Introducing the California Delete Act
[Update October 2023: the California Delete Act aka SB 362 was signed into law on October 10, 2023 by Governor Newsom. My analysis of the law can be found here.]
I am very pleased that California State Senator Josh Becker has introduced Senate Bill 362 (SB 362) — the California Delete Act — that would create an online portal for consumers to request that data brokers delete any data they have on the consumer and no longer track them. One can think of this bill as the equivalent of legislation that gave us the incredibly popular “Do Not Call” registry (operated by the Federal Trade Commission with over 240 million registrants). In this case, this bill applies to Californians’ data stored and collected by data brokers. I am very pleased to have proposed this bill to Senator Becker and subsequently co-drafted the bill along with Emory Roane at the Privacy Rights Clearinghouse. The California Delete Act is based on bipartisan proposals at the Federal level and, in fact, this same type of measure was even proposed by the CEO of the largest Big Tech firm — Tim Cook at Apple. In this blog post, I will give an overview of the bill.
Executive Summary
The California Delete Act would direct the California Privacy Protection Agency (CPPA) to create an online tool where California consumers can submit a one-time data deletion request to all registered data brokers that hold their personal data. The proposed bill would also create a ‘do not track list’ to prohibit data brokers from collecting these users’ data in the future. Data brokers are businesses that collect, use, and sell personal data without a person’s knowledge.
Background
As I discuss in great detail in my upcoming book Containing Big Tech, data brokers are companies that we don’t have a direct relationship with — and likely have never even heard of — that collect data from various offline and online sources. These sources range from property records, purchase history, social media profiles, and online web and mobile app activity tracking. Data brokers then aggregate our data and then either sell or share our data with third parties.
Data brokers have been making a lot of headlines of late as it relates to these companies selling and sharing very sensitive personal data such as our location (e.g., people going to/from abortion clinics), what types of healthcare apps we have installed (e.g., pregnancy trackers), our religion (e.g., people who have a Muslim prayer app installed), our sexuality (e.g., if you are using a gay/bi dating app), etc. In a post-abortion rights America, there is significant concern that this data can be weaponized. There is also significant concern regarding the mass collection of this type of data facilitating identity theft.
Currently only two states — California and Vermont — have data broker registry laws, but they do not provide global deletion or do not track enforcement for consumers.
The Need for a Data Broker Clearinghouse
This new bill is modeled after various calls for the Federal Trade Commission (FTC) to create a data broker registry and further allow consumers to make global deletion requests of data brokers in the registry. For example, Apple CEO Tim Cook proposed in a 2019 TIME magazine opinion piece that the FTC should establish a “data-broker clearinghouse.” This would facilitate consumers being able to track the data brokers “that have bundled and sold their data from place to place.” And the clearinghouse would also give consumers “the power to delete their data on demand, freely, easily and online, once and for all.”
This is a Broadly Supported and Bipartisan Proposal
A bipartisan federal proposal came out in February of 2022 to provide such a data-broker clearinghouse. Introduced by US Senators Bill Cassidy (Republican Senator from Louisiana) and Jon Ossoff (Democratic Senator from Georgia) and Representative Lori Trahan (Democratic House member from Massachusetts), the bill is the Data Elimination and Limiting Extensive Tracking and Exchange (DELETE) Act. The bill would “direct the Federal Trade Commission (FTC) to create an online dashboard for Americans to submit a one-time data deletion request that would be sent to all data brokers registered.” In addition, it would also create a “do-not-track list” to protect registrants from future data collection. Underpinning this proposal is the creation of a federal data broker registry.
This proposed California bill is modeled after the bipartisan Federal proposal. In light that California already has a data broker registry, the California Delete Act would extend the registry to allow consumers to request that their data be deleted, and data brokers no longer track them. A variation of this same bill was included in a proposed Federal omnibus privacy bill (the American Data Privacy and Protection Act or ADPPA) that passed its House Committee 53-2, so dozens of House Republicans voted for this concept (the omnibus bill never made it to the floor because of concerns that it would preempt state law, e.g. CCPA). I am also pleased to have worked with the advocacy Texas Appleseed which has also proposed a similar data broker clearinghouse, so this is not just a need for Californians. And finally, this data broker clearinghouse parallels the incredibly popular FTC Do Not Call Registry.
Why This is Needed
We live in a world where shadowy data brokers collect all our online activity and merge it with our credit purchase history, property records, location data, and more. And anyone with a credit card can buy this information about us, and unfortunately, that data can be weaponized against us and get insight into our sexuality, reproductive health, and even our precise geolocation. Data brokers also profile and score us, which is then used by others to make crucial decisions impacting our lives, such as loans, housing, jobs, etc., despite the underlying data being incorrect half the time.
California has had a data broker registry. But the onus is still up to the consumer to contact every data broker to request opt-out and deletion. Assuming it takes thirty minutes per broker and there are five hundred brokers registered across the two states, opting out from all of them would require 250 hours of work per Californian!
Now, in theory, you could pay an opt-out service that removes you from data brokers’ databases, the most I could find that an opt-out service would cover was approximately two hundred data brokers. In light that there are over 400 data brokers registered with California, this would (a) be a massive time saving; (b) cover more data brokers than a paid service; (c) is free; and (d) goes beyond the deletion of your data but tells data brokers to stop tracking you.
Added Delivers Added Transparency
The bill also requires more transparency from data brokers regarding what kind of data they collect. The bill requires data brokers to reveal:
Whether the data broker collects the personal information of minors.
Whether the data broker collects consumers’ precise geolocation.
Whether the data broker collects consumers’ reproductive health care data.
This transparency is critical when considering the risks associated with kids’ online safety and protecting the privacy of women.
Summary
This is a commonsense, bipartisan proposal that puts consumers in control over their own data. And again, note that the largest Big Tech firm, Apple, had their CEO propose this exact same idea! So even large tech firms know we need this. Congrats to State Senator Josh Becker for backing this bill, and thanks to Senator Becker for letting me propose and contribute to its drafting.
Imagine this: by letting us do a simple registration on a government web page, we could tell every data broker to delete our data and, moving forward, never collect, sell, or share it again. And in doing so, we can reduce the weaponization of our data, reduce identity theft and fraud, and finally take control over who collects and sells our most sensitive data. Very powerful and very much needed!
In upcoming blog posts I will drill down on the finer points of SB 362 — the California Delete Act.