SAN FRANCISCO – You may not know it, but thousands of often shadowy companies routinely traffic in personal data you probably never agreed to share — everything from your real-time location information to private financial details. Even if you could identify these data brokers, there isn't much you can do about their activities, including in California, which has some of the strongest digital privacy laws in the U.S.
That's on the verge of changing. Both houses of the California state Legislature have passed the Delete Act, which would establish a “one stop shop” where individuals could order hundreds of data brokers registered in the state to delete their personal data — and to cease acquiring and selling it in the future — with a single request.
The Delete Act isn't law yet. Democratic Gov. Gavin Newsom still has to decide whether to sign the measure, whose impact could potentially extend well beyond state lines given California's history of setting similar trends.
Here's what you need to know.
WHAT THE BILL DOES
While California law already gives individuals the right to request data deletion, doing so currently require making separate requests to hundreds of data brokers registered in the state, many with their own unique requirements for drafting and handling such requests. Even then, nothing stops these companies from simply reacquiring the data after they delete it.
The Delete Act would require the state's new privacy office, the California Privacy Protection Agency, to set up a website where consumers can verify their identity and then make a single request to delete their personal data held by data brokers and to opt out of future tracking. Proponents call it a “do not track” signal similar to the “do not call” list for telemarketers maintained by the Federal Trade Commission.
California already regulates data brokers, but the Delete Act would strengthen those provisions by requiring the companies to disclose more information about the data they collect on consumers and beefing up the state's enforcement mechanisms.
MEET THE DATA BROKERS
The Electronic Privacy Information Center, a Washington, D.C., nonprofit focused on bolstering the right to privacy, defines data brokers as companies that collect and categorize personal information, usually to build profiles on millions of Americans that the companies can then rent, sell or use to provide services.
The data they collect, per EPIC, can include: “names, addresses, telephone numbers, email addresses, gender, age, marital status, children, education, profession, income, political preferences, and cars and real estate owned.”
That is in addition to “information on an individual’s purchases, where they shop, and how they pay for their purchases,” plus “health information, the sites we visit online, and the advertisements we click on. And thanks to the proliferation of smartphones and wearables, data brokers collect and sell real-time location data.”
Privacy advocates have warned for years that location and seemingly non-specific personal data — often collected by advertisers and amassed and sold by brokers — can be used to identify individuals. They also charge that the data often isn't well secured and that the brokers aren't covered by laws that require the clear consent of the person being tracked. They have argued for both legal and technical protections so consumers can push back.
ARE DATA BROKERS THAT BAD?
Data brokers say they get a bad rap for serving a vital need.
Dan Smith, president of the Consumer Data Industry Association, which describes itself as “the voice of the consumer reporting industry,” called the Delete Act “severely flawed” and warned in a Wednesday release that the change could lead to unintended consequences by undermining consumer fraud protections, hurting the competitiveness of small businesses and entrenching big platforms such as Facebook and Google that collect vast amounts of consumer data but don't sell it.
Smith also argued that the heart of the bill — the one-stop data deletion program — could potentially allow malicious outsiders to impersonate consumers and delete their data without permission. The organization also argues that the cost of the legislation will be much greater than California regulators currently suggest.
WHAT ABUSE OF DATA BROKER INFORMATION LOOKS LIKE
In other respects, though, the information collected by these companies can be startlingly easy to abuse. The general lack of U.S. restrictions on what brokers can do with the vast amount of data they collect means there's aren't many legal protections to prevent outsiders from spying on politicians, celebrities and just about anyone who is a target of idle curiosity, or malice.
In mid-2021, for instance, the U.S. Conference of Catholic Bishops announced the resignation of its top administrative official, Monsignor Jeffrey Burrill, ahead of a report by the Catholic news outlet The Pillar probing his private romantic life. The Pillar said it obtained “commercially available” location data from an unnamed vendor that was “correlated” to Burrill’s phone to determine he had visited gay bars and private residences while using Grindr, a dating app popular with gay people.
The Pillar alleged “serial sexual misconduct” by Burrill, as homosexual activity is considered sinful under Catholic doctrine and priests are expected to remain celibate. Following an extended leave, Burrill resumed his ministry in the small town of West Salem, Wisconsin, according to the Catholic News Service.