragraphs 2 to 5 of this Article.
(9) Providers of web browsers, which are not SMEs, shall provide the technical means whereby the information provided under paragraph 6a of this Article is accessed, in order to generate the appropriate machine-readable indications conformant with the standards drafted in accordance with paragraph 4 of this Article, and, to the maximum extent possible, implement appropriate automated means to fulfil the lawfulness of processing principles laid out in Article 6.
(10) Paragraphs 6 and 7 shall apply from [OP: please insert the date = 12 months following the date of entry into force of this Regulation]. [N.B. we suggest, that the provisions should be in force after 12 months rather than the proposed overly relaxed 48]