Connect with us

Hi, what are you looking for?



Imagine Making Shadowy Data Brokers Erase Your Personal Info. Californians May Soon Live the Dream

California state Legislature has passed the Delete Act to allow individuals to order data brokers to delete their personal data — and to cease acquiring and selling it in the future.

You may not know it, but thousands of often shadowy companies routinely traffic in personal data you probably never agreed to share — everything from your real-time location information to private financial details. Even if you could identify these data brokers, there isn’t much you can do about their activities, including in California, which has some of the strongest digital privacy laws in the U.S.

That’s on the verge of changing. Both houses of the California state Legislature have passed the Delete Act, which would establish a “one stop shop” where individuals could order hundreds of data brokers registered in the state to delete their personal data — and to cease acquiring and selling it in the future — with a single request.

The Delete Act isn’t law yet. Democratic Gov. Gavin Newsom still has to decide whether to sign the measure, whose impact could potentially extend well beyond state lines given California’s history of setting similar trends.

Here’s what you need to know.

What the Bill Does

While California law already gives individuals the right to request data deletion, doing so currently require making separate requests to hundreds of data brokers registered in the state, many with their own unique requirements for drafting and handling such requests. Even then, nothing stops these companies from simply reacquiring the data after they delete it.

The Delete Act would require the state’s new privacy office, the California Privacy Protection Agency, to set up a website where consumers can verify their identity and then make a single request to delete their personal data held by data brokers and to opt out of future tracking. Proponents call it a “do not track” signal similar to the “do not call” list for telemarketers maintained by the Federal Trade Commission.

Advertisement. Scroll to continue reading.

California already regulates data brokers, but the Delete Act would strengthen those provisions by requiring the companies to disclose more information about the data they collect on consumers and beefing up the state’s enforcement mechanisms.

Meet the Data Brokers

The Electronic Privacy Information Center, a Washington, D.C., nonprofit focused on bolstering the right to privacy, defines data brokers as companies that collect and categorize personal information, usually to build profiles on millions of Americans that the companies can then rent, sell or use to provide services.

The data they collect, per EPIC, can include: “names, addresses, telephone numbers, email addresses, gender, age, marital status, children, education, profession, income, political preferences, and cars and real estate owned.”

That is in addition to “information on an individual’s purchases, where they shop, and how they pay for their purchases,” plus “health information, the sites we visit online, and the advertisements we click on. And thanks to the proliferation of smartphones and wearables, data brokers collect and sell real-time location data.”

Privacy advocates have warned for years that location and seemingly non-specific personal data — often collected by advertisers and amassed and sold by brokers — can be used to identify individuals. They also charge that the data often isn’t well secured and that the brokers aren’t covered by laws that require the clear consent of the person being tracked. They have argued for both legal and technical protections so consumers can push back.

Are Data Brokers That Bad?

Data brokers say they get a bad rap for serving a vital need.

Dan Smith, president of the Consumer Data Industry Association, which describes itself as “the voice of the consumer reporting industry,” called the Delete Act “severely flawed” and warned in a Wednesday release that the change could lead to unintended consequences by undermining consumer fraud protections, hurting the competitiveness of small businesses and entrenching big platforms such as Facebook and Google that collect vast amounts of consumer data but don’t sell it.

Smith also argued that the heart of the bill — the one-stop data deletion program — could potentially allow malicious outsiders to impersonate consumers and delete their data without permission. The organization also argues that the cost of the legislation will be much greater than California regulators currently suggest.

What Abuse of Data Broker Information Looks Like

In other respects, though, the information collected by these companies can be startlingly easy to abuse. The general lack of U.S. restrictions on what brokers can do with the vast amount of data they collect means there’s aren’t many legal protections to prevent outsiders from spying on politicians, celebrities and just about anyone who is a target of idle curiosity, or malice.

In mid-2021, for instance, the U.S. Conference of Catholic Bishops announced the resignation of its top administrative official, Monsignor Jeffrey Burrill, ahead of a report by the Catholic news outlet The Pillar probing his private romantic life. The Pillar said it obtained “commercially available” location data from an unnamed vendor that was “correlated” to Burrill’s phone to determine he had visited gay bars and private residences while using Grindr, a dating app popular with gay people.

The Pillar alleged “serial sexual misconduct” by Burrill, as homosexual activity is considered sinful under Catholic doctrine and priests are expected to remain celibate. Following an extended leave, Burrill resumed his ministry in the small town of West Salem, Wisconsin, according to the Catholic News Service.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Artificial Intelligence

Two of humanity’s greatest drivers, greed and curiosity, will push AI development forward. Our only hope is that we can control it.

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...


Many in the United States see TikTok, the highly popular video-sharing app owned by Beijing-based ByteDance, as a threat to national security.The following is...


Employees of Chinese tech giant ByteDance improperly accessed data from social media platform TikTok to track journalists in a bid to identify the source...

Mobile & Wireless

As smartphone manufacturers are improving the ear speakers in their devices, it can become easier for malicious actors to leverage a particular side-channel for...


The proposed UK Online Safety Bill is the enactment of two long held government desires: the removal of harmful internet content, and visibility into...

Cloud Security

AWS has announced that server-side encryption (SSE-S3) is now enabled by default for all Simple Storage Service (S3) buckets.