Why California's data broker registry matters more than its delete button

MirageC via Getty Images

Featured eBooks
Artificial Intelligence and Efficiency
Changing Workforce
Future of Tech Infrastructure
Insights & Reports
How Dash Cams Reduce Risk and Deliver Clear ROI for the U.S. Public Sector
Presented By Carahsoft | Samsara
Download Now
Delivering Efficiency in Cyber Risk Management for Federal Agencies with a Risk Operations Center
Presented By Qualys
Download Now
By C.K. Redlinger

By C.K. Redlinger

|

COMMENTARY | The state’s Delete Request and Opt-Out Platform is not a complete solution, but nor is it a token gesture. Its true extent will become apparent.

Most of the coverage around California’s Delete Request and Opt-Out Platform has been centered on the one thing you would expect to be covered: Californians can submit one request to remove all of their personal info from the databases of registered data brokers. The real story here, though, is hidden in plain sight.

DROP is a tool for disclosure rather than for removal. As a result, there are substantial differences in the responsibilities of those charged with protecting people, organizations, or sensitive operations.

The Problem DROP Actually Solves

For years, we have been operating under the assumption that people can control their data exposure. Fill out one form to make your request, check off another box to opt out, etc. In theory, this system should be efficient; in actuality, few people have that much time.

Most people don’t know how many companies hold their personal information. Most people do not know who is selling their personal information, who is buying it, or where and when it will spread once it enters the brokerage market. Professionals, even those familiar with the issue, still encounter the same barrier: managing personal data is an insurmountable task for any individual.

DROP recognizes this reality. Rather than pretending that personal responsibility can be scaled to match the vastness of today’s data collection, California created something central to the issue: a centralized database (registry) with a single mechanism for submitting requests and a requirement for disclosure of data held by all companies collecting such data. It is not a perfect solution. However, it is an honest reflection of the issue's true nature.

What the Registry Actually Reveals

The Public Data Broker Registry makes DROP much more interesting. To participate in DROP, data brokers must report whether they collect data from minors, collect geolocation data, or process data from sensitive areas (e.g., reproductive health). These are not abstract categories. They are the kinds of data most closely tied to real harm.

Think about what this means for all those working in security or protective roles. Geolocation data could potentially create maps of an individual's movements. Data on children could potentially be used by predators to target them. Healthcare data could potentially be used as a weapon in ways that most people cannot even imagine.

The registry doesn’t capture every broker. It can’t. However, it will do something that has been missing to date: create a state-based disclosure record. This will provide regulators with something tangible to evaluate. It provides individuals with a better understanding of their own level of exposure. And it removes the ability for data brokers to claim compliance with a privacy policy while using generic terms.

For all of us who work on evaluating risks, that type of visibility is helpful.

Where the Limits Show Up

The removal of data does not solve the problem of data brokers; they continue to gather data (newly purchased), process data (data from third parties) and update consumer records on a continuous basis. Deletion requests delete data based on the date and time you made the request. It does not change how the data can be repurchased and appear again in your profile 30 days later.

The enforcement timeline represents this disconnect. Data brokers have 45 days to complete their deletion obligations; audits typically happen over multi-year cycles. When compared to the almost real-time collection by data brokers, these enforcement periods are nothing but a formality and do little to protect consumers.

The DROP regulation applies only to entities within California's jurisdiction, which presents another issue. Offshore data brokers, business entities subject to other regulatory schemes and businesses that collect data directly from consumers may not fall under the jurisdiction of the DROP regulation. As previously stated, these are not the result of oversight; these are simply the expected limitations of a state-wide regulation.

What This Means for Protection Professionals

If your job involves protecting people, whether that's executives, public figures, or organizations with sensitive operations, DROP offers a useful tool but not a solution.

Centralized deletion requests can reduce some exposure. The registry can help identify which brokers are holding what kinds of data. Both of these are worth using.

But the structural problem remains. Data ecosystems are persistent and adaptive. Regulation is episodic and bounded. That gap can't be closed through legislation alone.

What DROP signals is a shift in how regulators are thinking about the problem. Less emphasis on abstract rights. More emphasis on operational systems. Registries. Disclosure requirements. Centralized coordination. We'll probably see more of this approach over time.

A Realistic View

DROP is not a complete solution nor a token gesture. It will take action in accordance with the law. It creates transparency. It reduces barriers to consumer access.

DROP won’t prevent the data from being returned or eliminate the harm that has already been done. And it doesn't neutralize bad actors operating outside the system. Knowing the difference is important. At times, the most valuable contribution from a new program is not necessarily what it corrects immediately, but what it allows us to see about the true extent of the problem.

C.K. Redlinger is senior privacy and intelligence officer at 360 Privacy.

NEXT STORY: A new Oregon law regulates police use of license plate readers. Here’s how it works.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.