As I wrote in my last blog post, a bill that I proposed back in December 2020 to strengthen the California Data Broker law has been adopted by State Senator Josh Becker and introduced as California Senate Bill 1059 (aka SB 1059) on March 9, 2022. Here’s the press release and the text of SB 1059. In this blog post I am going to go over the strategic rationale for SB 1059.
SB 1059 in Brief
SB 1059 significantly strengthens California’s existing data broker law by giving Californians increased visibility into businesses known as data brokers that knowingly collect, sell, and share the personal information of a consumer with whom the business does not have a direct relationship. SB 1059 also provides Californians additional privacy rights and empowers the California Privacy Protection Agency (PPA) to regulate data brokers. SB 1059 is funded through annual registration fees that data brokers pay under current law. Leading advocacy and privacy groups including Consumer Reports, EPIC, Californians for Consumer Privacy and Consumer Watchdog support SB 1059.
Data brokers are businesses that knowingly collect, sell, and share the personal information of a consumer with whom the business does not have a direct relationship. According to the privacy group EPIC, there are thousands of data brokers in the United States who buy, aggregate, sell, and trade billions of data points on Americans. Some data brokers advertise they collect and aggregate over 10,000 data points per consumer.
Because consumers don’t have a direct relationship with data brokers, they are often oblivious to who is selling and trading their personal data, and have no knowledge of which third parties are acquiring that data or what those third parties are doing with it.
In October of 2019, California passed AB 1202, which requires “data brokers to register with, and provide certain information to, the Attorney General”; in turn, the Cal AG office would provide a website that lists all the registered data brokers. This was, and remains, the second data broker registry bill of its type passed by a state, the first being Vermont, which passed its data broker registry law in 2018.
The intent of the California law is “to further Californians’ right to privacy by giving consumers an additional tool to help control the collection and sale of their personal information by requiring data brokers to register annually with the Attorney General and provide information about how consumers may opt out of the sale of their personal information.” It went into effect on January 1, 2020. There is a nominal penalty of $100 per day for failure to register.
In 2020, the California Department of Justice projected that at least 1,000 data brokers of the estimated 4,000 worldwide data brokers would register with the DOJ.
Recent reporting has highlighted some highly problematic invasions of privacy being facilitated by data brokers. Recently, The Markup published an exposé documenting how location data is harvested from apps on phones and sold to data brokers, who aggregate that data with other personal data and then offer third parties the ability to precisely track a consumer’s movements. One example involved an LGBTQ dating app and a Muslim prayer app selling data on people’s location to a data broker. LawFareBlog has also documented how data brokers were advertising that they can sell real-time location data of active military personnel.
These chilling violations of privacy highlight the fact that much of our sensitive personal data, including gender, sexual orientation, political preference, financial transactions, websites we have visited, and even our precise geolocation, is used by data brokers to profile and score us. So, it is critical that consumers know who the data brokers are that are out there collecting, aggregating, selling and trading their data.
Unfortunately, it appears California’s existing law needs more teeth to get more data brokers to register. The Cal AG determined per this document that the number of data brokers worldwide was 4,000 and projected that 1,000 would register with California. Yet nearly a year into the law, only 400 data brokers have registered with the State per the Cal AG data broker registry website, or 40% of the projected number and 10% of the actual number of worldwide brokers. That means there are likely hundreds of additional data brokers selling and trading our personal information that Californians currently have no visibility into.
Part of the problem with the current law is that data brokers can avoid being considered a data broker, as the current law only refers to entities that “knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” But many data brokers share information and get commensurate value from the sharing, so they can avoid being considered a data broker and avoid registering with California. In fact, LawFareBlog said this about data brokers:
“Some data brokers may also offer economic opportunities to businesses through the use of this information, without actually selling the information to the business client—for example, allowing a client insurance firm to run ads through the data broker’s platform, but without ever handing over the underlying data on particular individuals.”
Equally problematic is that while the Cal AG requires each data broker to provide answers on how a consumer may opt out of the sale of their personal information and how the consumer can demand deletion of their personal information, many data brokers give vague and/or unhelpful answers (“through a link on our website”) or even ignore the questions. In fact, Consumer Reports asked volunteers to exercise their CCPA data subject rights with a variety of data brokers, and many consumers found it to be a “scavenger hunt,” in part because there is no consistency amongst data brokers on how a consumer would go about exercising their data subject rights. The reality is that it takes dozens of hours to have one’s personal information deleted from just a handful of data brokers’ databases, and it may take weeks or months for the deletion to finally occur.
Finally, it is important that consumers know if a data broker has been breached and if the broker collects data on minors, information that would be of significant interest to California consumers. Currently, data brokers are not required to supply that information as part of their registration with the California Attorney General.
The Solution: SB 1059
Clearly, given the problems documented above, and to better protect against the potential misuse of personal data, Californians need more rights and better visibility regarding data brokers.
Here are the enhancements to California’s Data Broker Registration law found in SB 1059:
- Many data brokers are ignoring California law and not registering, which makes it harder for Californians to tell a data broker to delete their data or stop selling their information, because they don’t know who the data brokers are. The proposed enhancements to the existing law would double the daily fines from $100 to $200 for failing to register, thereby providing more motivation to get data brokers to register and making Californians better aware of who may have their data and is selling it.
- Data brokers can avoid being considered a data broker, as the current law only refers to entities that “knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” But many data brokers share information and get commensurate value from the sharing, so they can avoid being considered a data broker and avoid registering with California. This was cleaned up in the California Privacy Rights Act (CPRA) to add selling and sharing, and the proposed changes to the data broker law would do the same. Hence this harmonization would increase the number of data brokers needing to register and give more sunlight to Californians on who is selling and sharing their data.
- The current data broker law points to the old definition of personal information in the California Consumer Privacy Act (CCPA). The CPRA has an enhanced, more modern definition of personal information. So, the current DBR law misses items in the CPRA definition of personal information such as internet activity information and commercial information such as purchasing histories, as well as “sensitive personal information” including genetic information and email and text messages. Thus, data brokers who sell and share internet activity information and purchasing history are not covered under current law. The proposed enhancements therefore clarify and expand upon what companies are considered data brokers.
- When data brokers do in fact register, they in effect hide the ball from consumers on how Californians can request deletion or stop the sale of their information. The proposed enhancements to the data broker law make the data brokers clearly document how consumers can delete their information, stop its sale, and even correct inaccurate information. This sunshine will increase the ability of Californians to take control over their data and in doing so reduce the risk of their data being misused.
- To get California on par with Vermont’s data broker law, the proposed enhancement specifically asks data brokers to answer in their registration if they have been breached AND if they collect data of minors. If Californians know this information, then they can better protect their identity and children. Furthermore, it raises awareness with the data brokers themselves that they should better protect Californians’ data and not collect data regarding minors.
- Finally, data brokers are not regulated beyond registration with the AG. Putting the registration process under the California Privacy Protection Agency (PPA), which is the agency that addresses privacy, and allowing the PPA to write regulations in this area gives California the flexibility to adjust to how data brokers may be violating Californians’ privacy rights down the road.
The Bottom Line
SB 1059 significantly strengthens California’s existing data broker law by giving Californians stronger privacy rights and better visibility into the data brokers who collect, sell, and share our personal data, including real-time location and other sensitive information.