SAN FRANCISCO — You may not know it, but thousands of often shadowy companies routinely traffic in personal data you probably never agreed to share — everything from your real-time location information to private financial details. Even if you could identify these data brokers, there isn’t much you can do about their activities, even in California, which has some of the strongest digital privacy laws in the U.S.
That’s on the verge of changing. Both houses of the California state legislature have passed the Delete Act, which would establish a “one stop shop” where individuals could order hundreds of data brokers registered in the state to delete their personal data — and to cease acquiring and selling it in the future — with a single request.
The Delete Act isn’t law yet; it still needs to pass a second vote in the state Senate, after which its fate is up to Gov. Gavin Newsom, a Democrat who hasn’t said whether he’ll sign it. But if enacted, its impact could extend well beyond state lines given California’s history of setting trends of this sort.
Here’s what you need to know.
What the bill does
While California law already gives individuals the right to request data deletion, doing so currently requires making separate requests to hundreds of data brokers registered in the state, many with their own unique requirements for drafting and handling such requests. Even then, nothing stops these companies from simply reacquiring that data once they delete it.
The Delete Act would require the state’s new privacy office, the California Privacy Protection Agency, to set up a website where consumers can verify their identity and then make a single request to delete their personal data held by data brokers and to opt out of future tracking. Proponents call it a “do not track” signal similar to the “do not call” list for telemarketers maintained by the Federal Trade Commission.
California already regulates data brokers, but the Delete Act would strengthen those provisions by requiring the companies to disclose more information about the data they collect on consumers and beefing up the state’s enforcement mechanisms.
Meet the data brokers
The Electronic Privacy Information Center, a Washington, D.C., nonprofit focused on bolstering the right to privacy, defines data brokers as companies that collect and categorize personal information, usually to build profiles on millions of Americans that the companies can then rent, sell or use to provide services. The data they collect, per EPIC, can include: “names, addresses, telephone numbers, email addresses, gender, age, marital status, children, education, profession, income, political preferences, and cars and real estate owned.”
That’s not to mention “information on an individual’s purchases, where they shop, and how they pay for their purchases,” plus “health information, the sites we visit online, and the advertisements we click on. And thanks to the proliferation of smartphones and wearables, data brokers collect and sell real-time location data.”
Privacy advocates have warned for years that location and seemingly non-specific personal data — often collected by advertisers and amassed and sold by brokers — can be used to identify individuals. They also charge that the data often isn’t well secured and that the brokers aren’t covered by laws that require the clear consent of the person being tracked. They’ve argued for both legal and technical protections so that consumers can push back.
Are data brokers that bad?
Data brokers say they get a bad rap for serving a vital need. The president of the Consumer Data Industry Association, which describes itself as “the voice of the consumer reporting industry,” called the Delete Act “severely flawed” and warned in a Wednesday release that it could lead to unintended consequences by undermining consumer fraud protections, hurting the competitiveness of small businesses and entrenching big platforms such as Facebook and Google that collect vast amounts of consumer data but don’t sell it.
That CDIA official, Dan Smith, also argued that the heart of the bill — the one-stop data deletion program — could potentially allow malicious outsiders to impersonate consumers and delete their data without permission, although he didn’t explain what a third party might have to gain by deleting a consumer’s data without permission. (The Delete Act specifically exempts credit reporting agencies such as Experian, Equifax and TransUnion, whose reports are often required for big-ticket consumer purchases such as homes or cars.)
The CDIA did not immediately reply to a request for clarification.
What abuse of data broker information looks like
In other respects, though, the information collected by these companies can be startlingly easy to abuse. The general lack of U.S. restrictions on what brokers can do with the vast amount of data they collect means there aren’t many legal protections to prevent outsiders from spying on politicians, celebrities and just about anyone that’s a target of idle curiosity — or malice.
Back in mid-2021, for instance, the U.S. Conference of Catholic Bishops announced the resignation of its top administrative official, Monsignor Jeffrey Burrill, ahead of a report by the Catholic news outlet The Pillar that probed his private romantic life. The Pillar said it obtained “commercially available” location data from a vendor it didn’t name that it “correlated” to Burrill’s phone to determine that he had visited gay bars and private residences while using Grindr, a dating app popular with gay people.
The Pillar alleged “serial sexual misconduct” by Burrill, as homosexual activity is considered sinful under Catholic doctrine and priests are expected to remain celibate.
Following an extended leave, Burrill has since resumed his ministry in the small town of West Salem, Wisconsin, according to the Catholic News Service.