You can feel helpless when you don’t have control over your personal data, especially while data brokers with little concern for your privacy are making billions buying and selling hoards of consumer data collected from various sources.
The largely opaque data broker industry is worth an estimated 278 billion dollars and has been operating in the United States with little regulatory oversight until now. The responsibility of keeping data brokers’ rampant information collection in check falls predominantly on consumers themselves, and the process of submitting a deletion request isn’t always necessarily the most transparent or straightforward.
However, thanks to the California Delete Act and its newly launched Delete Request and Opt-out Platform, or DROP, California residents now have access to an online tool that can help them automatically file a data deletion request to over 500 data brokers at once. This is a major privacy win if you’re a Californian because it can help severely reduce the amount of your personal information that data brokers have at their disposal to sell and share to other third parties at their will. In turn, it also limits the risk of your personal information being exposed to cybercriminals in a data breach, sold across the dark web or used against you in a phishing attack — all of which can lead to identity theft and other real-life harms.
Although DROP could be a game-changer for the privacy rights of Californians, it’s not a magic pill that automatically eliminates all cyber risks. At the very least, I still recommend a VPN to prevent your internet provider from monitoring your browsing habits, a password manager to ensure your login credentials remain secure and an antivirus program to keep your device safe from malware.
What is DROP?
In 2023, the California legislature passed the California Delete Act, which required the California Privacy Protection Agency, or CPPA, to “establish, by Jan. 1 2026, an accessible deletion mechanism that … allows a consumer, through a single verifiable consumer request, to request that every data broker that maintains any personal information delete any personal information related to that consumer held by the data broker or associated service provider or contractor.”
That deletion mechanism became DROP, which went live at the beginning of the year. In addition to giving California residents an easy way to file deletion requests, DROP also requires data brokers to register annually with the CPPA, pay an annual registration fee and process deletion requests every 45 days, beginning on Aug. 1, 2026. The status of deletion requests must then be sent to the CPPA. Fines are set at $200 a day for failing to register by Jan. 31 of each year and $200 a day per consumer, plus enforcement costs, for failure to comply with the deletion request. Additionally, data brokers must undergo a third-party audit every three years, beginning on Jan. 1, 2028.
To benefit from the service, California residents need to access the DROP portal, verify their residency, create a profile and submit requests. According to the California Code of Regulations, a resident is any individual who “is in the State for other than a temporary or transitory purpose, and … every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose.” In other words, if you live in California, you should be able to use DROP (even if you’re outside of the state temporarily), but if you’re just visiting California for the short term, then probably not.
When you create your profile, you can include whatever amount of personal information you’re comfortable with, including your name, address, email address, date of birth, phone number and even things like your mobile advertising ID or vehicle identification number. The CPPA advises that the more information you submit, the better the chances that data brokers will be able to match you to their records, and, therefore, delete your data. Once you’ve entered your information, you can submit your request and track its status using your unique DROP ID. You can update your deletion request at any time with additional or new information.
If a data broker detects a match based on the information you submitted with your request, all of your information held by that data broker will be deleted, except for exempted data such as publicly available data or first-party data you’ve shared directly with the company.
Why is DROP important?
Data brokers collect and share an alarming amount of data, ranging from the relatively lower-stakes to the highly sensitive, often without the consumer’s direct consent or knowledge. They collect information such as your name, email address, physical address, date of birth, marital status, household information, IP address, shopping habits, online browsing activity, location history, financial information, social security number and health data.
Brokers obtain this information from various sources, including social media platforms, public records, internet providers sharing customer browsing data, online trackers and cookies, credit bureaus, GPS data, and apps and services that share user data.
Data brokers then sell all this data to other entities, such as advertisers, people search sites, other data brokers, debt collectors, political campaigns, recruiters, lenders, insurance companies, government entities and law enforcement.
That’s a lot of data being distributed in many directions, with plenty of opportunities for data breaches or other misuse of personal information. That breadth of data can potentially be stolen by cybercriminals for identity theft or phishing. Aside from cybercrime, your personal data can be used by stalkers to find information about specific targets, by law enforcement to take action without a warrant and by insurance companies to inflate your premiums.
DROP lets Californians force data brokers to delete much of that data, and therefore drastically reduce the risk of their data being misused. Having all that information floating around is of little benefit to consumers, while being a goldmine for entities without your best interests in mind. DROP helps California residents tip the scales back in their favor.
What about non-California residents?
At this time, a mechanism like DROP is only available to residents of California, meaning that everyone else in the US is left basically with two options — one that’s cumbersome and time-consuming, and another that’s potentially expensive, especially over the long term.
One way is to manually submit deletion requests to each data broker individually. With hundreds of data brokers operating in the US and thousands globally, this manual method could be time-consuming and might ultimately be a futile pursuit, even if only a fraction of those data brokers actually have your data.
Another option is to use a data removal service, which is a paid service that can submit data removal requests to the data brokers on your behalf. However, these services can vary in effectiveness, might not cover the full gamut of data brokers and can become expensive because they require a long-term commitment. Data removal is a continuous process because your data may be collected again, so you’ll need to keep paying for the data removal service, which can cost a couple of hundred dollars per year.
By comparison, DROP automatically files deletion requests to over 500 data brokers with data on California residents for free and on a rolling basis — meaning that Californians only have to submit a single request, and DROP takes care of the rest. Until other states follow suit or similar legislation gets passed at the federal level, residents of other states are left with decidedly less appealing options.
How a VPN can and can’t help
Using a VPN can help you prevent your internet provider from monitoring your online browsing activity and, therefore, sharing that information with data brokers. Additionally, the top VPNs typically include tracker-blocking functionality that can help stop cookies and other trackers from following you around the web, and, in turn, from data brokers scooping up that information about your online activity.
A VPN encrypts your internet traffic while running your connection through a server in a different location. By doing so, it hides what you’re up to online from your internet provider, network administrators, government entities and other online snoops — while also changing your IP address to that of the VPN server you’re connected to. This means that the websites and services that you use online will register the IP address (and location) of the VPN server rather than your true IP address and location. This can help prevent sites and services from sharing your IP address and location with data brokers.
However, while a VPN is an important privacy tool and can help prevent a certain subset of data from ending up in the hands of data brokers, it can’t stop all data collection. A VPN can’t stop Big Tech companies like Google or Meta from collecting and sharing data related to your activity on their platforms while you’re signed in. A VPN also can’t prevent you from downloading malware or entering your personal information into a phishing site, even if some offer surface-level malware and virus protections. For more comprehensive privacy and security online, you’ll need to take a holistic approach.
Proper cyber hygiene requires more than a single tool
Using a VPN, DROP or a data deletion service is great, but each is just one part of the bigger cyber hygiene puzzle. In addition to these tools, you should be using a password manager and an antivirus program. A password manager can help you create strong, unique passwords for each of your individual online accounts, ensuring that you’re better protected from cybercriminals accessing them and stealing your sensitive information. Some password managers include phishing protections, including 1Password, which recently rolled out a new anti-phishing feature. An antivirus service can help block malware from infecting your computer and, therefore, prevent criminals from getting their hands on your data.
Additionally, I recommend using a secure email provider such as Proton Mail, encrypted messaging such as Signal, a tracker blocker like Privacy Badger, a private web browser such as the Mullvad browser and a private search engine such as DuckDuckGo. All of these tools can help reduce your digital footprint and minimize the amount of personal data you’re exposing online, and ultimately what data brokers can collect.
Some of these solutions are free, including some VPNs and antivirus software, while others are paid services that you can purchase individually or as part of a bundled suite of tools. A handful of VPN companies, including NordVPN, Surfshark, Proton and ExpressVPN, offer bundled privacy and cybersecurity tools as a part of their subscription packages, which can be a convenient solution if you don’t mind committing to a single provider.
Whichever route you take, having a full arsenal of privacy and security tools at your disposal is a prudent move and an important step in regaining control over your data at a time when it’s being flippantly tossed around and traded between outside entities for their own benefit.
Read the full article here