California residents can now request all data brokers delete personal info

> Before submitting a deletion request, you will be required to verify you are a California “resident,” as defined in section 17014 of Title 18 of the California Code of Regulations as that section read on September 1, 2017. Verification is made with assistance from state contracted third-party vendors, including Socure and Login.gov, through the California Identity Gateway.

I'm seeing a problem here...

How does this work over time?

Do you have to keep submitting this every month as they recollect your info from databases in other states?

Seems great in concept but I am skeptical this will change much.

Data doesn't respect state lines.

Additional context:

https://cppa.ca.gov/regulations/pdf/20260101_ccpa_statute.pd...

https://cppa.ca.gov/regulations/pdf/ccpa_statute_eff_2026010...

https://cppa.ca.gov/data_broker_registry/

https://cppa.ca.gov/announcements/

Here's hoping other states follow suit.

This was already the law, correct? The change here is that California now provides its own platform for submitting requests?

CloudFlare just decided I’m not a person, so I’m unable to access the website.

I still think data brokers will not fully delete the data and would make it available or sell it elsewhere. Data should not be in the hands of these companies in the first place but I guess the cat's out of the bag. They should not collect data deemed sensitive and they should be fined heavily at least to deter wrongdoing.

> Processing begins August 1, 2026.

I love the idea. A few thoughts though:

- This needs teeth and they should inform you of what to do if you find out they ignored the request and what penalties they will receive. Tell people they can aid in the enforcement and I bet they will.

- I understand why the residency requirement is there but it just bums me out.

- The language is wrong. People are people, not 'consumers': "...In addition, the consumer must first have their residency verified as described in the Use of DROP section above..."

I tried this yesterday (Saturday). I went through two pages of forms and two rounds of SMS 2FA only for it to reject the 2FA codes on the second page. I gave up because I try not to allocate too much energy toward fighting losing battles.

I’d love to have a federal version of this.

I always wondered about a possible loophole in opt-out.

Could you create legal entities fast/cheap enough and delay compliance long enough so that any private data, requested for deletion, can be transfered from the old opted-out entity to the new one, over and over again?

This could render the entire opt-out approach useless, right? Because in order to reach your goal of deletion, you must get ahead of the transfer curve.

Curious, practically speaking, how much does this impact people's lives daily?

Asking as a non-ca resident.

This is a dangerous precedent for the boundaries of ownership.

The word "request" sounds very passive, but it seems data brokers actually have to abide to be in accordance with the law?

Glad this exists but skeptical about enforcement, particularly for any data broker hosting outside of the US.

My phone number is on the national Do Not Call registry and that isn't stopping me from getting 1-2 calls a day from loan scam companies (and they are literally calling from a different phone number every time, so there's no real way to block them).

Why data brokers are allowed to collect your data without an explicit consent in the first place is a question no one yet seems to address.

I'm feeling left out. I've got a house in California, but I'm no longer a resident. I wish this law was also applicable to me.

[dupe] Discussion: https://news.ycombinator.com/item?id=46449694

I feel like the definition of what counts as a data broker and also the idea of information “directly collected” will be abused.

Regardless, it’s a good step. I would also like to see long term liability for security breaches, including lifelong compensation for identity theft and stuff. And for it to be applied retroactively.

"Request," sure.

Enforce?

The webform can't be completed becaus erequired Date of Birth can only be input by selecting from a calendar widget which requires paging back 12 times per every year ylu've been alive. This is one more cynical bad faith ruse from advertisers.