Doug Alexander

The right to erasure — the GDPR’s Article 17, the equivalent provisions in US state laws — is the privacy right that gets the most attention from individuals trying to manage their own digital presence. It’s easy to understand, it sounds powerful, and it produces a tangible result: you submit a request, you get a confirmation, your data is supposedly deleted.

The reality is more complicated. Erasure requests apply to the company you submit them to. They don’t apply to companies that have already received copies of your data, companies that acquired it before the request, or companies in jurisdictions where the right doesn’t apply. Data that has been shared downstream — sold, licensed, included in a data product — is not recalled by a deletion from the original source. The right to erasure is, in practice, a right to stop future data processing by a specific entity, with limited effect on existing distribution.

This isn’t an argument against using erasure requests. They’re worth submitting, especially to the major data aggregators that serve as upstream sources for others. But understanding what they do and don’t accomplish matters for setting realistic expectations.

The more durable protection is preventing data from being collected in the first place — through the kinds of practices that reduce the creation of linkable records rather than the deletion of records that already exist. This is harder, less legible, and doesn’t produce confirmation emails. It also works better over time. The deletion workflow is reactive; the minimization approach is structural. Both are worth doing, but the second one is doing more of the actual work.

The right to erasure is a useful tool in a larger toolkit. Treating it as the toolkit is where the disappointment comes from.

Massachusetts has a better consumer privacy framework than most people who live here realize. The state’s data privacy law — not the most recent legislation, but the existing framework built up over the past fifteen years — includes some provisions that are genuinely stronger than the California law that tends to get all the coverage.

The most important is the data security requirement. Massachusetts 201 CMR 17.00, the Standards for the Protection of Personal Information of Residents of the Commonwealth, requires any company that holds personal information about Massachusetts residents to maintain a written information security program — a WISP — with specific required elements. The standard is not just a notification requirement; it’s a security practice requirement, and it applies to any business that holds this information regardless of where the business is located.

This is more meaningful than a right-to-know or right-to-delete provision, which are the features that privacy advocates usually lead with, because it governs the baseline handling of data rather than individual remediation after something has already gone wrong. A right to delete your data from a company that has already had a breach is less valuable than a requirement that the company not have the breach in the first place.

The gaps: enforcement is inconsistent, the AG’s office is resource-constrained, and the private right of action is limited. The law doesn’t cover the full range of data practices that modern consumers are actually exposed to. It was written for a different era of data collection.

But the underlying logic — that security is a prior obligation, not an afterthought — is the right logic, and it’s worth noting that Massachusetts arrived at it earlier and more clearly than most other states. The newer comprehensive privacy bills moving through the legislature are more ambitious; whether they’ll be better in practice will depend on enforcement, which is where privacy law in the US consistently falls short.

Data brokers have been a known problem for long enough that the conversation about them has calcified into a predictable shape: journalists write the exposé, the company in question says something about industry practices and consumer choice, regulators express concern, nothing material changes. The cycle completes every eighteen months or so and we start again.

The reason nothing changes is not ignorance. The major data brokers — Acxiom, LexisNexis, Experian’s data business, the dozen smaller ones — are well understood by the people in a position to regulate them. The reason is structural. Data brokers serve industries that have significant lobbying power: insurance, financial services, background screening, direct marketing. The value proposition is clear and the customers are sophisticated. Regulatory pressure that would meaningfully constrain the data broker ecosystem would also constrain their customers, and those customers have resources to push back.

The opt-out regime that exists in most US states is not a solution. It’s a release valve. The process is deliberately difficult, the opt-outs don’t persist across company acquisitions, and the companies are not required to verify that the opt-out applies to all their downstream data products. A person who diligently opts out of every major data broker they can identify has reduced their exposure in ways that are meaningful at the margin but hasn’t actually removed themselves from the data economy.

What would actually change things is a data minimization requirement — a rule that says you can only collect and retain personal data that is necessary for a specific stated purpose, with enforcement that has real teeth. The EU’s GDPR has this in principle; the enforcement has been inconsistent, but the legal framework exists. The US doesn’t have an equivalent at the federal level, and the state-by-state patchwork isn’t a substitute.

In the meantime: the opt-out services are worth using, the major brokers are worth opting out of directly, and maintaining a clear-eyed view of what that does and doesn’t accomplish is the most honest starting point.