The Delete Act
privacy.ca.gov119 points by weaksauce 5 hours ago
119 points by weaksauce 5 hours ago
Maybe there should be some kind of annual ISO privacy certification for companies that resell any customer data in any form. Then make data customers (e.g. marketing agencies, major retailers) and data collectors (e.g. those that collect telemetry data from libraries included in their app, auto manufacturers, wireless providers) civilly liable for any privacy violations dealing with uncertified brokers, making sure there’s an uncapped modifier based on the company’s annual revenue. That seems like it puts the bulk of the compliance responsibility on the parties that can do the most wide-scale damage with unethical and dodgy practices, while leaving some out there for others that need incentive to not ignore the rules.
Haven’t really thought this through and I’m not a policy wonk… just spitballin’.
> Maybe there should be some kind of annual ISO privacy certification for companies that resell any customer data in any form
Why is this better than requiring deletion?
For starters, it provides protection and accountability for those who don't have the prior presence of mind to demand deletion.
An act which mandated deletion in all cases for data once business needs are addressed (often 30--90 days for much data), might address your question. But the Delete Act isn't that.
> it provides protection and accountability for those who don't have the prior presence of mind to demand deletion
Perhaps. I just see another compliance-industrial tax on consumers backed up by a nonsense checklist.
> act which mandated deletion in all cases for data once business needs are addressed (often 30--90 days for much data), might address your question
Or opt out by default.
Perhaps California should give counties the power to do that. Then we can watch the experiment for unintended consequences.
I work in a specialty in an industry that requires a fairly stringent annual ISO certification. Even preparing for the audit it is a completely worthwhile exercise in seeing things that maybe got swept under the rug or left by the wayside. Customers having clearly defined criteria to prove in court or even business negotiations, that our lapse was negligent or in bad faith keeps us from straying too far to begin with. Our having clear criteria to show that we followed industry guidelines shuts down customers trying to accuse us of something in bad faith, or even trying to make a mountain out of a molehill to get leverage in a contract negotiation or something.
I’ll bet most of it depends on how good the certification is. My bosses think it’s annoying, and sure not 100% of the requirements make a difference for us, but most do, and from my vantage point, I can see how much of a difference it makes.
Excited to see this! Because completing the CCPA "delete my data" process for 300+ data brokers just isn't feasible.
Though I wonder what the second order effects of this might be. Imagine a service that vets tenants for landlords. If I've had all my data deleted, might I start failing background checks because the sketchy data brokers have no records of me? I fear a future where the complete absence of my data leads to bad side effects.
It's the same as credit checks, I know people who no credit (because they don't own a credit card) get denied housing for rent.
Not all data brokers are sketchy, some are very good. Data brokers help assess who is creditworthy and lowers rates for more trustworthy people, and allow the creation of more specialty lending products.
The big US credit score trio, Transunion, Equifax and Experian, have all had multiple, massive data leaks. This is not very good at all.
and for the ones you know about, there's more you don't.
cough un-ecrypted experian backups getting stolen from a UPS truck at gun-point and nothing else stolen cough
Credit checks, and the 3 big companies that do it, are already pretty regulated. I don't think they're counted as data brokers that'll have to comply with Delete Act. Can anyone confirm?
update: Looked it up and this seems right. The credit bureaus have specific exemptions in the Delete Act, specifically because they're already covered by the "Fair Credit Reporting Act". But it does apply to adjacent "people search" features from the same credit bureaus.
Also you can't delete your own credit history data unless it's proved inaccurate. Though you can't delete freeze it.
Are Experian, Transunion and Equifax included in the one-click deletion?
They don't let you delete correct credit history data. But you can freeze it.
Well they should have found a more transparent way to run their business, so they are still sketchy to me.
There’s a link to submit a DROP request at the bottom of the page. Is this live? I want to sign up.
Unfortunately following the link results in an infinite redirect.
It's not live yet (https://consumer.drop.privacy.ca.gov/coming-soon.html), you can subscribe to email updates (https://cppa.ca.gov/webapplications/apps/subscribe/).
This is a great first step, but I’m actually interested in
1. Getting a list of everyone that bought my records from data brokers 2. Reverse record linking to know who joined me, when, where, and how
Just deleting myself from 500 of these databases is a good start that’s decades over due.
Time to flip the scripts.
Data brokers made in California can now wreck all the world but California.
According to that page Texas also requires data brokers to register. As a Texan it seems unlikely that they do this to protect consumers. It feels more like they want to know who their market is as they surveil their citizens and rake in as much moola as possible. Identifying which broker will pay the highest premiums for real-time information about Texans' travel from license plate and traffic cameras, which businesses they visit, etc will allow them to get sweet kickbacks from the industry lobbyists who can openly pass around envelopes of cash on the floor of the legislature.
>information about Texans' travel from license plate and traffic cameras, which businesses they visit
Texas is already doing this to track women seeking out-of-state healthcare. Whatever "side" you're on (for that argument): THIS. IS. WRONG.
In addition to ditching your cell phone, consider ditching Texas, too (as a Native™, I did so almost a decade ago). Still toying with the idea of expatriation, but honestly I feel too old for that, now =P
----
We seem to have a lot in common, fellow retired Xeon user. My PO Box is in my profile.
I’m pretty sure the “abortion is murder” side will not consider it wrong to track women who travel out of state to, as they see it, murder a baby.
Texas has robust laws against facial recognition (and biometrics in general), including winning a major lawsuit against Facebook. Texas also has pretty good privacy laws in general. Right now, flock cameras are still permitted - but there's been talk about cracking down on them. There are also a first set of restrictions on ALPRs - not as restrictive as I would like, but generally data can only be retained for people suspected of committing a crime.
If you are a Texas resident, you also have a right to request data deletion (or correction) from brokers or other sellers of data, and permanently opt out of personal data profiling for a wide swath of industries including insurance and finance purposes.
Texas is one of the best states for privacy laws, even though we can obviously do better. I'd still like to see a general prohibition on things like flock and more restrictions on ALPRs, but much better than most states.
hmm (thinking) infinite loop, eh?
$ curl -i -A - 'https://consumer.drop.privacy.ca.gov/maintenance.html'
HTTP/2 307
content-type: text/html
location: https://consumer.drop.privacy.ca.gov/coming-soon.html
date: Thu, 01 Jan 2026 02:22:37 GMT
[…]
$ curl -i -A - 'https://consumer.drop.privacy.ca.gov/coming-soon.html'
HTTP/2 307
content-type: text/html
location: https://consumer.drop.privacy.ca.gov/maintenance.html
date: Thu, 01 Jan 2026 02:22:46 GMT
[…]Sounds an awful like The Right to be Forgotten under GPDR Article 17
Absolutely. What sound pretty cool, and different, here is CalPrivacy would be required to build a request mechanism that's one request sent to every data broker.
Dare I ask, what happens to data brokers that don't care about Californian laws? Must be many such instances operating from outside the USA?
They open themselves up to a lot of risk, but more likely they only comply when CA residents are concerned or stop collecting for CA residents. Good question about outside the USA. Makes me wonder if there may end up being some sort of data broker safe havens setup, like we've seen with banking.
California will take them to court and/or block them from doing business in the state, have various ways to penalize them, etc. California is big enough that many will want to play game with them and having a state as powerful as California on board will get other states to jump on board and pass their own legislation and take up the same tactics with non-complying companies. Once it gets enough traction at the state level, the fed will step in because this will affect interstate commerce and that is federal jurisdiction. This is how state sovereignty works, it is not that states can do as they please, they can only do it up until the point it affects other states or crosses the line with federal law.
> Sounds an awful like The Right to be Forgotten under GPDR Article 17
Does DROP let you censor search records?
I’d encourage anyone in Europe to compare California’s CCPA to the EU’s GDPR. It was inspired by the latter, and fixes a lot of its problem. (The Swiss referendum system was based on learning from and improving on California’s.)
Can only hope this spreads like wildfire throughout the world.
I wonder how well this will work without other the states not being in on it and what other unintended consequences this may bring. sounds like a good start though.
If a data-collecting company doesn't do business in California, that tells me a lot.
One of the ways federal legislation gets passed is by state's passing their own laws, eventually industry gets fed up with having to comply with a dozen or more variations of the same law and starts harassing congress to take care of it.
> without other the states not being in on it
California represents 12% of USA population, 14% of US GDP. Effectively that means CA can throw its weight around and companies are forced to at least pretend to comply. Whether they actually comply depends on enforcement.
Now if Delaware were to adopt such a law for every company “headquartered” there …
what other unintended consequences this may bring.
A "right to rewrite history" that will distort reality for historians in the future.
How did HN become effectively pro-DRM?
When the CCPA launched in 2018 companies had to comply when a consumer requested a Data Subject Access Request (DSAR). Because the consumer had to request a DSAR not all companies felt this compliance pain acutely (e.g. it was mostly big companies with A LOT of users that got more DSARs, so they adopted workflows and tools to alleviate the pain).
The Delete Act has more teeth. Independent compliance audits begin in 2028 with penalties of $200 per day for failing to register or for each consumer deletion request that is not honored. GDPR spurred organizations to compliance, partly because of the steep penalty (up to €20 million or 4% of revenue, whichever is higher), maybe The Delete Act (and its much smaller penalty) will also spark organizations to comply.
Is Facebook a data broker? Reddit? Google?
They define data broker as someone who collects and sells your data. Companies like Facebook and Google do not sell data they collect, contrary to what a lot of people assume.
The page refers to 500 data brokers, but I’d like to find the complete list they use.
Google does "sell" your data to other Alphabet companies except they call it "partnership" or "strategic sharing" and it should be completely illegal and be called data brokerage too. Same with Meta.
There is a reason the FTC and DOJ force this companies to break up, except they have hordes of lawyers and the law will always be catching up to reality so it doesn't do much in this day and age.
> Google does "sell" your data to other Alphabet companies
That doesn't match the definition of data broker. It's also a huge stretch, as many companies have subsidiaries and different divisions that are separate legal structures.
It would be unexpected if signing the form meant that your gmail is deleted and your facebook account is closed.
> 1798.99.80. (c) “Data broker” means a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship. [1]
If you want to be both obtuse and pedantic about it, the answer is yes to all three.
I suppose that these records of personal data does not constitute "speech" in a First Amendment context?
I don't know why this is downvoted, it's a great question.
1st Amendment: Congress shall make No Law
14th Amendment: Due process... incorporate the Bill of Rights against the states
I often wondered whether the next case after MacDonald vs Chicago and Heller would do the same for the 2nd amendment, i.e. wipe away the ability of cities to require gun licensing and registration.
Sounds similar to GDPR here in Europe.
They adopted gdpr some years ago. This goes further and creates infrastructure to delete records at scale.
I hope this is good and turns global. We need this, because consent banners do not work.
> They adopted gdpr some years ago.
The CCPA is far better than the GDPR. For one, they actually managed to make an effective privacy law that didn't have the knock-on effect of polluting the entire internet with pointless cookie banners. The EU is already making moves to scrap huge parts of their misguided privacy regulations and adopt rules more like what California did with the CCPA.
California lawmakers "adopted the GDPR" only insofar as they studied it to learn what not to do.
The GDPR lets someone request deletion of their data and there are legal teeth to force a business to comply, but that's 1:1. Maybe I need to dig deeper, but this specifically applies to data brokers it seems. That's great and it being a one to many request is fantastic, but sounds like it may not apply to just anyone who has data on you like the GDPR...
glad the timelines are short and hope its user friendly
Only tangentially releated but I thought the EU required that you can delete selective data. Example: Being able to delete a single email vs having to delete all emails.
And yet, Gemini does not seem to let me delete queries. This is unusual for Google who provides ways to delete pretty much all data on selective basis. Maybe I just can't find the option. Or maybe this option only exists if I'm in the EU
The gist of the GDPR in that respect is it allows someone to request a record of what data a particular business has gathered about them as well as request deletion of that data. It also introduced a lot of restrictions around what can be done with a particular subject's data, like sharing with third parties.
> one of four states (also Oregon, *Texas*, and Vermont) who require data broker registration.
This does feel like an area where there could be useful bipartisan agreement if packaged properly.
California is a real country, United States is a joke
[flagged]
This is the kind of thing the federal goverment would be doing if it gave a shit about its people.