It is not just Big Tech companies that surveil and target us based on the mass collection of our personal data. There’s an unseen industry keeping tabs on us, operating in the shadows with minimal oversight.
Hundreds of companies, known as data brokers, scrape and collect our personal details from various online and offline sources. They aggregate this information and then sell it. We have no direct relationship with these companies — and it is unlikely most of us have even heard of them.
A recent study from researchers at Duke University revealed just how far some data brokers will go. For as little as 12 cents per record, almost anyone can purchase intimate data on active-duty military, their families and veterans, including health and financial information and religious affiliations. Even more disturbing, some of these data brokers had no problem selling this information to overseas entities. Add to that numerous reports documenting instances of location data harvested from mobile apps, sold to data brokers, combined with additional personal information, and offered to third parties to precisely track a person’s every movement.
These include location data from an LGBTQ dating app that could be used to identify individual users and a Muslim prayer app that sold data to brokers, which in turn allegedly sold it to a government contractor.
Despite years of negative press, it took the fallout from the June 2022 Dobbs Supreme Court decision for many to fully recognize the threats data broker business practices pose to our civil liberties. When data brokers can collect and sell sensitive data like health care-related websites visited (e.g., Planned Parenthood), online searches performed (e.g., “How to get the morning-after pill?”), precise geolocation information (e.g., visits to a medical clinic) and the apps people have on their devices (e.g., period trackers), it feels to many like a further attack on individual health decisions.
Despite these concerns, the data broker industry has resisted changing its practices.
Much like it led the nation with the passage of the United States’s first comprehensive privacy law, the California Consumer Privacy Act, the California legislature acted this year to curtail data brokers and respond to the growing concern. Signed into law by Gov. Gavin Newsom in October 2023, the California Delete Act gives consumers more control over their personal information collected and sold by data brokers — a victory akin to what the Federal Trade Commission’s Do Not Call Registry achieved against telemarketers.
By 2026, the California Privacy Protection Agency will develop an easy-to-use website allowing Californians to submit a single deletion request to hundreds of data brokers. Unless a person indicates otherwise, data brokers will be obligated to honor the request indefinitely, meaning any newly collected information must be deleted and not sold or shared. This is a significant step in advancing privacy rights.
Everyone deserves this opportunity; however, without further state or federal action, this victory is limited to California residents. The United States has no comprehensive baseline federal privacy law, and state privacy laws (in the handful of states that have enacted them) are not created equal.
As proponents of the California Delete Act, we believe it is critical to build broad support beyond privacy advocates or political parties to advance these rights. This is not a partisan issue.
In the case of data brokers, it is people versus an underregulated industry that can sell sensitive personal information serving any politicized (or nonpoliticized) interest. Purchasers may have good or bad intentions. The same business that sells data about military servicemembers could also sell location data revealing an individual’s medical visits, social media or search history data revealing sexual orientation, or data that labels a person as highly susceptible to falling victim to a scam. When harms range from individual autonomy to national security, it is time to address the problem.
A federal Delete Act was introduced in 2022 and again in 2023, gaining little traction. The responsibility now lies with the states to hold data brokers accountable and provide their residents with meaningful and accessible privacy rights.