I operate on the presumption that any organization that has my personal data will leak it at some point in time, whether on purpose or on accident. To that end I limit who I give personal information too. That includes the DROP administrators.
At least the CAN SPAM act doesn't involve giving data to anyone, instead replying to someone who already has your data, and even that risks confirming the validity of your data to a bad actor.