Data Broker Industry Plans to Use Californians’ Data to Challenge Bill That Threatens Their Industry
[Update October 2023: the California Delete Act aka SB 362 was signed into law on October 10, 2023 by Governor Newsom. My analysis of the law can be found here.]
I have written a lot about the California Delete Act — Senate Bill 362 (SB 362) — that would create an online portal for consumers to request that data brokers delete any data they have on the consumer and no longer track them. It builds upon California’s existing data broker registry law, the California Consumer Privacy Act (as amended by Proposition 24, the California Privacy Rights Act), and California’s inalienable right to obtain and pursue privacy which was added in the early 1970s to our State Constitution.
I have been hitting on two main themes with respect to California SB 362. The first is that data being collected by data brokers is increasingly being weaponized. I have documented some of the risks of data brokers vis a vis immigrant rights, domestic violence survivors, reproductive rights, and kids’ online safety. So, there is increased awareness by consumers and politicians that we as a society probably don’t want all this sensitive personal data of our sloshing around and being bought and sold, e.g., data brokers are selling lists of people with dementia or using adult diapers.
The second major theme is that, and, to quote the California Assembly Privacy Committee, it is impossible for a consumer to get their data deleted from the 500 data brokers registered in California. The staff committee wrote:
“In sum, it hardly matters that one has deletion rights if, as a practical matter, no one can exercise them where data brokers are concerned. But deletion is a must if one is concerned with protecting oneself from the risks set forth above. Even if one were to instead, say, exercise the CCPA right to opt-out of sale or sharing of personal information by a data broker, one would still have to (i) exercise that right 496 times and (ii) continually monitor the data broker registry for new data brokers with which to submit “opt-out” requests. This would be a difficult task for most people, and likely impossible for those who urgently need to safeguard their privacy, such as domestic violence victims. It would also require faith that no data broker holding one’s information were ever the victim of a data breach.”
So it was very interesting to see that Politico came out with an article today documenting how an “Ad giant plans to use people’s data to knee-cap bill regulating data.” For example, the CEO of the data broker firm Acxiom was quoted in the article as in effect saying in an internal email that “Acxiom would provide data to target the ad campaign against SB 362.”
This means that data brokers are planning to use Californians' data to lobby against Californians being able to more easily delete their data.
So, we now have a new “weaponization” to draw attention to — that these companies will use the data they collect to stop bills that threaten their industry.
As the reporter of the article noted in a Tweet,
“The campaign raises concerns about how ad companies can use people's personal data that they've collected to challenge legislation that threatens their industry.”
Another way to look at it as I put in a Tweet:
SB 362: We believe data brokers' data is being weaponized & it is hard for you to get your data deleted.
Data Brokers: we plan to weaponize your data to convince you that a bill that makes it easier to delete your data should not be passed.
The reality is that data brokers’ top argument for “no to SB 362” is easily knocked down. But when you drill down to their main technical argument, that SB 362 is “duplicative of rights already afforded Californians” that also falls flat. The reality is that when it comes to getting our personal data deleted from data brokers, it is virtually impossible. Here’s why:
CCPA/CPRA says that a consumer can request deletion of data "which the business has collected from the consumer." But per the definition of data broker, all the data they have on us was not collected “from” us, they collected it indirectly, so they are not actually obligated to delete the personal data they have on us.
There are 500 registered data brokers in California. It may take 20-30 minutes for a consumer to contact one data broker and go through the deletion request process, which has been in the past described as a “scavenger hunt.” Does anyone have time to spend 500 x .5 hours = 250 hours to get their data deleted? That’s 10 full days of work.
The deletion request is effective at the time of the request. Any new data that a data broker gets on a consumer after the deletion request can be kept and sold. So, the consumer has to rinse and repeat say every 6 months or so. Note that a big source of data brokers’ data is from other data brokers, so it is very possible that data brokers can play shell games and sell data back and forth amongst themselves, so deletion requests become moot as new imports of data override any deletion request.
To quote the bill analysis by the Assembly’s Privacy Committee:
“In sum, it hardly matters that one has deletion rights if, as a practical matter, no one can exercise them where data brokers are concerned.”
This bill addresses these issues and makes what is currently “impossible” to be possible, in a simple and easy-to-use portal. And it will reduce the weaponization of our data, for which we now have a new example.