Getting your
Trinity Audioplayer ready...More than 300,000 Californians have demanded that hundreds of data brokers erase information about their locations, finances, health and personal lives as the state’s first-in-the-nation Delete Act requires brokers to start the mandatory process of removing data on Aug. 1.
Brokers must start accessing deletion requests within 45 days after Aug. 1, then once they have collected those requests, they have another 45 days to report what data they have purged to the agency — known as CalPrivacy — and people who have signed up.
Californians who sign up by Aug. 1 will see their data purged in the first round of deletions, and should start seeing results by late October, the agency said.
The law, and the Delete Request and Opt-out Platform, or DROP, run by CalPrivacy, allow state residents to have their data removed, via a one-time request, by hundreds of data brokers. Making the request also requires the brokers to purge, and not sell, any of a person’s data it collects in the future.
The information Californians are asking brokers to erase can be extraordinarily sensitive. Of the nearly 600 data brokers in CalPrivacy’s registry, 110 sell people’s precise locations, the registry shows. More than 40 sell identity data that can include Social Security numbers. Almost 70 sell information on people’s gender identity. Seven sell data related to reproductive health, and six sell information on union membership. Eighteen sell minors’ data — and Kemp said children can sign up for deletion using DROP, or parents can do it for them.
Many of the brokers build — and sell to advertisers and marketers — dossiers that are increasingly processed using artificial intelligence to draw conclusions about a person’s interests, family, politics, lifestyle, finances, sexual orientation and health.
The 322,292 Californians who signed up as of July 1 represent less than 1% of the state’s population, but the California Privacy Protection Agency’s chief expects the number to grow as companies begin purging data and word spreads.
About 50 data brokers sell people’s personal data to the federal government, with a similar number selling to state governments. Twenty-seven sell information to police agencies. More than 20 sell data to foreign entities. About 30 sell information to developers of generative artificial intelligence.
Brokers grab data when people use a loyalty card at a drugstore, browse the web, post on social media or even get married, including addresses, email addresses, phone numbers and location histories that can reveal where people live, work and travel. Brokers also sell information among themselves, broadening people’s exposure.
Many data brokers will sell to “anyone with a credit card,” including scammers, spammers, fraudsters and identity thieves, CalPrivacy Executive Director Tom Kemp said Thursday.
“Our data is their product, and they don’t sell it back to us,” Kemp said. “They sell it to other people. We don’t have control or say over who buys it. It’s not healthy to have all our personal information sloshing around. For the bad guys, it’s cheaper and easier for them to use data brokers and buy lists of people.”
Kemp urged those who haven’t signed up to take advantage of what he calls “the great delete button in the sky.”
“You will reduce your footprint out there, and you should see less targeted advertising based on your demographics, you will see less text scams and email spams, and you will see, potentially, less attempts to defraud you,” Kemp said. Signing up should also reduce the amount of junk mail delivered by the U.S. Postal Service, he added.
Companies whose data collection and sales are covered by other federal and state laws, mostly related to financial services and credit reporting but also including some medical information, are still allowed to collect and sell certain data.
The program, however, can only reach brokers the state knows about. CalPrivacy said its enforcement division is “actively investigating reports of unregistered data brokers” to help ensure as many companies as possible are purging Californians’ data. Kemp could not provide an estimate of the number of data brokers that haven’t registered, but said there are “clearly more than 600.”
Since the Delete Act took effect, the agency has reached settlements with data brokers that failed to register, with companies agreeing to pay $35,000 to $55,000 penalties, the agency said.
DataMasters of Texas, which bought and resold for targeted advertising the personal information of millions of people with Alzheimer’s disease, drug addiction, bladder incontinence and other health conditions, agreed to pay a $45,000 fine and was ordered to stop selling all Californians’ personal information, CalPrivacy said.
DataMasters did not respond to requests for comment.
The fines appear to be spurring more brokers to register, Kemp said.
Companies that fail to register but have data requiring them to register also face the same penalties for not deleting information as the brokers that do register, Kemp said. Failing to delete data can net a fine of $200 a day for each person participating in the DROP program whose data is not removed.
“We will certainly exercise our right as an agency … to go and fine companies tens of millions of dollars,” Kemp said.
Personal data sold by data brokers can be “weaponized” by governments, employers or bad actors, Kemp said. “People search” websites can be useful, for example, when someone wants to do a quick background check on a potential dating partner, but they sell “digital dossiers” that contain someone’s address, email address and phone number, and show their relatives and the relatives’ contact information, Kemp said. The data can help criminals target elderly people through impersonation scams or enable stalkers to track victims, he said.
Kemp noted that the man who pleaded guilty in shootings last year that killed Minnesota state legislator Melissa Hortman and her husband, Mark, and wounded another state legislator and his wife, was alleged by the FBI, in a June 15, 2025, filing in Minnesota federal court, to have found their addresses through people-search websites.
The federal government has bought location data from brokers, Kemp said. In March, FBI Director Kash Patel said the agency had bought “commercially available information for investigations.” In 2023, Kentucky Republican Rep. Brett Guthrie’s office reported that the U.S. Department of Homeland Security had hired a data broker “to screen travelers, including U.S. citizens, by linking people’s social media posts to personal information like their Social Security number and location data.” According to Washington, D.C., nonprofit the Electronic Privacy Information Center, U.S. Immigration and Customs Enforcement, along with U.S. Customs and Border Protection, “purchase extensive personal data on immigrant communities from data brokers.”
“We see situations in which people are being tracked to find where immigrants live or where they go to work,” Kemp said.
Location data can also show if a person has visited an abortion provider or an Alcoholics Anonymous meeting, potentially giving would-be employers access to highly personal information they could use illegally in hiring decisions, Kemp said.
“You do not want anyone with a credit card buying the fact that you visited an abortion clinic,” Kemp said, adding that such information could also be used for blackmail.
Criminals can get into people’s online accounts without a password by answering, with information bought from data brokers, backup questions like, “What high school did you go to?” Kemp said.
The Delete Act builds on two earlier California privacy measures championed by Alastair Mactaggart, the Bay Area co-founder of Californians for Consumer Privacy: the 2018 California Consumer Privacy Act and the 2020 California Privacy Rights Act, which created CalPrivacy.
Although hundreds of thousands of Californians have signed up to have their data deleted, more than 30 million have not. Kemp said he believes many people aren’t aware of the program, while some are wary of providing the personal information the agency requires from people who sign up.
That information does not include driver’s license numbers or Social Security or credit card numbers, and is just the “bare minimum” the agency needs to match participants with broker records, Kemp said.
Pushing the “delete button” generally takes six to seven minutes, Kemp said. Participants need to verify they’re California residents by entering basic personal information or signing in on the federal government’s website, Login.gov, if they have an account on that site. Creation of a profile comes next, with participants choosing which data to include — the more data, the more comprehensive the deletion will be, the agency said. Data can include names, birth date, zip code, email addresses, phone numbers and vehicle identification numbers.
“It’s an investment,” Kemp said, “to make yourself more secure.”