How SB 362 Protects Immigrants’ Rights
[Update October 2023: the California Delete Act aka SB 362 was signed into law on October 10, 2023 by Governor Newsom. My analysis of the law can be found here.]
California Senate Bill 362 — the California Delete Act — would create an online portal for Californians to request that registered data brokers delete any data they have on them and no longer track them. It provides a “one-stop shopping” for a Californian to go to a single place and in less than a minute, make this global delete and not track request, versus the alternative of each consumer having to spend at least a hundred hours manually contacting hundreds of registered data brokers on a one-by-one basis.
I have previously given an overview of the California Delete Act and how SB 362 protects reproductive rights. With this blog post, I will discuss how SB 362 protects immigrants’ rights and in part addresses issues with government agencies buying their way around the Fourth Amendment.
Purchase of Data Broker Data on Immigrants
Data brokers are businesses that knowingly collect, sell, and share the personal information of a consumer with whom the business does not have a direct relationship. Because consumers don’t have a direct relationship with data brokers, consumers are often oblivious to who is selling and trading their personal data, as well as have no knowledge of which third parties are acquiring that data and what those third parties are doing with their data. Recent reporting has highlighted some highly problematic invasions of privacy being facilitated by data brokers. For example, The Markup has done an expose documenting how location data is being harvested from apps on phones, sold to data brokers who aggregate that data with other personal data, and then will offer to third parties the ability to precisely track a consumer’s movements.
Government purchase of sensitive personal data — i.e., warrantless searches — from data brokers is common. For example, Ars Technica reported in 2020 that the US Secret Service bought location history data from a data broker firm. The article further noted that “agencies under the Department of Homeland Security — including Immigration and Customs Enforcement (ICE) and Customs and Border Protection (CBP) — have purchased access to cellphone location activity for investigations.” Specific to ICE, it was also reported in 2022 that the agency skirted around state sanctuary laws that restricted its ability to get data from state and local enforcement. Instead, it utilized data brokers like LexisNexis to “provide real-time access to immigrants’ personal data and whereabouts.”
In addition, governments may not even need to purchase location data. Considering the overturning of Roe and some states criminalizing abortions, law enforcement in those states could subpoena from data brokers the personal data of a woman suspected of having an abortion, including location data that may show the woman visited an out-of-state abortion clinic. The same could apply to location data on immigrants and other groups.
Buying Around the Fourth Amendment
Now the Supreme Court held in 2018 that under the Fourth Amendment, the government must obtain a warrant before getting cell phone location data from telecommunications companies. But the purchase of data from data brokers lets the government “buy its way around the Fourth Amendment” as restrictions do not apply to “commercially obtained data,” even for US Citizens.
Federal Proposals Have Gone Nowhere
At the federal level, there have been various calls for the Federal Trade Commission (FTC) to create a data broker registry and further allow consumers to make global deletion requests of data brokers in the registry. For example, Apple’s CEO Tim Cook, said the following in a 2019 TIME Magazine opinion piece: “That’s why we believe the Federal Trade Commission should establish a data-broker clearinghouse, requiring all data brokers to register, enabling consumers to track the transactions that have bundled and sold their data from place to place, and giving users the power to delete their data on demand, freely, easily and online, once and for all.”
A bipartisan federal proposal came out in February of 2022 to provide a “data-broker clearinghouse” suggested by Tim Cook and others. Introduced by US Senators Bill Cassidy and Jon Ossoff and Representative Lori Trahan, the bill is the Data Elimination and Limiting Extensive Tracking and Exchange (DELETE) Act. The bill would “direct the Federal Trade Commission (FTC) to create an online dashboard for Americans to submit a one-time data deletion request that would be sent to all data brokers registered.” In addition, it would also create a “do not track list” to protect registrants from future data collection. Underpinning this proposal is the creation of a federal data broker registry.
In April 2021, several US Senators introduced the bipartisan Fourth Amendment is Not for Sale Act. This bill “closes the legal loophole that allows data brokers to sell Americans’ personal information to law enforcement and intelligence agencies without any court oversight — in contrast to the strict rules for phone companies, social media sites, and other businesses that have direct relationships with consumers.”
As I have covered in my book Containing Big Tech, none of these popular and bipartisan proposals have progressed, thus leaving immigrants and frankly, all of us exposed to being tracked.
California Can Help Address This Problem
In light of the fact that data brokers directly help the government obtain sensitive data about Americans’ activities that the government would otherwise need a warrant for, what can we do? Clearly, issues around the Fourth Amendment need to be addressed at the Federal level.
But at the California state level, we do have a comprehensive privacy law (the California Consumer Privacy Act or CCPA, as amended by Proposition 24 aka the California Privacy Rights Act or CPRA) that gives us the right to delete data collected about us. We also have a data broker registry where data brokers have to register.
But the onus is on the consumer to go to each and every data broker and request the deletion and no longer sell or share their data. This may take 15 to 30 minutes per data broker to initiate this process. With over 400 data brokers registered, the burden is over 200 hours per person. Not practical.
But with the California Delete Act, we build upon the goodness of the CCPA and the data broker registry and give Californians the ability in a few seconds to say to all registered data brokers please delete my data and no longer track me.
So … this means that data brokers cannot sell sensitive geolocation data on you to governments or whomever who has a credit card if the data brokers don’t have the data. Nor can this data be leaked out in a data breach or asked for in a subpoena, because the data no longer exists. So, one way to avoid the skirting around the Fourth Amendment is to have nothing to skirt to.
Summary
The Washington Post documented how the Immigration and Customs Enforcement (ICE) used data brokers to ‘go around’ sanctuary laws and target immigrants. As we know, California cities have sanctuary laws to protect immigrants. We cannot stop data brokers from selling data if a Californian has not said don’t do that, and it is painful for consumers in California to one-by-one make those requests to hundreds of unknown entities. But the California Delete Act provides the ability to address that in a powerful one-stop shopping mechanism and gives Californians a delete button for the first time. To be clear, I am supportive of government agencies getting warrants for valid reaons, but we should not allow government entities to buy its way around the Fourth Amendment, and addressing this at the federal level with the Fourth Amendment is Not for Sale Act and giving Californians an easy way to tell data brokers to delete their sensitive data — including precise geolocation — is the way to go.