alt.hn

1/1/2026 at 12:02:14 AM

The Delete Act

 https://privacy.ca.gov/drop/about-drop-and-the-delete-act/

by weaksauce

1/1/2026 at 1:09:59 AM

Maybe there should be some kind of annual ISO privacy certification for companies that resell any customer data in any form. Then make data customers (e.g. marketing agencies, major retailers) and data collectors (e.g. those that collect telemetry data from libraries included in their app, auto manufacturers, wireless providers) civilly liable for any privacy violations dealing with uncertified brokers, making sure there’s an uncapped modifier based on the company’s annual revenue. That seems like it puts the bulk of the compliance responsibility on the parties that can do the most wide-scale damage with unethical and dodgy practices, while leaving some out there for others that need incentive to not ignore the rules.

Haven’t really thought this through and I’m not a policy wonk… just spitballin’.

by DrewADesign

1/1/2026 at 1:48:14 AM

Bonding and/or insurance.

Make this cost and practices will change.

by dredmorbius

1/1/2026 at 2:19:47 AM

Yeah good call.

by DrewADesign

1/1/2026 at 3:20:19 PM

I would hope for something stronger. Put a currency value on some kinds of info. To store my SSN and full name and military ID totals 20 units. Maybe a full name and home address is 15 units. If I agree to give you my info, you agree that I can keep the CEOs home address, stored as safely and hygienically as I can. Part of our contract mandates when we mutually delete. Because of course we trust each other.

by sigwinch

1/2/2026 at 2:21:42 AM

Sure, but that will never happen, and we shouldn't let perfect be the enemy of good.

by DrewADesign

1/1/2026 at 1:42:49 AM

> Maybe there should be some kind of annual ISO privacy certification for companies that resell any customer data in any form

Why is this better than requiring deletion?

by JumpCrisscross

1/1/2026 at 1:49:53 AM

For starters, it provides protection and accountability for those who don't have the prior presence of mind to demand deletion.

An act which mandated deletion in all cases for data once business needs are addressed (often 30--90 days for much data), might address your question. But the Delete Act isn't that.

by dredmorbius

1/1/2026 at 1:55:47 AM

> it provides protection and accountability for those who don't have the prior presence of mind to demand deletion

Perhaps. I just see another compliance-industrial tax on consumers backed up by a nonsense checklist.

> act which mandated deletion in all cases for data once business needs are addressed (often 30--90 days for much data), might address your question

Or opt out by default.

Perhaps California should give counties the power to do that. Then we can watch the experiment for unintended consequences.

by JumpCrisscross

1/1/2026 at 2:19:20 AM

I work in a specialty in an industry that requires a fairly stringent annual ISO certification. Even preparing for the audit it is a completely worthwhile exercise in seeing things that maybe got swept under the rug or left by the wayside. Customers having clearly defined criteria to prove in court or even business negotiations, that our lapse was negligent or in bad faith keeps us from straying too far to begin with. Our having clear criteria to show that we followed industry guidelines shuts down customers trying to accuse us of something in bad faith, or even trying to make a mountain out of a molehill to get leverage in a contract negotiation or something.

I’ll bet most of it depends on how good the certification is. My bosses think it’s annoying, and sure not 100% of the requirements make a difference for us, but most do, and from my vantage point, I can see how much of a difference it makes.

by DrewADesign

1/1/2026 at 5:51:40 AM

This is a family-run business with about 20 employees BTW. Not some red tape behemoth.

by DrewADesign

1/1/2026 at 12:52:37 AM

Excited to see this! Because completing the CCPA "delete my data" process for 300+ data brokers just isn't feasible.

Though I wonder what the second order effects of this might be. Imagine a service that vets tenants for landlords. If I've had all my data deleted, might I start failing background checks because the sketchy data brokers have no records of me? I fear a future where the complete absence of my data leads to bad side effects.

by varenc

1/1/2026 at 1:00:36 AM

It's the same as credit checks, I know people who no credit (because they don't own a credit card) get denied housing for rent.

by satvikpendem

1/1/2026 at 1:02:37 AM

Not all data brokers are sketchy, some are very good. Data brokers help assess who is creditworthy and lowers rates for more trustworthy people, and allow the creation of more specialty lending products.

by arpinum

1/1/2026 at 1:15:04 AM

The big US credit score trio, Transunion, Equifax and Experian, have all had multiple, massive data leaks. This is not very good at all.

by dafelst

1/1/2026 at 1:18:31 AM

and for the ones you know about, there's more you don't.

cough un-ecrypted experian backups getting stolen from a UPS truck at gun-point and nothing else stolen cough

by flutas

1/1/2026 at 1:41:53 AM

Credit checks, and the 3 big companies that do it, are already pretty regulated. I don't think they're counted as data brokers that'll have to comply with Delete Act. Can anyone confirm?

by varenc

1/1/2026 at 4:05:02 AM

update: Looked it up and this seems right. The credit bureaus have specific exemptions in the Delete Act, specifically because they're already covered by the "Fair Credit Reporting Act". But it does apply to adjacent "people search" features from the same credit bureaus.

Also you can't delete your own credit history data unless it's proved inaccurate. Though you can't delete freeze it.

by varenc

1/1/2026 at 1:09:17 AM

Are Experian, Transunion and Equifax included in the one-click deletion?

by breadwinner

1/1/2026 at 4:05:28 AM

They don't let you delete credit history data unless it's incorrect. But you can freeze it.

by varenc

1/1/2026 at 1:11:42 AM

Well they should have found a more transparent way to run their business, so they are still sketchy to me.

by amelius

1/1/2026 at 8:18:53 PM

> Before submitting a deletion request, you will be required to verify you are a California “resident,” as defined in section 17014 of Title 18 of the California Code of Regulations as that section read on September 1, 2017. Verification is made with assistance from state contracted third-party vendors, including Socure and Login.gov, through the California Identity Gateway.

-- https://consumer.drop.privacy.ca.gov/

by cormorant

1/2/2026 at 4:38:15 AM

Went through all the rigamarole of texts and verifications and backup codes and was met with a:

This auth.cdt.ca.gov page can’t be found

-- blank page from Chrome.

Imagine that, a government website that's broken. Wait, and I just put in all my personally identifiable info. Grrrrrreat.

by blobbers

1/1/2026 at 6:37:59 AM

Does this apply to political lists too? I know political calls/text are excluded from Do Not Call and hence I get a crap ton of political spam texts (most recently from "Adam Miller for Congress OH-15", despite never living in Ohio). I'd really, really like to remove myself from all these political lists.

by wdr1

1/1/2026 at 3:16:53 PM

I've had that, though it was from a different state. Also recently started getting texts from some MAGA related organization, though I'm about as far from MAGA as it's possible to be. How does my number get on these lists, anyway?

by amanaplanacanal

1/2/2026 at 3:21:59 AM

Typically pure spam not even from MAGA phishing cc info from the most gullible. Replying STOP usually does the trick.

I think of it as the side effect of first amendment protections that people do not report it for what it is.

by LexGray

1/1/2026 at 12:28:27 AM

There’s a link to submit a DROP request at the bottom of the page. Is this live? I want to sign up.

Unfortunately following the link results in an infinite redirect.

by WD-42

1/1/2026 at 12:49:57 AM

Per the timeline, the DROP service is supposed to be live by August 1, 2026.

by varenc

1/1/2026 at 9:12:32 PM

You can submit your request now. They aren't processing requests until August.

by temp0826

1/1/2026 at 3:59:26 AM

This is a great first step, but I’m actually interested in

1. Getting a list of everyone that bought my records from data brokers 2. Reverse record linking to know who joined me, when, where, and how

Just deleting myself from 500 of these databases is a good start that’s decades over due.

Time to flip the scripts.

by tylerchilds

1/1/2026 at 11:41:21 AM

Word

by hackable_sand

1/1/2026 at 12:52:21 AM

Sounds an awful like The Right to be Forgotten under GPDR Article 17

by firesteelrain

1/1/2026 at 12:56:28 AM

Absolutely. What sound pretty cool, and different, here is CalPrivacy would be required to build a request mechanism that's one request sent to every data broker.

by scsh

1/1/2026 at 12:59:40 AM

Dare I ask, what happens to data brokers that don't care about Californian laws? Must be many such instances operating from outside the USA?

by mikestorrent

1/1/2026 at 1:04:33 AM

They open themselves up to a lot of risk, but more likely they only comply when CA residents are concerned or stop collecting for CA residents. Good question about outside the USA. Makes me wonder if there may end up being some sort of data broker safe havens setup, like we've seen with banking.

by scsh

1/1/2026 at 1:09:58 AM

California will take them to court and/or block them from doing business in the state, have various ways to penalize them, etc. California is big enough that many will want to play game with them and having a state as powerful as California on board will get other states to jump on board and pass their own legislation and take up the same tactics with non-complying companies. Once it gets enough traction at the state level, the fed will step in because this will affect interstate commerce and that is federal jurisdiction. This is how state sovereignty works, it is not that states can do as they please, they can only do it up until the point it affects other states or crosses the line with federal law.

by ofalkaed

1/1/2026 at 1:43:46 AM

> Sounds an awful like The Right to be Forgotten under GPDR Article 17

Does DROP let you censor search records?

I’d encourage anyone in Europe to compare California’s CCPA to the EU’s GDPR. It was inspired by the latter, and fixes a lot of its problem. (The Swiss referendum system was based on learning from and improving on California’s.)

by JumpCrisscross

1/1/2026 at 1:13:33 AM

More like The Right to Rewrite History

by userbinator

1/1/2026 at 1:10:19 AM

According to that page Texas also requires data brokers to register. As a Texan it seems unlikely that they do this to protect consumers. It feels more like they want to know who their market is as they surveil their citizens and rake in as much moola as possible. Identifying which broker will pay the highest premiums for real-time information about Texans' travel from license plate and traffic cameras, which businesses they visit, etc will allow them to get sweet kickbacks from the industry lobbyists who can openly pass around envelopes of cash on the floor of the legislature.

by doodlebugging

1/1/2026 at 2:23:38 AM

>information about Texans' travel from license plate and traffic cameras, which businesses they visit

Texas is already doing this to track women seeking out-of-state healthcare. Whatever "side" you're on (for that argument): THIS. IS. WRONG.

In addition to ditching your cell phone, consider ditching Texas, too (as a Native™, I did so almost a decade ago). Still toying with the idea of expatriation, but honestly I feel too old for that, now =P

----

We seem to have a lot in common, fellow retired Xeon user. My PO Box is in my profile.

by ProllyInfamous

1/1/2026 at 2:51:40 AM

I’m pretty sure the “abortion is murder” side will not consider it wrong to track women who travel out of state to, as they see it, murder a baby.

by wat10000

1/1/2026 at 7:16:21 AM

I just wish this pro-birth crowd were actually pro-life (e.g. child care, health care, education).

It seems mostly all they actually want is replacement slaves, chattel.

by ProllyInfamous

1/1/2026 at 3:21:52 PM

Recently saw a video of some pro-life preacher explaining that he would not donate baby formula for a young mother that he saw as "whoring around". If the hell that he professes to believe in is real, he's definitely going there.

by amanaplanacanal

1/1/2026 at 6:01:40 PM

Forever and ever, amen...

I believe it was that same "baby formula survey" that showed the non-christian facilities had a higher chance of donating formula.

Hell is real — it's here on earth — and we create it best for ourselves.

by ProllyInfamous

1/1/2026 at 8:08:45 AM

Right? Pro-birth pro-guns.

by W0lfEagle

1/1/2026 at 4:01:08 PM

It’s a rules-based morality. The rules say, punish those who get abortions. The rules don’t say, provide public assistance for health care.

There’s a massive disconnect between people with rules-based morality and people with outcome-based morality. I often see people arguing against abortion bans by saying that they don’t actually cut down on the number of abortions, they just make them more dangerous. Which is entirely missing the point.

They don’t want any particular outcome. They don’t want to save babies, nor do they want replacement slaves. They want the state to punish abortions. That’s the goal in and of itself, it’s not the means to an end.

I don’t endorse any of this. But I think it’s important to understand how people actually think. If you imagine your understanding of morality in someone with a completely different approach, and try to reverse engineer their thinking from their actions on that basis, you’ll end up with something completely wrong.

by wat10000

1/1/2026 at 6:04:55 PM

>There’s a massive disconnect between people with rules-based morality and people with outcome-based morality ... it’s important to understand how people actually think.

My most-sobering book read in 2025 was Tim Urban's What's Our Problem — it definitely helped me better understand my two lawyerbros — there is an inner gollum driving everybody, and we need to ascend towards higher thinking.

[•] <https://www.amazon.com/Whats-Our-Problem-Self-Help-Societies...>

Thanks for your perspective.

by ProllyInfamous

1/1/2026 at 3:21:33 AM

Texas has robust laws against facial recognition (and biometrics in general), including winning a major lawsuit against Facebook. Texas also has pretty good privacy laws in general. Right now, flock cameras are still permitted - but there's been talk about cracking down on them. There are also a first set of restrictions on ALPRs - not as restrictive as I would like, but generally data can only be retained for people suspected of committing a crime.

If you are a Texas resident, you also have a right to request data deletion (or correction) from brokers or other sellers of data, and permanently opt out of personal data profiling for a wide swath of industries including insurance and finance purposes.

Texas is one of the best states for privacy laws, even though we can obviously do better. I'd still like to see a general prohibition on things like flock and more restrictions on ALPRs, but much better than most states.

by vorpalhex

1/1/2026 at 1:07:09 AM

Data brokers made in California can now wreck all the world but California.

by Antwan

1/1/2026 at 1:42:05 AM

< Red Hot Chilli Peppers Song >

Yes only CA residents can use this.

by nrhrjrjrjtntbt

1/1/2026 at 12:03:30 AM

I wonder how well this will work without other the states not being in on it and what other unintended consequences this may bring. sounds like a good start though.

by weaksauce

1/1/2026 at 12:08:08 AM

If a data-collecting company doesn't do business in California, that tells me a lot.

by RiverCrochet

1/1/2026 at 12:36:37 AM

One of the ways federal legislation gets passed is by state's passing their own laws, eventually industry gets fed up with having to comply with a dozen or more variations of the same law and starts harassing congress to take care of it.

by ofalkaed

1/1/2026 at 1:03:37 AM

> without other the states not being in on it

California represents 12% of USA population, 14% of US GDP. Effectively that means CA can throw its weight around and companies are forced to at least pretend to comply. Whether they actually comply depends on enforcement.

Now if Delaware were to adopt such a law for every company “headquartered” there …

by Swizec

1/1/2026 at 12:46:59 AM

what other unintended consequences this may bring.

A "right to rewrite history" that will distort reality for historians in the future.

How did HN become effectively pro-DRM?

by userbinator

1/1/2026 at 3:25:06 PM

How do you see that working?

by amanaplanacanal

1/1/2026 at 2:24:09 AM

hmm (thinking) infinite loop, eh?

  $ curl -i -A - 'https://consumer.drop.privacy.ca.gov/maintenance.html'
  HTTP/2 307
  content-type: text/html
  location: https://consumer.drop.privacy.ca.gov/coming-soon.html
  date: Thu, 01 Jan 2026 02:22:37 GMT
  […]

  $ curl -i -A - 'https://consumer.drop.privacy.ca.gov/coming-soon.html'
  HTTP/2 307
  content-type: text/html
  location: https://consumer.drop.privacy.ca.gov/maintenance.html
  date: Thu, 01 Jan 2026 02:22:46 GMT
  […]

by guessmyname

1/1/2026 at 1:04:42 AM

Can only hope this spreads like wildfire throughout the world.

by nineteen999

1/1/2026 at 1:03:33 AM

When the CCPA launched in 2018 companies had to comply when a consumer requested a Data Subject Access Request (DSAR). Because the consumer had to request a DSAR not all companies felt this compliance pain acutely (e.g. it was mostly big companies with A LOT of users that got more DSARs, so they adopted workflows and tools to alleviate the pain).

The Delete Act has more teeth. Independent compliance audits begin in 2028 with penalties of $200 per day for failing to register or for each consumer deletion request that is not honored. GDPR spurred organizations to compliance, partly because of the steep penalty (up to €20 million or 4% of revenue, whichever is higher), maybe The Delete Act (and its much smaller penalty) will also spark organizations to comply.

by smurda

1/1/2026 at 6:38:58 AM

Saw the domain "ca.gov" and mistook it for Canada. Then wondered why it started mentioning California a lot.

by Dwedit

1/1/2026 at 12:53:13 AM

Is Facebook a data broker? Reddit? Google?

by metabagel

1/1/2026 at 12:59:08 AM

They define data broker as someone who collects and sells your data. Companies like Facebook and Google do not sell data they collect, contrary to what a lot of people assume.

The page refers to 500 data brokers, but I’d like to find the complete list they use.

by Aurornis

1/1/2026 at 1:06:18 AM

Google does "sell" your data to other Alphabet companies except they call it "partnership" or "strategic sharing" and it should be completely illegal and be called data brokerage too. Same with Meta.

There is a reason the FTC and DOJ force this companies to break up, except they have hordes of lawyers and the law will always be catching up to reality so it doesn't do much in this day and age.

by weli

1/1/2026 at 2:00:04 AM

> Google does "sell" your data to other Alphabet companies

That doesn't match the definition of data broker. It's also a huge stretch, as many companies have subsidiaries and different divisions that are separate legal structures.

by Aurornis

1/1/2026 at 1:14:46 AM

It would be unexpected if signing the form meant that your gmail is deleted and your facebook account is closed.

by amelius

1/1/2026 at 12:59:09 AM

> 1798.99.80. (c) “Data broker” means a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship. [1]

If you want to be both obtuse and pedantic about it, the answer is yes to all three.

[1] https://legiscan.com/CA/text/SB362/id/2845350

by throwup238

1/1/2026 at 12:28:13 AM

Sounds similar to GDPR here in Europe.

by sonu27

1/1/2026 at 12:30:56 AM

They adopted gdpr some years ago. This goes further and creates infrastructure to delete records at scale.

I hope this is good and turns global. We need this, because consent banners do not work.

by oaiey

1/1/2026 at 12:49:05 AM

The GDPR lets someone request deletion of their data and there are legal teeth to force a business to comply, but that's 1:1. Maybe I need to dig deeper, but this specifically applies to data brokers it seems. That's great and it being a one to many request is fantastic, but sounds like it may not apply to just anyone who has data on you like the GDPR...

by scsh

1/1/2026 at 12:54:17 AM

> They adopted gdpr some years ago.

The CCPA is far better than the GDPR. For one, they actually managed to make an effective privacy law that didn't have the knock-on effect of polluting the entire internet with pointless cookie banners. The EU is already making moves to scrap huge parts of their misguided privacy regulations and adopt rules more like what California did with the CCPA.

California lawmakers "adopted the GDPR" only insofar as they studied it to learn what not to do.

by petcat

1/1/2026 at 12:01:45 PM

FYI, it was the ePrivacy Directive that brought about the cookie banners, not GDPR

by WickyNilliams

1/1/2026 at 12:35:59 AM

Only tangentially releated but I thought the EU required that you can delete selective data. Example: Being able to delete a single email vs having to delete all emails.

And yet, Gemini does not seem to let me delete queries. This is unusual for Google who provides ways to delete pretty much all data on selective basis. Maybe I just can't find the option. Or maybe this option only exists if I'm in the EU

by socalgal2

1/1/2026 at 12:43:42 AM

The gist of the GDPR in that respect is it allows someone to request a record of what data a particular business has gathered about them as well as request deletion of that data. It also introduced a lot of restrictions around what can be done with a particular subject's data, like sharing with third parties.

by scsh

1/1/2026 at 1:51:51 AM

glad the timelines are short and hope its user friendly

by nee1r

1/1/2026 at 1:50:29 AM

> one of four states (also Oregon, *Texas*, and Vermont) who require data broker registration.

This does feel like an area where there could be useful bipartisan agreement if packaged properly.

by petesergeant

1/1/2026 at 12:55:31 AM

[flagged]

by UpstairsEmpire

1/1/2026 at 1:24:07 AM

California is a real country, United States is a joke

by iwontberude

1/1/2026 at 4:52:51 AM

It seems anti-free speech. If the same thing were done via physical media, would we still support this? I am definitely no fan of data brokers, but I also am no fan or suppressing speech. This seems like the equivalent of banning old phone books before the internet.

by diogenescynic

1/1/2026 at 8:06:20 AM

The equivalent is that you could ask to be removed from the phone book.

by owisd

1/1/2026 at 9:56:54 PM

I guess, but even that I don't think I'd support making that a legal requirement. If it's public data I have no problem with it being searchable on the internet. I know that's not always convenient but I think to do anything different starts to set bad legal precedents which will not be in favor of the public.

by diogenescynic

1/1/2026 at 12:54:54 AM

This is the kind of thing the federal goverment would be doing if it gave a shit about its people.

by UpstairsEmpire

1/1/2026 at 1:06:15 AM

I suppose that these records of personal data does not constitute "speech" in a First Amendment context?

by Meneth

1/1/2026 at 3:09:15 PM

That’s right, and haven’t for a long time.

by sigwinch

1/1/2026 at 1:24:30 AM

I don't know why this is downvoted, it's a great question.

1st Amendment: Congress shall make No Law

14th Amendment: Due process... incorporate the Bill of Rights against the states

I often wondered whether the next case after MacDonald vs Chicago and Heller would do the same for the 2nd amendment, i.e. wipe away the ability of cities to require gun licensing and registration.

by EGreg