Tech Firms Silently Kill SB 1059, Bill to Enhance California’s Data Broker Registry

On May 19th, the State Senate Appropriations Committee did not mention SB 1059 — the proposed bill to strengthen California’s Data Broker Registry law by requiring more accountability and transparency from data brokers — in its “suspense file” hearing. In doing such they “silently euthanized” this and other bills that were also not mentioned. The bill is officially labeled as “Held in committee and under submission” meaning SB 1059 is officially dead for the legislative year.  

As documented by Cal Matters, approximately 20% of bills are “victims of the seasonal culling of bills known as the suspense file.” The article added that it is a “opaque process” that is led by the Senate and Assembly appropriations committees and happens with “no explanations in their decisions and, in many cases, no formal announcement at all that a measure was held.”  The results had been pre-determined in private deliberations — i.e., the Hamilton “room where it happened” — and this process “allows legislative leaders to not only shelve proposals that are too expensive, but to also more quietly dispatch those that are controversial or politically inconvenient, particularly in an election year.”

Clearly SB 1059 was likely “politically inconvenient” in light that it had a very small price tag.  That evening Politico mentioned SB 1059 as one of the “notable” bills that “got the boot,” so nice to hear it was considered a “notable” bill but I take no solace in that.  Only a few people will ever know the reason why, if there was a quid pro quo, etc.  This is how the sausage is made.

The next day the main opponent, CalChamber, did a victory lap posting that SB 1059 was one of 7 “oppose bills” that it helped to get killed and explained that “SB 1059 (Becker; D-Menlo Park) would have undermined purpose and efficacy of existing Data Broker Registry with overly broad expansion of the definition of “data broker” that makes it harder for consumers to identify third-party entities selling their information.” 

Motivation Behind SB 1059

What inspired me to draft this bill was reading news reports on how location data was being harvested from apps on phones, sold to data brokers who aggregated that data with other personal data and then were offering to third parties the ability to precisely track a consumer’s movements. It felt wrong that anyone with a credit card could now track who is visiting an abortion clinic, an Alcoholics Anonymous meeting place, a mosque, etc.  Seeing that California’s existing data broker law was not particularly effective, and further inspired by Alastair Mactaggart’s citizen-led approach to writing California’s recently passed privacy law with Proposition 24 (the California Privacy Rights Act), I drafted an upgrade to the current law that would give consumers some more visibility into data brokers that were collecting, sharing and selling their data. 

To be candid, the bill was more of an incremental improvement versus a major oversight measure. In light that no one else was proposing anything at my State level with respect to the problems with data brokers, I figured shining a light on the problem and doing something was better than nothing and incrementalism would more likely pass than a big bang. I was then fortunate to be able to bend the ear of Josh Becker, my State Senate representative, and got him excited about this bill. To Josh’s credit he took it on and introduced the bill in February of 2022 as California State Senate Bill 1059. I started evangelizing the bill and was able to line up supporters among the major privacy advocacy organizations.

So, here’s what I wanted to do with SB 1059:

First, I wanted to give increased visibility to Californians regarding the data brokers that collect, sell, and share their personal information. As previously discussed, I had noted that only 400 of the 4,000 data brokers in the world had in fact registered with California. Part of that reason was that it was clear that some data brokers were looking at the definition of data broker in the California law and saying “well, we technically are not ‘selling’ this data, we actually are ‘sharing’ the data in various ways.”

But of course, they were finding ways to monetize what they were doing and using a perceived loophole to not register. This in fact was the same loophole that businesses were exploiting in the California’s original privacy law (the California Consumer Privacy Act or CCPA) that was specifically closed with the passage of the California Privacy Rights Act (CPRA).  So, like was added in the CPRA, I added the concept of “sharing” to the definition of data broker alongside “selling.”  The proposed definition reads (with changes in italics):  “’Data broker’ means a business that knowingly collects and either sells or shares to third parties the personal information of a consumer with whom the business does not have a direct relationship.”  I figured closing this loophole would increase the number of registrations.  I also thought the fines of $100 per day were low, so I doubled them. So, the goal was first and foremost get data brokers to actually register, and hopefully closer to the 1,000 data brokers that the California DoJ had originally projected would register.

Second, I thought more transparency from data brokers was needed in terms of how Californians can exercise their privacy rights to delete their data, opt-out of sales, etc.  Consumer advocacy organizations such as Consumer Reports had found that many data brokers are putting up roadblocks that impede consumers ability to exercise their privacy rights. So, SB 1059 would force data brokers to be more transparent by requiring data brokers to provide clear instructions on how consumers can exercise their privacy rights to delete, correct, opt-out, know who has purchased their personal data and the limit the use of sensitive personal information.  I also wanted data brokers to also disclose if they have been breached and if they collected, sold or shared information regarding children — data that Vermont’s law asks them for but not California’s. 

Third and final, I wanted SB 1059 to unify the registration and regulation of data brokers under the newly created California Privacy Protection Agency, thereby providing “one-stop shopping” for protecting consumers’ privacy. 

Opposition

The primarily objection the opposition voiced was they did not like the change to the definition of data brokers, saying that the addition of “sharing” would turn “the common understanding of this term [data brokers] both in law and society upside down” and would force more companies who were not data brokers to register as such.

This is kind of a funny argument of this bill turning the world upside down in that the FTC — the nation’s foremost enforcer of privacy rights — explicitly defines a data broker as a business that also “shares” personal information.  Plus, California’s current privacy law had been upgraded to add the concept of “sharing” along with “selling” to impacted businesses, so SB 1059 would simply harmonize with existing law. Even data brokers make it clear in their privacy notices that they actually share your information with third parties, so they flat out admit that they do share, and of course their goal in doing that sharing is to monetize.  And the examples CalChamber used of potentially impacted businesses from this bill were actually of businesses having direct relationships with consumers, versus indirect, so by definition their examples would not be covered by the bill. 

I covered this sell vs. share discussion in a prior blog.  To me the addition of “sharing” in the context of this bill was key to the bill to get more data brokers to not skirt around registration.  If you threw that out, there would be no progress with the core element of the bill which was to improve visibility for consumers in terms of getting data brokers to not loophole their way out of registering. 

On to the Senate Judiciary Committee

The first step in the bill’s journey was on to a hearing with the State Senate Judiciary Committee on April 19, 2022.  The bill did catch what I thought was a momentum boost in that comedian John Oliver had an entire episode on data brokers and their associated threats on his show Last Week Tonight that aired on April 10, nine days before the committee hearing.  And like they do with all bills, the committee staff did publish an analysis of the bill before the hearing, and to me it read very favorable.  The bill passed the Judiciary Committee 9-1. 

On to the State Senate Appropriations Committee

The next step was on to the Appropriations Committee.  The bill moved forward with a 6-1 vote to be put in the “suspense file” which means that the California high-level budget needs to gets sorted out first before passing through the committee.  This happens with bills that spend money.  There was no discussion of the bill, and no one came forward with any support or opposing comments to SB 1059 from the public.  So, the real vote would come in a subsequent hearing on May 19, 2022, to determine if it passed through the Appropriations Committee. 

Silently Killed

So, on May 19th, State Senator David Portantino, Chair of the Appropriations Committee, started his hearing by saying there was not to going to be any comments taken on any bills, as the prior hearing was the time for discussion, and if a bill was not mentioned, then it was to be held in Committee.  Which meant that it was dead for the year.  Then the Committee started flying through dozens of bills.

When it came time to go through Senator Becker’s bills, SB 1059 was not mentioned at all, so it was dead.

Thanks

I would like to thank everyone who wrote letters of support of SB 1059 — including ACLU, Consumer Reports, Consumer Watchdog, Californians for Consumer Privacy, Privacy Clearinghouse, EFF, EPIC and the 5 Rights Foundation.

No doubt the problems associated with data brokers will continue to be looked at in a post-Abortion rights America, as it is continuously discovered that data brokers are selling data on people coming and going into abortion clinics and/or have period tracking apps on their phones, etc.  Hopefully legislation will eventually emerge victorious that better regulates these companies that sell AND share our most sensitive personal information without us even knowing that they are doing that.