California Governor Gavin Newsom has signed into law the first bill in the US compelling data brokers to delete all personal data of state residents upon request.
Dubbed the “Delete Act” (SB 362), this legislation will equip residents with a single “delete button” accessible via the California Privacy Protection Agency (CPPA) website, affecting roughly 113 registered data brokers in the state and imposing penalties on non-compliant brokers by 2026.
As collectors of vast amounts of personal information, data brokers are often prime targets for data breaches.
According to a recent report by Incogni, there have been at least ten data broker breaches to date, resulting in the exposure of over 444.5 million records, with California home to the highest number of registered data brokers and a significant share of these data breaches.
Maurice Uenuma, a cybersecurity strategist and Blancco's VP & GM, Americas, expressed mixed sentiments regarding the legislation.
“From a privacy standpoint, this is a wonderful, consumer-friendly concept; it addresses many of the pain points for privacy-conscious citizens to limit their data exposure. However, this will be very difficult to implement and enforce,” Uenuma said.
According to the security expert, one of the central obstacles is the ability to verify and prove that the deleted data is truly gone, a process dependent on:
- Finding and collecting all of the consumer’s data.
- Permanently and verifiably deleting that data.
Uenuma suggested that the right mix of technological solutions will be essential for a successful implementation.
“Ultimately, implementation will require substantial organizational, procedural, and technological changes,” he added.
For consumers seeking assurance that their personal data has been permanently eliminated, Uenuma recommended requesting a certified “proof of erasure” at the conclusion of the data deletion process.
The Delete Act represents a significant step towards empowering individuals to regain control over their data. Still, its long-term success hinges on the ability of data brokers to adapt to the new regulation and provide the transparency and proof consumers need to trust that their data is genuinely erased. This new legislation sets a precedent that could inspire similar privacy initiatives nationwide.