Consumer Reports, Access Now, Consumer Federation of America, The Electronic Frontier Foundation, Electronic Privacy Information Center, U.S. PIRG, and Virginia Citizens Consumer Council write in respectful opposition to HB 381, which would allow data brokers to disregard deletion requests and instead merely treat them as requests to opt out of the sale, targeted advertising, and profiling of personal data. This bill is not necessary, and would be harmful to consumer privacy.
This summer, data broker RELX testified before the Virginia Consumer Data Privacy Working Group, requesting an amendment to the CDPA so that data brokers—entities that collect and purchase consumer data from entities other than the consumer itself—may treat deletion requests as an opt out of sale, out of concern that they could not comply with deletion requirements. However, there is no logical reason that data brokers cannot comply with deletion requests. As an active member of the Privacy Shield agreement, RELX has self-certified that it is able to comply with its provisions, which include providing consumers with access to the information held about them, and the ability to delete that information when it is inaccurate or processed in violation of the Privacy Shield principles. Now that the courts have declared the Privacy Shield inadequate, businesses like RELX that process and transfer Europeans’ data to the United States may have to comply with the European Union’s General Data Protection Regulation (GDPR), which includes a data deletion requirement.
Further, even if the CDPA did raise compliance concerns for these businesses, there are more privacy-protective ways of addressing them than treating a deletion request as an opt out of sale. A narrower exemption based on CCPA regulations might read: “A business may retain a record of the request for the purpose of ensuring that the consumer’s personal information remains deleted from the business’s records.” This would help ensure that data brokers are able to delete a consumer’s information in the future if it is re-purchased.
Allowing data brokers to disregard deletion requests and instead treat them as an opt out of sale is inappropriate, especially because the retained data is vulnerable to data breaches. RELX subsidiary LexisNexis, for example, has been breached multiple times, exposing consumers’ personal information. Further, consumers typically are unable to control whether their information is collected by data brokers, as these companies buy and sell consumer data from other entities without having a direct relationship to the consumer. Consumers should have the choice to decide whether these companies keep their data within their systems.
For the full letter, please see the attached PDF.