How to Opt Out of Data Brokers (2026)
Hundreds of companies are profiling and selling your personal data right now without ever asking your permission. You have legal tools to stop them, and the most powerful one in 2026 is free, takes ten minutes, and reaches every registered California data broker at once.
What Is a Data Broker and Why Should You Care?
A data broker is a business that collects personal information about consumers from various sources and sells that information to other companies, without a direct relationship with the consumer whose data is being sold. That definition comes directly from California Civil Code section 1798.99.80, the statute at the heart of the state's DELETE Act.
Data brokers obtain your information from dozens of sources: public records, loyalty card programs, social media activity, smartphone location data, purchase histories, credit headers, and data purchased from other brokers. They combine those inputs to build detailed consumer profiles that get sold to marketers, employers, landlords, private investigators, political campaigns, and in some cases law enforcement agencies and foreign actors.
The California Privacy Protection Agency's data broker registry requires each registered broker to disclose the categories of personal information it collects. The list is striking: Social Security numbers, precise geolocation, health information, browsing history, financial data, biometric identifiers, and information about children all appear. These are not abstract risks. Data broker profiles fuel spam calls, enable stalking, expose people fleeing domestic violence, power discriminatory targeted advertising, and create the raw material for identity theft.
The good news is that the legal landscape shifted meaningfully in 2025 and 2026. California's centralized deletion platform is live. Texas and Oregon added registration requirements. And browser-level opt-out signals now carry legal weight in multiple states. The steps below use every tool currently available.
Step 1: Enable Global Privacy Control in Your Browser
Time required: About five minutes. Reach: 66,000+ participating websites. Legal effect: Legally binding opt-out under California law for covered businesses.
Global Privacy Control is a browser-level signal you enable once. Under California Civil Code section 1798.135(b) and the California Attorney General's CCPA guidance, covered businesses must treat an enabled GPC signal as a valid opt-out of the sale or sharing of your personal information, with the same legal weight as clicking "Do Not Sell or Share My Personal Information" on every covered site individually. You do not need to fill out a form, create an account, or identify yourself. The signal does the work automatically.
GPC currently reaches over 66,000 participating websites. It is legally required to be honored as an opt-out signal in California and is also recognized in Colorado, Connecticut, Montana, Oregon, and Texas. Virginia's VCDPA does not mandate GPC recognition, so also click "Do Not Sell" links manually on Virginia-regulated sites.
How to enable GPC by browser:
- Brave: GPC is enabled by default. Confirm it is active under Settings > Privacy and Security.
- DuckDuckGo (mobile and desktop): GPC is enabled by default. No action needed.
- Firefox: Go to Settings > Privacy and Security > scroll to "Website Privacy Preferences" > check "Tell websites not to sell or share my data."
- Chrome or Edge: Install the Global Privacy Control extension from the Chrome Web Store or Edge Add-ons store. The EFF's Privacy Badger and Disconnect extensions also implement GPC and add tracker blocking.
Once GPC is enabled, every California-covered business you visit must halt the sale or sharing of your personal information with no additional steps required. Under the CCPA, businesses must comply as soon as feasibly possible, with a maximum of 15 business days from receipt. They cannot require you to also complete a manual opt-out form.
GPC is the single highest-leverage action for most people because it works passively and continuously across the entire web. Do this step first, then continue with the steps below for data that brokers already hold about you.
Step 2: Use California's DROP Platform
Who can use it: California residents only. Reach: All brokers registered with the CPPA. Status: Consumer submissions accepted since January 1, 2026; broker processing required beginning August 1, 2026.
The DELETE Act (Senate Bill 362, signed into law 2023, codified at California Civil Code section 1798.99.80 et seq.) created the most powerful consumer data broker tool in the country: a single request that reaches every registered broker simultaneously. The platform is called DROP (the Delete Request and Opt-Out Platform), and the California Privacy Protection Agency operates it at cppa.ca.gov.
As of January 1, 2026, any California resident may use DROP to submit a single deletion request to all active registered data brokers at once, rather than contacting each broker individually. That is the step that no other state yet offers.
The critical two-part timeline you must understand: DROP is live and accepting consumer submissions now. However, registered data brokers are not required to begin processing DROP deletion requests until August 1, 2026. That is the statutory compliance date under the DELETE Act. Requests submitted before August 1, 2026 are queued and must be honored as of that date. Do not interpret broker silence before August 1 as non-compliance; the processing obligation does not begin until then.
How to submit a DROP request:
- Go to cppa.ca.gov/data_broker_registry/ and locate the DROP submission link on the data broker registry page.
- Confirm your California residency. The platform is restricted to California residents under the DELETE Act.
- Complete the deletion request form. You will need to provide basic identifying information so brokers can locate your records. The CPPA's form is designed to be completed without creating a new account.
- Submit and save your confirmation. Take a screenshot or save the confirmation email with the date of submission. This is your evidence that your request was received before August 1, 2026.
- After August 1, 2026, if a registered broker has not deleted your data or responded to your request within the statutory period, that is a CPPA enforcement matter.
The CPPA publishes the California data broker registry with details for every registered broker, including business name, categories of personal data collected, and categories of entities to whom data is sold. The 2025 registry (reporting 2024 activities) is the operative list for consumers using DROP. The CPPA oversees registration, compliance monitoring, and enforcement of the DELETE Act with civil penalty authority under California Civil Code.
If you live outside California, you cannot use DROP. Proceed to Steps 3 and 4.
Step 3: Check Your State's Data Broker Registry
Even if you use DROP, some data brokers operate outside California's registry. And for residents of other states, per-broker registries are the primary research tool for finding which companies hold your data and what opt-out mechanisms they offer.
California CPPA Registry (cppa.ca.gov/data_broker_registry/)
All qualifying data brokers must register annually with the CPPA between January 1 and January 31, reporting their prior calendar year's data practices. The registry lists each broker's business name, contact information, categories of data collected, categories of entities to whom data is sold (including law enforcement, government agencies, GenAI developers, and foreign actors), and statistics on consumer requests received. After August 1, 2026, you can also use the registry to verify which brokers have responded to DROP requests and to identify non-compliant actors to report to the CPPA.
Vermont Secretary of State Registry (legislature.vermont.gov)
Vermont requires data brokers to register annually by January 31 with the Vermont Secretary of State under 9 V.S.A. section 2446. Each registered broker must disclose its opt-out method, which data practices consumers can and cannot opt out of, whether the broker vets purchasers of data, and the number of security incidents. The registration fee is $100. Brokers that fail to register face civil penalties up to $10,000 per year plus unpaid fees, and the Vermont Attorney General may seek injunctive relief.
Vermont's opt-out process is broker-by-broker: there is no Vermont equivalent of DROP. Use the registry to locate each broker, then use its disclosed opt-out method (email, web form, or mail address) to submit your request directly. Vermont consumers may also authorize a third party to submit opt-outs on their behalf under 9 V.S.A. section 2446.
Oregon Department of Consumer and Business Services (oregonlegislature.gov)
Oregon requires data brokers to register with the Oregon Department of Consumer and Business Services under ORS 646A.593. The department has rulemaking authority and may impose penalties for operating without registration. Oregon's broader consumer data rights, including the right to request deletion of personal data, are also found in the Oregon Consumer Privacy Act at ORS 646A.570 through 646A.589. To identify Oregon-registered brokers and locate their opt-out mechanisms, check the DCBS registry and each broker's privacy policy.
Texas Secretary of State Registry (sos.state.tx.us/statdoc/data-brokers.shtml)
Texas requires data brokers to register with the Texas Secretary of State under Business and Commerce Code Chapter 510 (originally enacted as Chapter 509 by SB 2105 in 2023, redesignated Chapter 510 effective September 1, 2025). Registered brokers must disclose their data collection practices and opt-out mechanisms, and pay a $300 annual registration fee. Use the Texas SOS registry to identify which brokers are active in Texas, then use each broker's disclosed opt-out page to submit your request. Texas also requires covered businesses to honor GPC signals under the Texas Data Privacy and Security Act effective January 1, 2025; if GPC is enabled, many Texas-covered businesses are already subject to opt-out obligations for online data sales and targeted advertising.
For a detailed look at how CCPA opt-out rights work alongside these registries, see the CCPA right to opt out of sale and sharing. For a comparison of all major US state privacy laws, see the US state privacy laws comparison.
Step 4: Submit Per-Broker Opt-Out Requests
For data brokers not covered by DROP (including brokers operating outside California's registry and all brokers for non-California residents), you will need to submit opt-out requests directly to each broker using its disclosed mechanism.
How to find each broker's opt-out link:
- Search the relevant state registry (California, Vermont, Oregon, or Texas) for the broker by name.
- Look at the broker's registered contact information and disclosed opt-out method.
- Go directly to the broker's website and look in the footer or privacy policy for a link labeled "Do Not Sell or Share My Personal Information," "Your Privacy Rights," "Opt Out," or "Consumer Privacy Request."
- Under the CCPA, covered businesses cannot require you to create an account to submit an opt-out request and should avoid demanding burdensome identity verification, though they may ask basic identifying questions to locate your record.
What to include in your request:
Provide your full name, email address, phone number, and any other identifiers the broker is likely to have used to profile you (your city and state, your approximate age if you are comfortable sharing it, and past addresses if you have moved). The more specific you are, the easier it is for the broker to locate your record, and the harder it is for the broker to claim it could not find you.
Prioritize high-risk broker categories first:
- People-search sites (sites that publish name, address, relatives, phone, and background-check summaries): These are the most directly harmful to individuals. Look for sites that appear when you search your own name.
- Marketing data brokers: Companies that aggregate purchase behavior, demographic profiles, and interest segments for ad targeting.
- Data aggregators: Companies that compile comprehensive consumer files from multiple sources and license them to other businesses.
The CCPA response clock: For California-covered businesses, once they receive your opt-out request, they must act as soon as feasibly possible, with a maximum of 15 business days from receipt. After you opt out, the business cannot resume selling or sharing your data unless you provide explicit re-authorization, and it must wait at least 12 months before requesting that re-authorization. Document the date of every request you submit.
The CCPA "Do Not Sell or Share My Personal Information" opt-out right applies to businesses that sell personal information or share it for cross-context behavioral advertising under California Civil Code section 1798.120 and 1798.135. "Sharing" is defined specifically as sharing for cross-context behavioral advertising, meaning targeting you based on online activity across multiple websites. Both the sale right and the sharing-for-ads right are covered by the single "Do Not Sell or Share" mechanism.
Step 5: Escalate If a Broker Ignores Your Request
Most reputable data brokers will comply with opt-out requests, especially from California residents where the legal exposure is clear. Some will not. If a broker ignores your request or delays beyond the statutory deadline without explanation, you have escalation options.
California Privacy Protection Agency
For California residents dealing with California-registered data brokers, the CPPA is your primary enforcement contact. The agency oversees registration, compliance monitoring, and enforcement of the DELETE Act and CCPA with civil penalty authority. Visit cppa.ca.gov to find the agency's contact and complaint mechanisms. After August 1, 2026, DROP non-compliance becomes directly actionable.
Vermont Attorney General
For Vermont-registered brokers that fail to honor opt-out requests or fail to maintain registry compliance, the Vermont AG has civil penalty and injunctive authority under 9 V.S.A. section 2446. File a consumer complaint through the Vermont AG's consumer assistance program.
Oregon Department of Justice
For Oregon-registered brokers, file a consumer complaint with the Oregon DOJ at oregonconsumer.gov. The department coordinates with DCBS on broker registration enforcement.
Texas Attorney General
For Texas-covered businesses that ignore TDPSA opt-out requests or CCPA obligations, the Texas AG's consumer protection division handles privacy complaints. The AG filed the first state privacy enforcement action in the United States against Allstate in January 2025, and the office is actively enforcing.
Federal Trade Commission
File a complaint at ftc.gov/complaint. The FTC does not enforce state privacy laws directly, but it tracks complaint patterns across companies and uses them to prioritize federal investigations under its Section 5 unfair or deceptive practices authority. A well-documented FTC complaint contributes to the public record against repeat offenders.
What to include in any complaint:
Document the date you submitted your request, the broker's name, the response (or lack of response), and any written exchanges. The more specific your documentation, the more useful your complaint is to enforcement agencies.
Step 6: Understand the Limits and Maintain Your Opt-Outs
Data broker opt-outs are not permanent unless you actively maintain them. Understanding the limits of each tool prevents you from assuming protection you do not have.
DROP covers only registered California brokers. Not every data broker is registered with the California CPPA. New brokers register each January. Brokers that operate below the qualifying threshold or that violate the registration requirement may not appear in the registry at all. The DELETE Act gives the CPPA enforcement tools against non-registering brokers, but gaps exist. Check the registry annually and resubmit DROP requests when the CPPA processes new registrations.
GPC only reaches online interactions. GPC signals apply to covered businesses that process your data through a website or online service. They do not reach offline data collection, data already held before you enabled GPC, or brokers that have no direct online interaction with you. Per-broker opt-outs remain necessary for the full picture.
FCRA-covered entities are a separate category. The three major credit bureaus (Equifax, Experian, TransUnion) and background-check agencies subject to the Fair Credit Reporting Act are not covered by CCPA opt-out or DROP. Their data practices are governed by the FCRA, which gives you separate rights: the right to dispute inaccurate information, the right to place a free security freeze blocking new credit accounts, and annual free credit reports at AnnualCreditReport.com. A security freeze is one of the most effective privacy tools available to any U.S. consumer. Use it alongside data broker opt-outs, not as a substitute for them.
Opt-outs can expire or be reset. Some brokers re-acquire your data from new sources after you opt out and re-profile you. The CCPA's 12-month re-solicitation bar applies to businesses asking for your re-authorization, but it does not prevent brokers from building new profiles from new data sources. Set a calendar reminder to recheck the registries and resubmit DROP requests annually.
Non-California residents face more friction. Vermont, Oregon, and Texas all have registration laws and some consumer rights, but none yet offer a DROP equivalent. Federal law provides no comprehensive data broker opt-out right as of 2026. The strongest protections remain California-specific.
For a full overview of the California Consumer Privacy Act and its protections, see California Consumer Privacy Act (CCPA). For how state privacy laws compare on data broker obligations, see US state privacy laws comparison.
Related guides
- How to Submit a Data Deletion Request (2026)
- How to File a Data Privacy Complaint (2026)
- US State Privacy Laws Comparison Chart (2026)
- CCPA Opt-Out Rights: Do Not Sell or Share My Personal Information (2026)