Why the California Delete Act Matters

Bill 362 is a perfect template for a nationwide win against data brokers and the privacy infringements they cause.

Rob Shavell, CEO, Abine/DeleteMe

August 1, 2023

4 Min Read
Eye on a digital background -- privacy concept art
Source: Skorzewiak via Alamy Stock Photo

A new California privacy bill should make it easier for residents to take their personally identifiable information (PII) off data brokers. But Californians won't be the only ones to benefit if the California Delete Act (Senate Bill 362) passes. Like other tech developments, where California goes, the rest of the nation tends to follow. Bill 362 provides a perfect template for a nationwide win against data brokers and the dangerous privacy infringements they cause. 

One of the largest sources of online exposure (i.e., how your phone number pops up when someone Googles you), data brokers are companies that aggregate information about consumers. They, mostly legally, take this data from various different sources (public records, credit card transactions, social media, etc.) and then sell it to third parties.

Data brokers rarely vet their customers. As a result, anyone — from marketers and law enforcement agencies to cybercriminals — can get their hands on our personal information, such as contact details, family information, sexuality, reproductive health, and even geolocation. We know that criminal groups use data brokers for reconnaissance and targeted phishing emails. 

If Senate Bill 362 passes (which looks likely), it could trigger a sequence of state copycat laws. Get enough of these over the line, and a federal data broker opt-out process will likely follow.

What Is the California Delete Act?

Current state laws allow citizens to request that data brokers remove any information they have collected from them directly, but not from third-party sources. The California Delete Act closes this loophole. 

The California Delete Act would do the following:

  • Require data brokers to register with the California Privacy Protection Agency (CPPA) public registry, pay a registration fee, and disclose the information they collect 

  • Call for data brokers to provide and adhere to a one-time universal opt-out process made through the California Privacy Protection Agency dashboard 

  • Require data brokers to disclose the requests they receive from consumers 

  • Create a "do not track" list similar to the federal "do not call" list to limit robocalls

The California Delete Act would create an online portal where Californians could opt out of data broker tracking and remove information already collected about them.

Why Does the California Delete Act Matter? 

After being the first state to pass comprehensive privacy legislation in 2019, multiple other states have enacted their own versions of these laws. 

As a result, if the California Delete Act passes, it's more than likely that other states will follow suit — especially considering that some states have already floated comparable measures. 

Pressure for nationwide equivalence might even come from data brokers themselves. For data broker businesses, managing different rules for different jurisdictions can get complex and costly. 

Multiple overlapping sets of rules are also not a desirable outcome at the federal level. Congress has already taken a closer look at data broker industry practices and even proposed a similar federal law. A simple regulation that requires consumer transparency and simple opt-out processes would provide an easy win for Congress without necessarily stepping directly on the toes of major tech vendors. 

Is the California Delete Act Likely to Pass?

Yes. The California Delete Act passed the California Senate 32–8 on May 31 and has now moved to the Assembly. The bill also has support from reproductive rights groups like Planned Parenthood, which gives it political relevance and visibility. 

How Will the Act Affect the Broader Data Broker Industry?

It is a warning shot that the Wild West days of indiscriminate data collection and sale are over. The bill will require data brokers to facilitate simple, universal opt-out methods. Data brokers that do not comply with consumer requests will be fined $200 per day, per consumer — that is, if they get caught. 

How Will Compliance Be Enforced Under this Act?

The California Delete Act is not self-enforcing. Although compliance can be enforced through the California Attorney General's office, the reality is that the state does not have the resources to audit and enforce the bill's stipulations. 

Private-Public Enforcement 

The California Delete Act would make it easier for Californians to stop data brokers from collecting and selling their information. It may also be just what's needed to trigger a national clampdown on the ongoing data-harvesting economy. 

Having reached out to hundreds of thousands of data brokers with opt-out requests on behalf of our customers in the past decade, compliance has always been the biggest issue. 

The companies we monitor are not legally compelled to agree to our requests. This will change if the California bill (and hopefully — eventually — federal bill) passes. It means that data brokers on the list will have a legal requirement to comply with opt requests. However, with enforcement likely to be relatively weak, individuals will need to count on the private sector to ensure opt-outs actually happen and report noncompliance.

About the Author

Rob Shavell

CEO, Abine/DeleteMe

Rob Shavell is CEO of Abine/DeleteMe, The Online Privacy Company. Rob has been quoted as a privacy expert in the Wall Street Journal, New York Times, The Telegraph, NPR, ABC, NBC, and Fox. Rob is a vocal proponent of privacy legislation reform, including the California Privacy Rights Act (CPRA).

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights