Blog

The privacy of Internet users is fundamental to security in democratic and free societies.  Preventing our data from being collected and used presents unique challenges, and allowing that data to be arbitrarily sold to third parties is a risk many do not want to take. The Electronic Frontier Foundation (EFF) is a global organization with the fundamental goals of consumer privacy, free speech, transparency, and innovation that recently announced a huge victory for privacy advocates and citizens in California. 

The EFF-supported California Delete Act was passed on October 12, 2023, and promises to streamline the process of having your personal information removed from the repositories of data brokers. Those interested in EFF can explore a range of research white papers, annual reports on their activities, privacy tools, and tools for IT administrators such as the popular Let's Encrypt and CertBot HTTPS toolkit, making website encryption both accessible and straightforward. 

Let's explore this recent win and what it means for privacy advocates:

The Problem Presented By Data Brokers

Despite being a hot topic among the tech and cybersecurity community, many individuals remain unaware of the critical role that data brokers play in shaping our online experiences and more broadly our collective society. Data brokers are businesses that specialize in the collection, aggregation, and sale of personal information from a wide range of sources. In 2023, the primary source of this information is digital interactions - i.e. the Internet.

This data includes everything from simple online browsing history, consumer behavior such as purchases as well as social media activity and even sensitive details like geolocation data, healthcare records, employment history, or history of interactions with law enforcement.

What Security Risks Do Data Brokers Pose?

Firstly, the very existence of these data brokers raises concerns about privacy invasion. When companies aggregate personal information from multiple sources, a risk for abuse and misuse of that data is created which would otherwise not exist. Making collections of data about individuals can lead to the manipulation of individuals through targeted advertising or even political campaigns and even worse, intrusive profiling, and discriminatory practices.

Furthermore, data brokers are very attractive to cybercriminals seeking to steal sensitive information for malicious purposes, and a breach represents a high risk to all individuals whose personal data is stored there. A single breach at a data broker can expose the personal details of millions of individuals potentially leading to profound consequences for those affected. Stolen personal data goes on to be used for identity theft, fraud, social engineering attacks, and, in some cases, doxxing or extortion. Cybercriminals often make stolen data available on the dark web, where it is easily accessible to other crime groups.

A recent report by Incogni indicates the true scope of the problem: at least ten data broker breaches have been recorded, exposing almost 450 million records. The true impact of the problem is likely much higher.

The New CA Delete Act

On October 12, 2012, California enacted a new bill to protect the privacy of all Internet users. Since California is home to the highest number of registered data brokers in North America, it makes sense that California is home to the first bill limiting data brokers.

Commonly referred to as the "Delete Act" (SB 362), this legal framework empowers residents with a convenient "delete button" accessible through the California Privacy Protection Agency (CPPA) website. This represents a significant step towards accountability among data brokers and granting individuals more control over their personal data, simplifying the exercise of privacy rights for individuals.

This measure will have a profound impact on approximately 113 registered data brokers operating within California and includes penalties to be enforced against non-compliant brokers by 2026.

How the CA Delete Act Works

The CA Delete Act simplifies the process for Californians to request the deletion of their data by requiring all data brokers in the state to register with the California Privacy Protection Agency (CPPA). The CPPA will establish an easy and free method for residents to submit a single request to have their data deleted from all data brokers, regardless of how these brokers acquired the information.

Starting in August 2026, data brokers must regularly access deletion requests at least once every 45 days. Upon receiving a deletion request, data brokers are required to delete the consumer's personal information within 45 days. Data brokers must also establish and implement monitoring protocols. At the same time, the California Privacy Protection Agency (CPPA) may charge data brokers a fee for accessing the deletion mechanism, provided that the fee does not exceed the reasonable costs associated with providing such access.

Defining "Data Broker"

Exemptions within the new law have sparked discussions and raised questions about the extent and effectiveness of the regulations. A "data broker", as per the Delete Act, refers to any business that knowingly collects and sells the personal information of a consumer with whom the business does not have a direct relationship with third parties, meaning that companies do not face further restrictions for collecting data about those directly visiting their website or using their online services.

Additionally, the definition of a data broker excludes certain entities and situations, including:

• Entities covered by the Fair Credit Reporting Act (FCRA): The FCRA regulates the collection and use of consumer credit information, and entities subject to FCRA regulations are not considered data brokers under the Delete Act

• Entities covered by the Gramm-Leach-Bliley Act (GLBA): The GLBA governs the privacy and security of consumer financial information, and entities complying with GLBA requirements are not classified as data brokers

• Entities covered by the Insurance Information and Privacy Protection Act (IIPPA): The IIPPA regulates the handling of personal information in the insurance industry, and compliance with IIPPA provisions exempts entities from being labeled as data brokers

• Entities or business associates of covered entities exempt under California Civil Code § 1798.146: This exemption includes entities that are subject to the Health Insurance Portability and Accountability Act (HIPAA) and process personal information in a manner that qualifies for exemption under California law. Such entities are not categorized as data brokers under the Delete Act

Conclusion

Data brokers represent a complex challenge. While some may argue they only provide marketing insights and services to businesses, their practices raise significant ethical and security concerns that must be addressed to safeguard the privacy and security of the general public.

Recently the EFF's efforts proved victorious, resulting in the newly passed California Delete Act that gives Internet users a leg up on data brokers by streamlining the process of having their personal data deleted. The legal victory represents a significant waypoint in the ongoing battle for consumer privacy and gives hope to privacy advocates elsewhere that they will gain more support from the government when it comes to protecting their privacy.

Looking to stay abreast of current cybersecurity happenings and news? Subscribe to our newsletter today for more insights from our ethical hackers.