https://cppa.ca.gov/regulations/pdf/20260101_ccpa_statute.pd...
https://cppa.ca.gov/regulations/pdf/ccpa_statute_eff_2026010...
https://cppa.ca.gov/data_broker_registry/
https://cppa.ca.gov/announcements/
Here's hoping other states follow suit.
All the big tech companies, Google, Meta, Netflix, etc., make a huge amount of money by using ads to push things people don't need onto them, brainwashing people. This brainwashing is massively more effective with data-collection.
If tech companies didn't hoard and sell people's data, the brainwashing would be less profitable, Google would pay lower salaries, and the entire industry's salaries would go down as a result.
Salaries in the US might drop from ~$500k to $250k for an average software engineer. Would you be willing to take that sort of cut?
You could also "vote with your feet" and move to Europe where the GDPR protects everyone like you want, and your salary will drop to maybe $100k USD.
I’d like to see data on this. Obviously Oracle and Meta and companies that aggressively track you would be impacted, but how much would Google search be changed if it wasn’t personalized? Would there be a meaningful financial impact?
Also as far as I understand, data brokers tend to exclude Meta, Google, et al because they don’t sell their data they just use it internally. This could further entrench these players more.
Asking 300M people to leave the country and move to Europe instead of fixing problems here is just stupid and at best a shoddy attempt at victim blaming.
Do you have to keep submitting this every month as they recollect your info from databases in other states?
Seems great in concept but I am skeptical this will change much.
Data doesn't respect state lines.
I'm also skeptical it will have any real effect. The law requires them to process deletion requests at a 45 day interval:
> Data brokers are required to process deletion requests at least once every 45 days beginning August 1, 2026.
But what if Broker A (based in CA) has a contract with Broker B, who doesn't do business in CA, to sync data once a day. Now Broker A will have your data on 44 out of 45 days and still be fully compliant with the law. Furthermore, it's not difficult to figure out when that 45 day interval comes up, so I would expect customers to figure that out and time their purchases accordingly.
They could store a normalised, hashed version of your data and use it to filter any incoming datasets. But, of course, why would they?
Not unique to a person
> email address, phone number
Also often not unique to a person, although email addresses probably tend to have much longer lifespans as identifiers than phone numbers.
If the idea is to have a true opt-out system, it's really really difficult to implement given how these systems work.
If you look at the data provided by services like Accurint, you'll frequently see the same SSNs used for decades by multiple different individuals, often with IDs from different states with the same name and DoB despite obviously being different people. With how the system works in the US, it can often be impossible for anyone to determine which physical person the SSN was actually originally assigned to.
Same obviously applies to other identifiers you suggested, but even the seemingly good ones are not very good at uniquely identifying people.
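The normalised, hashed filter suggested above, and the non-uniqueness objection raised in reply, shown as an added example that is not part of any comment in this thread. The key, field names, US-only phone normalisation and all sample records are assumptions constructed for illustration.

```python
import hashlib
import hmac
import re

# Assumption: secret key held by the broker so stored tokens are not plain, guessable hashes.
KEY = b"constructed-demo-key"

def norm_email(value):
    return value.strip().lower()

def norm_phone(value):
    # Assumption: US numbers; keep the last 10 digits so "+1" prefixes compare equal.
    return re.sub(r"\D", "", value)[-10:]

NORMALIZERS = {"email": norm_email, "phone": norm_phone}

def tokens_for(record):
    """Keyed hashes of each normalised identifier present in the record."""
    out = set()
    for field, norm in NORMALIZERS.items():
        if record.get(field):
            msg = f"{field}:{norm(record[field])}".encode()
            out.add(hmac.new(KEY, msg, hashlib.sha256).hexdigest())
    return out

class SuppressionList:
    def __init__(self):
        self._tokens = set()  # only hashes are retained, never the raw identifiers

    def add_deletion_request(self, record):
        self._tokens |= tokens_for(record)

    def filter(self, incoming):
        kept, dropped = [], []
        for rec in incoming:
            (dropped if tokens_for(rec) & self._tokens else kept).append(rec)
        return kept, dropped

def demo():
    # Constructed sample data: one deletion request, then a re-purchased dataset.
    sl = SuppressionList()
    sl.add_deletion_request({"email": "Alice@Example.com", "phone": "+1 (415) 555-0100"})
    incoming = [
        {"id": "alice-reformatted", "email": " alice@example.COM ", "phone": "415.555.0100"},
        {"id": "bob", "email": "bob@example.org", "phone": "212-555-0199"},
        {"id": "carol-recycled-number", "email": "carol@example.net", "phone": "4155550100"},
        {"id": "alice-new-email", "email": "a.new@example.com"},
    ]
    kept, dropped = sl.filter(incoming)
    return [r["id"] for r in kept], [r["id"] for r in dropped]
```

The filter catches the reformatted record, but it also drops an unrelated person holding a recycled phone number and misses the requester under a new email address, which is the identifier problem the replies describe.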
It's not like brokers wait around for you to sign up for something new.
Old data is resold, merged with new data, mixed, stolen, discovered, reformatted... etc...
Your actions of course do have an impact, but does changing your behavior prevent the outcome of your data being collected?
Not even close.
Some of the brokers do offer an easy removal process and will handle your request right away, but then your record will reappear after some amount of time, obviously purchased from another broker.
I would not be surprised to discover that these individual brokers are, in fact, owned by the same entity and they merely exchange records periodically.
This is the reason that I choose to use Optery. They have the bandwidth and tools to chase my records on my behalf, for as long as I pay them.
If I ever stumble upon such an obvious oversight/loophole, I find it's best to not immediately stop, but to ask: "How do they intend to solve this?"
In this case, the first part of the terms of use solves your conundrum:
> By submitting a deletion request through DROP, you consent to disclosure of your personal information to data brokers for purposes of processing your deletion request pursuant to Civil Code section 1798.99.80 et seq. unless or until you cancel your deletion request. Additionally, you acknowledge that data brokers receiving your deletion request will delete any non-exempt "personal information," as defined in Civil Code section 1798.140(v), which pertains to you and was collected from third parties or from you in a non-"first party" capacity (i.e., through an interaction where you did not intend or expect to interact with the data broker).
Asking as a non-CA resident.
Even if your only activity was commenting in disagreement
Enforce?
Regardless, it’s a good step. I would also like to see long term liability for security breaches, including lifelong compensation for identity theft and stuff. And for it to be applied retroactively.
My phone number is on the national Do Not Call registry and that isn't stopping me from getting 1-2 calls a day from loan scam companies (and they are literally calling from a different phone number every time, so there's no real way to block them).
I'm seeing a problem here...
This is a very good example of the difference between a left policy and a liberal policy (actually neoliberal to be precise).
The left policy would have been to have some agency within the California government which ultimately does the verification... because why would you outsource that task to a 3rd party?
The neoliberal policy is "Well, we don't want to spend the time to set this up, so let's just pay 10 companies with some taxpayer money to do the job we really should do ourselves".
Unless you are just an anarchist, then I can't see how it's unreasonable for a government to know who it represents. That's why governments do censuses. Heck, that's needed just for the basic function of making sure you aren't voting in multiple districts.
- This needs teeth and they should inform you of what to do if you find out they ignored the request and what penalties they will receive. Tell people they can aid in the enforcement and I bet they will.
- I understand why the residency requirement is there but it just bums me out.
- The language is wrong. People are people, not 'consumers': "...In addition, the consumer must first have their residency verified as described in the Use of DROP section above..."
Could you create legal entities fast/cheap enough and delay compliance long enough so that any private data, requested for deletion, can be transferred from the old opted-out entity to the new one, over and over again?
This could render the entire opt-out approach useless, right? Because in order to reach your goal of deletion, you must get ahead of the transfer curve.
One of the best things I have done is sign up for DMAchoice and optoutprescreen.com which has completely stopped junk mail for me.