Open in app

Sign in

Write

Sign in

Analysis of the California Delete Act (SB 362) — Signed by Governor Newsom into Law

Tom Kemp
14 min readOct 10, 2023

With California Governor Gavin Newsom’s signature on October 10, 2023, California Senate Bill 362 (SB 362) — the California Delete Act — is now law. SB 362 will create a free, easy-to-use online portal operated by the California Privacy Protection Agency (CPPA) that will first securely verify consumers and then let them request that data brokers delete any personal information they have on them and no longer track them. Data brokers are defined in the bill as businesses that we don’t have a direct relationship with — and likely have never even heard of — that scrape and collect our personal information from various offline and online sources, and then aggregate our personal information, and then sell it to third parties.

The bill explicitly and carefully targets “personal information,” a term rigorously defined under California law. Personal information can include a consumer’s social security number, driver’s license number, passport number, biometric information, precise geolocation, genetic data, etc. Note that this definition excludes any data that is public information (e.g., social media postings and property or other government records). The definition also includes “internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website application.” But the key thing here is that this type of data uniquely identifies you or can be directly or indirectly linked to you, i.e., this data represents the keys to your identity and digital kingdom, and right now is being sold by hundreds of data brokers to anyone with a credit card.

SB 362 received a cumulative vote of 153 for it and 38 against it the various times it was voted on the floor of the two houses and in multiple committees. That’s over 80%-win rate. It received a Republican vote on the Assembly floor, making it bipartisan. Finally, it was signed by Governor Newsom. The net-net is that it won in a landslide and was not even close.

In this blog post, I will give some final thoughts on the significance of this bill, but the TLDR executive summary is that starting in 2026 this will give tens of millions of Californians the ability to gain further control over their personal data, will likely spark other states to pass comparable legislation, and it could impact the size of the US data broker market by billions of dollars given that 1 out of 8 Americans resides in California.

THE FOUNDATION AND ROOTS OF SB 362

SB 362 has a set of core foundations. The main foundation is that each citizen has an inalienable right to pursue and obtain privacy in California. “Inalienable” right means something that can’t be sold. While the word “privacy” is not defined in the California Constitution, it is broadly interpreted in the US as matching Justice Louis Brandeis and his law partner Samuel Warren’s definition of “the right to be left alone.”

This addition of privacy was added to the California Constitution as a result of Proposition 11 in 1972. The arguments in favor of the amendment were written by Senator George Moscone and Assembly member Kenneth Cory. The ballot pamphlet stated in part:

“At present, there are no effective restraints on the information activities of government and business. This amendment creates a legal and enforceable right of privacy for every Californian. The right of privacy . . . prevents government and business interests from collecting and stockpiling unnecessary information about us and from misusing information gathered for one purpose in order to serve other purposes or to embarrass us. . . . The proliferation of government and business records over which we have no control limits our ability to control our personal lives. . . .”

In 1977, the Legislature reaffirmed that the right to privacy is a “personal and fundamental right” and that “all individuals have a right of privacy in information pertaining to them.” It then documented that:

· “The right to privacy is being threatened by the indiscriminate collection, maintenance, and dissemination of personal information and the lack of effective laws and legal remedies.” …

· “In order to protect the privacy of individuals, it is necessary that the maintenance and dissemination of personal information be subject to strict limits.”

As the California Senate Judiciary Committee noted in a bill analysis, it is amazing how prescient the voters and legislature were in the 1970s.

Fast forward 50 years, the other big foundation for SB 362 is the California Consumer Privacy Act (CCPA) of 2018, which was amended in 2020 by the Consumer Privacy Rights Act (aka Proposition 24). It gives Californians a set of rights over the collection and use of our personal information, including the right to know what personal data is being collected on us and the right to delete our personal information. It also created the California Privacy Protection Agency (CPPA), a dedicated enforcement agency. Another big foundation for SB 362 was the passage in 2019 of the California data broker registry, where over 500 data brokers are now currently registered, and to whom SB 362 will apply to.

With privacy as an inalienable right, and the CPPA and the data broker registry in place, SB 362 was able to take root. One such small root of SB 362 was some ideas I had in 2020 (e.g., see here and here) of putting a consumer-facing portal on top of the California data broker registry and moving over management of the data broker registry to the newly formed CPPA. Some of these ideas were incorporated into Senate Bill 1059 which was introduced in 2022 and broadened the definition of data broker and moved the data broker registry over to the CPPA. I proposed and worked with California State Senator Josh Becker’s team on this on this. (I am a constituent of Senator Becker, and he really does take ideas from his constituents!) The bill got killed, but in effect acted as a great reconnaissance mission and trial run of educating legislators on the issues with data brokers, learning what groups would oppose such a bill, and what it would take to get something broader through the next time around.

SB 362 is also firmly rooted in various federal proposals and a very popular law. In 2022 data broker bills were being proposed at the federal level that provided the ability for consumers to request mass deletion of their personal data from data brokers, namely the bipartisan DELETE Act (put forth by Senator Cassidy, a Republican, and Senator Ossoff, a Democrat) and Section 206 of the American Data Privacy and Protection Act (ADPPA). Both of these gave us great models to base SB 362 on and point to. However, the most significant model and parallel for SB 362 is the popular Federal Trade Commission’s Do Not Call registry, which represented a great analogy for lawmakers to visualize what SB 362 would do for consumers. So, SB 362 emanated from many sources and is built upon 50 years of work in privacy in California and beyond. The bill itself definitely is not an original idea, but one I was able to bounce as a potential idea for a bill to my local State Senator, who to his credit decided to run with it and drive it home.

WHY DID SB 362 PASS?

It passed because of a few key reasons, the first of which was timing.

Consumers have historically barely tolerated the collecting and selling of their personal data by data brokers. I encourage you to watch this John Oliver video cataloging the issues with data brokers. Despite the negative headlines over many years, nothing legislatively had been done of significance to regulate data brokers better, but the proverbial envelope has always been pushed very close to the edge of the desk.

Then came the Dobbs in June of 2022. When people heard that data brokers were selling sensitive data such as what reproductive healthcare websites you visit (e.g., Planned Parenthood), what searches you do (e.g., “how to get the morning-after pill?”), your precise geolocation (e.g., visits to an abortion clinic), and what apps you have on your phone (e.g., period trackers), it quickly made this collection and selling of our personal data intolerable for many people. And it has become a bipartisan issue, with even people like Matt Gaetz calling data brokers “creepy.”

This post-Dobbs angst is being further accelerated given concerns that our personal data (e.g., biometric data) will also be fed into generative AI — which is somewhat analogous to the concerns musicians and artists now have about their copyright material being scraped and fed into large language models. Even the X/Twitter account of Steak-umm articulated this:

So, in the last year, the ground has shifted under the data broker industry regarding what consumers would tolerate, but the industry was defiant in efforts to moderate its practices (e.g., Politico headline: “Data brokers resist pressure to stop collecting info on pregnant people.”). Count this law as being an aftereffect of the overturn of Roe and the generative AI revolution that finally pushed the envelope over the edge, but it was years of data brokers’ irresponsible use of consumers’ personal data that through the years in headline after headline put the envelope on the edge to begin with.

The data broker industry’s response to this concern raised by SB 362 was to not ‘fess up to the type of data involved in the bill because if they did, they knew people would be reminded of the above issues. Their “No to SB 362” site did not mention the word “personal” as in “personal data” or “personal information” which was what this bill was about. Or they would use the expression “consumer data” and use as examples car models owned or high schools attended, so what’s the big deal of this stuff being sold? Of course, this type of data is not personal data that the bill covers, so a red herring. Or they would say because of the bill data brokers could no longer use public information, but of course that is a false argument as public info is exempted per the definition of personal information.

The reality is that when consumers were surveyed and told that data brokers collect and sell personal data, and here are some examples of personal data, 91% in a survey said this is concerning, with over 50% saying they are very concerned. i.e., people don’t like “personalized advertising” if they know that personal information (as defined under California law) is being collected to facilitate it. At the end of the day, California lawmakers and the Governor clearly saw through this deflection of what type of data this bill actually involved and knew this was a significant problem in a post-abortion rights America.

The second reason that SB 362 passed is that lawmakers and the Governor knew, just like every consumer, that getting their data deleted from data brokers is a journey of dark patterns, slow or non-existent responses, and a lot of time playing whack-a-mole chasing 100s of data brokers. Plus, it is painfully obvious that even if you are able to make a deletion request, data brokers will simply repopulate your personal data from other data brokers, or new data on you will be scrapped and collected, so it is rinse and repeat for you to have to make the deletion requests constantly. On this topic, not once did I see a reporter writing about SB 362 ever challenge the industry by asking them what they would recommend to a domestic violence victim who wants to have their data deleted from data brokers, in light of the above limitations. If the question were ever to be asked, the answer would not be pretty. The analysis of SB 362 by the Privacy Subcommittee staff summed up the situation nicely by saying

“In sum, it hardly matters that one has deletion rights if, as a practical matter, no one can exercise them where data brokers are concerned. But deletion is a must if one is concerned with protecting oneself from the risks set forth above. Even if one were to instead, say, exercise the CCPA right to opt-out of sale or sharing of personal information by a data broker, one would still have to (i) exercise that right 496 times and (ii) continually monitor the data broker registry for new data brokers with which to submit “opt-out” requests. This would be a difficult task for most people, and likely impossible for those who urgently need to safeguard their privacy, such as domestic violence victims. It would also require faith that no data broker holding one’s information were ever the victim of a data breach.”

Data brokers’ response was to wave away this issue by telling lawmakers that SB 362 is “duplicative” and “unnecessary” given pre-existing deletion rights. Lawmakers and the Governor saw through the “this is fine” argument and preferred SB 362’s ability to facilitate a deletion across all data brokers in a matter of a minute vs. spending dozens of days trying to manually replicate what SB 362 could offer consumers.

The third reason for SB 362 was that consumers are increasingly concerned about identity theft in light of the proliferation of their personal data by data brokers. As noted by Consumer Reports:

“The more data you have out there, the more attack surface there is for security breaches and for data to leak.”

In response, the data broker industry claimed that the vast majority of data brokers are involved in fraud detection and that consumers get “downstream” benefits in this area. But a cursory glance at the data brokers registered with California would quickly reveal that the vast majority of data brokers have nothing to do with fraud detection.

Furthermore, it is clear that the “upstream” data broker system is itself susceptible to significant fraud and hacking well before any potential consumer benefits emanate “downstream.” For example, say your personal data is with 250 data brokers, and they sell it to 400 businesses. This means your personal data is now sitting in 100,000 different databases, with no possible control or oversight of how that data is being used or any guarantees that the 100,000 databases would never be hacked or sold to the bad guys [e.g., if you don’t want your money stolen, maybe not hand it out to 100,000 people who you don’t know and have no control over.] I won’t go into detail on the significant number of hacks of data brokers themselves or the FTC settlements with data brokers who sold personal data to known fraudsters, but hopefully, you get the point. So, telling lawmakers and the Governor that the best way to reduce fraud is that consumers must not be able to delete their data easily and they must remain trapped in a business model that is ripe with massive opportunities for fraud (i.e., by selling and proliferating our personal data to tens of thousands of entities) was not a winning argument.

Finally, the fourth reason for SB 362 being signed into law was that it was a focused team effort by the proponents. Senator Becker, other legislators who put their names on the bill (Senators Weiner and Min, and Assembly Members Gabriel, Hart, Lowenthal, and Wicks), Senator Becker’s amazing staff, legislative counsel, the two co-sponsors (Privacy Rights Clearinghouse and Californians for Consumer Privacy), and approximately 30 other civil groups who supported the bill all contributed to this. But like any major piece of legislation submitted by a legislator, at the end of the day, it was Senator Becker who had to influence his fellow legislators and the Governor to make this happen, so big kudos to him. And of course, big thanks to Governor Newsom for signing this bill. I am very glad that Senator Becker asked me to be part of the team and contribute. The team’s results speak for themselves in terms of getting this turned into law especially when considering the potential magnitude of the bill that may now give California the strongest privacy protections in the world per one pundit.

WHAT’S NEXT?

In 2026 Californians will now have the ability to use this accessible deletion mechanism that the CPPA will set up over the next two years. A survey showed that 80% of California consumers would use it, showing how popular this idea is. SB 362 will also have national reverberations with consumers and policymakers, acting as a great precedent that other states will likely be inclined to follow, as Californians at the Christmas or Thanksgiving dinner circa 2026 will be telling their out-of-state relatives about their ability to delete their data from data brokers, and no doubt non-Californians will want the same.

The data broker industry will need to meet the enhanced registry requirements by January 2024. Namely, they will have to reveal if they collect reproductive healthcare data, data of minors, and consumers’ precise geolocation. The knowledge of which data brokers are collecting reproductive healthcare data may make headline news by itself.

In addition, now that the data broker registry is also under the umbrella of a dedicated enforcement agency (i.e., the CPPA), it should also act as a further motivation for data brokers who have avoided registering to register now, as there is more of a dedicated “cop on the beat.” And given that 1/8 of Americans live in California, and apply that potential 80% usage, that means that potentially up to 10% of personal data stored by data brokers (and corresponding data broker revenue) could be impacted by SB 362, so data brokers will have to support by mid-2026 the large number of consumer deletion requests that will be facilitated by SB 362.

Another impact of SB 362 is that services that offer functionality that facilitate data broker opt-outs and deletions on behalf of consumers have now been commoditized (at least for the large California market and then beyond when the “California Effect” kicks in). This is because SB 362 makes data broker deletion requests free and easy and in perpetuity, so why would a Californian pay $150/year to a 3rd party for that exact functionality? These companies will likely have to pivot to other consumer privacy needs.

FINAL THOUGHTS

I am so happy that Californians will be able to take more control of their personal data. This will lead to a meaningful reduction of their personal data footprint that will both reduce the identity attack surface and blunt the potential weaponization of their data against consumers. I am also excited that the vision behind Justice Brandeis and Samuel Warren’s definition of privacy as the “right to be left alone” and the addition of privacy as an inalienable right to the California Constitution in 1972 is now taking a giant step forward in being fulfilled. And no doubt other states will want this as well, so great to see California acting as the catalyst, and I am proud to have helped make this happen.

Sb 362
California
California Delete Act
Data Brokers
Privacy

--

--

Tom Kemp

Written by Tom Kemp

2.1K Followers

Silicon Valley-based entrepreneur & seed investor. Author of Containing Big Tech (ContainingBigTech.com). Policy advisor (e.g. CPRA, California Delete Act).

Help

Status

About

Careers

Blog

Privacy

Terms

Text to speech

Teams