California gives residents control of their personal data

california-bear-data-broker-files — Image by Cybernews

Californians can now request that data brokers delete their personal information as a part of the Delete Act.

Residents of California can now request that their data be deleted from the records of data brokers.

The new regulations, effective from January 1st, 2026, allow California residents to delete their data using CalPrivacy’s new Delete Request and Opt-out Platform (DROP).

DROP is a platform where residents can submit deletion requests that are sent to current and future data brokers registered in California.

However, a resident’s data isn’t automatically deleted upon request.

grey file cabinet, pilk, green ad red notes on wall behind, grey wood floor — Image by Cybernews.

The bill, passed in October last year, requires data brokers to begin processing requests starting August 1st, 2026, and requires the broker to delete information at least once every 45 days, according to the California Legislative Information website.

However, starting from August 1st, data brokers must delete users' data within 90 days, according to the DROP website.

Businesses are allowed to keep hold of Californians’ first-party data, which is data collected through direct interactions with the company’s websites or apps. This could be purchase history, clicks, or emails.

Although companies are required to delete data “non-first party data” which is characterized by DROP as data collected “through an interaction where you did not intend or expect to interact with the data broker.”

Data collected by brokers that can be deleted includes Social Security numbers, browsing history, email addresses, and phone numbers.

This information is highly sensitive and, if exposed, could be leveraged by malicious actors to commit identity theft and fraud.

Requesting that data brokers delete residents’ personal information could reduce spam and scam calls as they’ll “have less unwanted texts, calls, or emails,” the agency said.

Furthermore, CalPrivacy claims that this will only enhance security, as there will be a decreased “risk of identity theft, fraud, and AI impersonations” alongside reducing the impact of fraud when data is leaked or hacked.

An unidentified hacker with British flag on the background — Image by Cybernews.

Data brokers must register with the US government agency CalPrivacy, following each year in which their business meets the definition of data broker,” the CalPrivacy website reads.

Those brokers who fail to register by January 31st, 2026, may incur administrative fines and may be investigated by the privacy agency.

Data brokers who don’t register or fail to delete data within the allotted time frame could face a penalty of $200 per day plus other costs.

money umbrella with keyboard keys raining, red background

The dangers of data brokers

Data brokers are companies that scrape personal information from all parts of the web, which they then sell on to other companies for profit.

In an interview with Cybernews, CEO and co-founder of DeleteMe, Rob Shavell, said that data brokers don’t discriminate when it comes to selling your data.

These companies can sell your information to anyone who wants it, whether that’s an advertising company trying to peddle you products or an angry ex-partner who wants to create a digital profile to exploit you.

The problem with data brokers is that they’re in it for the profit, so protecting your personal information from bad actors isn’t their top priority.

For example, data brokers could sell data to specific political parties to target voters, a practice allegedly observed in countries such as Russia, North Korea, and China.

While there are strict rules in areas like the UK and the European Union, the US is still massively unregulated when it comes to data brokers selling users’ data.

That’s until California enforced the Delete Act, which demonstrates a shift in attitude towards data brokers in the US.