The Delete Act

211 pointsposted a month ago
by weaksauce
(privacy.ca.gov)

92 Comments

DrewADesign

a month ago

Maybe there should be some kind of annual ISO privacy certification for companies that resell any customer data in any form. Then make data customers (e.g. marketing agencies, major retailers) and data collectors (e.g. those that collect telemetry data from libraries included in their app, auto manufacturers, wireless providers) civilly liable for any privacy violations dealing with uncertified brokers, making sure there’s an uncapped modifier based on the company’s annual revenue. That seems like it puts the bulk of the compliance responsibility on the parties that can do the most wide-scale damage with unethical and dodgy practices, while leaving some out there for others that need incentive to not ignore the rules.

Haven’t really thought this through and I’m not a policy wonk… just spitballin’.

dredmorbius

a month ago

Bonding and/or insurance.

Make this cost and practices will change.

sigwinch

a month ago

I would hope for something stronger. Put a currency value on some kinds of info. To store my SSN and full name and military ID totals 20 units. Maybe a full name and home address is 15 units. If I agree to give you my info, you agree that I can keep the CEOs home address, stored as safely and hygienically as I can. Part of our contract mandates when we mutually delete. Because of course we trust each other.

DrewADesign

a month ago

Sure, but that will never happen, and we shouldn't let perfect be the enemy of good.

JumpCrisscross

a month ago

> Maybe there should be some kind of annual ISO privacy certification for companies that resell any customer data in any form

Why is this better than requiring deletion?

dredmorbius

a month ago

For starters, it provides protection and accountability for those who don't have the prior presence of mind to demand deletion.

An act which mandated deletion in all cases for data once business needs are addressed (often 30--90 days for much data), might address your question. But the Delete Act isn't that.

JumpCrisscross

a month ago

> it provides protection and accountability for those who don't have the prior presence of mind to demand deletion

Perhaps. I just see another compliance-industrial tax on consumers backed up by a nonsense checklist.

> act which mandated deletion in all cases for data once business needs are addressed (often 30--90 days for much data), might address your question

Or opt out by default.

Perhaps California should give counties the power to do that. Then we can watch the experiment for unintended consequences.

DrewADesign

a month ago

I work in a specialty in an industry that requires a fairly stringent annual ISO certification. Even preparing for the audit it is a completely worthwhile exercise in seeing things that maybe got swept under the rug or left by the wayside. Customers having clearly defined criteria to prove in court or even business negotiations, that our lapse was negligent or in bad faith keeps us from straying too far to begin with. Our having clear criteria to show that we followed industry guidelines shuts down customers trying to accuse us of something in bad faith, or even trying to make a mountain out of a molehill to get leverage in a contract negotiation or something.

I’ll bet most of it depends on how good the certification is. My bosses think it’s annoying, and sure not 100% of the requirements make a difference for us, but most do, and from my vantage point, I can see how much of a difference it makes.

DrewADesign

a month ago

This is a family-run business with about 20 employees BTW. Not some red tape behemoth.

JCattheATM

a month ago

> compliance-industrial tax on consumers backed up by a nonsense checklist.

That's...a really weird phrase. Efficient regulation isn't a tax on consumers, it's protection against unchecked immoral corporations.

user

a month ago

[deleted]

varenc

a month ago

Excited to see this! Because completing the CCPA "delete my data" process for 300+ data brokers just isn't feasible.

Though I wonder what the second order effects of this might be. Imagine a service that vets tenants for landlords. If I've had all my data deleted, might I start failing background checks because the sketchy data brokers have no records of me? I fear a future where the complete absence of my data leads to bad side effects.

satvikpendem

a month ago

It's the same as credit checks, I know people who no credit (because they don't own a credit card) get denied housing for rent.

user

a month ago

[deleted]

arpinum

a month ago

Not all data brokers are sketchy, some are very good. Data brokers help assess who is creditworthy and lowers rates for more trustworthy people, and allow the creation of more specialty lending products.

dafelst

a month ago

The big US credit score trio, Transunion, Equifax and Experian, have all had multiple, massive data leaks. This is not very good at all.

flutas

a month ago

and for the ones you know about, there's more you don't.

cough un-ecrypted experian backups getting stolen from a UPS truck at gun-point and nothing else stolen cough

varenc

a month ago

Credit checks, and the 3 big companies that do it, are already pretty regulated. I don't think they're counted as data brokers that'll have to comply with Delete Act. Can anyone confirm?

varenc

a month ago

update: Looked it up and this seems right. The credit bureaus have specific exemptions in the Delete Act, specifically because they're already covered by the "Fair Credit Reporting Act". But it does apply to adjacent "people search" features from the same credit bureaus.

Also you can't delete your own credit history data unless it's proved inaccurate. Though you can't delete freeze it.

breadwinner

a month ago

Are Experian, Transunion and Equifax included in the one-click deletion?

varenc

a month ago

They don't let you delete credit history data unless it's incorrect. But you can freeze it.

amelius

a month ago

Well they should have found a more transparent way to run their business, so they are still sketchy to me.

cormorant

a month ago

> Before submitting a deletion request, you will be required to verify you are a California “resident,” as defined in section 17014 of Title 18 of the California Code of Regulations as that section read on September 1, 2017. Verification is made with assistance from state contracted third-party vendors, including Socure and Login.gov, through the California Identity Gateway.

-- https://consumer.drop.privacy.ca.gov/

MetaWhirledPeas

a month ago

Wow this is a huge negative. I wonder if this was necessary to make it workable, or if this was done to placate corporations.

WD-42

a month ago

There’s a link to submit a DROP request at the bottom of the page. Is this live? I want to sign up.

Unfortunately following the link results in an infinite redirect.

varenc

a month ago

Per the timeline, the DROP service is supposed to be live by August 1, 2026.

temp0826

a month ago

You can submit your request now. They aren't processing requests until August.

wdr1

a month ago

Does this apply to political lists too? I know political calls/text are excluded from Do Not Call and hence I get a crap ton of political spam texts (most recently from "Adam Miller for Congress OH-15", despite never living in Ohio). I'd really, really like to remove myself from all these political lists.

amanaplanacanal

a month ago

I've had that, though it was from a different state. Also recently started getting texts from some MAGA related organization, though I'm about as far from MAGA as it's possible to be. How does my number get on these lists, anyway?

LexGray

a month ago

Typically pure spam not even from MAGA phishing cc info from the most gullible. Replying STOP usually does the trick.

I think of it as the side effect of first amendment protections that people do not report it for what it is.

tylerchilds

a month ago

This is a great first step, but I’m actually interested in

1. Getting a list of everyone that bought my records from data brokers 2. Reverse record linking to know who joined me, when, where, and how

Just deleting myself from 500 of these databases is a good start that’s decades over due.

Time to flip the scripts.

firesteelrain

a month ago

Sounds an awful like The Right to be Forgotten under GPDR Article 17

scsh

a month ago

Absolutely. What sound pretty cool, and different, here is CalPrivacy would be required to build a request mechanism that's one request sent to every data broker.

mikestorrent

a month ago

Dare I ask, what happens to data brokers that don't care about Californian laws? Must be many such instances operating from outside the USA?

scsh

a month ago

They open themselves up to a lot of risk, but more likely they only comply when CA residents are concerned or stop collecting for CA residents. Good question about outside the USA. Makes me wonder if there may end up being some sort of data broker safe havens setup, like we've seen with banking.

ofalkaed

a month ago

California will take them to court and/or block them from doing business in the state, have various ways to penalize them, etc. California is big enough that many will want to play game with them and having a state as powerful as California on board will get other states to jump on board and pass their own legislation and take up the same tactics with non-complying companies. Once it gets enough traction at the state level, the fed will step in because this will affect interstate commerce and that is federal jurisdiction. This is how state sovereignty works, it is not that states can do as they please, they can only do it up until the point it affects other states or crosses the line with federal law.

JumpCrisscross

a month ago

> Sounds an awful like The Right to be Forgotten under GPDR Article 17

Does DROP let you censor search records?

I’d encourage anyone in Europe to compare California’s CCPA to the EU’s GDPR. It was inspired by the latter, and fixes a lot of its problem. (The Swiss referendum system was based on learning from and improving on California’s.)

userbinator

a month ago

More like The Right to Rewrite History

doodlebugging

a month ago

According to that page Texas also requires data brokers to register. As a Texan it seems unlikely that they do this to protect consumers. It feels more like they want to know who their market is as they surveil their citizens and rake in as much moola as possible. Identifying which broker will pay the highest premiums for real-time information about Texans' travel from license plate and traffic cameras, which businesses they visit, etc will allow them to get sweet kickbacks from the industry lobbyists who can openly pass around envelopes of cash on the floor of the legislature.

ProllyInfamous

a month ago

>information about Texans' travel from license plate and traffic cameras, which businesses they visit

Texas is already doing this to track women seeking out-of-state healthcare. Whatever "side" you're on (for that argument): THIS. IS. WRONG.

In addition to ditching your cell phone, consider ditching Texas, too (as a Native™, I did so almost a decade ago). Still toying with the idea of expatriation, but honestly I feel too old for that, now =P

----

We seem to have a lot in common, fellow retired Xeon user. My PO Box is in my profile.

wat10000

a month ago

I’m pretty sure the “abortion is murder” side will not consider it wrong to track women who travel out of state to, as they see it, murder a baby.

ProllyInfamous

a month ago

I just wish this pro-birth crowd were actually pro-life (e.g. child care, health care, education).

It seems mostly all they actually want is replacement slaves, chattel.

amanaplanacanal

a month ago

Recently saw a video of some pro-life preacher explaining that he would not donate baby formula for a young mother that he saw as "whoring around". If the hell that he professes to believe in is real, he's definitely going there.

ProllyInfamous

a month ago

Forever and ever, amen...

I believe it was that same "baby formula survey" that showed the non-christian facilities had a higher chance of donating formula.

Hell is real — it's here on earth — and we create it best for ourselves.

wat10000

a month ago

It’s a rules-based morality. The rules say, punish those who get abortions. The rules don’t say, provide public assistance for health care.

There’s a massive disconnect between people with rules-based morality and people with outcome-based morality. I often see people arguing against abortion bans by saying that they don’t actually cut down on the number of abortions, they just make them more dangerous. Which is entirely missing the point.

They don’t want any particular outcome. They don’t want to save babies, nor do they want replacement slaves. They want the state to punish abortions. That’s the goal in and of itself, it’s not the means to an end.

I don’t endorse any of this. But I think it’s important to understand how people actually think. If you imagine your understanding of morality in someone with a completely different approach, and try to reverse engineer their thinking from their actions on that basis, you’ll end up with something completely wrong.

ProllyInfamous

a month ago

>There’s a massive disconnect between people with rules-based morality and people with outcome-based morality ... it’s important to understand how people actually think.

My most-sobering book read in 2025 was Tim Urban's What's Our Problem — it definitely helped me better understand my two lawyerbros — there is an inner gollum driving everybody, and we need to ascend towards higher thinking.

[•] <https://www.amazon.com/Whats-Our-Problem-Self-Help-Societies...>

Thanks for your perspective.

W0lfEagle

a month ago

Right? Pro-birth pro-guns.

vorpalhex

a month ago

Texas has robust laws against facial recognition (and biometrics in general), including winning a major lawsuit against Facebook. Texas also has pretty good privacy laws in general. Right now, flock cameras are still permitted - but there's been talk about cracking down on them. There are also a first set of restrictions on ALPRs - not as restrictive as I would like, but generally data can only be retained for people suspected of committing a crime.

If you are a Texas resident, you also have a right to request data deletion (or correction) from brokers or other sellers of data, and permanently opt out of personal data profiling for a wide swath of industries including insurance and finance purposes.

Texas is one of the best states for privacy laws, even though we can obviously do better. I'd still like to see a general prohibition on things like flock and more restrictions on ALPRs, but much better than most states.

Antwan

a month ago

Data brokers made in California can now wreck all the world but California.

nrhrjrjrjtntbt

a month ago

< Red Hot Chilli Peppers Song >

Yes only CA residents can use this.

weaksauce

a month ago

I wonder how well this will work without other the states not being in on it and what other unintended consequences this may bring. sounds like a good start though.

RiverCrochet

a month ago

If a data-collecting company doesn't do business in California, that tells me a lot.

ofalkaed

a month ago

One of the ways federal legislation gets passed is by state's passing their own laws, eventually industry gets fed up with having to comply with a dozen or more variations of the same law and starts harassing congress to take care of it.

Swizec

a month ago

> without other the states not being in on it

California represents 12% of USA population, 14% of US GDP. Effectively that means CA can throw its weight around and companies are forced to at least pretend to comply. Whether they actually comply depends on enforcement.

Now if Delaware were to adopt such a law for every company “headquartered” there …

userbinator

a month ago

what other unintended consequences this may bring.

A "right to rewrite history" that will distort reality for historians in the future.

How did HN become effectively pro-DRM?

user

a month ago

[deleted]

blobbers

a month ago

Went through all the rigamarole of texts and verifications and backup codes and was met with a:

This auth.cdt.ca.gov page can’t be found

-- blank page from Chrome.

Imagine that, a government website that's broken. Wait, and I just put in all my personally identifiable info. Grrrrrreat.

guessmyname

a month ago

hmm (thinking) infinite loop, eh?

  $ curl -i -A - 'https://consumer.drop.privacy.ca.gov/maintenance.html'
  HTTP/2 307
  content-type: text/html
  location: https://consumer.drop.privacy.ca.gov/coming-soon.html
  date: Thu, 01 Jan 2026 02:22:37 GMT
  […]

  $ curl -i -A - 'https://consumer.drop.privacy.ca.gov/coming-soon.html'
  HTTP/2 307
  content-type: text/html
  location: https://consumer.drop.privacy.ca.gov/maintenance.html
  date: Thu, 01 Jan 2026 02:22:46 GMT
  […]

petesergeant

a month ago

> one of four states (also Oregon, *Texas*, and Vermont) who require data broker registration.

This does feel like an area where there could be useful bipartisan agreement if packaged properly.

nineteen999

a month ago

Can only hope this spreads like wildfire throughout the world.

smurda

a month ago

When the CCPA launched in 2018 companies had to comply when a consumer requested a Data Subject Access Request (DSAR). Because the consumer had to request a DSAR not all companies felt this compliance pain acutely (e.g. it was mostly big companies with A LOT of users that got more DSARs, so they adopted workflows and tools to alleviate the pain).

The Delete Act has more teeth. Independent compliance audits begin in 2028 with penalties of $200 per day for failing to register or for each consumer deletion request that is not honored. GDPR spurred organizations to compliance, partly because of the steep penalty (up to €20 million or 4% of revenue, whichever is higher), maybe The Delete Act (and its much smaller penalty) will also spark organizations to comply.

metabagel

a month ago

Is Facebook a data broker? Reddit? Google?

Aurornis

a month ago

They define data broker as someone who collects and sells your data. Companies like Facebook and Google do not sell data they collect, contrary to what a lot of people assume.

The page refers to 500 data brokers, but I’d like to find the complete list they use.

weli

a month ago

Google does "sell" your data to other Alphabet companies except they call it "partnership" or "strategic sharing" and it should be completely illegal and be called data brokerage too. Same with Meta.

There is a reason the FTC and DOJ force this companies to break up, except they have hordes of lawyers and the law will always be catching up to reality so it doesn't do much in this day and age.

Aurornis

a month ago

> Google does "sell" your data to other Alphabet companies

That doesn't match the definition of data broker. It's also a huge stretch, as many companies have subsidiaries and different divisions that are separate legal structures.

amelius

a month ago

It would be unexpected if signing the form meant that your gmail is deleted and your facebook account is closed.

throwup238

a month ago

> 1798.99.80. (c) “Data broker” means a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship. [1]

If you want to be both obtuse and pedantic about it, the answer is yes to all three.

[1] https://legiscan.com/CA/text/SB362/id/2845350

sonu27

a month ago

Sounds similar to GDPR here in Europe.

oaiey

a month ago

They adopted gdpr some years ago. This goes further and creates infrastructure to delete records at scale.

I hope this is good and turns global. We need this, because consent banners do not work.

scsh

a month ago

The GDPR lets someone request deletion of their data and there are legal teeth to force a business to comply, but that's 1:1. Maybe I need to dig deeper, but this specifically applies to data brokers it seems. That's great and it being a one to many request is fantastic, but sounds like it may not apply to just anyone who has data on you like the GDPR...

petcat

a month ago

> They adopted gdpr some years ago.

The CCPA is far better than the GDPR. For one, they actually managed to make an effective privacy law that didn't have the knock-on effect of polluting the entire internet with pointless cookie banners. The EU is already making moves to scrap huge parts of their misguided privacy regulations and adopt rules more like what California did with the CCPA.

California lawmakers "adopted the GDPR" only insofar as they studied it to learn what not to do.

WickyNilliams

a month ago

FYI, it was the ePrivacy Directive that brought about the cookie banners, not GDPR

Dwedit

a month ago

Saw the domain "ca.gov" and mistook it for Canada. Then wondered why it started mentioning California a lot.

socalgal2

a month ago

Only tangentially releated but I thought the EU required that you can delete selective data. Example: Being able to delete a single email vs having to delete all emails.

And yet, Gemini does not seem to let me delete queries. This is unusual for Google who provides ways to delete pretty much all data on selective basis. Maybe I just can't find the option. Or maybe this option only exists if I'm in the EU

scsh

a month ago

The gist of the GDPR in that respect is it allows someone to request a record of what data a particular business has gathered about them as well as request deletion of that data. It also introduced a lot of restrictions around what can be done with a particular subject's data, like sharing with third parties.

nee1r

a month ago

glad the timelines are short and hope its user friendly

UpstairsEmpire

a month ago

This is the kind of thing the federal goverment would be doing if it gave a shit about its people.

iwontberude

a month ago

California is a real country, United States is a joke

Meneth

a month ago

I suppose that these records of personal data does not constitute "speech" in a First Amendment context?

sigwinch

a month ago

That’s right, and haven’t for a long time.

EGreg

a month ago

I don't know why this is downvoted, it's a great question.

1st Amendment: Congress shall make No Law

14th Amendment: Due process... incorporate the Bill of Rights against the states

I often wondered whether the next case after MacDonald vs Chicago and Heller would do the same for the 2nd amendment, i.e. wipe away the ability of cities to require gun licensing and registration.

diogenescynic

a month ago

It seems anti-free speech. If the same thing were done via physical media, would we still support this? I am definitely no fan of data brokers, but I also am no fan or suppressing speech. This seems like the equivalent of banning old phone books before the internet.

owisd

a month ago

The equivalent is that you could ask to be removed from the phone book.

diogenescynic

a month ago

I guess, but even that I don't think I'd support making that a legal requirement. If it's public data I have no problem with it being searchable on the internet. I know that's not always convenient but I think to do anything different starts to set bad legal precedents which will not be in favor of the public.