.webp)
Your personal data is sitting on dozens of data broker sites right now. Your name, phone number, home address, employer, and more, all bundled together and sold to anyone willing to pay. The good news is that state privacy laws now give you the legal right to demand that those brokers delete your information. The bad news is that every state does it a little differently.
California, Colorado, and Virginia each have their own privacy laws with rules about how you can opt out of data sales. If you are trying to figure out which rights you actually have and how to use them, the differences matter. Here is a plain breakdown of each law and what it means for getting your data off broker sites.
How Each State Defines Your Right to Opt Out
State privacy laws give residents the legal right to opt out of data broker sales and request deletion of their personal information. California (CCPA/CPRA), Colorado (CPA), and Virginia (VCDPA) are three of the most established, each with different rules for how consumers can submit requests, how brokers must respond, and what enforcement looks like when companies fail to comply.
Each of these three states gives residents the right to tell data brokers to stop selling their personal information. But the scope and mechanics differ in ways that affect what happens after you submit a request.
California: CCPA and the Delete Act
The California Consumer Privacy Act, updated by the California Privacy Rights Act, gives California residents the broadest set of data removal rights in the country. You can request access to your data, demand deletion, and opt out of both the sale and sharing of your personal information. Under the CCPA, "sharing" includes sending your data to advertisers for targeted ads, even if no money changes hands. That catches a lot of activity that other state laws miss.
California also passed the Delete Act in 2023, which created a one-stop deletion tool called the Delete Request and Opt-Out Platform (DROP). As of January 1, 2026, California residents can submit a single request through DROP to direct all registered data brokers in the state to delete their personal information. Starting August 1, 2026, brokers are required to check DROP for new deletion requests at least every 45 days and process deletions within 90 days.
Key California details:
- Enforced by the California Privacy Protection Agency (CPPA), the only dedicated state privacy agency in the country
- Brokers must register annually and pay a $6,000 fee
- The CPPA has already fined companies like Honda, Todd Snyder, and Tractor Supply for CCPA violations
- California's definition of "sale" is the broadest, covering any exchange for valuable consideration
What enforcement looks like in practice: In February 2025, the CPPA forced data broker Background Alert to shut down its operations through 2028 after the company failed to register under the Delete Act. Background Alert had collected billions of public records and sold profiles about individuals through its website. The CPPA also pursued a $46,000 fine against National Public Data, a Florida-based data broker that experienced a breach in 2024, exposing up to 2.9 billion records, including Social Security numbers. National Public Data had registered 230 days late, and only after the CPPA contacted them during an investigation. The company filed for bankruptcy in October 2024. In December 2025, the CPPA fined ROR Partners, a Nevada marketing firm, $56,600 for using "billions of data points" to build consumer profiles on more than 262 million Americans without registering as a data broker.
If you are looking up how the California Privacy Rights Act data broker rules work, the short answer is this: under the CCPA, brokers generally have 45 days to respond to a direct deletion request. DROP simplifies the process by letting you submit one request that reaches all registered brokers at once.
Colorado: The Colorado Privacy Act
Colorado's CPA went into effect in July 2023, and enforcement has gotten sharper since. The 60-day cure period that used to give companies a grace window expired on January 1, 2025. Now, the Attorney General can pursue violations immediately.
Colorado stands out for one major reason: it was among the first states to require businesses to honor universal opt-out signals, specifically Global Privacy Control (GPC). If you turn on GPC in your browser, every website you visit in Colorado must treat that signal as a valid opt-out of data sales and targeted advertising. No forms, no searching for a "Do Not Sell" link.
Colorado also defines "sale" more broadly than Virginia. If a company receives discounts or any other benefit in exchange for your data, that counts as a sale under the CPA.
For anyone researching Colorado privacy act enforcement 2026, the takeaway is that the state is actively enforcing. In July 2023, Attorney General Phil Weiser publicly announced the start of CPA enforcement and began mailing warning letters to businesses about their legal obligations. With the cure period now expired, the AG can impose fines of up to $2,000 per violation, per consumer, with a maximum penalty of $500,000. The universal opt-out requirement through GPC is fully in effect.
Virginia: The VCDPA
Virginia was the second state to pass a comprehensive privacy law. The VCDPA gives residents the right to access, correct, delete, and opt out of the sale of personal data and targeted advertising. Enforcement is handled by the Virginia Attorney General, who can pursue civil penalties of up to $7,500 per violation.
One important difference: Virginia amended its deletion rules for data brokers. Brokers that did not collect your data directly (they bought it from someone else) can comply with a deletion request by opting you out of all processing instead of actually deleting the original data. That means your data may still exist in their systems, but they can not use it or sell it going forward.
Virginia also does not require businesses to honor GPC or any other universal opt-out mechanism. You need to submit opt-out requests directly to each company. In February 2026, Attorney General Jay Jones publicly stated that the VCDPA is "now being fully enforced with no additional grace periods for businesses." As of early 2026, no major public enforcement settlements have been announced under the VCDPA, but the AG's Consumer Privacy Unit is actively receiving and investigating complaints.
Side-by-Side Comparison: CCPA vs. CPA vs. VCDPA
Here is how the three laws stack up on the issues that matter most for data broker opt-outs:
How to Actually Opt Out Under Each Law
Knowing your rights is one thing. Using them is another. Here is how to actually submit data broker opt-out requests under each state's law.
Step 1: Find Out Where Your Data Is
Start by searching your name on common people-search sites like Spokeo, WhitePages, BeenVerified, and Radaris. You will likely find your name, address, phone number, and more listed across multiple brokers.
Step 2: Submit Opt-Out or Deletion Requests
For California residents, the fastest path is the CPPA's DROP tool at privacy.ca.gov/data-brokers. One request covers all registered brokers. Keep in mind that brokers are required to start processing DROP requests beginning August 1, 2026, so early submissions may take longer to see results. You can also submit individual requests through each broker's opt-out page.
For Colorado residents, enable Global Privacy Control in your browser. GPC automatically communicates your opt-out preference to every site you visit. For brokers that do not operate websites you visit, submit individual deletion requests.
For Virginia residents, use the privacy links on each company's website to opt out of data sales and request deletion. Companies have 45 days to respond, with a possible 45-day extension if they notify you. If the extended window passes with no response, file a complaint with the Virginia Attorney General.
Step 3: Follow Up and Repeat
Data brokers frequently re-collect your information from public records and other sources. A one-time opt-out does not stay permanent. You need to check back and resubmit requests, sometimes every few months.
Why Manual Opt-Outs Only Go So Far
The state privacy laws data broker opt-out process sounds straightforward on paper. In practice, manually opting out of dozens or hundreds of brokers takes 20 to 40 hours of work. And because brokers can re-list you within weeks, you are looking at a recurring time commitment.
The 2024 National Public Data breach showed just how much is at stake. A single data broker exposed up to 2.9 billion records, including full names, addresses, and Social Security numbers, to hackers who posted the data on the dark web. Most of the people affected never signed up for the service or even knew it had their information.
Even California's DROP tool only covers brokers that have registered with the state. Plenty of companies that trade in personal data operate outside that registry. State-by-state data broker compliance varies significantly, and keeping up with the differences across California, Colorado, Virginia, and the growing list of other states with privacy laws is a full-time job on its own.
That is exactly why legal data removal services to submit opt-outs on my behalf exist. Automated tools can handle the repetitive work of filing requests, monitoring for re-listings, and resubmitting when your data reappears.
How Cloaked Helps You Take Back Control
Cloaked removes your personal data from 300+ data brokers and people-search sites, handling the opt-out process so you do not have to chase down each broker individually. Beyond removal, Cloaked lets you generate unique email aliases and phone numbers for every account, so your real information never ends up on broker databases in the first place. Add Dark Web & SSN Monitoring and $1M in identity theft insurance, and you have a layered defense that goes well beyond what any single state law can provide.
Run a free safety scan to see how exposed your data already is, or contact Cloaked to learn more.
FAQs
What is a CCPA opt-out for data brokers?
A CCPA opt-out lets California residents tell data brokers to stop selling or sharing their personal information. For direct requests, brokers generally have 45 days to respond. California's DROP tool now lets you submit one request that covers all registered brokers in the state, though brokers are required to begin processing DROP requests starting August 1, 2026.
Which states require businesses to honor Global Privacy Control?
California, Colorado, and Connecticut all require businesses to treat GPC browser signals as valid opt-out requests. Virginia does not mandate GPC recognition, so residents there need to submit opt-out requests directly to each company.
Can a data broker ignore my deletion request?
Not legally, but responses vary. California brokers must delete your data or face fines from the CPPA. Virginia brokers can opt you out of processing instead of deleting. Colorado brokers must comply or risk enforcement by the Attorney General. If a broker ignores your request, file a complaint with your state's enforcement body.
Do I need to live in California, Colorado, or Virginia to use these laws?
You need to be a resident of the state whose law you are invoking. A California resident can use the CCPA, but a Texas resident cannot. However, nearly 20 states now have some form of comprehensive privacy law, and the list keeps growing. Check your own state's rules.
How often do data brokers re-collect my information after I opt out?
Most brokers continuously acquire new data from public records, other brokers, and online activity. Your information can reappear within weeks or months after a successful opt-out. Regular monitoring and repeated requests are necessary to stay off their lists long term.
What is the difference between opting out and deleting my data?
Opting out means a broker must stop selling or using your data going forward, but may still retain it. Deletion means the broker must actually remove your personal information from their systems. California and Colorado require full deletion. Virginia allows brokers to choose between deletion and opting you out of all processing.
How do I remove my information from data brokers for free?
Under the CCPA, VCDPA, CPA, and similar state laws, data brokers must honor your deletion or opt-out request at no charge. You can submit requests directly through each broker's opt-out page, or California residents can use the CPPA's free DROP tool at privacy.ca.gov. The process is free, but covering dozens of brokers manually can take 20 to 40 hours of your time.
