Data brokers have a file on you. California is making them delete it.

Companies you've never dealt with sell lists of who's pregnant, who has Alzheimer's, and who might fall for a scam. Starting August 1, Californians can make them delete it. There are steps for the rest of us, too.

Share
A human figure formed from thousands of scattered red line fragments against a pale blue sky

There's an industry that knows your name, your address, your phone number, and a guess at your income and your health. You've never bought anything from it. You've never signed up for anything it runs. On August 1, it has to start answering to a delete button.

These companies are called data brokers. A data broker collects information about people it has no relationship with, then sells it. Google and Facebook are not considered data brokers; you use them, and that's a different conversation. Data brokers are the companies you've never heard of: Acxiom, Epsilon, LexisNexis, and the people-search sites that hand your home address to anyone who types your name. Market researchers estimate the industry at around $300 billion a year worldwide. Most of us couldn't name three of the companies in it.

The product

Your name and address are the cheap part. They're on a thousand lists already and cost almost nothing to re-collect. The money is in the conclusions brokers draw from the raw facts, or what the industry calls inferences. Some of those inferences include whether you're pregnant, behind on bills, or the kind of person who answers a sweepstakes letter.

This sounds like an exaggeration until you read the government's own reports. The FTC studied nine brokers and found one holding 3,000 separate data points on nearly every consumer in America. A Senate report found brokers selling marketing lists with names like "Rural and Barely Making It." And this January, California fined a Texas broker that had been reselling lists of people with Alzheimer's, substance-abuse problems, and bladder incontinence.

When it goes wrong

In 2021 the Department of Justice fined Epsilon, one of the biggest marketing brokers in the country, $150 million. Its salespeople had spent years selling consumer lists to mail-fraud operations that target the elderly. More than 30 million people landed on lists sold to scammers. The industry calls those "sucker lists," and they're built from the same data that fills your mailbox with catalogs.

That same year, a Catholic priest was identified through location data from the dating app Grindr, bought from a data broker. He resigned within days. Nobody hacked anything. The data was for sale.

And then there's what happens when a broker gets breached. National Public Data was a Florida background-check broker almost nobody had heard of. That is, right up until 2024, when its database showed up for sale online. Social Security numbers and addresses for roughly 270 million people. It later leaked outright, free for anyone to download. The company went bankrupt with less than $75,000 in assets. The data outlived the company.

What California built

California passed the Delete Act in 2023, and the delete button it ordered is now live. It's called DROP, the Delete Request and Opt-out Platform, and it sits at privacy.ca.gov. A California resident files one request, free, and every data broker registered with the state (more than 580 of them now) has to check that list, find you, and delete what it holds. Including the inferences. And they can't do it once and move on: brokers have to re-check the list every 45 days and delete whatever they've re-collected, indefinitely. Ignoring a request costs $200 per person per day. More than 242,000 Californians are already queued up.

The dome of the California State Capitol with the United States and California flags flying
The Delete Act passed in Sacramento in 2023. The delete button went live this January.

Residents have been able to file since January 1. August 1 is the day brokers are required to start acting.

There are exemptions, and most are reasonable. A broker can keep data it needs to prevent fraud, meet a legal requirement, or finish something you asked it to do. Your credit file at the bureaus lives under separate federal rules entirely, which is one reason a credit freeze still makes the list below.

What it can't do

I'll make the skeptic's case, because it's fair. DROP only reaches brokers that registered with the state, and researchers comparing state registries believe plenty never have. A broker that never registered never sees your request. Matching is strict, too: a broker deletes you when your submitted details line up with its records exactly. So a thin profile gets a thin deletion. And the law's definition has a hole in it: a company with a direct relationship to you isn't a "data broker" at all. Google, Meta, the loyalty program at your grocery store, all outside this law.

So no, it isn't a vanishing act. What sold me on the design anyway is the 45-day cycle. Older privacy laws let a broker delete your file on Tuesday and rebuild it from fresh sources by Christmas. This one turns deletion into a subscription the broker can't cancel. Whether it gets enforced is an open question, and the early signs look good. California has already brought at least nine enforcement actions against brokers just for failing to register. The bigger fines start after August 1.

If you live in California

File now, before August 1, so you're in the queue the day brokers have to start processing. It's free at privacy.ca.gov, takes a few minutes, and you can check your request's status on the same site. You choose how much identifying information to give. More identifiers means more matches, and more matches means more deletion. You can also file on behalf of a family member who lives in California. If your parents are the ones getting the sweepstakes mail, that might be the most useful ten minutes of your month.

For the rest of us

No other state has a delete button yet. Connecticut just passed one that starts in 2027, and more statehouses will copy it. In the meantime, a few steps you can take, in order of payoff for the effort:

  • Turn on Global Privacy Control. It's a browser setting that tells every site you visit not to sell your data, and twelve states (Oregon and Texas included) legally require businesses to honor it. It's built into Firefox, Brave, and DuckDuckGo, and a free extension adds it to Chrome. Five minutes, once. It pairs well with the rest of our browser privacy checkup.
  • Opt out of prescreened credit offers. OptOutPrescreen.com is run by the credit bureaus themselves. It shuts off the preapproved-card mail at the source for five years, or permanently if you mail in the form. Free.
  • Freeze your credit. A freeze is damage control rather than removal: stolen data gets much harder to use when nobody can open an account in your name. Free at all three bureaus, and we have a full walkthrough.
  • If you'll pay for removal, pay small. Consumer Reports tested the paid removal services, and the results were humbling. Doing the opt-outs yourself beat every service they tested. The best performers, Optery and EasyOptOuts, cleared about two thirds of the profiles they went after within four months, and EasyOptOuts runs about $20 a year. Services charging ten times that did worse. Some did far worse.
  • Put it on the calendar. Whatever you remove comes back as brokers buy fresh data. DeleteMe's own CEO says about 42 percent of customer information reappears within six months. Re-run your opt-outs a couple of times a year, the way you'd change smoke-detector batteries.

Think maintenance, not purge

The brokers will keep collecting, because collecting is the business. What changed is that one state can now make almost 600 of them un-collect, every 45 days, under penalty. If it works, your state will hopefully copy it. If you're in California, a few minutes this week puts you in the first wave. Everywhere else, GPC, the prescreen opt-out, and a credit freeze cost nothing. The industry will keep guessing about you either way. Make it guess with less.

Sources:

[ Free guide, free Tuesday email ]
Tech news without having to be tech savvy.
Subscribe ×