Paper 2026/1421

A Cryptographic Perspective on California's Delete Request and Opt-out Platform

Aarushi Goel, Rutgers, The State University of New Jersey
Gabriel Kaptchuk, University of Maryland, College Park
Peihan Miao, Brown University
Phuoc Van Long Pham, Brown University
Satvinder Singh, Purdue University West Lafayette
Rachel E. Thomas, University of Maryland, College Park
Abstract

The California Consumer Privacy Act (CCPA) grants consumers the right to request deletion of personal data held by registered data brokers. California’s 2023 Delete Act provides a new mechanism through which consumers can exercise this right by leveraging a centralized Delete Request and Opt-out Platform (DROP), enabling users to submit a single request that must be periodically processed by all registered data brokers. Since this platform aggregates sensitive user information, it is intentionally designed with safeguards against information leakage and unauthorized disclosure. This legislation, and the system it introduces, are positioned to serve as a template for wider deployment, with copy-cat legislation already introduced in many US states. In this document, we evaluate the privacy architecture of the first-generation DROP system from a cryptographic perspective. The proposed design relies on hash-based record linkage---a widely used technique that offers heuristic rather than rigorous privacy guarantees. We begin by analyzing the inherent risks of this approach and identifying simple, lightweight modifications that can modestly improve its privacy guarantees by making it more difficult for malicious actors to exploit these vulnerabilities. We then contrast this approach with Private Set Intersection (PSI), a class of provably secure cryptographic protocols that only reveal the intended matching records and nothing more. For future iterations of DROP, we propose a comprehensive PSI-based redesign, arguing that it would substantially reduce the risk of accidental information leakage while incurring only moderate additional computational overhead. Next, we highlight how DROP presents a compelling application for advanced variants of PSI with extended functionalities and stronger security guarantees, and we outline several research directions for the cryptography community, motivated by the unique requirements of such systems. Finally, we identify systemic risks that cannot be mitigated by PSI alone and discuss potential complementary approaches for addressing these broader challenges. We hope this document serves as a common starting point for the cryptography and policy communities working to design future data deletion systems.

Metadata
Available format(s)
PDF
Category
Applications
Publication info
Preprint.
Keywords
Private Set IntersectionData deletionPrivacy laws
Contact author(s)
aarushi goel @ rutgers edu
kaptchuk @ umd edu
peihan_miao @ brown edu
phuoc_pham_van_long @ brown edu
sing1745 @ purdue edu
rthomase @ umd edu
History
2026-07-16: approved
2026-07-11: received
See all versions
Short URL
https://ia.cr/2026/1421
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2026/1421,
      author = {Aarushi Goel and Gabriel Kaptchuk and Peihan Miao and Phuoc Van Long Pham and Satvinder Singh and Rachel E. Thomas},
      title = {A Cryptographic Perspective on California's Delete Request and Opt-out Platform},
      howpublished = {Cryptology {ePrint} Archive, Paper 2026/1421},
      year = {2026},
      url = {https://eprint.iacr.org/2026/1421}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.