California Data Broker Opt-Out Guide: Your CCPA Rights Explained (2026)
California residents have the strongest data privacy rights in the US. This guide covers your CCPA deletion rights, how to formally invoke them against data brokers, and what the California Delete Act's DROP platform means for 2026.
California residents have the strongest data privacy rights of any US state. The California Consumer Privacy Act (CCPA), expanded by the California Privacy Rights Act (CPRA), gives California residents the right to know what personal data companies have collected, the right to request deletion, and the right to opt out of the sale of their personal information. For people dealing with data brokers — the companies that publish your home address, phone number, and background information — these rights are directly actionable.
This guide covers exactly what your California privacy rights are, how to exercise them against data brokers, and what the new California Delete Act means for 2026.
Your Core CCPA Rights Against Data Brokers
Right to Know: You can ask any company operating in California what personal information they have collected about you and how it is being used or shared.
Right to Delete: You can demand that a company delete your personal information. The company must comply within 45 days (with a one-time 45-day extension if they notify you).
Right to Opt Out of Sale: You can tell any company that sells or shares your personal information to stop doing so. This covers most data broker business models — they sell access to your data.
Right to Non-Discrimination: A company cannot penalize you (charge you more, provide inferior service) for exercising your privacy rights.
Right to Correct: Under CPRA, you can request correction of inaccurate personal information.
Private Right of Action: For data breaches involving certain types of sensitive data, California residents can sue directly without waiting for the CPPA to act.
How to Exercise CCPA Deletion Rights Against a Data Broker
Step 1: Identify the businesses subject to CCPA
CCPA applies to businesses that:
- Have annual gross revenues over $25 million, OR
- Annually buy, sell, or share personal information of 100,000+ consumers, OR
- Derive 50%+ of annual revenue from selling personal information
Most major data brokers (WhitePages, Spokeo, BeenVerified, Intelius, TruthFinder, Radaris, etc.) meet one or more of these thresholds and are subject to CCPA.
Step 2: Submit a CCPA deletion request
The formal way to invoke CCPA rights is to submit a "deletion request" or "request to delete personal information." Most data broker opt-out forms are designed to comply with CCPA requests. You can cite CCPA Section 1798.105 in your request.
For sites that are slow to comply or attempt to add friction:
"Pursuant to California Civil Code Section 1798.105, I am requesting the deletion of all personal information you have collected, maintained, or disclosed about me. Please confirm receipt of this request and the expected deletion timeline."
Step 3: Follow up within 45 days
If you have not received confirmation within 45 days (or 90 days if the company notified you of a 45-day extension), file a complaint with the California Privacy Protection Agency (CPPA) at cppa.ca.gov.
The California Delete Act (SB 362, 2023)
The California Delete Act, signed into law in 2023 and becoming operational in 2026, creates significant new obligations for data brokers:
Mandatory registration: All data brokers operating in California must register with the CPPA annually.
Single deletion platform (DROP): Starting in 2026, the CPPA is required to establish a "Data Rights Opt-out Platform" (DROP) where California residents can submit a single request that applies to all registered data brokers simultaneously. This eliminates the current requirement to opt out from each broker individually.
Third-party deletion propagation: Data brokers that delete a consumer's data must instruct any companies they shared that data with to also delete it.
Fines: Data brokers that fail to register face fines of $200/day per violation. Non-compliance with deletion requests can result in fines of up to $7,500 per intentional violation.
Status in 2026: The DROP platform is being developed. California residents should monitor the CPPA's website for the official launch date.
Data Broker Registration Under the California Delete Act
Because the Delete Act requires registration, Californians can check the CPPA's public registry to see which data brokers are operating legally in California. A broker that is collecting and selling Californians' data without registering is in violation of the Delete Act.
Check the current registry at: cppa.ca.gov/data-broker-registry
Comparison: California Rights vs. Other States
| Right | California (CCPA/CPRA) | Virginia (VCDPA) | Texas (TDPSA) | Colorado (CPA) | No State Law |
|---|---|---|---|---|---|
| Right to know | Yes | Yes | Yes | Yes | No |
| Right to delete | Yes | Yes | Yes | Yes | No |
| Opt out of sale | Yes | Yes | Yes | Yes | No |
| Right to correct | Yes | Yes | Yes | Yes | No |
| Private right of action | Limited | No | No | No | No |
| Enforcement agency | CPPA | AG | AG | AG | FTC only |
| Data broker registry | Yes (2026) | No | No | No | No |
| Single deletion platform | Yes (2026) | No | No | No | No |
California's protections are substantially stronger than other states, particularly the private right of action and the upcoming DROP platform.
Practical Steps for California Residents in 2026
Immediate actions:
- Submit opt-out/deletion requests to all major data broker sites using the standard opt-out forms
- For non-compliant sites, send formal CCPA deletion requests citing Section 1798.105
- Monitor the CPPA website for the DROP platform launch date
When DROP launches:
- Register on the DROP platform
- Submit a single deletion request that propagates to all registered data brokers simultaneously
- Verify that registered brokers comply within the required timeframe
Ongoing:
- Annual check against the CPPA's registered data broker list for new entrants
- Report non-compliant data brokers to the CPPA
OfflistMe covers 500+ data brokers including all major California-registered brokers. One-time pricing starts at $7.00. Start your removal here.
Frequently Asked Questions
I am not a California resident. Do CCPA rights apply to me?
Strictly speaking, CCPA applies to California residents. However, many major data brokers extend CCPA-style rights to all US residents because managing state-by-state compliance is administratively impractical. Citing CCPA in a deletion request is often effective regardless of your state. Virginia (VCDPA), Texas (TDPSA), Colorado (CPA), Connecticut (CTDPA), and over a dozen other states have comparable rights.
What is the fine if a data broker ignores my California deletion request?
The CPPA can impose civil penalties of up to $2,500 per unintentional violation and $7,500 per intentional violation. Each individual consumer whose rights are violated counts as a separate violation. For class action-level non-compliance, penalties can be substantial.
Does CCPA apply to the government data that data brokers source from?
CCPA applies to the data broker, not to the government agency that generated the original public record. The government's voter roll, property deed, or court record is not subject to CCPA because government agencies are exempt. But when a data broker collects that public record and incorporates it into a commercial profile, the data broker's handling of that information is subject to CCPA.
How do I know if a company is subject to CCPA?
Any company that does business in California and meets the revenue/data thresholds described above is subject to CCPA regardless of where the company is headquartered. A company headquartered in Florida that sells data about California residents to California-based customers is subject to CCPA.
What can I do if a data broker claims I am not a California resident?
You do not have to prove California residency to the data broker — the burden is on the broker to verify and comply. If a broker incorrectly denies your request, file a complaint with the CPPA at cppa.ca.gov. Include documentation of your request and the broker's denial.
AB 1391 vs. Individual Opt-Outs: The Difference
AB 1391, which took effect in January 2026, works alongside but is distinct from the broader CCPA/CPRA framework. Understanding what each mechanism actually does helps you decide where to focus your effort.
Individual opt-outs (current method): You submit a deletion or opt-out request directly to each data broker, one at a time. Under CCPA, each broker must respond within 45 days. This is the method most Californians are using right now — it works, but it requires submitting dozens to hundreds of separate requests.
AB 1391 and the DROP platform: AB 1391 is the legislation that created the mandate for the Data Rights Opt-out Platform (DROP). Once operational, a single DROP submission propagates to every registered data broker simultaneously. You do not need to contact each broker individually. The CPPA enforces broker compliance.
The key practical differences:
| Feature | Individual Opt-Outs | DROP (AB 1391) |
|---|---|---|
| Number of requests to submit | One per broker | One total |
| Scope | Brokers you find and contact | All CPPA-registered brokers |
| Response time | 45 days per broker | Same statutory 45-day window |
| Enforcement | You must file CPPA complaint | CPPA monitors automatically |
| Available now | Yes | In development (2026) |
| Covers unregistered brokers | Yes (via individual opt-out) | No (only registered brokers) |
The important caveat: DROP only reaches brokers that have registered with the CPPA. Any broker that is operating in California without registering — in violation of the Delete Act — will not receive your DROP request. Individual opt-outs remain the only way to reach non-compliant brokers.
The practical recommendation for 2026: Do not wait for DROP. Submit individual opt-outs now to cover both compliant and non-compliant brokers. When DROP launches, submit a DROP request as a secondary layer to catch any registered brokers you missed.
Which California Brokers Are Most Important to Remove From First
Not all data brokers carry equal risk. The priority list below is ordered by a combination of traffic volume, Google search visibility, and the depth of personal data exposed.
Tier 1 — Remove within 24 hours:
WhitePages is the most-trafficked address lookup site in the US. Californians' home addresses, phone numbers, and relative names appear prominently in WhitePages results and rank highly in Google for name searches. This is the single most important removal.
Spokeo aggregates data from social networks, phone records, and marketing databases. Its profiles include photos, email addresses, and estimated income. Spokeo pages rank in the top results for many name-plus-city searches.
BeenVerified is widely used for informal background checks and surfaces prominently in Google. Profiles include background report previews that reference criminal history, financial information, and court records.
TruthFinder has high Google visibility and runs aggressive remarketing campaigns. Its profiles include the same home address and relative data as WhitePages but with heavier criminal record framing.
Intelius powers background check lookups across multiple white-label sites — removing your Intelius record can cascade to several smaller sites that use Intelius as their data source.
Tier 2 — Remove within the same week:
Radaris has deep relative association graphs and historical address data. It is the source most commonly cited in domestic violence and stalking cases where a victim's new address was located.
FastPeopleSearch is a high-volume free people-search site with minimal friction for searchers — no account, no payment required to view basic profile data.
MyLife assigns a "reputation score" to individuals and displays it prominently. Even if the underlying data is sparse, the reputational framing creates the impression of negative findings and ranks well for name searches.
PeopleFinders has a large database of historical address data going back decades. It is a preferred tool for people trying to locate someone after a significant address change.
Tier 3 — Complete within 30 days:
The remaining 500+ brokers in OfflistMe's removal list cover the long tail of brokers that receive lower traffic individually but collectively represent meaningful exposure. These include data aggregators that sell to insurance companies, marketers, and other businesses — categories where your data is used commercially even if the broker is not consumer-facing.
A CCPA-informed approach: for Tier 1 sites specifically, cite California Civil Code Section 1798.105 in your request. This invokes the statutory deletion right, which carries a different compliance obligation than a standard "opt-out" request. Standard opt-outs allow the broker to stop selling your data but retain it; Section 1798.105 deletion requests require actual data deletion.
Related Guides
Understand your privacy rights
Every removal request cites a specific statute. These plain-English explainers show what each law covers and how enforcement actually works.
Related Data Broker Removal Guides
Take back your privacy today
Remove your personal information from data brokers and platforms in seconds.
Remove Your Personal Data NowFrom $7.00 one-time · 500+ data brokers · No subscription