That’s on the verge of changing. Both houses of the California state Legislature have passed the Delete Act, which would establish a “one stop shop” where individuals could order hundreds of data brokers registered in the state to delete their personal data – and to cease acquiring and selling it in the future – with a single request.
Elevate Your Tech Prowess with High-Value Skill Courses
|Northwestern University||Kellogg Post Graduate Certificate in Digital Marketing||Visit|
|Indian School of Business||ISB Professional Certificate in Product Management||Visit|
|Indian School of Business||ISB Digital Transformation||Visit|
|Indian School of Business||ISB Digital Marketing and Analytics||Visit|
The Delete Act isn’t law yet. Democratic Gov. Gavin Newsom still has to decide whether to sign the measure, which potentially could extend well beyond state lines given California’s history of setting similar trends.
Here’s what you need to know.
WHAT THE BILL DOES
While California law already gives individuals the right to request data deletion, doing so currently require making separate requests to hundreds of data brokers registered in the state, many with their own unique requirements for drafting and handling such requests. Even then, nothing stops these companies from simply reacquiring the data after they delete it.
The Delete Act would require the state’s new privacy office, the California Privacy Protection Agency, to set up a website where consumers can verify their identity and then make a single request to delete their personal data held by data brokers and to opt out of future tracking. Proponents call it a “do not track” signal similar to the “do not call” list for telemarketers maintained by the Federal Trade Commission.
Discover the stories of your interest
California already regulates data brokers, but the Delete Act would strengthen those provisions by requiring the companies to disclose more information about the data they collect on consumers and beefing up the state’s enforcement mechanisms. MEET THE DATA BROKERS The Electronic Privacy Information Center, a Washington, D.C., nonprofit focused on bolstering the right to privacy, defines data brokers as companies that collect and categorize personal information, usually to build profiles on millions of Americans that the companies can then rent, sell or use to provide services.
The data they collect, per the EPIC, can include: “names, addresses, telephone numbers, email addresses, gender, age, marital status, children, education, profession, income, political preferences, and cars and real estate owned.”
That is in addition to “information on an individual’s purchases, where they shop, and how they pay for their purchases,” plus “health information, the sites we visit online, and the advertisements we click on. And thanks to the proliferation of smartphones and wearables, data brokers collect and sell real-time location data.”
Privacy advocates have warned for years that location and seemingly non-specific personal data – often collected by advertisers and amassed and sold by brokers – can be used to identify individuals. They also charge that the data often isn’t well secured and that the brokers aren’t covered by laws that require the clear consent of the person being tracked. They have argued for both legal and technical protections so consumers can push back.
ARE DATA BROKERS THAT BAD?
Data brokers say they get a bad rap for serving a vital need.
Dan Smith, president of the Consumer Data Industry Association, which describes itself as “the voice of the consumer reporting industry,” called the Delete Act “severely flawed” and warned in a Wednesday release that the change could lead to unintended consequences by undermining consumer fraud protections, hurting the competitiveness of small businesses and entrenching big platforms such as Facebook and Google that collect vast amounts of consumer data but don’t sell it.
Smith also argued the heart of the bill – the one-stop data deletion program – could potentially allow malicious outsiders to impersonate consumers and delete their data without permission, although he didn’t explain what a third party might have to gain by deleting a consumer’s data without permission.
The Delete Act specifically exempts credit reporting agencies such as Experian, Equifax and TransUnion, whose reports are often required for big-ticket consumer purchases such as homes or cars.
The CDIA did not immediately reply to a request for clarification.
WHAT ABUSE OF DATA BROKER INFORMATION LOOKS LIKE
In other respects, though, the information collected by these companies can be startlingly easy to abuse. The general lack of U.S. restrictions on what brokers can do with the vast amount of data they collect means there’s aren’t many legal protections to prevent outsiders from spying on politicians, celebrities and just about anyone who is a target of idle curiosity, or malice.
In mid-2021, for instance, the U.S. Conference of Catholic Bishops announced the resignation of its top administrative official, Monsignor Jeffrey Burrill, ahead of a report by the Catholic news outlet The Pillar probing his private romantic life. The Pillar said it obtained “commercially available” location data from an unnamed vendor that was “correlated” to Burrill’s phone to determine he had visited gay bars and private residences while using Grindr, a dating app popular with gay people.
The Pillar alleged “serial sexual misconduct” by Burrill, as homosexual activity is considered sinful under Catholic doctrine and priests are expected to remain celibate. Following an extended leave, Burrill resumed his ministry in the small town of West Salem, Wisconsin, according to the Catholic News Service.