California Residents Can Now Request All Data Brokers Delete Personal Info
Key topics
California has rolled out a new platform allowing residents to request data brokers delete their personal info, sparking a lively discussion about the law's implications and limitations. Commenters pointed out that this isn't entirely new, as the law already existed, but the state's own platform makes it more accessible, and data brokers are now required to register with the state. While some users praised the move, others lamented the law's residency restrictions and technical hiccups, such as CloudFlare blocking certain browsers. A federal version of this law is being wished for, but others are pessimistic about its likelihood given the current regulatory landscape.
Snapshot generated from the HN discussion
Discussion Activity
Very active discussionFirst comment
35m
Peak period
59
0-6h
Avg / period
11.9
Based on 83 loaded comments
Key moments
- 01Story posted
Jan 4, 2026 at 11:00 PM EST
6d ago
Step 01 - 02First comment
Jan 4, 2026 at 11:35 PM EST
35m after posting
Step 02 - 03Peak activity
59 comments in 0-6h
Hottest window of the conversation
Step 03 - 04Latest activity
Jan 7, 2026 at 1:10 PM EST
4d ago
Step 04
Generating AI Summary...
Analyzing up to 500 comments to identify key contributors and discussion patterns
Want the full context?
Jump to the original sources
Read the primary article or dive into the live Hacker News thread when you're ready.
All the big tech companies, Google, Meta, Netflix, etc make a huge amount of money by using Ads to push things people don't need onto them, brainwashing people. This brainwashing is massively more effective with data-collection.
If tech companies didn't hoard and sell people's data, the brainwashing would be less profitable, Google would pay lower salaries, and the entire industry's salaries would go down as a result.
Salaries in the US might drop from ~$500k to $250k for an average software engineer. Would you be willing to take that sort of cut?
You could also "vote with your feet" and move to europe where the GDPR protects everyone like you want, and your salary will drop to maybe $100k USD.
I’d like to see data on this. Obviously Oracle and Meta and companies that agressively track you would be impacted, but how much would Google search be changed if it wasn’t personalized? Would there be a meaningful financial impact?
Also as far as I understand, data brokers tend to exclude meta, Google, et al because they don’t sell their data they just use it internally. This could further entrench these players more.
Asking 300M people to leave country and move to europe instead of fixing problems here is just stupid and at best a shoddy attempt at victim blaming.
Do you have to keep submitting this every month as they recollect your info from databases in other states?
Seems great in concept but I am skeptical this will change much.
Data doesn't respect state lines.
I'm also skeptical it will have any real effect. The law requires them to process deletion requests at a 45 day interval:
> Data brokers are required to process deletion requests at least once every 45 days beginning August 1, 2026.
But what if Broker A (based in CA) has a contract with Broker B, who doesn't do business in CA, to sync data once a day. Now Broker A will have your data on 44 out of 45 days and still be fully compliant with the law. Furthermore, it's not difficult to figure out when that 45 day interval comes up, so I would expect customers to figure that out and time their purchases accordingly.
They could store a normalised, hashed version of your data and use it to filter any incoming datasets. But, of course, why would they?
Every single financial institution relies on these data-brokers. U-haul needs data brokers to be able to verify your driver's license, the TSA needs data brokers to let you on a flight without an ID. There are simply countless of reasons for why you wouldn't want to break this system for people who haven't opted in for breakage.
Not unique to a person
> email address, phone number
Also often not unique to a person, although email addresses probably tend to have much longer lifespans as identifiers than phone numbers.
If the idea is to have a true opt-out system, it's really really difficult to implement given how these systems work.
If you look at the data provided by services like accurint, you'll frequently see the same SSNs used for decades by multiple different individuals, often with IDs from different states with the same name and DoB despite obviously being different people. With how the system works in the US, it can often be impossible for anyone to determine which physical person the SSN was actually originally assigned to.
Same obviously applies to other identifiers you suggested, but even the seemingly good ones are not very good at uniquely identifying people.
It's not like brokers wait around for you to sign up for something new.
Old data is resold, merged with new data, mixed, stolen, discovered, reformatted... etc...
Your actions of course do have an impact, but does changing your behavior prevent the outcome of your data being collected?
Not even close.
Some of the brokers do offer an easy removal process and will handle your request right away, but then your record will reappear after some amount of time, obviously purchased from another broker.
I would not be surprised to discover that these individual brokers are, in fact, owned by the same entity and they merely exchange records periodically.
This is the reason that I choose to use Optery. They have the bandwidth and tools to chase my records on my behalf, for as long as I pay them.
If you ever stumble upon such an obvious loophole and oversight, it's best not to immediately stop, but to ask: "How do they intend to solve this?"
In this case, the first part of the terms of use solves your conundrum:
> By submitting a deletion request through DROP, you consent to disclosure of your personal information to data brokers for purposes of processing your deletion request pursuant to Civil Code section 1798.99.80 et seq. unless or until you cancel your deletion request. Additionally, you acknowledge that data brokers receiving your deletion request will delete any non-exempt "personal information," as defined in Civil Code section 1798.140(v), which pertains to you and was collected from third parties or from you in a non-"first party" capacity (i.e., through an interaction where you did not intend or expect to interact with the data broker).
Asking as a non-ca resident.
Even if your only activity was commenting in disagreement
I'm seeing a problem here...
This is a very good example of the difference between a left policy and a liberal policy (actually neoliberal to be precise).
The left policy would have been to have some agency within the california government which ultimately does the verification... because why would you outsource that task to a 3rd party?
The neoliberal policy is "Well, we don't want to spend the time to set this up, so let's just pay 10 companies with some taxpayer money to do the job we really should do ourselves".
Unless you are just an anarchist, then I can't see how it's unreasonable for a government to know who it represents. That's why governments do censuses. Heck, that's needed just for the basic function of making sure you aren't voting in multiple districts.
- This needs teeth and they should inform you of what to do if you find out they ignored the request and what penalties they will receive. Tell people they can aid in the enforcement and I bet they will.
- I understand why the residency requirement is there but it just bums me out.
- The language is wrong. People are people, not 'consumers': "...In addition, the consumer must first have their residency verified as described in the Use of DROP section above..."
Could you create legal entities fast enough and delay compliance long enough so that any private data, requested for deletion, can be transfered from the old opted-out entity to the new one, over and over again?
This could render the entire opt-out approach useless, right? Because in order to reach your goal of deletion, you must get ahead of the transfer curve.
Regardless, it’s a good step. I would also like to see long term liability for security breaches, including lifelong compensation for identity theft and stuff. And for it to be applied retroactively.
https://cppa.ca.gov/regulations/pdf/20260101_ccpa_statute.pd...
https://cppa.ca.gov/regulations/pdf/ccpa_statute_eff_2026010...
https://cppa.ca.gov/data_broker_registry/
https://cppa.ca.gov/announcements/
Here's hoping other states follow suit.
My phone number is on the national Do Not Call registry and that isn't stopping me from getting 1-2 calls a day from loan scam companies (and they are literally calling from a different phone number every time, so there's no real way to block them).
One of the best things I have done is sign up for DMAchoice and optoutprescreen.com which has completely stopped junk mail for me.
Enforce?