The CA Delete Act (SB 362) Passed the California Legislature Sept 15, 2023 – Why It Matters 

The Delete Act is a legal framework that gives consumers powerful new rights restricting the collection and use of personal information by a diverse range of data brokers.

This framework for regulating the data broker industry was first proposed in congress in 2022, and was re-introduced in early 2023 in California, who has been leading the way in passage of new consumer data privacy law since 2018.

The core provision of the Delete Act is that it will require all data brokers operating in California to register with the new state privacy agency, and provide a single, universal opt-out mechanism for all CA residents.  

All registered companies will be required to delete and no longer track any information they have on individuals who exercise their rights via the state privacy agency. 

The law will not come into effect overnight: the provisions will not begin to be enforced until July of 2026.

There is always the possibility of “death by amendment” – where between passage and enforcement, the law is eventually watered down.  But we believe this is unlikely because of the strong, and still growing support from California voters for improved data privacy protections.

Today’s passage of the law in CA dramatically increases the likelihood that other states – and potentially Congress, who reintroduced their own version in June – will quickly follow suit, and enact similar standards. This is exactly what has happened with state data privacy laws after California first passed the CCPA. 

The implications for consumers, our data-driven economy, and our consumer privacy industry, are enormous.  

This is a big win for consumer rights

The passage of the Delete Act framework is a huge advance for consumer data privacy and signals continued momentum for stronger data privacy rights across the country.  

Exercising data brokers opt-outs is complex (by design), and laws like the Delete Act will require the industry to simplify and standardize processes, giving both consumers – as well as DeleteMe as a leader in Privacy as a Service – greater ability to protect personal information.

That said, individual state privacy agencies like California’s will remain under-resourced when it comes to monitoring and redressing the vast range of consumer data misuse that happens daily. And its why we strongly believe that the Privacy as a Service industry will continue to play an important role in helping provide transparency and confirmation of compliance to consumers and regulators.

Data broker warnings about economic harms are mostly overblown

The promised negative impacts warned about by the data broker industry are – for the most part – either minor, or simply wrong.  Claims of “increased risk of identity theft” are the most absurd, given the industry’s enablement of a vast expansion of consumer fraud and social engineering over the last decade.  The kinds of ‘knowledge-based authentication’ methods which data brokers pretend still functions as fraud-prevention have long been obsolete.

The law will be a significant blow to the digital advertising industry, as well as a range of data-mining services they rely upon; and it will affect some currently “free” service offerings where “consumer data is the real product”; but these costs are coming after a decade of wild-west abuse of sensitive personal information, and the data broker industry is more than capable of surviving and adapting to a world where consumers have stronger controls over their personal information.

The ‘Privacy as a Service’ industry that DeleteMe pioneered is empowered by this law

Things like Federal “Do Not Call Registry” (which is a comparable legal framework) did not end the robocalls problem for consumers. Similarly, the Delete Act will not end widespread collection and monetization of sensitive personal information.  Regulations are only ever as good as their enforcement mechanisms, and the problem that state privacy agencies are taking on will ultimately require the kind of auditing and active-intervention that the Privacy as a Service industry already does every day. 

Privacy protection for both individuals and executives/employees requires continuous monitoring and diligence.  Data brokers count on this – because the work required to opt out and protect your privacy at every place with your data is too great for 99% of individuals today to deal with. This underscores the need for legislatures to pass privacy protection laws that give voters privacy rights AND which enable Privacy-as-a-Service providers to help make it easy for people to continuously enforce these rights.