FRESH

Hacker News

Home

California residents can now request all data brokers delete personal info

302 points by memalign

by terminalshort

4 subcomments

> Before submitting a deletion request, you will be required to verify you are a California “resident,” as defined in section 17014 of Title 18 of the California Code of Regulations as that section read on September 1, 2017. Verification is made with assistance from state contracted third-party vendors, including Socure and Login.gov, through the California Identity Gateway.
I'm seeing a problem here...

by rl3

0 subcomment

Additional context:
https://cppa.ca.gov/regulations/pdf/20260101_ccpa_statute.pd...
https://cppa.ca.gov/regulations/pdf/ccpa_statute_eff_2026010...
https://cppa.ca.gov/data_broker_registry/
https://cppa.ca.gov/announcements/
Here's hoping other states follow suit.

by puppycodes

1 subcomments

How does this work over time?
Do you have to keep submitting this every month as they recollect your info from databases in other states?
Seems great in concept but I am skeptical this will change much.
Data doesn't respect state lines.

by hellcow

1 subcomments

CloudFlare just decided I’m not a person, so I’m unable to access the website.

by derektank

1 subcomments

This was already the law, correct? The change here is that California now provides its own platform for submitting requests?

by tartoran

1 subcomments

I still think data brokers will not fully delete the data and would make it available or sell it elsewhere. Data should not be in the hands of these companies in the first place but I guess the cat's out of the bag. They should not collect data deemed sensitive and they should be fined heavily at least to deter wrongdoing.

by georgemcbay

0 subcomment

Glad this exists but skeptical about enforcement, particularly for any data broker hosting outside of the US.
My phone number is on the national Do Not Call registry and that isn't stopping me from getting 1-2 calls a day from loan scam companies (and they are literally calling from a different phone number every time, so there's no real way to block them).

by alsetmusic

0 subcomment

I tried this yesterday (Saturday). I went through two pages of forms and two rounds of SMS 2FA only for it to reject the 2FA codes on the second page. I gave up because I try not to allocate too much energy toward fighting losing battles.

by forks

1 subcomments

> Processing begins August 1, 2026.

by jmward01

1 subcomments

I love the idea. A few thoughts though:
- This needs teeth and they should inform you of what to do if you find out they ignored the request and what penalties they will receive. Tell people they can aid in the enforcement and I bet they will.
- I understand why the residency requirement is there but it just bums me out.
- The language is wrong. People are people, not 'consumers': "...In addition, the consumer must first have their residency verified as described in the Use of DROP section above..."

by nalekberov

2 subcomments

Why data brokers are allowed to collect your data without an explicit consent in the first place is a question no one yet seems to address.

by ungreased0675

1 subcomments

I’d love to have a federal version of this.

by lunias

0 subcomment

There is only one sensible default, and that is opt-in. Requiring submission of a request to opt-out is never an acceptable solution.

by throwawayqqq11

1 subcomments

I always wondered about a possible loophole in opt-out.
Could you create legal entities fast/cheap enough and delay compliance long enough so that any private data, requested for deletion, can be transfered from the old opted-out entity to the new one, over and over again?
This could render the entire opt-out approach useless, right? Because in order to reach your goal of deletion, you must get ahead of the transfer curve.

by brian_spiering

0 subcomment

I signed up for it (took about 5 minutes). I'm cautiously optimistic about it having positive return on that investment.
One of the best things I have done is sign up for DMAchoice and optoutprescreen.com which has completely stopped junk mail for me.

by SilverElfin

0 subcomment

I feel like the definition of what counts as a data broker and also the idea of information “directly collected” will be abused.
Regardless, it’s a good step. I would also like to see long term liability for security breaches, including lifelong compensation for identity theft and stuff. And for it to be applied retroactively.

by AbstractH24

2 subcomments

Curious, practically speaking, how much does this impact people's lives daily?
Asking as a non-ca resident.

by magicalhippo

0 subcomment

The word "request" sounds very passive, but it seems data brokers actually have to abide to be in accordance with the law?

by userbinator

0 subcomment

This is a dangerous precedent for the boundaries of ownership.

by anonymousiam

1 subcomments

I'm feeling left out. I've got a house in California, but I'm no longer a resident. I wish this law was also applicable to me.

by shadowgovt

0 subcomment

"Request," sure.
Enforce?

by ChrisArchitect

0 subcomment

[dupe] Discussion: https://news.ycombinator.com/item?id=46449694

by pilastr

4 subcomments

The webform can't be completed becaus erequired Date of Birth can only be input by selecting from a calendar widget which requires paging back 12 times per every year ylu've been alive. This is one more cynical bad faith ruse from advertisers.