Advertisement

California passes first-in-the-nation data broker deletion tool

Lawmakers in California are continuing to speed ahead of the federal government in writing legislation to address privacy concerns.
A California flag flies in front of 555 California Street on May 09, 2023 in San Francisco, California. (Justin Sullivan / Getty Images)

A privacy bill that passed in the California legislature this week would create a first-of-its-kind, centralized mechanism allowing consumers to request brokers to delete their personal information. The legislation represents the latest example of U.S. states zooming ahead of the federal government in trying to protect Americans’ data.

After passing the California Assembly on Wednesday, on Thursday the state Senate advanced the Delete Act, which would create a one-stop-shop for residents to opt out of data broker collection, rather than submitting individual requests to the hundreds of brokers registered in the state. The bill now heads to Gov. Gavin Newsom’s desk.

Data brokers’s collection of data belonging to Americans poses a number of harms, and policymakers in Congress and in the White House are becoming increasingly interested in writing more stringent rules regulating the industry. A number of proposals in Congress would create an opt-out mechanism similar to the California measure, but these bills have failed to advance amid a fractious legislative climate in Washington for privacy-focused bills.

California has proved a pioneer in writing privacy rules — its 2018 privacy law encouraged other states to pass similar measures — and this week’s rules regarding data brokers could prove similarly influential.

Advertisement

“If Californians get a right to centrally opt-out from data brokers, there’s a big question of what this would mean for these ongoing federal conversations,” Cobun Zweifel-Keegan, managing director of the International Association of Privacy Professionals, wrote in a comment to CyberScoop. “It could mean more pressure for federal action, either to spread this mechanism to citizens of other states, or otherwise standardize something similar across the country.”

The opt-out mechanism in the Delete Act will be run by California’s Privacy Protection Agency, which was established in 2020. If a consumer submits a deletion request, the law would require all registered data brokers to delete the personal information of consumers every 31 days and prohibit data brokers from sharing or selling new data of the consumer. Data brokers that fail to comply with the law would be liable for civil penalties and administrative fines.

“We really hope that California, in particular, and other states will look at this as a good step towards a better privacy regime,” said Hayley Tsukayama, the associate director of legislative activism at the Electronic Frontier Foundation.

The framework of the Delete Act echoes sections of the American Data Privacy Protection Act, which advanced out of committee in the U.S. House of Representatives last year. However, the bill faced opposition in the Senate and has yet to be reintroduced this year. ADPPA, if passed, would pre-empt state privacy laws, including California’s.

It’s not the only effort in Congress to regulate data brokers. Sens. Bill Cassidy, R-La., Jon Ossoff, D-Ga., and Reps. Lori Trahan, D-Mass., and Chuck Edwards, R-N.C., reintroduced legislation this summer that would direct the Federal Trade Commission to create a similar one-time data deletion request mechanism.

Advertisement

Legislative interest in regulating the data broker industry comes amid growing recognition of harms associated with widespread data collection and sale. Researchers have found that data brokers market and sell highly sensitive data, including mental health data and geolocation data that could be traced to abortion clinics, often without consumers’ awareness. Data brokers also sell information to law enforcement, allowing for surveillance that in the view of critics bypasses Fourth Amendment protections. 

California’s 2018 privacy law already gives residents the right to request companies delete any information they collected from consumers, and the Delete Act, introduced by California state Sen. Josh Becker, a Democrat who represents a Silicon Valley district, builds upon the landmark privacy law.

The Delete Act expands data eligible for deletion to include all data covered under California’s definition of personal information, which could include things like geolocation data but not certain types of public records. There are other limitations to the bill: entities already covered by the Fair Credit Act and HIPAA are exempt, for instance.

“It can be great to have a right to delete but, it can be pretty onerous for individuals,” said Hayley Tsukayama, associate director of legislative action at the Electronic Frontier Foundation.

Emory Roane, policy counsel at Privacy Rights Clearinghouse, a nonprofit that supported the Delete Act, likened the new requirements to the Do Not Call registry, a national database of phone numbers that have opted out of telemarketer calls, and said the measure could expose some of the industry’s more dubious practices to greater scrutiny. The bill, for instance, requires that all data brokers release reports of which requests they completed and which they denied and why.

Advertisement

The law would also require data brokers to register with California’s Privacy Protection Agency. California’s Consumer Privacy Act of 2018 already requires data brokers to register with the Attorney General. California is one of just a handful of states, including Vermont, Texas and Washington, that require data brokers to register with the state.

“We desperately need strong privacy protections at the state and federal level,” Roane said. “The past year has shown states have been stepping up to bat.”

Ad tech and marketing firms, including IPG, Acxiom, the Consumer Data Industry Association, and the National Federation of Independent Businesses, opposed the Delete Act and said it would hurt consumers and businesses.

“The bill undermines consumer fraud protections, hurts small businesses’ ability to compete, and solidifies the big platforms’ data dominance,” Dan Smith, president and CEO of the Consumer Data Industry Association, said in a statement. “It also empowers third parties to request to delete consumers’ data with no guardrails. That could incentivize a cottage industry of groups to mislead consumers into paying for services they don’t understand.”

Tonya Riley

Written by Tonya Riley

Tonya Riley covers privacy, surveillance and cryptocurrency for CyberScoop News. She previously wrote the Cybersecurity 202 newsletter for The Washington Post and before that worked as a fellow at Mother Jones magazine. Her work has appeared in Wired, CNBC, Esquire and other outlets. She received a BA in history from Brown University. You can reach Tonya with sensitive tips on Signal at 202-643-0931. PR pitches to Signal will be ignored and should be sent via email.

Latest Podcasts