By: Josephine Laing

Personal information is the newest and shiniest coin of the realm. The more personal the data, the more valuable it may be. While most consumers are aware that their data is worth its weight in gold, it is not always clear who is mining this data and what can be done to protect it. Luckily, efforts have been made to create consumer protections that shine a light on the notorious data broker industry. 

Data brokers collect personal information about consumers. Personal information is not directly gathered from consumers. Rather, personal information is collected from commercial entities, government, and other sources – unbeknownst to the consumer. This data is constantly being sold. For a consumer to track down their personal information, they would have to follow an ever-winding trail of sales between data brokers. As a result, this industry is commonly critiqued for its lack of transparency. While public awareness of this industry is crucial, the key issue is what consumer deletion rights are available to combat the collection. If consumers’ deletion rights are not extended to affect data brokers, deletion rights become meaningless. Meaningless deletion rights prevent consumers from exerting control over their personal information. Consequently, privacy rights are directly linked to one’s ability to require data brokers to delete information. Without this right to delete, there is no true right to privacy. 

The Delete Act 

On October 10^th, 2023, California’s Governor Newsom signed the Delete Act into law. The Delete Act promises consumers a new age of data control. Starting in August 2026, California consumers will have the ability to effectively exercise their deletion rights. This might come as a surprise to some, as the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) already granted Californians deletion rights in 2018 and 2020 respectively. These deletion rights, however, were caveated by exceptions that were, until recently, abused by the data broker industry. 

The Delete Act, introduced by Senator Becker and sponsored by Privacy Rights Clearinghouse, amends and adds to Section 1798.99.80-87 of the California Civil Code. These amendments create important changes in the data broker provisions included in the CCPA. The changes embrace a more inclusive definition for data brokers, preventing a notoriously shifty industry from evading jurisdiction. This Act requires data brokers to disclose when they collect personal information about minors, consumers’ precise geolocations, and consumers’ reproductive health care data. Data brokers must also include informational links on their websites about collection techniques and deletion rights. Interestingly, brokers are forbidden from using dark patterns. While data brokers are already required to register in California, the penalty for failing to register has increased to $200 per day from $100. These daily penalties also apply for each deletion request that goes unheeded by the broker. These fines can add up, especially as many consumers in California are ready to make deletion requests.

The Delete Act addresses the Sisyphean task of data management. Consumers are constantly producing data. Thus, the management of data is never-ending. This law includes a provision that makes the deletion right effective. Data brokers must access the deletion mechanism and reassess the mechanism at least once every forty-five days. When a data broker accesses the mechanism, they must: (1) process all deletion requests; (2) direct all service providers or contractors to delete personal information related to the request; (3) send an affirmative representation of deletion to the California Privacy Protection Agency indicating number of records deleted and what service providers or contractors were contacted. After a consumer has submitted a deletion request, data brokers must continue to delete the consumer’s data every forty-five days unless otherwise requested. By requiring monthly engagement with the deletion mechanism, the Act actively protects consumer data.

Who cares? 

Why is this Act necessary? Why weren’t the original deletion rights enough? Through the CPRA’s amendments to the CCPA, California citizens are granted preliminary rights to delete their data. California consumers’ right to delete was limited to data retained by businesses providing services to Californians. And the CCPA only affects businesses that handle 50,000 California consumers, make $25 million in gross revenue, or profit primarily (50% or more) by selling data. This means that if a business qualifies, there are many exceptions the business can claim to avoid facing enforcement. Section 1798.145 outlines the right-to-delete exceptions and allows for businesses to “collect, use, retain, sell, share, or disclose consumers’ personal information that is identified or aggregate consumer information.” 1798.145(a)(6). Such exceptions allow for consumers’ personal information to be excluded from privacy protections. Information can still be used to identify consumers via aggregation efforts. Once the personal data is sold to a data broker (service provider or contractor) the consumer’s right to delete is vastly reduced. Thus, the exceptions carved out for data deletion effectively reduce consumer privacy protections. 

The Delete Act addresses the gaps in consumer privacy by empowering consumers to delete their personal information from data brokers. Since personal information is constantly collected from consumers, expecting consumers to repeatedly delete their information from data brokers is unreasonable. Accordingly, for consumers to efficiently utilize a right to delete they must be able to delete information at scale. The Delete Act calls for the right for consumers to delete “any personal information related” to them “held by the data broker or associated service provider or contractor” through a “single verifiable consumer request.” The bill addresses the persistence of data collection by eliminating the consumer’s need to continually and repetitively request deletion. 
So where is Washington’s Delete Act? Emory Roane of Privacy Rights Clearinghouse hopes that the Delete Act can “serve as an impetus – if not a direct model – for other states to model… [as] there is a massive blind spot when it comes to businesses that don’t have a direct relationship with the consumer.” Emory notes that data brokers are a bipartisan issue, pointing to the passing of data broker registries in both Texas and Oregon in 2023. Washington has yet to establish a data broker registry. Getting to the heart of the issue, Emory states that: “Republican or Democrat, old or young, across the country and across every demographic, everyone rightfully feels like they’ve lost control of their personal information and privacy and data brokers are a huge part of that problem.” Tackling the data broker industry is a tall task, and creating an effective right to delete is a necessary start. As California tries out its deletion portal, Washington should take heed.