As my readers know, I have been writing on privacy for a while and even proposed what is now California Senate Bill 1059 (aka SB 1059) that is focused on improving visibility and transparency with respect to data brokers. So, it was fascinating to see on April 10th that John Oliver had an entire episode dedicated to the problems with data brokers and see the huge social media reaction that it got.
In this episode, the Last Week Tonight host discussed in detail the “sprawling, unregulated ecosystem” that lets businesses known as data brokers — entities we don’t have a direct relationship with and frankly have never heard of — collect vast amounts of our personal data (which may include sensitive data such as precise geolocation, sexual orientation, etc.). They then profile us and either sell that personal data OR share it with other companies so we can be targeted and tracked across the web. In this blog post I will discuss the key points that Oliver hit upon and how SB 1059 will help address some key pain points with respect to data brokers.
As noted by the Guardian, Oliver kicks off the episode by discussing
“… the “unsettling moments” that often happen throughout the day online, as we discover that companies are “monitoring our activities a little bit closer than we would like”.”
“He called attention to data brokers, who are part of a multibillion-dollar industry that encompasses “everyone from credit reporting companies to these weird people-finding websites whenever you Google the name of your friend’s sketchy new boyfriend”.
They “collect your personal information and then resell or share it with others” and have once been referred to as the “middlemen of surveillance capitalism”. “It’s a sprawling, unregulated ecosystem”, and looking into what they do and how they do it can get “very creepy, very fast”.”
Oliver provided a clear definition of what a data broker is, taking the definition from the FTC that discusses how data brokers both sell AND share our personal data.
Oliver then gave examples of how what is supposed to be “anonymized” data held by data brokers can become “de-anonymized” pretty fast, and of how easy it was to find out which people were pregnant, had cancer or diabetes, or even had depression — all examples of highly sensitive personal information collected and then sold or shared by data brokers.
He also gave examples of how data brokers were involved in stalking incidents. He then brought up recent headlines about a Gay/Bi dating app and a Muslim Prayer app selling data on people’s location to a data broker, and a gay priest being outed based on location data bought from a data broker.
He also pointed out how data brokers make it a “complex process” for consumers to opt out or delete their data. This echoes Consumer Reports’ comprehensive study in which 543 California residents made Do Not Sell requests to 234 data brokers listed in the California Attorney General’s data broker registry. The survey found the following:
“Consumers struggled to locate the required links to opt out of the sale of their information.”
“Many data brokers’ opt-out processes are so onerous that they have substantially impaired consumers’ ability to opt out.”
“Some Do Not Sell processes involved multiple, complicated steps to opt out, including downloading third-party software.”
“Consumers were often forced to wade through confusing and intimidating disclosures to opt out.”
“About 52% of the time, the tester was “somewhat dissatisfied” or “very dissatisfied” with the opt-out processes.”
Finally, he discusses how Congress has failed to act on a federal privacy law and quite humorously claimed to have a dossier on various Congressmen based on data collected by data brokers.
How SB 1059 Can Help
First and foremost, Californians should have visibility into those businesses with which they have no direct relationship and that may be selling and/or sharing their personal data, including their precise geolocation. After AB 1202 passed in 2020 to establish the California Data Broker Registry, the California DOJ estimated that over 4000 data brokers exist and at least 1000 would register, but two years later only approximately 400 have registered. We as Californians are thus deprived of sunlight into these shadow companies that are selling and sharing our personal data. And based on the comprehensive survey of Californians done by Consumer Reports that I referenced above, many Californians are finding it a “scavenger hunt” when it comes to figuring out how to even get their data deleted from those businesses.
Here’s how SB 1059 addresses the above:
- Provides Californians with better visibility into data brokers that may be collecting, selling, and sharing/trading their personal info. It does this by increasing fines for non-registration and requiring those data brokers that share/trade (vs. just sell as in the current law) to also register.
- Requires more transparency from data brokers in terms of how Californians can exercise their privacy rights to delete their data, opt out of sales, etc. Consumer Reports has clearly documented the struggles consumers face (e.g., a “scavenger hunt”) to exercise their rights; the bill requires data brokers to provide specific instructions on how to delete, opt out, etc.
- Gives Californians additional privacy rights including the right to know if a data broker has been breached as well as if the data broker collects/sells/shares data regarding minors. Knowing if a data broker has been breached is a key privacy right being added that will significantly help consumers know if they are at risk for identity fraud.
- Unifies the registration and regulation of data brokers under the Privacy Protection Agency, thereby providing “one-stop shopping” for protecting consumers’ privacy. This addition of the ability to regulate data brokers is new and can be a powerful future path to protecting consumers. And having oversight of data brokers in the PPA should also increase registrations.
Can more be done? Sure, but SB 1059 takes a major step forward: it improves visibility into the data brokers out there (where we are currently mostly in the dark), greatly improves transparency regarding how to exercise our privacy rights, and centralizes registration and regulation under a privacy-centric agency.
Once you have these pieces in place, then there can be additional steps taken, but my philosophy is let’s not make perfect the enemy of pretty good. Let’s move the ball forward in a meaningful way, take our wins, and press on.
And frankly, once State Senators and Assemblymembers see the John Oliver segment on Data Brokers, they will want to pass SB 1059 and look to do more, which is the good news.
Californians have direct relationships with businesses such as Google and Uber, and we give them explicit permission to collect, for example, our precise geolocation (e.g., to give us directions or drive us from point X to Y). And if we no longer want these companies to continue to have our past precise geolocation information (e.g., they dropped us off at a site that hosts AA meetings or a cancer clinic or a Mosque, etc.), we can tell them to delete that data because we know they have our data.
But what about the businesses we have no relationships with — and have never even heard of — that are either selling or sharing our precise geolocation information to track and advertise to us because we visited any of the above locations? We have no clue who these businesses are, and I think all Californians would like the basic right to have visibility into who may be brokering their most sensitive personal data, so we can potentially contact them to exercise our privacy rights. And if we do contact them, those businesses should be transparent and not obfuscate, but instead provide clear instructions that let us see if they have our data and, if yes, let us delete it.
John Oliver does a great job of comprehensively showing the problems with respect to data brokers, and SB 1059 takes a good step forward in addressing some of these problems and lays the foundation to solve others down the road.