Cybercrime, identity theft, delete
Entities

California (31)

Consumer Reports (4)
Topics and Issues

Data brokers (44)

Deletion (2)

In 2023, CDIA engaged on California S.B. 362, a bill that, as summarized by a DWT blog, “will amend California’s existing data broker law by subjecting all data brokers to mandatory registration with the California Privacy Protection Agency (CPPA), imposing new disclosure obligations, and requiring data brokers to comply with a ‘one-stop’ mechanism to be established by the CPPA whereby California consumers can request data brokers to delete their personal data. This one-stop deletion mechanism would have to be established by January 1, 2026, and honored by data brokers starting August 1, 2026.” This requirement is, of course, only if Gov. Newsom signs the bill.

Third-party deletion is of increasing interest to and importance for CDIA and members. For example, the U.S. Administrative Office of the Courts has contracted with delete me to facilitate compliance with Daniel’s Law (see Daniel’s Law, A Primer and Daniel’s Law Passes Congress). Delete Me called S.B. 362 called S.B. 362 “a big win for consumer rights.” Now, Consumer Reports has a new service, How to Take Back Control of Online Data With Apps Like Consumer Reports’ Permission Slip. Consumer Reports acknowledges states are now empowering “authorized agents” to help consumers take back control of their information. CR’s new tool, Permission Slip, is motivated by the CCPA, “the first state law to empower people to designate a third party to make data requests on their behalf; several other states now also require companies to accept requests from authorized agents. Companies have to respond as if the requests came straight from you—and most big ones will honor requests no matter where you live in the U.S.” CR is promoting the free app which “provides information on how more than 100 companies use your personal information, and lets you request that they stop selling it, or that they delete it.”

In March 2022, CR issued a

study [that] found that companies were often completely unprepared to deal with authorized agents. In the study, volunteers submitted more than 200 data requests via CR—but fewer than a quarter were successful. (Those were requests to access data, which are more complicated to comply with than opt-out or deletion requests.

Since then, things have gotten much better: Most authorized agent requests filed through Permission Slip are resolved quickly. “We do our best to let companies know when they will be added to Permission Slip, and often take calls with their privacy teams to figure out how we can best deliver requests,” says Ginny Fahs, a research director at CR who helped launch Permission Slip.

CR has been working to smooth the way, together with a group of other privacy-focused organizations, companies that get a lot of data requests, and software providers that process those requests on the companies’ behalf. Together, this group has developed a ‘data rights protocol’ to standardize authorized agent requests, making it easier for companies to respond.

Three of CR’s data rights protocol collaborators have their own authorized agent services.

The CR story noted other deletion enterprises: Incogni by the privacy company, Surfshark; Mine; Yorba; Kanary; Optery; and PrivacyBee.

Additional Resources: