Top Arguments For/Against California SB 362
[Update October 2023: the California Delete Act aka SB 362 was signed into law on October 10, 2023 by Governor Newsom. My analysis of the law can be found here.]
Data brokers have woken up and now realize that California Senate Bill 362 — the California Delete Act — may have a chance to become law after it has passed the California Senate and is now before the Assembly Appropriations Committee. So, naturally, data brokers are now very actively lobbying against it.
So, what is SB 362? SB 362 would create an online portal for consumers to request that data brokers delete any data they have on the consumer and no longer track them. It builds upon California’s existing data broker registry law, the California Consumer Privacy Act (as amended by Proposition 24, the California Privacy Rights Act), and California’s inalienable right to obtain and pursue privacy which was added in the early 1970s to our State Constitution.
In this blog post, I will look at data brokers’ leading argument that SB 362 somehow will “destroy” California’s “data-driven economy” and compare that to the argument for SB 362.
But First, Just What Are Data Brokers?
Data brokers are defined in SB 362 as the following:
“Data broker” means a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.
The key thing to point out is that this only applies to a very narrow set of entities. In fact, approximately 500 companies worldwide (based on the current number of data broker registrations we have here in California). Here’s why:
Because we as consumers don’t have a direct relationship with data brokers, that means that they are, for the most part, nameless and faceless entities that scoop, scrape, and otherwise collect our personal data. So, one must understand that the vast majority of businesses don’t fall into that category, as we interact directly with those businesses through visits to their websites and brick-and-mortar stores, we use their mobile apps, etc. So, this applies to a narrow band of businesses.
And data brokers are also further defined as businesses that explicitly sell our personal data to third parties. You, me, and all consumers are in effect the products they sell. Not all businesses that we have an indirect relationship with will turn around and sell our data.
And to further clarify, the definition of data broker solely references personal information as the type of data the bill cares about. That is a defined term under CCPA/CPRA. Personal data uniquely identifies you and also includes sensitive personal data such as social security, driver’s license, state identification card, or passport number. It also includes our precise geolocation and our racial or ethnic origin, religious or philosophical beliefs, or union membership. Plus, our genetic data. Many businesses may collect vast amounts of data, but their focus may be operational or non-personal data, so they are excluded.
Finally, a “business” is further defined as an entity greater than $25 million (or has certain thresholds of data being collected) and given that the definition includes this concept of indirect relationship plus the other items mentioned, this bill does not apply to the vast majority of most small-and-medium businesses in California. Thus, this bill applies to only a very narrow slice of companies in the entire world.
Under the Spotlight
Data brokers and their practices are certainly under the spotlight. Just today, the White House hosted a roundtable on harmful data broker practices. As Consumer Financial Protection Bureau (CFPB) Director Rohit Chopra noted:
“Reports about monetization of sensitive information—everything from the financial details of members of the U.S. military to lists of specific people experiencing dementia—are particularly worrisome when data is powering ‘artificial intelligence’ and other automated decision-making about our lives.”
And just recently an internal Office of the Director of National Intelligence report revealed that numerous US Federal government agencies have been purchasing “vast amounts” of U.S. citizens’ personal information from data brokers. This followed recent reporting that researchers in 2023 found a spreadsheet on ad platform Xandr’s website that, per The Markup, “revealed a massive collection of “audience segments” used to target consumers based on highly specific, sometimes intimate information and inferences.” Their analysis of this database of 650,000 audience segments — populated by data obtained from data brokers — showed that:
“The trove of data indicates that advertisers could also target people based on sensitive information like being “heavy purchasers” of pregnancy test kits, having an interest in brain tumors, being prone to depression, visiting places of worship, or feeling “easily deflated” or that they “get a raw deal out of life.” Many of the Xandr ad categories are more prosaic, classifying people as “Affluent Millennials,” for example, or as “Dunkin Donuts Visitors.””
And of course, over the last few years, there has been plenty of reporting of these data brokers selling and sharing very sensitive personal data such as our location (e.g., people going to/from abortion clinics), what types of healthcare apps we have installed (e.g., pregnancy trackers), our religion (e.g., people who have a Muslim prayer app installed), our sexuality (e.g., if you are using a gay/bi dating app), etc.
Legislative Responses
Not surprisingly, legislation is being considered at the federal and state level to better regulate data brokers and allow consumers to take control over their personal data. Proposal at the federal level includes the DELETE Act (proposed by Senators Cassidy and Ossoff — so a bipartisan proposal — and in part what the California Delete Act is modeled on) and the Fourth Amendment is Not for Sale Act. The latter was reintroduced in the 2023 legislative session and in mid-July passed its first test by passing through the House Judiciary Committee. This bill would prevent government agencies from buying phone location data and other sensitive data from data brokers and thus circumventing the need to get a warrant. And there are rumblings that a bill is being proposed that would allow members of Congress and their staff and family (versus the general public) to “delete” themselves from data brokers ala the California Delete Act.
And at the State level, besides California SB 362, the Massachusetts legislature is considering as of July 2023 a bill that would ban the sale of residents’ mobile location data.
Data Brokers' Top Argument Against SB 362
The lead argument from data brokers to “say no to SB 362” is that California is a “data-driven economy,” and if you give consumers rights that make it easy for them to delete their data, this could “easily destroy its data-driven economy and negatively impact everyone in the marketing ecosystem, consumers included.” So, in sum, and quoting them directly, “third-party data sources” are the “lifeblood” of our economy, and please don’t stop the blood flowing.
Rebuttal
Somehow, I think the only industry that thinks that data brokers are the “lifeblood” of the US or California economy is the data brokers themselves. And no doubt telemarketers, when faced with legislation that would create the FTC Do Not Call registry (which the California Delete Act also drew inspiration from), spun a similar story about how critical unsolicited cold calls at our dinner time were to our economy.
But unlike telemarketing, we now see an explosion of weaponization of data as I documented above and in blog posts regarding the risks of data brokers vis a vis immigrant rights, domestic violence survivors, reproductive rights, and kids’ online safety. So, the stakes are actually much higher than with telemarketers.
So as much as they may spin this will cut off all “data,” this bill only applies to our personal information. It does not include publicly available information or data about socks or cats or cows or wind turbines or stock trades or the solar power being generated on a roof. If they truthfully said this would impact the “personal data” driven economy — where our most intimate personal data is sold to anyone with a credit card — then it would be more of an accurate description and would get limited sympathy. So, we get this sleight of hand of abstracting regulations around personal data to entities that we don’t have a direct relationship with to the broader “data” economy as a whole.
Furthermore, even when it comes to personal information, the supporters of the bill have put forth amendments that will be incorporated into the bill by the time it is voted on in the Appropriations Committee that provides for all the exemptions regarding personal information collection that the tech industry has previously negotiated through the years. Specifically, Section 1798.145 is now cross-referenced in SB 362. This means that the type of personal data covered under the Fair Credit Reporting Act, HIPAA, GLBA, Farm Credit Act, Driver's Privacy Protection Act, the Federal Policy for the Protection of Human Subjects, etc. is exempted. So, what they are also not telling you is that this bill not only involves personal data (vs. all data), and very few companies, but only a subset of personal data involving things like our precise geolocation.
The point is that they are putting their thumb on the scale, and if they truly described what data gets impacted and who gets impacted, it would be a significantly less compelling argument. But they are obfuscating by claiming this impacts the entirety of the economy.
Top Argument for SB 362
So, let’s get to the core of SB 362 and also discuss what our society should prioritize. Consumer frustration with the use of personal data, especially by data brokers, has reached a fever pitch. Consumers do want privacy protection. For example, in 2020, over 9.3 million Californians voted Yes on Proposition 24, the California Privacy Rights Act (CPRA) that upgraded the CCPA. [Full disclosure: I was a full-time volunteer on this campaign.] Which is more votes than the population of 10 US states, and Prop 24 got more votes than Barack Obama or Hillary Clinton got in California in prior elections. And when allowed to block third-party tracking, 96% of Apple users turned on App Tracking Transparency.
The problem is that when it comes to getting our personal data deleted from data brokers, it is virtually impossible. Here’s why:
CCPA/CPRA says that a consumer can request deletion of data "which the business has collected from the consumer." But per the definition of data broker, all the data they have on us was not collected “from” us, they collected it indirectly, so they are not actually obligated to delete the personal data they have on us.
There are 500 registered data brokers in California. It may take 20-30 minutes for a consumer to contact one data broker and go through the deletion request process, which has been in the past described as a “scavenger hunt.” Does anyone have time to spend 500 x .5 hours = 250 hours to get their data deleted? That’s 10 full days of work.
The deletion request is effective at the time of the request. Any new data that a data broker gets on a consumer after the deletion request can be kept and sold. So, the consumer has to rinse and repeat say every 6 months or so. Note that a big source of data brokers’ data is from other data brokers, so it is very possible that data brokers can play shell games and sell data back and forth amongst themselves, so deletion requests become moot as new imports of data override any deletion request.
To quote the bill analysis by the Assembly’s Privacy Committee:
“First, in order to ensure data broker deletion of their personal information, a person would have to direct a deletion request to every business that has ever collected personal information about them. Compiling such a list is likely an impossible task. Second, as discussed … deletion requests are only effective at the point in time they are made; once new personal information about the consumer reaches a data broker, it can resume using and selling information about the consumer.
The analysis summarizes the core of SB 362 with this statement:
“In sum, it hardly matters that one has deletion rights if, as a practical matter, no one can exercise them where data brokers are concerned.”
This bill addresses these issues and makes what is currently “impossible” to be possible, in a simple and easy-to-use portal. There is also flexibility in the bill for consumers to select and unselect what brokers are selected.
But let’s not make this abstract, for whom is the current situation “impossible” for?
A woman visiting a Planned Parenthood and not wanting her location data sold or her use of a period tracking app also being up for sale.
A person with a medical condition like cancer or depression not wanting their health care data being sold.
A domestic violence survivor not wanting their current address posted on the dozens of people search websites.
A cop, judge, or county official not wanting to be doxxed.
A regular person like me who finds it creepy that I am not able to limit the use and distribution of my personal data by 100s of entities that I have not chosen to have a business relationship nor consented to their collection of my personal data.
Summarizing the Arguments
So, we need to ask ourselves, what is more important, having the ability to actually see our constitutional privacy rights be fulfilled? Because again, the current situation is that it is “impossible” as “it hardly matters that one has deletion rights if, as a practical matter, no one can exercise them where data brokers are concerned.” SB 362 makes it easy to exercise the privacy rights we have been granted by the CCPA/CPRA and state constitution, much like the Do Not Call registry makes it easier to say no to telemarketers (and over 250 million Americans have signed up for it, so it is very popular).
Or is it more important to have our intimate personal data continue to be collected by unknown entities and sold to anyone with a credit card, all in the name of what is really a smaller “personal data-driven” industry involving ~500 companies (vs. the entire economy that they are trying to convince us is impacted), but with no reasonable or effective ability to say please delete my data as I don’t want to be your product?
I will close with the observation that in the recent past, we as a society decided to limit telemarketing with the Do Not Call list — to restrict those with whom we don’t have a direct relationship from calling us. At least telemarketers were trying to sell us a product, but with data brokers, we and our most sensitive data are the product. The stakes are much higher today in terms of how data can and is being weaponized versus an annoying phone call during dinner.