In 2024, major automakers, including Ford and GM, made national headlines when they were caught secretly sharing consumers’ “driving behavior data” (including detailed dossiers of their movements) with the data broker LexisNexis. As it turned out, LexisNexis subsequently shared drivers’ information with several insurance companies, who, in some cases, used it to raise consumers’ premiums. For many of those affected, the price hike came as a shock since they never knew that their car company would share their personal data to this type of company, let alone that it could cause them to pay more.
These types of business practices tend to elicit a sense of powerlessness from consumers. Little-known data brokers like LexisNexis amass consumer profiles containing incredibly detailed information about virtually every American — sourced from retailers, mobile phone data, or government records — almost exclusively outside of our awareness or control. How can we stop our data from being collected and sold by entities that we’ve never even heard of? Luckily for California residents, a new tool launched on January 1 that should make it much easier.
In addition to LexisNexis, there are hundreds of data brokers listed on California’s data broker registry, including several that have been caught tracking consumers’ visits to sensitive locations, such as religious facilities, political protests, and military installations. Dozens more admit that they collect the personal data of minors or information about people’s reproductive health. This information is a goldmine for businesses attempting to predict your purchasing habits and responsiveness to marketing campaigns, and is equally enticing to those seeking to track people down, such as stalkers, fraudsters, and even law enforcement agencies. While you may find some of these entities more concerning than others, one of the key issues here is that many data brokers tend not to bother themselves with the distinction
To help consumers take back control, the state legislature passed the California Delete Act, a law that tasked the California Privacy Protection Agency (CalPrivacy) with creating a one-stop-shop to allow consumers to send deletion requests to all of the state’s registered data brokers in a single action. That system, dubbed the Delete Request and Opt-out Platform (DROP), is now live — and it should be a game changer for those who want to take more control over their personal data.
To make a request on DROP, consumers will first need to verify their California residency. Then they will be asked to provide basic information about themselves, such as name, date of birth, phone number, and email address; this information will be used to match consumers with the data dossiers held by data brokers. Crucially, beginning on August 1, 2026, data brokers listed on California’s registry will be required to delete the matching personal information they hold about consumers. After sending a request, consumers will be able to check the status of their deletion requests via the DROP.
So what’s the catch? Well, for one, there is that pesky gap between DROP’s launch date of January 1 and the August 1 deadline for data brokers to delete consumers’ data. However, that should be a short-lived problem: after August 1, data brokers will be required to process deletion requests once every 45 days, and will not be permitted to collect new information about consumers that have already made a deletion request. Another important caveat: under the law, data brokers are not required to delete “publicly available information” about consumers, such as property records, court filings, or even non-private social media posts. So keep in mind that even after a deletion request, data brokers may still have some information about you.
Despite these caveats, the Delete Act is a landmark win for consumers. Data brokers can use information they’ve collected about people for all sorts of purposes that they never consented to, ultimately facilitating important life decisions with very little accountability. Data broker records can influence loan terms, offers of employment, tenant screenings, and much more. Those same records can be used to facilitate personalized scams and put you at greater risk of identity theft and data breaches. And since this information often has not been thoroughly vetted for accuracy, decisions based upon it can leave consumers worse off for reasons completely outside of their control.
The DROP should significantly reduce the burden on consumers to protect themselves. While it won’t be completely frictionless, it dramatically improves upon the system we have now, where consumers must delete their information one business at a time. That means that to achieve the same effect as DROP, consumers would need to make hundreds of separate deletion requests — if they could even track down the names of all the data brokers collecting their personal data.
Until we can prevent shadowy intermediaries like data brokers from collecting and using our sensitive personal information in the first place (a goal still very much in the sights of many privacy advocates), the Delete Act will play an important role. And of course, the more consumers using DROP, the less viable the data broker business model becomes. In an age where we, and our data, are so often “the product” being sold by digital platforms, it’s rare to have a legitimate opportunity to reclaim our autonomy. We should seize it.
