As I wrote in a prior blog post, a bill that I proposed back in December 2020 to strengthen the California Data Broker law has been adopted by State Senator Josh Becker and introduced as California Senate Bill 1059 (aka SB 1059) on March 9, 2022. Here’s the press release and the text of SB 1059. In this blog post I am going to go over Frequently Asked Questions regarding SB 1059.
Question: What does Senate Bill 1059 actually do?
Answer: SB 1059 does the following:
- Provides Californians with better visibility into data brokers that may be collecting/selling/trading their personal info.
- Requires more transparency from data brokers in terms of how Californians can exercise their privacy rights to delete their data, opt-out of sales, etc.
- Gives Californians additional privacy rights including the right to know if a data broker has been breached as well as if the data broker collects/sells/shares data regarding minors.
- Unifies the registration and regulation of data brokers under the California Privacy Protection Agency, thereby providing “one-stop shopping” for protecting consumers’ privacy.
- Complements Federal legislative initiatives and proposals.
- Does not put any burden on taxpayers as SB 1059 is funded through annual registration fees that data brokers already pay under current law.
Question: What are some of the problems that SB 1059 is trying to address?
Answer: SB 1059 addresses several problems, including:
- Data brokers are not in fact registering with the State of California. Only 10% of the estimated 4000 brokers have registered. This is because the penalties are small and/or they “share” data vs. sell data so technically they don’t have to register. So, Californians are blind to who is in the business of selling and sharing their personal information.
- Data brokers are making it very difficult for consumers to exercise their privacy rights. Consumer Reports reported that consumers are dealing with a scavenger hunt vis a vis the exercise of their privacy rights.
- Consumers do not know if a data broker has been breached and/or if data brokers are collecting data regarding children.
Question: Is this an unfunded mandate? And/or won’t this cost taxpayers money?
Answer: SB 1059 funds the Privacy Protection Agency’s (PPA) ability to administer the California Data Broker registry via annual registration fees paid by data brokers, so there is no burden on California taxpayers. The bill is in effect fully funded. Note that this contrasts with the unfunded additional costs added to the PPA by both Assembly Member Gabriel’s AB-2486, which adds an Office for the Protection of Children Online to the PPA, and Assembly Member Wicks’ AB-2273, which has the PPA creating the California Children’s Data Protection Taskforce.
Question: But is not SB 1059 an added “tax” on data brokers?
Answer: Data Brokers already pay a registration fee under current law. The annual registration fee was initially $360 and was raised to $400 by the AG. This is a nominal fee for the billions of dollars that the data broker industry makes. So, this does not add any “additional” expenses, as data brokers were already paying this fee irrespective of SB 1059, although the PPA may determine that the annual registration fee may nominally increase to cover costs, as the AG has determined in prior years.
Question: Do any major advocacy and/or privacy groups support SB 1059?
Answer: Yes! Leading advocacy and privacy groups including Consumer Reports, EPIC, Californians for Consumer Privacy and Consumer Watchdog support SB 1059.
Question: SB 1059 forces data brokers to specify if they have ever been breached and/or if they collect data on minors. Is this not an undue burden on data brokers?
Answer: Vermont’s data broker registration law already requires this same information to be provided, and California is simply asking for the same information that data brokers already provide to another regulatory body. Furthermore, data breach notification laws require data brokers to publicly communicate if they have been breached anyway.
Let’s not lose sight that if Californians know this information, then they can better protect their identity and children. Furthermore, it raises awareness with the data brokers themselves that they should better protect Californians’ data and not collect data regarding minors.
Question: SB 1059 requires data brokers to carefully document how consumers can delete their information, opt-out, etc. Is this not an undue burden on data brokers?
Answer: The CPRA already requires data brokers to support these privacy rights afforded Californians. This is a simple requirement to provide instructions on how a consumer can take advantage of these privacy rights that data brokers must already respect. The reality is that data brokers have historically made it difficult for consumers to exercise these rights, and this law makes it easier. For example, Consumer Reports noted that consumers have struggled “to locate the required links to opt out of the sale of their information” and that “many data brokers’ opt-out processes are so onerous that they have substantially impaired consumers’ ability to opt out.”
Question: Does not SB 1059 take away the ability for the Cal AG to enforce California’s privacy laws vis a vis data brokers?
Answer: No. The Cal AG still retains enforcement under SB 1059 in conjunction with the PPA. Furthermore, the CPRA allows any enforcement actions regarding the violation of Californians’ privacy rights, which includes violations by data brokers, to also be handled by the Cal AG office.
Question: Will SB 1059 limit the ability for the California Attorney General to have access to the data provided by data brokers to the PPA?
Answer: No. Under current law, the registration information provided by data brokers is shared with the public (currently on https://oag.ca.gov/data-brokers). This does not change with SB 1059. What has changed is that some additional information is requested in the registration process, namely: (a) whether the data broker has been breached and whether it collects information regarding children, which is information that data brokers already need to supply to the State of Vermont as part of its registration program; and (b) specific instructions on how the consumer can exercise their CPRA privacy rights, like the right to delete and correct. SB 1059 requires this registration data to be published for access by consumers. So, the AG and the public will have complete visibility into the registration data provided by data brokers, as is the case under current law.
Question: Will SB 1059 really increase the number of data broker registrations?
Answer: Under the current law, data brokers can skirt around being considered a data broker, as the current law only refers to entities that “knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” But many data brokers share information and get commensurate value from the sharing, so they can avoid being considered a data broker and avoid registering with California. In fact, LawFareBlog said this about data brokers: “Some data brokers may also offer economic opportunities to businesses through the use of this information, without actually selling the information to the business client—for example, allowing a client insurance firm to run ads through the data broker’s platform, but without ever handing over the underlying data on particular individuals.”
This was cleaned up in CPRA to add selling and sharing, and the proposed changes in SB 1059 would do the same. Hence this harmonization would increase the data brokers needing to register and give more sunlight to Californians on who is selling and sharing their data. Data brokers should not complain about this addition of “sharing” to the definition of a data broker in the registration process, as they already have to adhere to the concept of “sharing” vis a vis their business obligations and consumer privacy rights in the CPRA.
In addition, the proposed enhancements in SB 1059 would double the daily fines from $100 to $200 for failing to register, thereby providing more motivation to get Data Brokers to register and making Californians better aware of who may have their data and is selling it.
Question: Why consolidate the registration and regulation of data brokers with the PPA?
Answer: Putting the registration and regulation process under the California Privacy Protection Agency, which is the State agency that “lives and breathes” privacy, gives California the most knowledgeable entity that can adjust to how data brokers may be violating Californians’ privacy rights down the road. In other words, the PPA is probably in the best position, given its protection of consumer privacy, to determine what regulations are required of data brokers. Furthermore, this change puts the PPA more in line with what Europeans have with their Data Protection Agencies. Businesses and consumers will also appreciate dealing with a single agency regarding privacy issues, i.e., “one-stop shopping.”
Question: Does SB 1059 conflict with Federal proposals around the regulation of data brokers?
Answer: No. SB 1059 fully complements proposed Federal legislation in the regulation of data brokers, including Senators Ossoff’s, Kennedy’s and Representative Trahan’s DELETE Act (for a global data deletion request) and Senator Wyden’s Protecting Americans’ Data from Foreign Surveillance Act (that prohibits data brokers from selling personal data to foreign countries). SB 1059 does not provide global deletion capabilities, nor does it touch upon national security issues such as limiting data brokers from selling to foreign countries.
Question: Does SB 1059 do enough vis a vis the issues with data brokers? i.e., we want it to do more!
Answer: My philosophy is, and was, let’s not make perfect the enemy of good enough. SB 1059 does in fact move the ball significantly forward:
- Provides Californians with better visibility into data brokers that may be collecting, selling, and sharing/trading their personal info. It does this by increasing fines for non-registration and requiring those data brokers that share/trade (vs. just sell as in the current law) to also register.
- Requires more transparency from data brokers in terms of how Californians can exercise their privacy rights to delete their data, opt-out of sales, etc. Consumer Reports has clearly documented the struggles consumers face (e.g., a “scavenger hunt”) to exercise their rights; this requires the data brokers to provide specific instructions on how to delete, opt-out, etc.
- Gives Californians additional privacy rights including the right to know if a data broker has been breached as well as if the data broker collects/sells/shares data regarding minors. Knowing if a data broker has been breached is a key privacy right being added that will significantly help consumers know if they are at risk for identity fraud.
- Unifies the registration and regulation of data brokers under the Privacy Protection Agency, thereby providing “one-stop shopping” for protecting consumers’ privacy. This addition of the ability to regulate data brokers is new and can be a powerful future path to protecting consumers. And having oversight of data brokers in the PPA should also increase registrations.
- Complements Federal legislative initiatives and proposals. People may want a “do not call” registry equivalent for data brokers, but there is already a federal proposal to specifically add that, and the authors of SB 1059 did not want this bill to be rejected by lawmakers because there is overlap with potential federal legislation.
Question: Does not the proposed Senator Ossoff’s DELETE Act overlap with SB 1059? So, should we not just wait to see what happens with that Federal bill and therefore punt on SB 1059?
Answer: There is a little overlap in the area of registering data brokers, but the two bills have different focuses and primarily complement each other.
Before we go into the differences, the reality is that the Federal government has not passed any comprehensive privacy legislation, so, given Congress’ track record vis a vis privacy, it is probably unlikely that the Ossoff bill will pass. California on the other hand leads the nation in privacy, and SB 1059 furthers that leadership with the most comprehensive data broker law of any state.
Stepping back, the DELETE Act’s primary goal is to create an equivalent to the Do Not Call registry, namely it is aimed at allowing consumers to go to a single website and put in their email address or mailing address and get the data brokers to delete the consumer’s information from their respective systems. The primary goal of SB 1059 is to (a) provide Californians with better visibility into data brokers that may be collecting/selling/trading their personal info; (b) require more transparency from data brokers in terms of how Californians can exercise their enhanced California privacy rights to delete their data, opt-out of sales, etc.; (c) give Californians additional privacy rights including the right to know if a data broker has been breached; and (d) unify the registration and regulation of data brokers under the Privacy Protection Agency.
The DELETE Act does call for the creation of a registry, à la the existing registry in California that SB 1059 enhances and the Vermont registry, but the DELETE Act registry is mainly focused on deletion and does not force the data brokers to provide guidance on how to exercise privacy rights that CCPA and CPRA give Californians (and obviously these privacy rights are not available to non-California residents given the lack of a federal privacy law). So, for example, the DELETE Act registry does not facilitate the ability for consumers to correct their data, nor does it require the data broker to reveal if they have been breached. Furthermore, SB 1059 has a more expansive definition of what constitutes a data broker (and the DELETE Act has numerous exceptions that SB 1059 does not have) and also of what constitutes personal information, so California’s registry would be more comprehensive even if the Ossoff bill were to pass. Finally, given the powers given to the PPA by California voters, combined with the addition of regulation of data brokers as given to the PPA by SB 1059, there is more comprehensive regulation of data brokers with SB 1059 than what is under the DELETE Act. So, at the end of the day, even if the DELETE Act were to pass, it would be highly complementary to SB 1059.