California State Capitol building showing data brokers and personal data

New California Personal Data Bill Grants State Citizens the Right to Have PII Deleted by Data Brokers

California governor Gavin Newsom has just signed the first bill in the US that gives residents the right to recover their personal information from data brokers. The Delete Act (SB 362) expands an existing right under state law to have personal data deleted, but streamlines the process so that one request will be sent to all brokers.

The catch is that this regulation only covers data brokers located in California. It requires brokers in the state to register with the California Privacy Protection Agency (CPPA), and the list is used to facilitate resident’s personal data requests. A number of major companies of this nature are located in the state, however, and they are already campaigning against the law on the grounds that it could be devastating to their industry.

Data brokers in California put on notice

The California Consumer Privacy Act (CCPA), now operating under the revised terms of the California Privacy Rights Act (CPRA), already had a provision allowing Californians to request that individual companies delete their stored personal data; however, those requests had to be filed individually. The new list of data brokers that can be compelled to remove personal information with a single request provides state residents with a powerful privacy tool, and one that is not yet available anywhere else in the country. Californians will also be able to add themselves to a “do not track” list when making requests, preventing other data brokers from opening new files on them.

Data brokers in California are already required to register with the Office of the Attorney General each year and pay a $400 fee to operate in the state. That registration information indicates that there are about 800 operating in the state in 2023, though the new terms might not apply to all of them. These companies are using advertising trade groups to lobby against the legislation, arguing that consumers will miss out on products of interest and that small businesses will take a heavy blow in lost revenue.

The data brokers serve a variety of niches, one of which is exploiting a legal loophole that allows law enforcement agencies to purchase collected information from them instead of obtaining warrants or subpoenas. In some cases, the US Immigration and Customs Enforcement Agency (ICE) has used these profiles to track immigrants that live in cities that offer protection from police investigations into their legal status.

In addition to having no reach beyond California, one other catch with the bill is that it was just introduced in April of this year. The state is giving data brokers until 2026 before they are subject to the new terms, and the full range of restrictions does not initiate until 2028.

California bill highlights lack of national personal data protections

Data brokers are subject to little regulation at the national level, and can create profiles that contain sensitive health and location information among other data points that can indicate demographic categories that often have special protections in other countries (such as sexuality and religion). California Senator Josh Becker, the creator of the bill, notes that all of this collected personal data can be put toward identity theft in the worst cases.

California’s new bill offers an even more powerful protection than some of the world’s leading national data laws have, but data brokers will not be required to conduct regular checks for opt-out requests (once every 45 days) until August 2026. And audits to verify compliance do not begin until the start of 2028. There are also income and size restrictions on the types of companies that are subject to the new regulation: they must process the personal data of at least 100,000 people or households per year and must have made at least $25 million in revenue the prior year (with at least 50% of that coming from sale of personal information).

This gives data brokers plenty of time to reorganize into smaller entities that might skirt the rules, or simply leave the state. At present there is no sign of comparable federal legislation appearing. The bill also grants consumers the ability to except certain data brokers from their deletion requests, something these companies may pursue with advertising or some sort of incentives.

Some privacy experts believe that the personal data market is headed for a massive contraction in the coming years, with large companies gobbling up smaller ones that are strained by costs, and that this regulation may well accelerate that process. Data brokers are also arguing that the new law will make identity verification much more troublesome and lead to an increase in fraud, and that there could be rashes of false personal data deletion requests aimed at attacking an individual rather than protecting privacy.