Beyond Privacy Consent: How ‘Delete Act’ Changes Game for Companies

Companies provide data privacy consent to consumers as part of a “safe harbor” practice, but time may be running out.

After all, the common ritual of privacy consent is flawed.

Let’s say a consumer goes online and wants access to some information on your company’s website. Up pops a window with a privacy consent form that needs a signature. The convoluted language seemingly goes on forever, but clicking a box for approval makes it all go away.

Viola!

Now, the consumer can review their long sought-after information by checking a box. But let’s stop right there.

Private data, which is more valuable than oil these days, is a lot like medication. Yet, we don’t let people take medicine without prescriptions because we know people can’t possibly understand all the particulars of medical terminology and decide for themselves.

In other words, we are putting privacy content into the hands of people who don’t understand it. Meanwhile, consumers are granting access to companies with legacy systems that may not have the ability to categorize the inventory—let alone identify it—even though the surging volume may rival the Library of Congress.

The court of public opinion is catching on. In a recent poll from Pew Research Center, a majority of Americans are concerned about their privacy in the hands of companies:

  • 81% of US adults are concerned about how companies use the data collected about them.
  • 67% of US adults have little to no understanding of how companies use the data they collect about them.
  • 72% of Americans say there should be more regulation than there is now.

Well, the people may get what they want, so companies should begin protecting their assets now. Remember, the rest of the Bill of Rights don’t count if you don’t have privacy. If you can’t say what you want to someone without it becoming public, then that is really a violation of your First Amendment rights. Everything flows from privacy—even though it is not written in the US Constitution.

So why is the status quo changing for companies when it comes to privacy consent? One word: California.

The Golden State’s Long Legislative Arm

California Governor Gavin Newsom recently signed the Delete Act (Senate Bill 362) into law, which gives consumers the ability to have companies delete their personal information with a single request.

The new law requires “data brokers”—companies that sell or rent the personal data that they collect from customers—to register with the newly created California Privacy Protection Agency (CPPA) public registry and disclose the information they collect from consumers, as well as ongoing opt-out requests.

The Delete Act also charges CPPA to create a website and database where state residents can opt out from tracking and request data removal from a set process.

From a consumer perspective, the new law creates a sea change in California. Currently, there isn’t a uniform approach for consumers to request data removal from a data broker. And once it happens, private information can resurface due to the nature of ongoing data collection.

From a corporate perspective, the new law has a long reach. If California were its own country, it would have the fifth-largest economy in the world. In other words, it carries sway. In addition to data privacy, California has a long track record of influencing legislative issues involving labor, the environment and marijuana just to name a few.

Since the CPPA was signed into law in 2018, another ten states have enacted comprehensive data privacy laws. Bloomberg Law reports that at least 16 states have introduced privacy bills that include protections for health and biomedical identifiers in the 2022-2023 legislative cycle.

Of course, different states with different laws could motivate Congress to streamline data privacy on a national scale. Most likely, certain differences will be settled in a court of law, which is why an ounce of prevention now will be worth a pound of data.

A Golden Opportunity for Companies

The CPPA may have until January 1, 2026, to create a database that will allow quick data deletion, but companies should act now to get out in front of the new norm for doing business.

While the government can step in and create a national system to safeguard data privacy, it would be best for companies to take the lead and show consumers how it can be done while protecting Corporate America’s most valuable assets.

In the dawn of the new age of data privacy, companies need to go beyond providing data privacy consent. Instead, corporations need to set up their own internal systems—privacy by design—

that documents where the data is being stored, how it is used and who has access to it.

Most importantly, companies need to conduct internal reviews of their data inventory to make sure what they are using as privacy protection is actually providing protection. This is where the potential legal problem arises. If a company complies with the law in such a way that it is not complying—and management is unaware—the company will be accountable and pay the price, which could be steep.

Moving forward, think about personal information like a book in the library. When someone needs it, it will need to be checked in and checked out. If someone wants to know my birthdate, there should be a record of who, why and when.

Companies should work with a legal team with data-privacy experience that could conduct a privacy analysis of their existing processes and inventory. The outcome should be a report that identifies areas of exposure—possible causes of action—from the mindset of a plaintiff’s attorney, as well as recommendations to proactively address any looming surprises.

As the notion of privacy is reimagined in a digital world, providing data privacy consent forms will no longer be enough to protect a company’s balance sheet.

(Julie D. Blake, JD, LLM, CIPP, CIPM, is an experienced commercial litigator and data privacy expert with expertise in cybersecurity, data privacy breaches, risk assessment and data privacy policy review.)