> Before submitting a deletion request, you will be required to verify you are a California “resident,” as defined in section 17014 of Title 18 of the California Code of Regulations as that section read on September 1, 2017. Verification is made with assistance from state contracted third-party vendors, including Socure and Login.gov, through the California Identity Gateway.
It really depends on the quality (strenght of the teeth, willingness to use it) of the regulator here; we have a lot of similar situation in EU/France and it's always a case that either it creates a new right or it creates a moat, depending on the enforcer.
This is a very good example of the difference between a left policy and a liberal policy (actually neoliberal to be precise).
The left policy would have been to have some agency within the california government which ultimately does the verification... because why would you outsource that task to a 3rd party?
The neoliberal policy is "Well, we don't want to spend the time to set this up, so let's just pay 10 companies with some taxpayer money to do the job we really should do ourselves".
So now the government has all my data and looks at it constantly to avoid it being available to private companies? Sounds like the worst situation possible.
No shit. All data brokery is a poison pill to justify itself. Until you illegalize the entire damn endeavor, it'll find a way to justify it's own existence through malicious compliance.
I would assume so. It's sort of a catch 22 because if they delete your data, they have no way of knowing about you when they buy another batch of data. To have some sort of no track list, they have to keep your data.
I'm also skeptical it will have any real effect. The law requires them to process deletion requests at a 45 day interval:
> Data brokers are required to process deletion requests at least once every 45 days beginning August 1, 2026.
But what if Broker A (based in CA) has a contract with Broker B, who doesn't do business in CA, to sync data once a day. Now Broker A will have your data on 44 out of 45 days and still be fully compliant with the law. Furthermore, it's not difficult to figure out when that 45 day interval comes up, so I would expect customers to figure that out and time their purchases accordingly.
> I would assume so. It's sort of a catch 22 because if they delete your data, they have no way of knowing about you when they buy another batch of data. To have some sort of no track list, they have to keep your data.
They could store a normalised, hashed version of your data and use it to filter any incoming datasets. But, of course, why would they?
You can see this in action today, if you make the effort to manually remove yourself from data brokers.
Some of the brokers do offer an easy removal process and will handle your request right away, but then your record will reappear after some amount of time, obviously purchased from another broker.
I would not be surprised to discover that these individual brokers are, in fact, owned by the same entity and they merely exchange records periodically.
This is the reason that I choose to use Optery. They have the bandwidth and tools to chase my records on my behalf, for as long as I pay them.
> I would assume so. It's sort of a catch 22 because if they delete your data, they have no way of knowing about you when they buy another batch of data. To have some sort of no track list, they have to keep your data.
If I ever stumble upon such an obvious oversight/loophole, I find it's best to not immediately stop, but to ask: "How do they intend to solve this?"
In this case, the first part of the terms of use solves your conundrum:
> By submitting a deletion request through DROP, you consent to disclosure of your personal information to data brokers for purposes of processing your deletion request pursuant to Civil Code section 1798.99.80 et seq. unless or until you cancel your deletion request. Additionally, you acknowledge that data brokers receiving your deletion request will delete any non-exempt "personal information," as defined in Civil Code section 1798.140(v), which pertains to you and was collected from third parties or from you in a non-"first party" capacity (i.e., through an interaction where you did not intend or expect to interact with the data broker).
California also requires data brokers to register with the state, creating the (intended) possibility of removing your info fully from all brokers all at once
I still think data brokers will not fully delete the data and would make it available or sell it elsewhere. Data should not be in the hands of these companies in the first place but I guess the cat's out of the bag. They should not collect data deemed sensitive and they should be fined heavily at least to deter wrongdoing.
Much of the data is just scraped from public records that aren't going away. (Yes, collection/resale of those records should be restricted...there is good reason for some types to at least be available)
I tried this yesterday (Saturday). I went through two pages of forms and two rounds of SMS 2FA only for it to reject the 2FA codes on the second page. I gave up because I try not to allocate too much energy toward fighting losing battles.
By that time the data brokers might have sold off the data to others outside USA. may they already have. This is just US law, it will not affect India, China, Russia, etc data brokers
- This needs teeth and they should inform you of what to do if you find out they ignored the request and what penalties they will receive. Tell people they can aid in the enforcement and I bet they will.
- I understand why the residency requirement is there but it just bums me out.
- The language is wrong. People are people, not 'consumers': "...In addition, the consumer must first have their residency verified as described in the Use of DROP section above..."
"consumer" is the language in the CCPA (which had its origins in a ballot initiative); most general privacy laws in the states are designed as consumer protection laws rather than civil rights like in the EU.
Which will never happen in a million years with the current regime. Which is exactly why corporations put them there -- to ensure industry will not be regulated (unless you're not paying protection money).
I always wondered about a possible loophole in opt-out.
Could you create legal entities fast/cheap enough and delay compliance long enough so that any private data, requested for deletion, can be transfered from the old opted-out entity to the new one, over and over again?
This could render the entire opt-out approach useless, right? Because in order to reach your goal of deletion, you must get ahead of the transfer curve.
I don't see them being on the resident's side when it comes to something as valuable as data.
I agree with you on this. They'll play the loop hole long enough that by then your data has conjoined and transverses into some other data: it has served it's purpose.
For people in general these data brokers are a primary source of information for spammers, both political and semi-targeted. So they share responsibility for making calls from unknown numbers useless.
Depends on what kind of life you live, daily. If you're totally inoffensive and not being bold about anything, not interacting with people in meaningful way, such that no one could possibly be motivated to use the information to track you down and hurt you, then, practically speaking, you're too boring to be of note. But if you are interesting to someone. Maybe you're the other person in an affair, or you're active online in some sort of fashion; if you stick out in some way, then they, whomever you've pissed off, is gonna track you down thanks to such data leaks. Personally, an ex girlfriend just got into a fight with her latest beau, and for some reason I came up, and he was able to track me down to tell me exactly what he thought about I don't know what. Not having that information out there would make me safer when the woman at the bar I made out with turns out to be married to a jealous and violent police officer.
Glad this exists but skeptical about enforcement, particularly for any data broker hosting outside of the US.
My phone number is on the national Do Not Call registry and that isn't stopping me from getting 1-2 calls a day from loan scam companies (and they are literally calling from a different phone number every time, so there's no real way to block them).
Indeed. The CCPA is welcome, but this explicit opt-out just means that only broccoli of the technical caliber that frequents HN will realistically benefit from the law. This needs to go a step further and make opt-out the default for all to benefit. And it is the social duty of the technical broccoli that understand these things that need to push this for everyone's benefit.
Are you willing to take a significant salary cut to benefit people?
All the big tech companies, Google, Meta, Netflix, etc make a huge amount of money by using Ads to push things people don't need onto them, brainwashing people. This brainwashing is massively more effective with data-collection.
If tech companies didn't hoard and sell people's data, the brainwashing would be less profitable, Google would pay lower salaries, and the entire industry's salaries would go down as a result.
Salaries in the US might drop from ~$500k to $250k for an average software engineer. Would you be willing to take that sort of cut?
You could also "vote with your feet" and move to europe where the GDPR protects everyone like you want, and your salary will drop to maybe $100k USD.
You also have to live somewhere for the majority of the year to be a resident. I would assume GP has responsibilities elsewhere that make it impossible to be a resident
The tax savings (let alone cost of living savings) of avoiding California for most readers of this comment would pay for a professional data removal service 100x.
I feel like the definition of what counts as a data broker and also the idea of information “directly collected” will be abused.
Regardless, it’s a good step. I would also like to see long term liability for security breaches, including lifelong compensation for identity theft and stuff. And for it to be applied retroactively.
The webform can't be completed becaus erequired Date of Birth can only be input by selecting from a calendar widget which requires paging back 12 times per every year ylu've been alive. This is one more cynical bad faith ruse from advertisers.
You can go back by the year. Though I ended up hitting another roadblock down the road yesterday. So, I am currently waiting a couple of weeks for the flow to be functional.
> Before submitting a deletion request, you will be required to verify you are a California “resident,” as defined in section 17014 of Title 18 of the California Code of Regulations as that section read on September 1, 2017. Verification is made with assistance from state contracted third-party vendors, including Socure and Login.gov, through the California Identity Gateway.
I'm seeing a problem here...
It really depends on the quality (strenght of the teeth, willingness to use it) of the regulator here; we have a lot of similar situation in EU/France and it's always a case that either it creates a new right or it creates a moat, depending on the enforcer.
Ah California.
This is a very good example of the difference between a left policy and a liberal policy (actually neoliberal to be precise).
The left policy would have been to have some agency within the california government which ultimately does the verification... because why would you outsource that task to a 3rd party?
The neoliberal policy is "Well, we don't want to spend the time to set this up, so let's just pay 10 companies with some taxpayer money to do the job we really should do ourselves".
So now the government has all my data and looks at it constantly to avoid it being available to private companies? Sounds like the worst situation possible.
1 reply →
No shit. All data brokery is a poison pill to justify itself. Until you illegalize the entire damn endeavor, it'll find a way to justify it's own existence through malicious compliance.
No, see they are unhackable because they are government contractors. /s
Additional context:
https://cppa.ca.gov/regulations/pdf/20260101_ccpa_statute.pd...
https://cppa.ca.gov/regulations/pdf/ccpa_statute_eff_2026010...
https://cppa.ca.gov/data_broker_registry/
https://cppa.ca.gov/announcements/
Here's hoping other states follow suit.
How does this work over time?
Do you have to keep submitting this every month as they recollect your info from databases in other states?
Seems great in concept but I am skeptical this will change much.
Data doesn't respect state lines.
I would assume so. It's sort of a catch 22 because if they delete your data, they have no way of knowing about you when they buy another batch of data. To have some sort of no track list, they have to keep your data.
I'm also skeptical it will have any real effect. The law requires them to process deletion requests at a 45 day interval:
> Data brokers are required to process deletion requests at least once every 45 days beginning August 1, 2026.
But what if Broker A (based in CA) has a contract with Broker B, who doesn't do business in CA, to sync data once a day. Now Broker A will have your data on 44 out of 45 days and still be fully compliant with the law. Furthermore, it's not difficult to figure out when that 45 day interval comes up, so I would expect customers to figure that out and time their purchases accordingly.
> I would assume so. It's sort of a catch 22 because if they delete your data, they have no way of knowing about you when they buy another batch of data. To have some sort of no track list, they have to keep your data.
They could store a normalised, hashed version of your data and use it to filter any incoming datasets. But, of course, why would they?
9 replies →
You can see this in action today, if you make the effort to manually remove yourself from data brokers.
Some of the brokers do offer an easy removal process and will handle your request right away, but then your record will reappear after some amount of time, obviously purchased from another broker.
I would not be surprised to discover that these individual brokers are, in fact, owned by the same entity and they merely exchange records periodically.
This is the reason that I choose to use Optery. They have the bandwidth and tools to chase my records on my behalf, for as long as I pay them.
> I would assume so. It's sort of a catch 22 because if they delete your data, they have no way of knowing about you when they buy another batch of data. To have some sort of no track list, they have to keep your data.
If I ever stumble upon such an obvious oversight/loophole, I find it's best to not immediately stop, but to ask: "How do they intend to solve this?"
In this case, the first part of the terms of use solves your conundrum:
> By submitting a deletion request through DROP, you consent to disclosure of your personal information to data brokers for purposes of processing your deletion request pursuant to Civil Code section 1798.99.80 et seq. unless or until you cancel your deletion request. Additionally, you acknowledge that data brokers receiving your deletion request will delete any non-exempt "personal information," as defined in Civil Code section 1798.140(v), which pertains to you and was collected from third parties or from you in a non-"first party" capacity (i.e., through an interaction where you did not intend or expect to interact with the data broker).
CloudFlare just decided I’m not a person, so I’m unable to access the website.
They decided that my niche phone's stock browser is not good for internet oligopolies.
This was already the law, correct? The change here is that California now provides its own platform for submitting requests?
California also requires data brokers to register with the state, creating the (intended) possibility of removing your info fully from all brokers all at once
Or these databrokers just won’t setup bank accounts or offices in the state and tell CA to go screw itself?
2 replies →
I still think data brokers will not fully delete the data and would make it available or sell it elsewhere. Data should not be in the hands of these companies in the first place but I guess the cat's out of the bag. They should not collect data deemed sensitive and they should be fined heavily at least to deter wrongdoing.
Much of the data is just scraped from public records that aren't going away. (Yes, collection/resale of those records should be restricted...there is good reason for some types to at least be available)
I tried this yesterday (Saturday). I went through two pages of forms and two rounds of SMS 2FA only for it to reject the 2FA codes on the second page. I gave up because I try not to allocate too much energy toward fighting losing battles.
> Processing begins August 1, 2026.
By that time the data brokers might have sold off the data to others outside USA. may they already have. This is just US law, it will not affect India, China, Russia, etc data brokers
I love the idea. A few thoughts though:
- This needs teeth and they should inform you of what to do if you find out they ignored the request and what penalties they will receive. Tell people they can aid in the enforcement and I bet they will.
- I understand why the residency requirement is there but it just bums me out.
- The language is wrong. People are people, not 'consumers': "...In addition, the consumer must first have their residency verified as described in the Use of DROP section above..."
"consumer" is the language in the CCPA (which had its origins in a ballot initiative); most general privacy laws in the states are designed as consumer protection laws rather than civil rights like in the EU.
I’d love to have a federal version of this.
Which will never happen in a million years with the current regime. Which is exactly why corporations put them there -- to ensure industry will not be regulated (unless you're not paying protection money).
The previous regime, and the one before that didn’t do it either, so I think the obstacle might be something more systemic.
There is only one sensible default, and that is opt-in. Requiring submission of a request to opt-out is never an acceptable solution.
I always wondered about a possible loophole in opt-out.
Could you create legal entities fast/cheap enough and delay compliance long enough so that any private data, requested for deletion, can be transfered from the old opted-out entity to the new one, over and over again?
This could render the entire opt-out approach useless, right? Because in order to reach your goal of deletion, you must get ahead of the transfer curve.
I don't see them being on the resident's side when it comes to something as valuable as data. I agree with you on this. They'll play the loop hole long enough that by then your data has conjoined and transverses into some other data: it has served it's purpose.
I signed up for it (took about 5 minutes). I'm cautiously optimistic about it having positive return on that investment.
One of the best things I have done is sign up for DMAchoice and optoutprescreen.com which has completely stopped junk mail for me.
Curious, practically speaking, how much does this impact people's lives daily?
Asking as a non-ca resident.
For people in general these data brokers are a primary source of information for spammers, both political and semi-targeted. So they share responsibility for making calls from unknown numbers useless.
Depends on what kind of life you live, daily. If you're totally inoffensive and not being bold about anything, not interacting with people in meaningful way, such that no one could possibly be motivated to use the information to track you down and hurt you, then, practically speaking, you're too boring to be of note. But if you are interesting to someone. Maybe you're the other person in an affair, or you're active online in some sort of fashion; if you stick out in some way, then they, whomever you've pissed off, is gonna track you down thanks to such data leaks. Personally, an ex girlfriend just got into a fight with her latest beau, and for some reason I came up, and he was able to track me down to tell me exactly what he thought about I don't know what. Not having that information out there would make me safer when the woman at the bar I made out with turns out to be married to a jealous and violent police officer.
or if you just don’t want manosphere, conspiracy, gender war and partisan echo chamber content, this is a way to reset the algorithm
2 replies →
The word "request" sounds very passive, but it seems data brokers actually have to abide to be in accordance with the law?
Glad this exists but skeptical about enforcement, particularly for any data broker hosting outside of the US.
My phone number is on the national Do Not Call registry and that isn't stopping me from getting 1-2 calls a day from loan scam companies (and they are literally calling from a different phone number every time, so there's no real way to block them).
This is a dangerous precedent for the boundaries of ownership.
Why data brokers are allowed to collect your data without an explicit consent in the first place is a question no one yet seems to address.
Indeed. The CCPA is welcome, but this explicit opt-out just means that only broccoli of the technical caliber that frequents HN will realistically benefit from the law. This needs to go a step further and make opt-out the default for all to benefit. And it is the social duty of the technical broccoli that understand these things that need to push this for everyone's benefit.
As one of the technical broccoli like you, I think this is a good sentiment, but it would be much harder to legislate.
2 replies →
Are you willing to take a significant salary cut to benefit people?
All the big tech companies, Google, Meta, Netflix, etc make a huge amount of money by using Ads to push things people don't need onto them, brainwashing people. This brainwashing is massively more effective with data-collection.
If tech companies didn't hoard and sell people's data, the brainwashing would be less profitable, Google would pay lower salaries, and the entire industry's salaries would go down as a result.
Salaries in the US might drop from ~$500k to $250k for an average software engineer. Would you be willing to take that sort of cut?
You could also "vote with your feet" and move to europe where the GDPR protects everyone like you want, and your salary will drop to maybe $100k USD.
7 replies →
All those TOS you just click the box and don't read give companies permission to sell your data to third parties.
I'm feeling left out. I've got a house in California, but I'm no longer a resident. I wish this law was also applicable to me.
Be a resident, pay the taxes, reap the benefits.
You also have to live somewhere for the majority of the year to be a resident. I would assume GP has responsibilities elsewhere that make it impossible to be a resident
1 reply →
If you have a house in CA they will tax you anyway so might as well.
The tax savings (let alone cost of living savings) of avoiding California for most readers of this comment would pay for a professional data removal service 100x.
2 replies →
[dupe] Discussion: https://news.ycombinator.com/item?id=46449694
I feel like the definition of what counts as a data broker and also the idea of information “directly collected” will be abused.
Regardless, it’s a good step. I would also like to see long term liability for security breaches, including lifelong compensation for identity theft and stuff. And for it to be applied retroactively.
"Request," sure.
Enforce?
The webform can't be completed becaus erequired Date of Birth can only be input by selecting from a calendar widget which requires paging back 12 times per every year ylu've been alive. This is one more cynical bad faith ruse from advertisers.
You can go back by the year. Though I ended up hitting another roadblock down the road yesterday. So, I am currently waiting a couple of weeks for the flow to be functional.
FWIW not true on safari on iOS, direct month entry works fine
There’s a tiny blue arrow in the widget that lets you scroll to a year (iOS Firefox)
Worked fine on Safari on macOS.