Draft CPPA Regulations Puts Some Heat on Data Brokers

Even with the silent killing of SB 1059 —  the proposed bill to strengthen California’s Data Broker Registry law by requiring more accountability and transparency from data brokers — there is a little bit of good news in terms of regulating data brokers in Californians. The California Privacy Protection Agency (CPPA) has released a draft of its initial Regulations and this draft provides some needed controls and transparency vis a vis businesses selling or sharing data with data brokers.  I will go through the additions to the regulations vis a vis data brokers in this blog post.  For a detail analysis of the changes put forth in the proposed regulations, you can see this write up on how they would change business obligations and enforcement or this high-level writeup.  I will add that as the person who wrote and advocated for SB 1059 and also recently advocated to the CPPA to do more with respect to data brokers, that I want more done vis a vis regulations in this area, but after SB 1059 got shot down I will take any incremental improvements I can get.

Restrictions on Collection and Use of Personal Information vis a vis Data Brokers

The first mention of data brokers is in the context of Section (§) 7002 regarding the “Restrictions on the Collection and Use of Personal Information.”  This section makes it clear that the collection of a consumer’s personal information should be “reasonably necessary and proportionate to achieve the purpose(s) for which the personal information was collected or processed.”  And that the consumer’s explicit consent needs to be had if data is being collected that  “is unrelated or incompatible with the purpose(s) for which the personal information collected or processed.”  And here’s an example they give:

(3) Business C is an internet service provider that collects consumer personal information, including geolocation information, in order to provide its services. Business C may use the geolocation information for compatible uses, such as tracking service outages, determining aggregate bandwidth use by location, and related uses that are reasonably necessary to maintain the health of the network. However, Business C should not sell to or share consumer geolocation information with data brokers without the consumer’s explicit consent because such selling or sharing is not reasonably necessary and proportionate to provide internet services, nor is it compatible or related to the provision of internet services.

This is a great addition, in that now if a business is going to also to also sell data collected to a data broker, they explicitly have to notify the consumer that they plan to do that and get consent.

Requirement for Obtaining Consumer Consent vis a vis Data Brokers

Next, in § 7004, the section on “Requirements for Methods for Submitting CCPA Requests and Obtaining Consumer Consent” it lists out the principles for obtaining consent including making the choice easy to understand and not forcing more steps to “exercise a more privacy-protective option … than the path to exercise a less privacy-protective option.”   Another principle is to “avoid manipulative language or choice architecture” which means “the methods should not use language or wording that guilts or shames the consumer into making a particular choice or bundles consent so as to subvert the consumer’s choice.”  They then give an example involving data brokers:

(C) It is manipulative to bundle choices so that the consumer is only offered the option to consent to using personal information for reasonably expected purposes together with purposes that are incompatible to the context in which the personal information was collected. For example, a business that provides a location-based service, such as a mobile application that posts gas prices within the consumer’s location, shall not require the consumer to consent to incompatible uses (e.g., sale of the consumer’s geolocation to data brokers) together with the expected use of providing the location-based services, which does not require consent. This type of choice architecture is manipulative because the consumer is forced to consent to incompatible uses in order to obtain the expected service. The business should provide the consumer a separate option to consent to the business’s use of personal information for unexpected or incompatible uses.

This is huge in that the agreement to allow the business to sell data to a data broker should not be bundled in with the choice to collect data for the use of the app or website.   So, the consumer has the right to separately give consent if they want their data to be sold to a data broker.  That’s a biggie.

Requests to Correct vis a vis Data Brokers

Next, § 7023 provides clarifications regarding “Requests to Correct.”  On of the regulations is that if a business corrects data based on a consumer request, it needs to ensure the data remains corrected.  Then it gives this example:

(1) Business L maintains personal information about consumers that it receives from data brokers on a regular basis. Business L generally refreshes the personal information it maintains about consumers whenever it receives an update from a data broker. Business L receives a request to correct from a consumer and determines that the  information is inaccurate. To comply with the consumer’s request, Business L corrects the inaccurate information in its system and ensures that the corrected  personal information is not overridden by inaccurate personal information subsequently received from the data broker.

The good news here is that data broker has been found to be very inaccurate — e.g., NATO did an analysis and found that “quantity overshadows quality in the data broker industry” and “that on average only 50–60% of data can be considered precise.” — so this will help in the replication of bad data from data brokers overriding good data.

Requirements vis a vis Service Providers and Data Brokers

§ 7050 that deals with service providers and contractors makes it clear that those entities “shall not retain, use, or disclose personal information obtained in the course of providing services.”  But there are some exceptions, including the ability to improve the quality of its services, but as long as “the service provider or contractor use does not use the personal information to perform services on behalf of another person.”   It then gives this example:

(B) A shipping service provider that delivers businesses’ products to their customers may use the addresses received from their business clients and their experience delivering to those addresses to identify faulty or incomplete addresses, and thus, improve their delivery services. However, the shipping service provider cannot compile the addresses received from one business to send advertisements on behalf of another business, or compile addresses received from businesses to sell to data brokers.

This addition makes it very clear that service providers and data contractors can and should not sell data to data brokers from their work with businesses.

Concluding Thoughts

Do these regulations “fix” the problems we have with data brokers?  No.  We need to first make the data broker registry representative of who is really a data broker and put the regulation of data brokers under a regulatory agency (which was the goal of SB 1059 in California).  We then need to add the ability to create an online dashboard for consumers to submit a one-time data deletion request that would be sent to all data brokers registered — which is the goal of the DELETE Act introduced by Senators Cassidy and Ossoff.  In other words, we need fulfill the vision spelled out by Apple’s CEO Tim Cook who said the following in a 2019 TIME Magazine opinion piece: 

“That’s why we believe the Federal Trade Commission should establish a data-broker clearinghouse, requiring all data brokers to register, enabling consumers to track the transactions that have bundled and sold their data from place to place, and giving users the power to delete their data on demand, freely, easily and online, once and for all.”

But in light that SB 1059 was killed, and the DELETE Act at the Federal level is not making any progress, we should not poo-poo any incremental improvement that we can get. The CPPA’s CPRA regulations provide needed transparency and accountability with respect to the selling to and sharing of data with data brokers by businesses.  To me it is a big deal that a business must separately notify that they plan to sell or share data with a data broker and then separately ask for consent to doing that.  I also like those businesses are on the hook for not allowing data feed in from data brokers to override corrected consumer data.  And it is helpful that service providers are put on notice to not sell data to data brokers.