Kanary on the California Delete Act
Jul 12, 2024
A New Privacy Agency with New Motives
In June 2024, the California Privacy Protection Agency (CPPA) asked our team to discuss the implementation of the universal deletion mechanism outlined in the California Delete Act, passed at the end of 2023. We jumped at the chance to share what we’ve learned working with thousands of members on privacy monitoring and data deletion. This isn’t our first time discussing regulation’s role in digital safety and identity. Last year, we wrote a recommendation to the Consumer Financial Protection Bureau, backed by our members. Our stance was—and still is—that state legislators should focus on creating a legal system where, at the state level, individuals can seek to recover damages caused by tech companies like social media platforms and data brokers.
Gov. Gavin Newsom, D-Calif. (pictured above), signed Senate Bill 362, colloquially known as the “California Delete Act,” on October 10, 2023. Image courtesy of Gage Skidmore.
However, many of the damages driven by digital platforms are time-related or emotional. And our state governments don’t yet have clear legal frameworks to help people reclaim what they’ve lost. How much should you value being locked out of your business account on Instagram? Is that situation comparable to a landlord locking out a tenant for days on end? How much of your earning potential is lost if Google distributes explicit photos with your likeness? Regulators must structure a legal system that serves individuals and small businesses, and to do so, they must consider these sorts of questions. Platforms have proven they cannot be trusted to regulate themselves.
Unfortunately, we didn’t have the chance to talk to the CPPA about punishment or arbitration. Instead, we spoke to them about the Universal Deletion Mechanism, a tech project they are undertaking. Under the Delete Act, the CPPA must build a system requiring all data brokers to register with California. Then, that system, run by the state, will signal the brokers to delete your data monthly in a privacy-preserving way.
If you’re curious about the legalities, trust the legal experts. Check out Skadden’s thorough summary of the California Delete Act.
Preserving Privacy, Technically
Our conversation with the CPPA focused on the government agency’s approach to the Delete Act’s requirement that they manage deletion requests in a “privacy-preserving way.” What exactly does that mean? The team responsible for designing this system, as passed by lawmakers, was trying to figure it out. Our interpretation is that the CPPA needs to inform data brokers that an individual has requested their data be deleted without revealing any personal information about the individual making the request. This challenge is complex because it requires verifying the individual’s identity and request without exposing their data to the brokers.
We have faced this same challenge and decided to only work with brokers who verify they have the data before requiring us to share any member info. We write more about this process in our guide on how to not get spammed when sending removal requests. This conservative approach ensures that when we request deletion on behalf of our clients, we do not inadvertently expose their personal information to the brokers, maintaining their privacy throughout the process.
The heart of our discussion focused on new encryption techniques to achieve this privacy-preserving goal. The CPPA could work with a company like Envail that builds technology to allow parties to search and compute over data while never gaining “read access” to the actual data. Suppose the CPPA used this type of homomorphic encryption technology: they’d be able to encrypt their data, let a broker search it for anyone in the broker’s data sets, and then suppress those records. When it comes time for the CPPA to audit, they could use a similar approach to scan the broker’s data for any records that should have been suppressed but were not. This type of implementation would be experimental and costly but would be critical in preventing data brokers from registering for this universal opt-out mechanism and gaining free rein over all registered Californian data.
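To make the match-and-suppress step concrete, here is an added example (ours, not the CPPA’s or Envail’s design) that uses a Diffie-Hellman-style private set intersection instead of general homomorphic encryption: the broker learns only which of its records appear on the agency’s deletion list, and the agency never sees the broker’s records in the clear. The group parameter and the email addresses are constructed for illustration.

```python
import hashlib
import secrets

# Demo group: 2**1279 - 1 is a Mersenne prime, so every nonzero residue is invertible
# and blinding by exponentiation commutes: (x**a)**b == (x**b)**a (mod P).
# Assumption: a production system would use a standardized prime-order group or an
# elliptic curve; this parameter is for illustration only.
P = 2**1279 - 1

def to_group(identifier: str) -> int:
    """Map a normalized identifier (e.g. an email address) to a nonzero element mod P."""
    digest = hashlib.sha256(identifier.strip().lower().encode()).digest()
    return int.from_bytes(digest, "big") % (P - 1) + 1

def new_secret() -> int:
    return secrets.randbelow(P - 2) + 1

def blind(values, secret):
    return [pow(v, secret, P) for v in values]

def match_and_suppress(deletion_list, broker_records):
    """Run the two-party protocol between the agency (deletion_list) and a broker.

    Returns the broker records that are on the deletion list. The broker only
    ever sees the agency's list blinded by the agency's secret, and the agency
    only ever sees the broker's records blinded by the broker's secret.
    """
    a = new_secret()  # agency secret, never leaves the agency
    b = new_secret()  # broker secret, never leaves the broker

    # 1. Agency blinds its list with a and sends it, shuffled, to the broker.
    agency_blinded = blind([to_group(d) for d in deletion_list], a)
    secrets.SystemRandom().shuffle(agency_blinded)

    # 2. Broker re-blinds the agency's values with b, giving H(d)^(ab).
    doubly_blinded_list = set(blind(agency_blinded, b))

    # 3. Broker blinds its own records with b and sends them to the agency in order.
    broker_blinded = blind([to_group(r) for r in broker_records], b)

    # 4. Agency blinds them with a and returns them in the same order, giving H(r)^(ba).
    returned = blind(broker_blinded, a)

    # 5. Broker suppresses every record whose doubly blinded value is on the list.
    return [r for r, v in zip(broker_records, returned) if v in doubly_blinded_list]

if __name__ == "__main__":
    # Constructed sample data, not real registrants or broker records.
    agency_list = ["alice@example.com", "Bob@Example.com"]
    broker_db = ["dave@example.com", "bob@example.com", "alice@example.com"]
    print("suppress:", match_and_suppress(agency_list, broker_db))
```

Both sides also learn the other’s set size; hiding that would need padding, which the protocol above does not attempt.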
Ashkan Soltani (pictured above), the CPPA’s executive director, faces the difficult task of protecting individuals’ data privacy while managing deletion requests. Image courtesy of Peretz Partensky.
The Best Intentions
According to the CPPA’s plans, Californian taxpayers are ready to finance a multi-million dollar technology platform to solve the trust problem between you and data brokers. And they want to do this for every data broker, requiring them to register by mail with the state and then integrate with an unspecified API. If that works, maybe they’ll extend this model to other websites or social networks. It is early days, but this project is ambitious and poses challenging questions for businesses that manage customer data in California. It also raises questions about whether the government should focus on building compliance technology like this or enforcement frameworks like the right to private action. We believe there is a need for both, but they should first focus where only the government can: on legal systems that allow regular people to seek and attain justice under the laws put in place.
Ultimately, even if the CPPA implements a system in a “privacy-preserving way,” your personal data will continue to flow through unregistered data broker systems, specifically through internationally owned and operated entities.
An Ounce of Prevention
At Kanary, we are realists about how far data removal can go. So much hinges on prevention and having a response ready in case you are attacked so that you and your loved ones can stay safe.
To see our full list of recommendations, read over the PDF of our response. We’re committed to helping the CPPA in their journey, but we hope they can prioritize the frameworks that make our legal system take digital losses seriously.