What the California Delete Act Will and Won’t Do
Rob Shavell / Dec 13, 2023
A response to data broker industry claims of economic and personal risks created by stronger consumer opt-out rights from Rob Shavell, CEO of DeleteMe.
On January 1, 2024, a new data privacy law will come into effect in California. The California Delete Act (SB 362), which Governor Gavin Newsom signed into law in October, will make it significantly easier for Californians to delete personal information held by data brokers and opt out of future data tracking. This is a huge privacy win for California state residents and consumer rights in general.
Not everyone across the industry agrees.
On its now defunct “NO to SB 362” website, the Consumer Data Industry Association (a lobbyist group serving the major consumer reporting agencies, credit unions, and the ‘people search/background check’ industry) outlined 15 reasons why the Delete Act will “destroy California’s data-driven economy.”
A strong claim, but does it have any merit?
The short answer: Not really.
The longer version: Some aspects of the lobbyists' concerns are valid, but much of the risk they say the Delete Act creates is based on an “Internet 1.0” view of the world, a version that is, for the most part, either already obsolete or on the way to becoming so.
What the Delete Act Will Not Do
A good place to start critically examining the arguments put forward by the “NO to SB 362” site is the site’s claims about the Delete Act’s negative impact on ‘fraud prevention.’
To try and make a positive connection between data brokers and security, the lobbyists argued that:
“Data brokers help protect California consumers by providing data to verify digital identities and prevent fraud, saving senior citizens and other potential victims from having their accounts compromised... If data brokers are forced to delete data used for fraud prevention, criminals will be able to focus their scams and online attacks on California’s most vulnerable populations.”
Unfortunately, the argument that data brokers enable secure verification is long out of date. The use of consumer personally identifiable information (PII) alone, typically in “Knowledge-Based Verification/Authentication” (KBV/KBA) type processes, has, in fact, been decreasing in reliability as a form of fraud prevention for years.
A 2019 survey of fraud-prevention experts at financial institutions showed that more than half were already phasing out the use of knowledge-based processes. Another third were planning to. Multi-factor authentication and biometrics are becoming far more reliable standards of identity authentication.
If anything, overcollection, oversharing, and over-use of basic consumer PII have helped enable fraud at a massive scale.
This is because the PII used in customer processes is far more exposed than it should be. Decades of poor data collection and sharing practices among businesses have resulted in billions of data exposure events. And sometimes, data brokers have even facilitated fraud directly: In 2021, a data broker agreed to a $150 million settlement with the Department of Justice for selling lists of consumers to perpetrators of elder fraud schemes.
Everyone’s personal information is already freely available on the internet (dark web, social media, etc.) or can be bought for just a few dollars (data broker sites). (Some data brokers have also been breached, while others have left servers containing sensitive consumer data exposed to the internet).
Wannabe hackers can find your PII, like name, phone number, etc., and then use it to bypass knowledge-based questions, open up accounts in your name, file fraudulent tax returns, and send you phishing emails (one of the most highly reported crimes last year).
This isn’t some recent revelation, either. The New York Times wrote about the risks of relying on PII-based authentication back in 2017, and before that, a Google study reported that around a third of Texas residents’ mothers’ maiden names could be figured out from marriage and birth records.
If you look at other claims on the “NO to SB 362” list critically, most begin to fall apart in a similar way.
What the Delete Act Will Do
Not everything the lobbyists argued is false.
The Delete Act will cost some companies more money because it will necessitate changing how they do business. Specifically, the data broker law will:
- Require some data broker customers to shift from third to first-party data.
- Increase data brokers’ compliance costs.
- Force some companies to modernize their identity verification processes.
1. Require companies to shift away from third to first-party data
Rather than passively collecting/buying consumer information from data brokers and then targeting people with ads, companies will have to start gathering data on their own customers.
Is that bad? That depends on who you are.
Contrary to what the lobbyists argued, the companies that will be most impacted by this change in the law are not SMBs or startups, which rely primarily on first-party data they collect from customers directly. It’s large corporations who tend to acquire insights from data brokers but will now have to spend more on first-party marketing data, i.e., understanding the people who actually buy from them.
However, research shows that even heavy third-party data users would welcome alternatives. According to a recent Forrester survey, 56% of companies that use third-party data would rather not do so.
With Apple limiting data collection by third parties and Google gearing up to phase out third-party cookies in Chrome, forward-thinking companies know the privacy charade, where consumers are given fake choices and then tracked anyway, is over.
First-party data will become the norm going forward; the Delete Act simply accelerates this trend.
2. Increase data brokers’ compliance costs
Although many data brokers let consumers opt out of their databases and are already legally obliged to do so in states like California (if the CCPA covers them), whether they actually take consumer choice into account is another matter.
Even if they remove people from their databases, most data brokers add the same people back in when they collect more information on them. DeleteMe’s privacy experts constantly find our customers’ data on data brokers who had previously complied with opt-out requests. This game of whack-a-mole isn’t what anyone would call compliance.
With the Delete Act, data brokers will legally have to honor consumer requests.
3. Force companies to update their ID verification to more modern processes
Because compromised credentials enable the majority of cybercrime, weak authentication has become one of the biggest risks in the modern economy.
We should have moved away from usernames, passwords, and KBA to some kind of new framework a long time ago. The reason we haven’t? PII-based authentication methods are cheaper.
With the Delete Act, companies will no longer be able to use PII as a sole source of authentication (note the use of “sole source” - the Delete Act makes exceptions for public records, which means that much of the claimed “fraud prevention/records confirmation” aspect will still be available). Instead, they’ll have to spend money developing more up-to-date identity verification methods.
Some of the largest tech companies in the world have already abandoned passwords or are in the process of doing so. The Delete Act will simply force companies to do what they know is inevitable.
Yes to SB 362
SB 362 won’t destroy California’s economy, nor will it make life for everyone - academics, lawyers, consumers, small business owners, etc. - really difficult.
The main reason industry opposes the Delete Act is that it will raise their costs by cutting off unfettered access to third-party data. But with the act not coming into force until 2026, there’s ample time for a large data mining industry to build workarounds - something we will undoubtedly see happen.