Exclusive: For $3, a ‘robot lawyer’ will sue data brokers that don’t delete your personal and location info
In January, a new law gave consumers the power to stop companies collecting their personal information. The law, known as the California Consumer Privacy Act (or the CCPA), can be a powerful tool for privacy, but it comes with a catch: Consumers who want to exercise their CCPA rights must contact every data broker individually, and there are more than a hundred of them. But now they have an easier option.
On Thursday, a startup called DoNotPay unveiled a service it calls Digital Health that automates the data-deletion process. Priced at $3 a month, the service will contact more than 100 data brokers on your behalf and demand they delete your and your family’s personal information. It will also show you the types of data the brokers have collected—such as phone number or location info—and even initiate legal proceedings if the firms fail to comply. The monthly fee also gives subscribers access to DoNotPay’s other automated avenging services, like appealing parking tickets in any city, claiming compensation for poor in-flight Wi-Fi, and Robo Revenge, which sues robocallers.
The data deletion service is the latest brainchild of Joshua Browder, who launched DoNotPay as a way to fight parking tickets when he was a 19-year-old at Stanford University. The startup has been hailed in the media as a time-saving “robot lawyer” and has reportedly saved consumers over $4 million in fines.
In an interview with Fortune, Browder says he was inspired to extend CCPA’s services to data deletion after receiving numerous robocalls on Christmas Day. Browder says data brokers are a key source of information for robocallers as well as being a threat in their own right.
The technology that underlies DoNotPay’s parking ticket and CCPA services are the same: bots. The bots send emails on customers’ behalf and also reply to any follow-up requests companies might send back.
In the case of companies who receive a CCPA data deletion request, they might ask for additional information such as a photo or a birthdate. In such cases, DoNotPay’s bots will contact the customer for the additional data, and then use the new information to respond to any other data brokers that make similar requests. And while the CCPA is a state law that technically only covers California residents, many companies are acting as if it applies country-wide—and, in any case, Browder says DoNotPay uses a California P.O. Box when it reaches out to companies.
Browder also emphasizes that DoNotPay will never sell consumer data itself, and that the company’s own terms of service allow it to be sued if it ever does. He also believes data brokers do no good for consumers.
“There’s no reason an average person wants one of these privacy brokers to have their data,” he says.
Location and facial recognition: A creeping threat
DoNotPay’s service comes at a time of mounting concern over how the Internet and cell phones are letting companies track people all the time, online and in the real world. In December, for instance, the New York Times obtained files that showed how a data broker could see and record the movements of millions of people. The exposé, which included sensitive records such as people moving from the White House to their homes, belied claims by the ad industry that data is anonymous.
Browder describes companies that amass such data as “truly shady.” He has a similar view of firms like Clearview, a facial recognition company that has gained notoriety by scraping billions of personal photos from the public Internet.
Such stories are one reason laws like the CCPA are gaining traction around the company. But while such laws shift a measure of power back to the consumer, most people haven’t even heard of the most invasive information gatherers in the first place. These companies have names like SkyHook and NinthDecimal and make their money selling data to marketers. Others, including Clearview, sell the data to law enforcement as well.
According to Browder, DoNotPay lets consumers purge their data from most of the 20 or so companies named in the New York Times exposé. He says the remaining firms cited in the Times story do not collect significant data and that the only to block them is by changing your default phone settings.
Browder says DoNotPay will also send requests to facial recognition companies, including Clearview, which has amassed a decade’s worth of photos on millions of people by scraping social media and other sites.
All of this suggests consumers may finally be able to avail themselves of the same automated tools to delete data that companies use it to collect it in the first place.
How data deletion works
The CCPA provides consumers with a number of clear rights: the right to see what data most companies have collected, the right to have that data deleted, and the right to tell companies not to collect it in the future.
But while the broad principles of the CCPA are clear, there is still uncertainty of how it will work in practice. This is in part because the law only went into effect in January, and the California Attorney General has yet to issue final regulations about how it will work in practice.
According to Glenn Brown, an authority on data issues at the law firm Squire Patton Boggs, many companies are still grappling with how to identify the personal data they collect, and to provide a process for consumers to file CCPA requests.
There is also the question of what sort of demands companies can make of consumers—such as requests for photo identification. While such demands might amount to unjustified obstacles in some cases, Brown notes that they well might be legitimate. For consumers with common names, like John Smith, a company is within its rights to require more details, to ensure it is handling the data for the correct person.
Browder says that DoNotPay’s lawyers have told him that certain requests—such as a demand for a drivers license—are illegal and that his company is ready to sue companies that demand them.
Those who sign up for DoNotPay’s data service can begin the process with simply an email address—or several of them, including those for family and friends. The company will also permit customers to pay $3 to delete their data once, rather than sign up for a monthly subscription.
DoNotPay is also encouraging consumers to view the CCPA as a financial weapon that they can wield against broader forms of corporate wrong-doing. Browder says deletion requests cost companies $10 on average, and he envisions consumers running campaigns to punish firms that misbehave.
“We see this as a tool to help consumers fight back against any injustice that they experience,” Browder says. “For example, if an airline makes you wait in a long line to check in, you can cost them $10 with a data deletion request.”
All of this suggests the CCPA, and automated tools like DoNotPay, may be inaugurating a new era where personal information—long treated as an economic commodity by companies—may be becoming personal again.
More must-read stories from Fortune:
—How 5G promises to revolutionize farming
—Did the ‘techlash’ kill Alphabet’s city of the future?
—College backlash against facial recognition technology grows
—In A.I., what would Jesus do?
—Coronavirus is giving China cover to expand its surveillance. What happens next?
Catch up with Data Sheet, Fortune’s daily digest on the business of tech.