Published on October 06, 2023

Introduced by Senator Josh Becker (D-CA), Senate Bill 362, now referred to as the Delete Act, was created to close loopholes in the California Consumer Privacy Act (CCPA).

Under the CCPA, Californians are able to ask individual data brokers to delete any personal information that these brokers have obtained directly from them; however, neither the CCPA—nor the CPRA—requires brokers to delete personal information that has been acquired from third-party sources. Clearly, this is a loophole that does, indeed, need to be remedied.

Becker’s bill cleared the California legislature on September 14. Now, Governor Gavin Newsom has until next week (Oct. 14) to sign the bill, and there’s every indication he will do so.

What will the Delete Act entail?

Assuming Newsom signs the bill, the Delete Act will provide California residents with a one-stop system for data deletion. With a single request, Californians will be able to ensure that ALL their personal data is erased by ALL data brokers operating in the state.

Also, under the Delete Act, the regulation of data brokers will be transferred from the California Attorney General to the California Privacy Protection Agency (CPPA).

Creating this system is a tall task; however, the CPPA has some time. In fact, they have until January 1, 2026, to create the website or mechanism that allows residents to place their deletion requests. Tasked with administrating the Delete Act, the CPPA will enforce data broker registration and ensure that all brokers are deleting Californians’ personal information every 45 days after receiving a valid request.

New obligations for the data brokerage industry

Although it certainly provides new affordances for Californians, the Delete Act also brings a host of new obligations to businesses operating within the surveillance economy. The hundreds, if not thousands, of data brokerages operating in California will see additional workflows and costs.

Essentially, the Delete Act layers on top of the CPRA and strengthens existing data broker legislation. Importantly, the definition of “data broker” will not change under the new law. A data broker is a “business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” Thus, if a broker has a direct relationship with the consumer, they will most likely not have new obligations under the Delete Act.

As a quick caveat, brokers covered by the Fair Credit Reporting Act, Gramm-Leech-Bliley Act, or the Insurance Information and Privacy Protection Act are exempt.

On an annual basis, all non-exempt data brokerages will now have to disclose metrics, including the number of deletion requests and rejected requests. Every three years—starting in 2028—brokerages will have to undergo an independent audit, proving they have been in compliance with the new law.

Then, most taxing of all, is the brokers’ ongoing deletion obligation. Every 45 days, the brokerage will have to ensure that they have complied with all valid deletion requests. Needless to say, there has been a great deal of pushback from a host of entities in the surveillance realm.

Does the Delete Act go too far?

In my estimation, the short answer is no. However, I would be remiss if I didn’t give the law’s detractors their chance to weigh in. The Consumer Data Industry Association (CDIA), which is a lobbyist group for data brokerage companies, credit bureaus, and background check companies, has been particularly vocal in their opposition to the Delete Act. The CDIA’s website, “No to SB 362,” argues that the new law will harm Californian businesses—and supposedly, Californians as well.

The CDIA claims that small and mid-sized businesses in California will be unable to reach new customers, which will likely be true for some companies, including some digital advertising businesses. The CDIA’s website lists some other potential effects of the Delete Act, such as “blocking law enforcement agencies from using data to investigate crimes,” “erasing the data sets needed by academics to conduct research,” and “preventing government agencies from using data to evaluate and improve public services.” Of course, the CDIA isn’t the only entity claiming that there will be unintended downstream effects of the Delete Act.

Potential unintended consequences of the Delete Act

On September 21, the International Association of Privacy Processionals (IAPP) hosted a LinkedIn Live event with Jessica Lee, a partner at Loeb & Loeb, LLP and Jason Sarfati, chief privacy officer at Gravy Analytics—an enterprise location technology company that provides businesses with data about peoples’ physical movements, among other things.

Despite his clear alliance with the data brokerage industry, Sarfati makes some persuasive arguments during this event. He laments, “It’s regrettable that the benefits to consumers that data brokers provide is so frequently lost in this conversation, and if someone later in time submits a mass opt out request, I regret to say that I don’t think they’re going to be fully aware of the downstream consequences of that.”

Sarfati claims that some data brokerage companies do positive work in the anti-fraud and identity verification spaces. “By number, most data brokers are not part of the advertising or mar-tech ecosystem. There are a host of other data brokers that do great work in the anti-fraud or identity verification world.”

Sarfati continues,

“I truly believe that if an individual submits a mass opt-out request, they are going to be at greater risk at credit card fraud down the line, or they’re going to encounter frequently issues around job applications and verifying their identity because there’s a lot of other companies that just do a lot of work in the background on behalf of others.”

There’s no way to know if those risks are real. It will depend on how the law is written, the nature of the exemptions, and how it is enforced by the CPPA.

One thing is certain—the data brokerage industry is in for a colossal shake-up

Firstly, not all data brokers and companies that rely on their services will be able to remain in business. This isn’t the worst thing, although Sarfati tries to frame it as such. Sarfati opines, “Reducing the availability of third-party data is going to have a chilling effect on competition, and in particular, smaller and medium-sized companies that don’t have access to that rich amount of first-party data.” In response to that, I’d merely shrug.

Personally, I don’t have much empathy for companies with business models that rely on third-party user data. The surveillance economy needs to be disrupted. If some of the smaller players go out of business because they are unable to operate without surreptitiously accessing our third-party personal information, then so be it.

Secondly, we will begin to see a tidal wave of copycat laws at the state level. Just as other states followed California’s lead on earlier data privacy legislation (CCPA and CPRA), other states will follow California’s lead in the data brokerage space.

As dozens of states pass data brokerage legislation, big brokers and lobbyist groups like the Consumer Data Industry Association will begin to clamor for a federal data broker registry and a federal law. In fact, it’s already happening. Sarfati complains, “There needs to be a federal data broker registry. It just doesn’t make sense for us to have piece meal registrations.” I very much agree with him on this front.

Thirdly, given that access to third-party consumer data will dry up, businesses will have to change their business models to garner first-party consumer data. Put differently, brands will start to engage more directly with consumers. As Jessica Lee explains,

“We’re seeing third-party cookies getting sunset. So all these avenues to get additional information about someone to enhance your advertising, marketing, or other personalization efforts, they’re shrinking. And I think it’s also pushing a lot of power to the walled gardens who are not data brokers, who do have a direct relationship with the consumer and have the large volumes of data, and it will push brands to engage there.”

Lee suspects that businesses’ loyalty programs will evolve; not only will they grow larger in scope, but they’ll also focus more on enhancing the first-party consumer data that they’re already collecting. This makes sense.

Key takeaways

Although Sarfati has convinced me that there will be some unforeseen consequences, I ultimately believe the Delete Act is a much-needed crackdown on a largely unregulated industry that operates in the shadows. As Senator Becker succinctly put in his September press release,

“The time of uncontrolled gambling with our personal information is almost over. Data brokers currently have the ability to use data on reproductive healthcare, geolocation, and purchasing data to sell it to the highest bidder, and the Delete Act would protect our most sensitive information.”

If this bill becomes law, then we are moving in the right direction. Moreover, a federal law that quickly follows in the footsteps of the California Delete Act would be even better—both for consumers and the brokerage industry. That said, it’s still early days; we’ll have to wait and see how it plays out.

John Donegan

John Donegan

Enterprise Analyst, ManageEngine

John is an Enterprise Analyst at ManageEngine. He covers infosec, cybersecurity, and public policy, addressing technology-related issues and their impact on business. Over the past fifteen years, John has worked at tech start-ups, as well as B2B and B2C enterprises. He has presented his research at five international conferences, and he has publications from Indiana University Press, Intellect Books, and dozens of other outlets. John holds a B.A. from New York University, an M.B.A. from Pepperdine University, an M.A. from the University of Texas at Austin, and an M.A. from Boston University.

 Learn more about John Donegan

Elevate productivity: Achieving the essential balance of tech and human well-being

close icon