Hello all, and happy Thursday!
It’s the new year, and California is once again leading the charge with new privacy innovations.
I could cover the recent CCPA amendments that went into effect with the new year, but I actually wanted to focus on the DROP tool, which was released on New Year’s Day.
The tool serves as a single portal that Californians can use to request the deletion of their data from the state’s over 500 data brokers. Every data broker that receives a request from DROP will have to action it in their own way, but DROP’s centralization of the request submission is part of a broader pattern.
For example, California’s Digital Age Assurance Act centralizes age verification with OS and app store developers. Another example is the global push toward the GPC and other browser-level opt-out mechanisms.
Pushing privacy operations further upstream–whether that’s on a government website, an app store, or a user’s browser–is a smart move that reduces the burden of compliance on businesses and improves the user experience overall.
The DROP tool only centralizes data broker deletion requests. But it makes me wonder: Would it be possible for all subject rights requests to be handled further upstream, whether that’s in the user’s browser or on a government portal?
Maybe someday. For now, subject rights portals are still the purview of individual businesses.
Best,
Arlo
P.S. Osano is looking for a Senior Platform Product Manager to join our team! This role will lead the development of Osano’s platform capabilities and will be central to how every Osano product ships, scales, and differentiates. If you or someone in your network would be a good fit, you can find more about the role and apply here.
Highlights From Osano
Blog: 5 Emerging Data Privacy Trends in 2026
2026 is here, and with it, a whole new privacy landscape to contend with. What emerging trends, patterns, and challenges do privacy pros need to watch out for in order to survive and thrive in the new year? Find out in our blog.
Webinar: Untangling 2026 Privacy: New Laws, Amendments, Enforcement, and More
Feel like privacy compliance has got you tied into knots? You’re not alone. 2025 was a hectic year for privacy and compliance professionals, and 2026 promises to present even more challenges. On our January 15th webinar, we’ll break down everything you need to know to stay compliant in 2026. Attendees will be eligible to earn 1 CPE credit.
Save your seat | January 15th, 1 pm EST
Podcast: What Businesses Get Wrong About Regulators and How to Fix Privacy Fast
On this episode of the Privacy Insider Podcast, Arlo speaks with data protection commissioner Brent Homan of the Office of the Data Protection Authority. Learn how regulators are approaching enforcement, what privacy by design can look like in the age of AI, and how to actually protect children’s privacy.
Blog: AI Compliance: Why Artificial Intelligence Systems Pose Risk & How to Contain It
AI compliance is an area of ongoing development for regulations. What does the current state of AI compliance look like, and how can businesses get proactive when it comes to containing this emerging risk?
On the last day of 2025, the FTC announced it had secured a $10 million settlement from Disney for COPPA violations. By failing to label certain videos uploaded to YouTube as “Made for Kids,” Disney collected the personal data of children under 13 for use in targeted advertising.
Californians can now use a government website to request that certain companies stop selling their personal information online. The DROP website, which stands for the “Delete Request and Opt-Out Platform,” launched on New Year’s Day as part of a state law aimed at enhancing data privacy.
2026 promises to be a highly active year for state privacy enforcement. As of 1 Jan., effective dates for a slate of California privacy measures and comprehensive privacy laws in Indiana, Kentucky, and Rhode Island kick in. Find summaries of the new year’s new requirements here.
France's data protection authority, the CNIL, has imposed a €1.7 million fine on software company Nexpublica for GDPR violations that led to a significant data breach. Despite being aware of vulnerabilities in a software tool used by social service providers, the company failed to implement adequate security measures. Much of the exposed data was highly sensitive, revealing personal disability information.
The Trump administration has issued demands to 43 countries participating in its Visa Waiver Program (VWP), insisting on unprecedented access to their police databases, including biometric information such as fingerprints and facial images.
There's more to explore:
We go deeper into additional privacy topics with incredible guests monthly. Available on Spotify or Apple.
Join our official subreddit to stay up to date on the latest news, analysis, guidance, and content from Osano!
The book inspired by this newsletter: Osano CEO, Arlo Gilbert, covers the history of data privacy and how companies can start building a privacy program from the ground up. More details here.
If you’re interested in working at Osano, check out our Careers page!