California’s ‘Delete Act’: The Loopholes Swallow The Law
[Disclaimer: The below contents are the personal opinion of the author, and should not be interpreted as legal advice.]
California’s attempt to regulate data brokers through SB 362, aka the CA ‘Delete Act’, is unlikely to have the effect of dramatically reducing third party marketing offers, at least the ones most people see in their mailboxes, email inboxes or online. Below are five reasons why the data broker industry will largely be unaffected by this law, and perhaps why the law is also unconstitutional as written.
Before getting to the reasons, it’s important to know that CA law defines ‘data broker’ quite broadly, and includes any entity that is in the business of ‘selling‘ data where it does not have a ‘direct relationship’ with the consumer. If you review the CA Data Broker Registry list, you’re likely not going to know most of the companies, but there will also be some surprising names, such as industry-leading adtech providers on both the sell-side and buy-side, market research companies, advertising measurement providers, website publishers, and even some well known ‘big’ consulting firms.
As of the date of this posting, there are 528 such entities on the list. Trying to regulate all of these entities with a ‘simple’ opt-out is an impossible task. Here’s why only a select number of these companies will be materially impacted:
- Data Brokers may collect data via consent. The word ‘consent’ does not appear in the text of this law. Of course, this could be intentional, but it leaves open a question of whether a data broker must comply with a deletion request if they have prior consent to ‘sell’ data. Understanding contract law, a court is more likely to rule on the side of the company with evidence of a request to receive commercial solicitations from third parties vs an interpretation of a material legislative omission.
Think you’ve had your share of website pop-up ‘consent’ requests - this may only be the beginning. The data reseller industry now has a two year head start to capture and synchronize 'consent-based' data the same way the adtech industry has done in response to the CCPA's cookie 'sales' requirements. In two years, most brokerage data may become just as easily refreshed and recycled as with 'consent-based' cookie-related data. - Most adtech data ‘sellers’ will ignore the registry. Doubling down on the cookie reference, it’s important to note that many of the leading web or mobile ad retargeting companies are registered as data brokers in California. Even with Chrome’s deprecation of third party cookies and Google/Apple’s limitation of mobile advertising identifiers, the adtech industry is moving towards a combination of device-specific recognition (either deterministic or probabilistic) and pseudonymization, both of which will either be technically impossible or against privacy-legal contractual requirements to comply with the 'Delete Act' Registry.
In order to fulfill an opt out via the Registry, companies managing tokenized pseudonymous data would have to use an identity resolution tool to ‘reverse identify’ their device-specific data from a token or pseudonym back to a name, email or other identifier provided by the Registry.
Unless the entire adtech industry coalesces around a common tokenization standard that the 'Delete Act' Registry supports, or the Registry is actually a cross-industry Data Clean Room with identity resolution, then it's highly unlikely the Registry will be relevant to most adtech companies.
In other words, those same retargeted display ads will keep following you, unless you opt-out through the same adtech-specific mechanisms you have today. - The law maintains the exemption for any GLBA and FCRA data use. As a result, any data brokers enabling credit or financial services offers will continue to enable direct mail, email, addressable and programmatic offers, and the data will also still be used for any sort of financial profiling and modeling, business development, joint marketing offers, etc. So your postal mailbox will still have all those same credit card offers you've come to expect from all those same companies.
- Large ‘household data’ exemption. There is one unique loophole in the Delete Act that cross references section 1798.145.(n)(1) of the CCPA where it states that the ‘obligations imposed on businesses shall not apply to “household data”’. My read of this exemption is that data brokers that are not targeting individuals by name, but rather by postal address, IP address, or other derivative data (eg; CTV ‘synthetic’ IDs), are also exempt from this law.
Coupled with the loss of cookie/browser-based signals, this may result in the IP address being the key 'household' key pair to third party data with no requirement to reference the Registry. - Many ‘Data Brokers’ have a direct relationship with consumers. A final note is that the definition of data broker exempts companies who have a “direct relationship” with CA residents. Many data brokers actually do operate lead generation websites, and the 'Delete Act' may further incentivize these direct relationships. While this point may be debatable, there’s nothing in the definition of data broker, or elsewhere in the ‘Delete Act’ that would prohibit data brokers from purchasing shares in, merging with, or partnering with website publishers who license data for resale.
This seems like an obvious loophole for the data brokerage industry to exploit. What is especially poignant is that the CCPA has been requiring all publishers who license data to boldly state that they 'sell' data for the past three years. The difference between a publisher ‘selling’ data and a data broker ‘selling’ data (of CA residents) may become even less relevant, and merge the two traditionally disparate entities together into common ownership 'coops'.
In 2005, I was the privacy officer for a large email service provider and was a close witness to the creation of state-specific ‘Do Not Email’ child-protection registries, which are analogous to this ‘Delete Act.’. The impetus behind these ‘Do Not Email’ laws was an academic lawyer turned entrepreneur who helped draft the laws in conjunction with his own business that would provide registry technology to the states that adopted these laws. (As an aside, this same entrepreneur went on to great success as the founder of Cloudflare. (NYSE:NET))
In Utah, the legislature adopted such a 'child protection' registry, and was challenged in court by the ‘Free Speech Coalition' (Free Speech Coalition, Inc. v. Shurtleff, No. 2:05CV949DAK (D. Utah Mar. 23, 2007). While the Federal District Court upheld the state’s use of the registry, the decision hinged exclusively on the state’s ‘police powers’ that were exempt from constitutional issues or the CAN-SPAM Act's preemption language.
Those same 'police powers' arguments will likely fail if the 'Delete Act' is challenged, as this law should be found to be a burden on interstate commerce, simply due to the mobility of CA residents and the perceived 'tax' on out of state businesses processing CA resident data – especially those with no 'knowledge' of CA residency. It should also be found to be preempted by the CAN-SPAM Act, as the law materially impacts email marketers who have a legal right to send third party commercial email solicitations and have no reasonable ability to verify CA residency (with or without ‘consent’).
And if the law survives any legal challenges, and the registry goes into effect in 2026, and is still in existence in 2028 when the new independent audit rights are required, then I know a top-notch privacy consultancy with some ‘independent third party auditors’ who are ready to inspect data broker compliance.