California has become the latest state to enact a special law regulating how consumers can remove themselves from data brokers.

The Delete Act was passed this week and it’s now up to Governor Gavin Newsom to sign it into law. But it has already led to similar laws and bills being proposed in other states in next year’s legislative sessions.

The law provides residents with a web portal that links to the hundreds of registered data brokers. From there, one can remove personal information and continue to delete new entries every 45 days. The portal will be maintained by the California Privacy Protection Agency, and will save residents immense amount of time and effort.

There are a number of commercial privacy data deletion services that sell their services, including JoinDeleteMe.com and Optery.com. These generally don’t delete the data but hide it from being used by third parties. The new law tries to take things a step further.

The law was bitterly fought by the data brokers, who said in effect it would put them out of business. One trade association leader said the law’s real name should be the Delete Small Business Act, “making it impossible for these smaller companies to attract new customers.” That is perhaps an exaggeration.

A similar law was introduced to the U.S. Congress this summer, but chances are near zero that anything will happen, and previous attempts at the federal level went nowhere, like numerous other privacy laws.

The power and pain of data brokers

Data brokers are a little-known but robust segment. DeleteMe says it has identified more than 750 different ones, for example. They operate in a legal limbo since they aren’t as regulated as the platform companies such as Google LLC and Meta Platforms Inc.’s Facebook, which can collect all kinds of information on users.

The situation has gotten worse over time as more people use smartphones, which collect precise location data and can be used to target individuals for very specific advertising. As the Electronic Frontier Foundation states on its website, “Once an app has location access, it typically has free rein to share that access with just about anyone.”

That’s where the brokers come into play, selling this data for all sorts of commercial applications. The data collected is wide-ranging and can include names, ages, gender, email addresses, birth dates and buying habits, just to name a few of them. Just before the 2020 general elections, I wrote a blog post for Avast that described how brokers use consumers’ data to target political ads purchased by various campaigns.

Earlier this month, the U.S. Federal Trade Commission sued the location data broker Kochava for unfair business practices. The suit mentioned that the company in one day collects 300 million data points from 60 million devices. Given the number of brokers in business, this route is probably an uphill battle.

“The information collected by these brokers can be startlingly easy to abuse,” David Hamilton wrote in a recent Fortune article. “The general lack of U.S. restrictions on what brokers can do with the vast amount of data they collect means there’s aren’t many legal protections to prevent outsiders from spying on politicians, celebrities and just about anyone who is a target of idle curiosity, or malice.”

The new California law joins similar laws that go into effect next January in Oregon. Laws in Texas, which will eventually have a similar online portal to California’s for consumers to opt out, and Virginia have been passed but need more fine-tuning in terms of compliance issues.

These laws are the latest in various state privacy legal efforts in what turned out to be a busy legislative period. Half of the states considered privacy bills this year, and eight states enacted new laws. State lawmakers are still considering bills in Pennsylvania and Massachusetts.

Interestingly, many of the new state laws are structured like bills that were under consideration in Washington state, but it failed to pass its own law. Washington did pass a law entitled My Health My Data (HB 1155) with parts of it already in effect. It broadly defines consumer health data, such as collecting nutritional consumption, along with requiring consent to share data. As the Washington state analysts say, “the act is the first privacy-focused law in the country to protect personal health data that falls outside the Health Insurance Portability and Accountability Act.”

The new Delete Act continues California’s leadership in the privacy arena. Another recent privacy-related development was the $93 million settlement of a lawsuit between the state and Google LLC. At issue is the search giant’s deceptions around managing users’ location data.

Google originally appeared to allow users to choose the granularity and details of their location history data that could be used for ad targeting. No matter which of numerous configuration options that were chosen, Google still used location data to target its ads. Google admitted no wrongdoing but will be more transparent about its location tracking going forward.

If that sounds somewhat familiar, contrast Google’s situation with that of Apple Inc., which has been also trying to improve its privacy perceptions. Last summer the company ran a series of TV ads called Data Auction that shows how consumers’ personal data is being traded by the data brokers. And although the company continues to improve its privacy protection settings, finding and setting them is still not for the faint of heart and will require lots of effort to get all the parameters right.

Given all that, California’s delete portal is a step in the right direction for consumers.

Image: geralt/Pixabay