CCPA: Make Data Brokers Delete Your Info

California law gives you a statutory right to disappear from data broker databases

California residents hold something most Americans do not: a legally enforceable right to demand that data brokers delete their personal information and stop selling it. That right comes from the California Consumer Privacy Act (CCPA), strengthened by the California Privacy Rights Act (CPRA), and it applies to the same marketing databases that fuel the catalog mail flooding your mailbox.

The law did not ask data brokers to opt you out voluntarily. It gives you the mechanism to compel them. The California Attorney General's office enforces the CCPA and publishes guidance for residents at https://oag.ca.gov/privacy/ccpa. The California Privacy Protection Agency (CPPA), the dedicated enforcement body created by the CPRA, provides additional resources and oversees the expanding data broker registry at https://cppa.ca.gov/.

If you are a California resident, you have a lever most people do not know exists. Using it is a practical step — not a legal exercise — and the results ripple beyond California's borders.

What the CCPA gives you

The CCPA, as amended by the CPRA, establishes four core rights for California residents in relation to businesses that collect and trade in personal information:

Right to know. You can ask any covered business what personal information it holds about you, where it came from, who it has been shared with, and for what purpose. Businesses must respond with a disclosure, not a runaround.

Right to delete. You can request that a business delete the personal information it has collected from you. The business must also tell its service providers and contractors to delete that information. Exceptions apply — a business may retain data needed to complete a transaction, detect fraud, or comply with a legal obligation — but for most marketing-data contexts, the deletion right is effective.

Right to correct. You can request that a business correct inaccurate personal information it holds about you. For data brokers, this matters beyond just accuracy: correcting a profile can disrupt downstream matching.

Right to opt out of sale or sharing. You can tell a business to stop selling or sharing your personal information with third parties. Data brokers whose core business is exactly that — selling consumer records to catalog companies, retailers, and list vendors — must honor opt-out requests.

The 45-day response window. A business that receives a verifiable consumer request must respond within 45 calendar days. If it needs more time, it can extend by another 45 days but must notify you of the extension and the reason within the original 45-day window. Ninety days total is the outer limit. If a company goes silent past that point, the CPPA and California AG have enforcement authority.

How to send a CCPA deletion and do-not-sell request

Sending a CCPA request is not complicated, but doing it correctly increases the chance the broker processes it promptly.

Step 1: Identify the brokers. Start with the high-volume marketing data brokers that feed catalog prospecting lists. The CPPA maintains a registry of data brokers that have registered with the state; browsing it gives you a working list. High-priority targets include Acxiom, Spokeo, LexisNexis, Epsilon, Experian Marketing Services, and Intelius — all known suppliers of compiled consumer lists.

Step 2: Locate the CCPA request mechanism. Nearly every covered business is legally required to provide a "Do Not Sell or Share My Personal Information" link and a designated privacy request channel. Look in the site footer, the privacy policy, or search the site for "CCPA request" or "privacy request." Many brokers now offer web forms; others accept requests by email to a dedicated privacy address.

Step 3: Submit your request. State clearly: "I am a California resident. I request deletion of all personal information you hold about me, and I request that you stop selling or sharing my personal information." Include your full name, current mailing address, and any prior addresses you have used. Some brokers ask for a phone number to match records; providing it can improve match accuracy and lead to more complete deletions.

Step 4: Expect identity verification. Businesses are allowed — and generally required — to verify that you are who you say you are before processing a deletion. They may ask you to confirm information they already hold, respond to an email, or submit a verification code. Complete this step promptly; the 45-day clock typically starts from the point the request is verifiable, not from initial submission.

Step 5: Track your requests. Keep a log with the broker name, submission date, confirmation number or email, and follow-up deadline. If a broker does not respond within 45 days, you have grounds to file a complaint with the CPPA.

For detailed walkthroughs of two major brokers, see the guides on this site:

• How to opt out of Spokeo
• How to opt out of Acxiom

The DELETE Act and the DROP platform

In 2023, California went further. Governor Newsom signed SB 362, the California DELETE Act, which created a mechanism for residents to submit a single deletion request that reaches every registered data broker in the state simultaneously.

The vehicle is called the Data Broker Removal and Opt-out Platform, or DROP. The CPPA is responsible for building and operating it. Under the DELETE Act, data brokers registered with the CPPA must honor deletion requests submitted through DROP and must delete matching records within 45 days of a request.

The broker registration requirement predates DROP: data brokers doing business in California have been required to register annually with the CPPA and pay a registration fee since 2020. The registry is public and searchable on the CPPA website. If a broker is registered — and covered brokers are legally required to register — a DROP request will reach them.

The rollout is phased. The DROP platform became available to consumers in phases beginning in 2026, with broker compliance requirements staggered to accommodate the scale of the operation. As the platform matures, it represents the most efficient path for California residents: one request, one identity verification, complete coverage of all registered brokers.

Until DROP is fully operational for a given broker, direct requests remain valid and are enforceable under the existing CCPA framework.

What to expect after submitting

Realistic expectations help. Here is what typically happens and where the friction points are.

Deletions are not instant. Even with a 45-day window, many brokers process requests in batches. You may not see your profile disappear from search results immediately. Give it the full cycle before following up.

Re-addition can happen. Data brokers continuously ingest new records from public sources, government filings, and purchase transactions. A deletion removes your current profile; it does not block re-ingestion of new data about you in the future. Periodic re-submission — every 12 to 18 months — is a reasonable maintenance cadence for the highest-volume brokers.

Opt-out survival varies. Some brokers maintain suppression lists that exclude opted-out individuals from future data sales. Others treat deletions as point-in-time removals. Sending a combined deletion and do-not-sell request addresses both angles. The CPPA guidance at https://cppa.ca.gov/ clarifies the obligations brokers carry for honoring ongoing opt-out preferences.

California residency is required for CCPA rights. The CCPA applies to California residents. If you live in another state, the CCPA does not give you a legal right to compel compliance. However, when a data broker deletes a California resident's record, that deletion frequently removes the record from national files shared across all markets — the record is the record, regardless of which state's customers eventually buy the list. The ripple effect is real.

Paid services such as Incogni, Optery, and DeleteMe automate the submission process across multiple brokers, which can be efficient if you want to cover a large list quickly. They do not provide rights that California residents do not already have — they provide execution at scale.

How this stops catalog mail

Catalog companies do not build their own prospect lists from scratch. They rent and purchase compiled mailing lists from data brokers — Acxiom, Epsilon, and their peers — who segment consumers by purchase history, income estimate, household composition, and hundreds of other variables. A catalog retailer looking for "women 45–65 with household income above $80,000 who have purchased apparel by mail in the past 24 months" buys that list from a broker.

When you submit a CCPA deletion request to Acxiom or Epsilon and they remove your record, you are no longer in the pool that catalog companies draw from. The deletion does not stop the catalog company from mailing to people who are on the list — it removes you from being on the list in the first place.

This is upstream intervention. Opting out directly from catalog mailers works, but it operates one mailer at a time, and your address can be re-added when the mailer rents a fresh list from a broker. Deleting from the broker removes you from the source. Each subsequent list the broker sells — to any mailer, in any category — excludes your record.

The DELETE Act's DROP platform, when fully operational, extends this to every registered California broker in a single request.

Related resources

• Remove yourself from data brokers: a complete guide
• How to opt out of Acxiom
• How data brokers get your address

Official sources:

• California Attorney General — CCPA: https://oag.ca.gov/privacy/ccpa
• California Privacy Protection Agency: https://cppa.ca.gov/

References

1. California Attorney General. "California Consumer Privacy Act (CCPA)." https://oag.ca.gov/privacy/ccpa (retrieved 2026-06-08).
2. California Privacy Protection Agency. Home and data broker registry. https://cppa.ca.gov/ (retrieved 2026-06-08).
3. Federal Trade Commission — Consumer Advice. "Data Brokers." https://consumer.ftc.gov/ (retrieved 2026-06-08).