While the list of states enacting comprehensive privacy legislation continues to grow, progress toward federal data privacy regulation has been slow-moving at best. However, a bipartisan group of legislators in the Senate and House of Representatives hope to change that by introducing the DELETE Act to the Senate.
On June 22, 2023, US Senators Bill Cassidy (R-LA) and Jon Ossoff (D-GA), along with House of Representatives members Lori Trahan (D-MA) and Chuck Edwards (R-NC), introduced the Data Elimination and Limiting Extensive Tracking and Exchange (DELETE) Act to the Senate in an effort to give Americans more control over their personal data. The bill is a revised version of a similar bill, sponsored by Cassidy, Ossoff, and Trahan, that failed to pass through Congress in 2022.
The defining element of the DELETE Act is that it gives individuals the right to force data brokers to delete their data and prohibit its future collection. If signed into law, the Federal Trade Commission (FTC), which has considerably stepped up its efforts to enforce privacy protections, would enforce the act, with mechanisms including:
- A system to track deletion requests, including a dashboard for consumer submissions
- Requirements for data brokers to register with the FTC
- A “Do Not Track” list to protect individuals’ data privacy
The DELETE Act defines a data broker as “an entity that knowingly collets or obtains the personal information of an individual with whom the entity does not have a direct relationship” and either sells the data or uses it to perform services for other businesses. In this context, businesses do have a direct relationship with their current, prospective, and recent customers, and therefore can collect and retain that information for up to 18 months after the last transaction.
Exceptions cover some business uses, if the consumer has consented to sharing data for a specific purpose, background checks, and news or consumer reporting.
Personal information includes “any information held by the data broker … that is linked or reasonably likable by the data broker to a particular individual, including:
- Financial data including credit cards and bank accounts
- Name, address, email addresses, IP numbers, and phone numbers
- Identification numbers such as drivers’ licenses, passport numbers, and Social Security numbers
- Biometric data, genetic information, geolocation data, web history, and other digital artifacts
Most websites and mobile apps practice invasive tracking and data collection of consumers. The DELETE Act could make it possible to put a stop to this tracking. It would be a major change for data brokers—one that could grind the entire data brokerage business model to a halt.
The current state privacy legislation approach makes it very difficult to pursue cases against brokers, resulting in consumer distrust with the digital economy and undermining the fundamental principles of choice and consent. The DELETE bill aims at rectifying the balance of power between consumers and those who benefit from their data (unbeknownst to them) and effectively makes it easy for the consumer to opt out via one click, under the watchful eye of the FTC.
While the European Union is one step ahead of the US with the GDPR, it is unclear how successful they have been in preventing large-scale data “trafficking.” Five years on, in the very recent case of Criteo the CNIL found many infringements including the lack of evidence of the consent of individuals to the processing of their data, information and transparency as well as respect for the rights of individuals. If the DELETE bill passes, it remains to be seen if the FTC is capable of what the EDPS was not in the five years since the GDPR came into force.
National Laws
Make sure you understand the requirements of data subject access requests—including requests for deletion—with Exterro’s guide The Basics of Data Privacy: Data Subject Access Requests.
Download the PDF version of this Data Privacy Alert here.