California Data Privacy & Data Broker Removal
California gives you more control over your personal data than any other state — including a free tool that deletes your information from every registered data broker in one request.
Your rights in California
California residents are protected by the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020.
- Right to Access & Know — Request a copy of the personal information a company holds about you.
- Right to Delete — Ask a company to delete your personal information.
- Right to Correct — Request corrections to inaccurate personal information.
- Right to Opt Out of Sale — Tell a company to stop selling your personal information.
- Right to Opt Out of Sharing — Stop companies from sharing your data for targeted advertising.
- Right to Limit Sensitive Data Use — Restrict how companies use your most sensitive data.
- Right to Data Portability — Get your data in a portable format you can take to another service.
- Right to Appeal — Opt out of significant decisions made about you by algorithm, and request human review.
- Non-Discrimination — Companies cannot penalize you for using your privacy rights.
Does this cover the company that has my data?
Only very large companies are covered by this law.
A company is covered if it meets any of these thresholds:
- Annual revenue of at least $25 million
- DROP live for consumers Jan 1, 2026; mandatory broker processing every 45 days from Aug 1, 2026; first independent audits Jan 1, 2028.
- SB 361 (2025) expanded broker disclosures.
- AB 45 reproductive-health-data law effective Jan 1, 2026.
- New CCPA regulations (risk assessments, cybersecurity audits, ADMT) operative Jan 1, 2026 and phased to 2030; ADMT opt-out from Jan 1, 2027.
- AB 566 'Opt Me Out Act' requires browser opt-out signals by Jan 1, 2027.
- Active CPPA data-broker enforcement.
How to remove yourself from data brokers in California
California gives you more tools than most states. Here is how to use them, ordered from strongest to most practical.
1. Use DROP — one request covers every registered broker
This is the single strongest tool available to any US consumer. California's DROP (Delete Request and Opt-out Platform) lets you submit one verified request that directs every registered data broker — roughly 500 companies — to delete your personal information. It is free, state-run, and went live January 1, 2026.
DROP only covers brokers registered in California and only works for California residents. Hundreds of brokers operate nationally without registering — that gap is where the remaining steps (and services like Delist) come in.
2. Enable Global Privacy Control
Global Privacy Control is a free browser setting that automatically tells every website you visit not to sell or share your data. It takes two minutes to enable and works silently in the background on every site. California law requires covered businesses to honor it — so this is not just a request, it carries legal weight.
3. Submit direct opt-out requests
For brokers not covered by the registry or GPC, you can submit requests directly. Look for the "Do Not Sell My Personal Information" link in each company's website footer — most major brokers have one. You can also submit formal access, deletion, or correction requests through each company's privacy policy page.
Under California's law, covered companies must respond within the statutory deadline. If they don't, you have grounds to file a complaint with the California Privacy Protection Agency + Attorney General.
4. Automate ongoing removal
Here is the part nobody tells you: even after you complete every step above, brokers re-ingest your information from public records, data-sharing networks, and commercial databases. Within a few months, your profiles reappear. Staying removed from hundreds of brokers is not a one-time task — it is an ongoing commitment that most people cannot maintain manually.
Delist finds your exposed data and files removals on your behalf — then monitors so it stays down. Start with a free scan to see where your information is exposed.
Run a free scan →California's data broker law: what it means for you
California has the strongest data-broker law in the country. The Delete Act (SB 362, 2023) requires every data broker to register with the state, and gives consumers a free one-request deletion tool (DROP) that covers all of them.
Here is what the law actually requires:
- Annual registration is due by January 31 each year; the 2026 registration fee is $6,000 plus any payment-processing fee, confirmed against two official sources (cppa.ca.gov/data_brokers/ and privacy.ca.gov) as of 2026-06-21; an earlier $6,600 figure circulated in secondary sources but the CPPA set the 2026 fee at $6,000.
- Public registry: https://cppa.ca.gov/data_brokers/ (approximately 500–545 brokers registered as of early 2026).
- Penalties: $200 per day for failure to register by the January 31 deadline (in effect since the 2024 registration period), plus CalPrivacy's investigation costs.
- The CPPA stood up a dedicated Data Broker Enforcement effort and has issued penalties (e.g., a $55,400 settlement with Accurate Append, Inc. announced July 29, 2025; a maximum $46,000 penalty sought against Jerico Pictures/National Public Data in Feb. 2025 for registering 230 days late).
Other privacy protections in California
Beyond the comprehensive privacy law, California has additional protections that may apply to you:
- Safe at Home address-confidentiality program for survivors of domestic violence, stalking, sexual assault, and reproductive-health/elected-official threats (administered by the CA Secretary of State).
- AB 45 (2025, effective Jan 1, 2026) restricts collection/use of personal data near family-planning/reproductive-health facilities and bans certain geofencing.
- Strong minors' provisions — opt-in required to sell/share the personal information of consumers under 16 (and parental consent for under 13).
- The Confidentiality of Medical Information Act (CMIA) protects medical information.
- No standalone judicial 'Daniel's-Law' statute, though the federal Daniel Anderl Act protects federal judges nationwide.
- Biometric data — No standalone biometric statute with a private right of action — biometric information is treated as 'sensitive personal information' under the CCPA/CPRA and enforced by the CPPA/AG (contrast Illinois BIPA, which has a private right of action).
How to file a privacy complaint in California
California Privacy Protection Agency — https://cppa.ca.gov/ (consumer complaint portal); California Attorney General — https://oag.ca.gov/privacy/ccpa
Most state agencies enforce privacy laws in the aggregate — they investigate patterns of violations rather than resolving individual disputes. Filing a complaint still matters: it creates a record that helps trigger enforcement actions.
Frequently asked questions
Does California have a data privacy law?
Can I sue a company for violating my privacy in California?
How do I opt out of data brokers in California?
Does California require websites to honor Global Privacy Control?
Is there a data broker registry in California?
What is DROP and how do I use it?
Sources
This page is privacy-rights information, not legal advice. Privacy law changes frequently; verify current rules with your state privacy agency or a licensed attorney before acting. Last verified 2026-06-22. We re-check state privacy laws quarterly.