California Senate Bill 1059 (aka SB 1059) is a proposed California law that enhances California’s existing data broker registry law by improving visibility and transparency and transfers most of the relevant duties from the California Attorney General (AG) to the California Privacy Protection Agency (PPA). The bill saw its first hearing with the California Senate Judiciary Committee on April 19th, and the bill passed the Committee 9-1 and is now moving on to the Senate Appropriations Committee. Prior to the hearing, opponents of SB 1059 revealed themselves to be various industry groups such as the California Chamber of Commerce, TechNet and the Internet Coalition — groups that receive funding from Big Tech companies such as Meta/Facebook, Amazon, etc.
The opposition brought up four points against the bill, with the first and probably the most significant objection involving the addition of the concept of “sharing” to the definition of data brokers. Namely, they don’t like what is underlined below in the proposed bill:
“Data broker” means a business that knowingly collects and either sells or shares to third parties the personal information of a consumer with whom the business does not have a direct relationship.
In this blog post I will scrutinize their main argument against inclusion of the word share and look at the examples of the “potential” negative impact of SB 1059 that they provided. But first let me give an executive summary of my thoughts on their argument and examples, then provide some background and context, and then get into the nitty gritty details.
The opponents claim that adding the concept of “sharing” to the definition of data brokers will turn “the common understanding of this term both in law and society upside down.” This is not a compelling argument in that the FTC — the nation’s foremost enforcer of privacy rights — explicitly defines a data broker as a business that also “shares” personal information. Plus, California’s current privacy law (the California Privacy Rights Act or CPRA — that California voters overwhelmingly approved in 2020 that upgrades the California Consumer Privacy Act or CCPA) explicitly added the concept of “sharing” along with “selling” to impacted businesses, so SB 1059 simply harmonizes with the CPRA and closes the same loophole that businesses were using to say they did not have to comply with the CCPA. So, law and society are in the camp that data brokers are entities that we don’t have a direct relationship with that also “share” personal information vs. just “sell” it.
Furthermore, their examples of “potentially” too broad of nets being cast by SB 1059 are also not compelling, as the examples given are either of (a) businesses that in fact have direct relationships with consumers (and hence would not be considered a data broker as by definition data brokers have indirect relationships with consumers) or (b) entities not interacting with a third party but in fact acting as a service provider or contractor (so in this scenario the business is also not covered under SB 1059 as the definition of data broker only applies to the context of sharing with third parties).
Thus, it is my opinion that the opponents of SB 1059 are employing a strategy of throwing mud at the wall to get the addition of share either removed or, barring that, watered down. We will talk in the Background section below on why “share” was added.
Background of SB 1059
The data broker industry is what John Oliver calls a “sprawling unregulated ecosystem.” It is comprised of businesses that we don’t have a direct relationship with — and likely have never even heard of — whose business model is to (a) collect vast amounts of our personal data (that may include sensitive data such as precise geolocation, sexual orientation, etc.), (b) profile us, and (c) either sell that personal data OR share our personal data with other companies so we can be targeted and tracked across the web. Recent headlines of a Gay/Bi dating app and a Muslim Prayer app selling data on people’s location to a data broker, as well as a gay priest being outed based on location data bought from a data broker, have put the spotlight on data brokers, culminating in a recent John Oliver exposé on data brokers that gives even more examples.
As the Senate Judiciary Committee’s analysis of SB 1059 writes:
“In order to bring this industry into the light and more fully inform consumers about who is collecting their personal information and how, a data broker registry was established in California law requiring data brokers to register annually with the Attorney General. The data brokers are required to pay a fee and provide certain information about their location, email, and internet website addresses. Responding to concerns that existing law does not do enough to bring this industry into the light and to provide consumers more control over their personal information, this bill expands the definition of data broker, requires more information to be reported, increases the civil penalties for violations, and transfers much of the relevant duties from the Attorney General to the California Privacy Protection Agency (PPA).”
So why expand the definition of data brokers? After AB 1202 passed in 2020 to establish the California Data Broker Registry, the California DOJ estimated that over 4000 data brokers exist and at least 1000 would register, but two years later only approximately 400 have registered. We as Californians are thus deprived of the sunlight into these shadow companies that are selling and sharing our personal data.
Experts believe that under the current data broker law, data brokers can skirt registration, as the current law only refers to an entity that “knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” But many data brokers share information and in turn do not register with California. LawFare said this about data brokers:
“Some data brokers may also offer economic opportunities to businesses through the use of this information, without actually selling the information to the business client—for example, allowing a client insurance firm to run ads through the data broker’s platform, but without ever handing over the underlying data on particular individuals.”
So, in effect data brokers are using this “share” loophole to not register, which was a similar loophole closed by the CPRA. As Consumer Reports noted in its support letter for SB 1059:
“Further, Consumer Reports has found that some companies have sought to avoid the CCPA’s opt out by claiming that much online data sharing is not technically a “sale.” Importantly, Prop. 24 expands the scope of California’s opt-out to include all data sharing. This bill would update the definition of data broker in order to include data sharing, better ensuring that all data brokers are required to register for the registry.”
I will talk more about “share” vs. “selling” in the context of CPRA and SB 1059 in a future blog post, but suffice to say the goal of SB 1059 to include sharing in the definition of data broker is simply to harmonize what the voters of California enacted into law in 2020 and close the same loophole. But let’s get into the nitty gritty details of their objection.
Argument #1: Uncompelling Claim that SB 1059 Turns the Definition of Data Broker Upside Down
Right off the bat they say “SB 1059 incorporates an overly broad definition of “data broker” that turns the common understanding of this term both in law and society upside down” and then further claim that “this expanded definition potentially captures the activities of a business that has a first party (as opposed to third party) relationship with a consumer and that did not sell the consumer’s data to another entity.” The screenshot of this section of their argument is below.
Well, the second half of the above paragraph is easily batted down, in that if a business has a “first party” relationship with a consumer, that means a business has a direct relationship with the consumer. So, this business is not a data broker, as a data broker “does not have a direct relationship” with a customer.
Now let’s look more closely at the claim that SB 1059 “turns the common understanding of this term both in law and society upside down.”
First of all, the definition of a data broker in SB 1059 harmonizes with the definition of a data broker provided by the Federal Trade Commission — that specifically has the word “share” — that was highlighted in John Oliver’s April 10, 2022 show:
The FTC happens to be the United States’ foremost regulator and enforcer of privacy. That definition comes from their landmark 2014 report on data brokers. That report also highlights that data brokers have indirect relationships with consumers:
“data brokers typically collect, maintain, manipulate, and share a wide variety of information about consumers without interacting directly with them.”
In fact, the Senate Judiciary Committee bill analysis also quotes the FTC report where it clearly says data brokers also share:
“Many of these findings point to a fundamental lack of transparency about data broker industry practices. Data brokers acquire a vast array of detailed and specific information about consumers; analyze it to make inferences about consumers, some of which may be considered sensitive; and share the information with clients in a range of industries. All of this activity takes place behind the scenes, without consumers’ knowledge.”
So given the FTC’s role in society vis-à-vis privacy, and that it defines a data broker as an entity that will also share personal information, I am not sure how SB 1059 turns society upside down.
Looking at California law, when AB 1202 was passed into law in 2020 and created our Data Broker Registry, the definition of a data broker just had the concept of “selling” which harmonized with the then current privacy law, California Consumer Privacy Act (CCPA).
But California privacy law has changed with the passage of the California Privacy Rights Act (CPRA) with over 9 million votes in November of 2020. One of the more significant changes was that the CPRA explicitly added the concept of “sharing” along with “selling” to address loopholes that businesses were exploiting to not be covered by the CCPA. For example, Section 8 of the CPRA explicitly gives Californians the “Right to Know What Personal Information is Sold or Shared and to Whom” (where italics represents CPRA’s change to CCPA). Another example is that the “Do Not Sell My Personal Information” link that CCPA requires on the home page of websites has been explicitly changed to “Do Not Sell or Share My Personal Information.” To be clear, both sharing and selling have separate and unique definitions in the CPRA, and SB 1059 explicitly references both definitions, so to state that the definition of “selling” covers what is in the definition of “sharing” in the CPRA is not correct.
The change in SB 1059 to include sharing in the definition of data broker is simply to harmonize what the voters of California enacted into law in 2020 and close the same loophole. So why did CPRA add this concept of “sharing”? Per Alastair Mactaggart, the author of the CPRA, it provided clarification that covers consumers’ expectations, namely if someone wants their information not to be sold, they generally also mean “and also, don’t share my personal information with companies so they can track me and advertise to me.” Contrary to what opponents of SB 1059 claim, in fact the definition of “sharing” is narrow and is only used in the context of cross-context behavioral advertising. As noted in this analysis:
“CPRA introduces “sharing” as an activity different from “selling”. “Sharing” is defined as disclosing, making available, transferring, or communicating a consumer’s personal information to a third party for “cross-context behavioral advertising”, whether or not for monetary or other valuable consideration. The new definition is especially relevant to affiliate advertising networks, advertisers and data brokers in the context of re-targeting and behavioral advertising, in which advertisements are targeted to a consumer based on information derived from information collected about that consumer’s activities across different websites, applications or services.”
Finally, the Senate Judiciary bill analysis does a nice job reminding us that the right of privacy is part of the California Constitution. As noted by the analysis:
“In 1977, the Legislature reaffirmed that the right of privacy is a “personal and fundamental right” and that “all individuals have a right of privacy in information pertaining to them.” (Civ. Code § 1798.1.) The Legislature further stated the following findings … “In order to protect the privacy of individuals, it is necessary that the maintenance and dissemination of personal information be subject to strict limits.”
Although written almost 50 years ago, these concerns seem strikingly prescient.”
Note that it says that “maintenance and dissemination of personal information be subject to strict limits.” Clearly if you “share” or “sell” personal information, you are “disseminating” that information. So, I think the CPRA and the above-quoted 1977 law together show that the addition of “sharing” to the definition of data broker does not turn our laws upside down but is completely in sync with them.
Argument #2: Uncompelling Examples
The section of their letter that gives their examples is shown below. As noted to me by Justin Brookman with Consumer Reports, who testified at the Senate Hearing in support of the bill, the opposition’s examples are not very compelling. E.g.:
- Regarding the example of a website sharing with an ad tech company for a first-party ad: In that case, the ad tech company is not going to be a third party — by definition in California law they’re going to be a service provider or contractor. The data broker registry only applies to sharing with third parties, so this scenario isn’t covered.
- Regarding the example of joint loyalty programs: this too is not limited by the registry. If United has a provision where I can use my United miles to get a room at Marriott, that transfer shouldn’t be covered by this bill — in that case, the consumer will have a direct relationship with both companies, so the transfer isn’t within scope of the bill.
There is not much more to say here, other than that their examples don’t actually poke any holes in SB 1059. They are examples of either businesses that have direct relationships with consumers, or scenarios with service providers and/or contractors, so once you scratch the surface, I just don’t see that their examples prove their point.
SB 1059’s definition of “data broker” with the inclusion of “sharing” is simply consistent with both the CPRA and the FTC and is a commonsense addition that experts such as Consumer Reports believe will provide more visibility into the companies who are collecting, selling or sharing our data and that we don’t have a direct relationship with. Not adding “sharing” to the definition of data brokers will leave the loophole in place and keep the number of data broker registrations far below what Californians should be seeing.