California has new rules - the DROP platform - that could interfere with the money being made by California data brokers.

The data brokers will find ways around the rules.

The profile they put together by spying on you is a tiny twig carried in a rushing river of data. 

The DROP platform puts a strong iron bar in the river right in front of your data, firm and unbending.

What happens to your data, to that twig dancing on the surface of the torrent?

It will go around the barrier and keep on flowing, copied, enriched, bundled, sold and resold with barely a ripple. Companies will continue to use it to advertise to you, to judge you, and to scam you.

You don’t understand how powerful the incentives are for companies to do absolutely anything required to keep making money, even if they have to go to some trouble to do it.

Here’s an example.

Did you know Apple, Google, and Microsoft are headquartered in Ireland?

On the one hand that’s a true fact. 

On the other hand, obviously they’re not Irish companies. 

A few decades ago Ireland’s political class decided to embrace corporate tax evasion. Any company that has enough money to pretend to be Irish can avoid 25%-35% in tax around the world.

For today’s sermon, the point is that companies are motivated to find ways around the rules if they can make a buck merely by going to some trouble.

The data brokers aren’t giant multinationals but there’s a lot of money at stake. The industry ranges from small niche firms up to massive publicly traded conglomerates. Revenue for the data broker industry is roughly $200 billion annually - bigger than the NFL, Hollywood, and the music industry combined.

The brokers will not surrender their data about Californians without a fight.

The California Privacy Protection Agency is doing wonderful work. Many other states are following California’s lead, and the GDPR in Europe is still the gold standard for protection of consumer privacy.

California’s DROP platform is a meaningful pushback against surveillance capitalism and the loss of privacy.

If you are a California resident, sign up for DROP to have your data deleted from registered data broker databases.

The rest of this article is relentlessly negative because when you want somebody to spoil your fun and convince you that we can’t have nice technology, I’m your guy. Blame the messenger. But don’t stop believing! We need all the hope we can get.

Nothing will happen quickly. Brokers don’t have to start processing deletion requests until August 1. They only have to access the system every 45 days after that, and they can take up to 90 days to report how a request was processed.

It takes much less than a second to duplicate your personal profile and copy it to a thousand databases, but it will be months before your request to be deleted will be processed.

Google and Facebook won’t erase your data. Neither will your bank, your hospital, your grocery store rewards program, your airline, or any of the companies collecting data from the apps on your phone. Verizon won’t erase its records of your location that it harvests from the cell towers your phone connects to as you move around. Comcast won’t delete its data about your browsing that it deeply and seriously promises it’s not collecting.

The law only applies to registered data brokers. A broker might operate through affiliates, subsidiaries, or partner companies that are technically separate legal entities. If enforcement is only possible against the registered entity, then information may just move sideways into entities that fall outside the definition or operate under different regulatory categories.

Data - your data - is not a physical object that disappears when it’s deleted. It’s more like a rumor: once it spreads it can exist in many places at once. A broker may sell or license a dataset to multiple buyers before a deletion request ever arrives. When the request comes in, the original broker may delete its copy, but downstream copies may persist.

Data doesn’t always travel in its original form. Brokers can combine, aggregate, or partially anonymize datasets. They might claim that transformed data is no longer “personal information” under a given legal definition, even if it can be re-linked to individuals with enough effort. In practice, this can create a gray zone where data is functionally about you, but legally described as something else.

Last year I wrote an article about ways your TV is spying on you. Let’s use connected TVs as an example of how data brokers will continue to do surveillance to work around the California data deletion laws.

A data deletion request in the DROP website is tied to you as an individual. If the broker gets a 100% match in their database, your data is deleted.

The data from a TV is household-based, not individual-based. It’s tied to a household, an IP address, instead of a named individual.

California’s framework does cover households to some extent, but enforcement and matching are much harder. Data brokers in California might delete the folder with my name on it, but they’ll keep a household-based folder labeled, “people who collect first edition books and ski at Alta.” 

There’s no smoking gun evidence that data brokers are intentionally conspiring to evade privacy laws. Let’s call it “evolution” toward collection of data from devices that are not tied to specific individuals. The data brokers are already well on their way.

Even if your name is removed from a California broker’s database, there are many ways for other systems to reconstruct you from clues. Your TV viewing habits, location patterns, device usage, and household characteristics are more than enough for advertising or profiling, and companies outside of California can almost certainly match you back to the other personal data they still hold and emerge triumphantly with your name attached once again.

We live in a world where data is combined and recombined constantly.

Big companies adapt to regulation by flowing into categories that are harder to regulate.

Water finding the cracks.

Data has value. The data brokers might not act illegally, but they are hardwired to pay attention to both compliance and business interests. Privacy laws are more like yellow lights than red lights.

The data ecosystem is built to distribute, duplicate, and persist. Privacy efforts like DROP push back against that, and they do make a difference.

But they are operating against a system that behaves less like a filing cabinet and more like a living network. You can prune it. You can shape it. You can even cut off major branches.

It just keeps finding ways to grow.

We don’t know yet what the effect will be of the penalties in California law for noncompliance with the DROP requirements. The California Privacy Protection Agency and the state Attorney General can bring enforcement actions. Penalties can run up to $2,500 per violation, or $7,500 for intentional violations or those involving minors.

Early enforcement actions have resulted in settlements for tens or hundreds of thousands of dollars. For many of these companies, that is less of a catastrophic event and more like an unexpected Tuesday expense.

Large, well-known companies with reputations to protect tend to comply more carefully. They hire lawyers, build systems, and worry about headlines. Most data brokers, though, are not household names. They operate in the shadows and they’re not frightened by loss of reputation.

California is paying attention to privacy. That by itself is sufficient to shift the conversation. Sign up for DROP, get that barrier in the data stream, make your profile more difficult to use and abuse.

But don’t expect miracles. The river isn’t going to stop flowing. The surveillance industry will continue to spy on you and engage in a mix of earnest compliance and strategic interpretation, like a toddler agreeing to bedtime while renegotiating every term of the treaty.