New Californian Law to allow residents to easily scrub all of their online data from in-state data brokers

JustLovett0

Summary

Signed into law this past week, Californians will soon be able to request all of their data be deleted in an easy and free way from close to 500 data brokers based in the state. By January 1st, 2026, the California Privacy Protection Agency is working to implement this mechanism for residents. However, it is not until August 1st, 2026, that processing deletion requests must be done within 45 days of the request being made.

 

Quotes

Californians already have a right to request their data be deleted under current state privacy laws, but it requires filing a request with each individual company.

The new bill reinforces that all data brokers must register with the California Privacy Protection Agency (CPPA), and it requires the CPPA to establish an easy and free way for Californians to request that all data brokers in the state delete their data through a single page.

 

My thoughts

Shame that this act won't go into effect for two more years, but it is a great step in the right direction. Private companies like Incogni already offer a paid service to have this done on a larger scale, but if this "Free and Easy" data scrubbing becomes nationwide for the USA, it would allow a lot more people to easily regain some online privacy.

 

Sources

 Main Source: https://iapp.org/news/a/california-governor-signs-ca-delete-act-into-law/

 Secondary Source: https://www.theguardian.com/technology/2023/oct/10/california-delete-act-signed-newsom


40 minutes ago, ThousandBlade said:

This will do nothing, those data brokers will just go offshore by the time this law goes into effect.

Yup. This isn't even a step in the right direction; it's a waste of time. They won't even go offshore; they'll just switch their AWS region for storage to Oregon or Texas and "oh look we don't have any data in CA anymore".

 

Prop 65...for data.


This is stupid, honestly. It isn't going to stop people from hoarding and selling people's data.


Thank goodness all data brokers are in California and cannot move their data elsewhere.


5 hours ago, ThousandBlade said:

This will do nothing, those data brokers will just go offshore by the time this law goes into effect.

 

1. Set up a shell "A" corporation
2. Proxy all data to another "B" corporation outside the state with "A" caching only a few minutes' worth of data
3. ????
4. PROFIT!!!

 


4 hours ago, ThousandBlade said:

This will do nothing, those data brokers will just go offshore by the time this law goes into effect.

Depends how the law is written. EU's GDPR is very similar, as in I as an EU citizen can demand even US companies to delete their data about me, since the GDPR isn't written from the perspective of where the data or company is but where the person, about whom the data is, resides. As in, while Facebook tried to shovel their data from Ireland to the US in hopes to run from GDPR and the fear of needing to give people access to their data, with hopes that if the data is in the US it would fall under US jurisdiction and the EU couldn't set sanctions on Facebook for not giving GDPR accesses to EU citizens. However, the GDPR isn't about where the data is but where the people are; Facebook just wasted bandwidth, since if they hadn't given that GDPR access, the EU could have fined and sanctioned them.

 

Same here: if they were wise, they wrote the law in a way that a company must delete the data about a Californian demanding it and not "Californian company must delete data in California if Californian demands it". It could be the same as GDPR, and at least bigger companies won't try to fight it for fear of getting hefty fines.


1 hour ago, Thaldor said:

Depends how the law is written. EU's GDPR is very similar, as in I as an EU citizen can demand even US companies to delete their data about me, since the GDPR isn't written from the perspective of where the data or company is but where the person, about whom the data is, resides. As in, while Facebook tried to shovel their data from Ireland to the US in hopes to run from GDPR and the fear of needing to give people access to their data, with hopes that if the data is in the US it would fall under US jurisdiction and the EU couldn't set sanctions on Facebook for not giving GDPR accesses to EU citizens. However, the GDPR isn't about where the data is but where the people are; Facebook just wasted bandwidth, since if they hadn't given that GDPR access, the EU could have fined and sanctioned them.

 

Same here: if they were wise, they wrote the law in a way that a company must delete the data about a Californian demanding it and not "Californian company must delete data in California if Californian demands it". It could be the same as GDPR, and at least bigger companies won't try to fight it for fear of getting hefty fines.

Out of curiosity, what’s stopping a company from encrypting a copy of personal data, and moving the blob elsewhere, where regulators are going to be unable to audit (even if they somehow got physical access)?


2 hours ago, StDragon said:

 

1. Set up a shell "A" corporation
2. Proxy all data to another "B" corporation outside the state with "A" caching only a few minutes' worth of data
3. ????
4. PROFIT!!!

 

One of the oldest tricks in the book.  This business model (or something quite similar) was widely used by criminal gangs in the U.S. during Prohibition...100 years ago...and its effectiveness played a big role in getting that amendment repealed.


Ireland will become the country with the most datacenters.


5 hours ago, Zodiark1593 said:

Out of curiosity, what’s stopping a company from encrypting a copy of personal data, and moving the blob elsewhere, where regulators are going to be unable to audit (even if they somehow got physical access)?

Mostly just common sense. Even Google doesn't really want to hold personal information that hard, especially when there is the chance that if it leaks out and it's taken to EU court, that could be up to 10M€ or 2% of annual global turnover (whichever is higher) for a violation, or up to 20M€ or 4% of annual global turnover for a severe violation; it's just not worth it to risk it. And if you get fined and don't pay the fines, you will get more fines, and most likely you can say bye bye to any foothold in European markets until you pay your fines.

 

But in the US, I don't know whether even California is able and willing to really strong-arm companies the way the EU has shown itself to be willing to.


21 hours ago, AnonymousGuy said:

Yup. This isn't even a step in the right direction; it's a waste of time. They won't even go offshore; they'll just switch their AWS region for storage to Oregon or Texas and "oh look we don't have any data in CA anymore".

 

Prop 65...for data.

It would depend on how the law is worded.

 

The GDPR regulations, for example, do not make ANY kind of distinction on where the company handling YOUR data is located. If they provide ANY kind of service, no matter how minor, to even a single EU consumer, the GDPR will apply.

 

{Why else would many USA media sites not offer service in the EU?}

They would rather avoid handling EU consumer data than have to deal with the FALLOUT of any kind of GDPR fine/regulation.
