> Before submitting a deletion request, you will be required to verify you are a California “resident,” as defined in section 17014 of Title 18 of the California Code of Regulations as that section read on September 1, 2017. Verification is made with assistance from state contracted third-party vendors, including Socure and Login.gov, through the California Identity Gateway.
It really depends on the quality (strength of the teeth, willingness to use it) of the regulator here; we have a lot of similar situations in EU/France and it's always the case that either it creates a new right or it creates a moat, depending on the enforcer.
This is a very good example of the difference between a left policy and a liberal policy (actually neoliberal to be precise).
The left policy would have been to have some agency within the California government which ultimately does the verification... because why would you outsource that task to a 3rd party?
The neoliberal policy is "Well, we don't want to spend the time to set this up, so let's just pay 10 companies with some taxpayer money to do the job we really should do ourselves".
No shit. All data brokery is a poison pill to justify itself. Until you illegalize the entire damn endeavor, it'll find a way to justify its own existence through malicious compliance.
I would assume so. It's sort of a catch 22 because if they delete your data, they have no way of knowing about you when they buy another batch of data. To have some sort of no track list, they have to keep your data.
I'm also skeptical it will have any real effect. The law requires them to process deletion requests at a 45 day interval:
> Data brokers are required to process deletion requests at least once every 45 days beginning August 1, 2026.
But what if Broker A (based in CA) has a contract with Broker B, who doesn't do business in CA, to sync data once a day. Now Broker A will have your data on 44 out of 45 days and still be fully compliant with the law. Furthermore, it's not difficult to figure out when that 45 day interval comes up, so I would expect customers to figure that out and time their purchases accordingly.
California also requires data brokers to register with the state, creating the (intended) possibility of removing your info fully from all brokers all at once.
I still think data brokers will not fully delete the data and would make it available or sell it elsewhere. Data should not be in the hands of these companies in the first place but I guess the cat's out of the bag. They should not collect data deemed sensitive and they should be fined heavily at least to deter wrongdoing.
Much of the data is just scraped from public records that aren't going away. (Yes, collection/resale of those records should be restricted...there is good reason for some types to at least be available)
Glad this exists but skeptical about enforcement, particularly for any data broker hosting outside of the US.
My phone number is on the national Do Not Call registry and that isn't stopping me from getting 1-2 calls a day from loan scam companies (and they are literally calling from a different phone number every time, so there's no real way to block them).
I tried this yesterday (Saturday). I went through two pages of forms and two rounds of SMS 2FA only for it to reject the 2FA codes on the second page. I gave up because I try not to allocate too much energy toward fighting losing battles.
By that time the data brokers might have sold off the data to others outside the USA. Maybe they already have. This is just US law, it will not affect India, China, Russia, etc. data brokers.
- This needs teeth and they should inform you of what to do if you find out they ignored the request and what penalties they will receive. Tell people they can aid in the enforcement and I bet they will.
- I understand why the residency requirement is there but it just bums me out.
- The language is wrong. People are people, not 'consumers': "...In addition, the consumer must first have their residency verified as described in the Use of DROP section above..."
"consumer" is the language in the CCPA (which had its origins in a ballot initiative); most general privacy laws in the states are designed as consumer protection laws rather than civil rights like in the EU.
Indeed. The CCPA is welcome, but this explicit opt-out just means that only broccoli of the technical caliber that frequents HN will realistically benefit from the law. This needs to go a step further and make opt-out the default for all to benefit. And it is the social duty of the technical broccoli that understand these things to push this for everyone's benefit.
Which will never happen in a million years with the current regime. Which is exactly why corporations put them there -- to ensure industry will not be regulated (unless you're not paying protection money).
I always wondered about a possible loophole in opt-out.
Could you create legal entities fast/cheap enough and delay compliance long enough so that any private data, requested for deletion, can be transferred from the old opted-out entity to the new one, over and over again?
This could render the entire opt-out approach useless, right? Because in order to reach your goal of deletion, you must get ahead of the transfer curve.
I don't see them being on the resident's side when it comes to something as valuable as data.
I agree with you on this. They'll play the loophole long enough that by then your data has conjoined and transverses into some other data: it has served its purpose.
I feel like the definition of what counts as a data broker and also the idea of information “directly collected” will be abused.
Regardless, it’s a good step. I would also like to see long term liability for security breaches, including lifelong compensation for identity theft and stuff. And for it to be applied retroactively.
Depends on what kind of life you live, daily. If you're totally inoffensive and not being bold about anything, not interacting with people in a meaningful way, such that no one could possibly be motivated to use the information to track you down and hurt you, then, practically speaking, you're too boring to be of note. But if you are interesting to someone. Maybe you're the other person in an affair, or you're active online in some sort of fashion; if you stick out in some way, then they, whomever you've pissed off, is gonna track you down thanks to such data leaks. Personally, an ex-girlfriend just got into a fight with her latest beau, and for some reason I came up, and he was able to track me down to tell me exactly what he thought about I don't know what. Not having that information out there would make me safer when the woman at the bar I made out with turns out to be married to a jealous and violent police officer.
For people in general these data brokers are a primary source of information for spammers, both political and semi-targeted. So they share responsibility for making calls from unknown numbers useless.
The webform can't be completed because required Date of Birth can only be input by selecting from a calendar widget which requires paging back 12 times per every year you've been alive. This is one more cynical bad faith ruse from advertisers.
You can go back by the year. Though I ended up hitting another roadblock down the road yesterday. So, I am currently waiting a couple of weeks for the flow to be functional.
terminalshort|1 month ago
I'm seeing a problem here...
rl3|1 month ago
https://cppa.ca.gov/regulations/pdf/20260101_ccpa_statute.pd...
https://cppa.ca.gov/regulations/pdf/ccpa_statute_eff_2026010...
https://cppa.ca.gov/data_broker_registry/
https://cppa.ca.gov/announcements/
Here's hoping other states follow suit.
puppycodes|1 month ago
Do you have to keep submitting this every month as they recollect your info from databases in other states?
Seems great in concept but I am skeptical this will change much.
Data doesn't respect state lines.
AbstractH24|1 month ago
Asking as a non-CA resident.
brian_spiering|1 month ago
One of the best things I have done is sign up for DMAchoice and optoutprescreen.com which has completely stopped junk mail for me.
shadowgovt|1 month ago
Enforce?