APRA Falls Way Short of California When It Comes to Regulating Data Brokers
[Update 4/18/24: Many of my critiques in this blog post were echoed in the first APRA hearing on April 17, 2024. For example, Rep. Pallone said, “Without such a provision [universal deletion mechanism], consumers who don't want brokers retaining and selling their data would have to visit hundreds of data broker websites and opt out of each one." See also this article on legislators thinking APRA’s data broker provisions are “too weak.”]
The need to better regulate data brokers is a top privacy focus in the United States, as evidenced by recently proposed federal legislation to stop them from selling to foreign adversaries, the Biden Executive Order looking to do the same, and FTC “crackdowns” on data brokers selling location data. This focus makes sense given recent data broker headlines such as the sale of chemotherapy patients' data to cremation companies, the disclosure of 600 Planned Parenthood clinics' visitor lists to anti-abortion groups, and the unauthorized sharing of military personnel's sensitive health information with foreign entities. So, we should definitely judge any new federal privacy law proposals — such as the recently announced American Privacy Rights Act (APRA), which its co-authors say is “stronger than any state law on the books” and preserves “those standards that California” and other states have — in the context of how well do they regulate data brokers given the above.
So I did, and comparing the APRA “discussion draft” to current California law “on the books” vis-à-vis data brokers reveals that APRA, in its current iteration, falls far short of what California offers (i.e., the California Delete Act). This, in turn, calls into question APRA boosters’ argument that we should accept APRA’s preemptions of state privacy laws because APRA is so much “stronger” than existing state laws. But it isn’t, at least in its current form and especially in this important area of privacy, and no doubt others will document how it falls short in other areas, so a key argument for accepting preemption in APRA is negated. Thus, one could plausibly argue that if a supporter truly thinks APRA is really the best across the board, then those supporters should not be afraid of removing preemption from it.
Below is an executive summary of APRA versus the California Delete Act, followed by a more detailed analysis. I will then close with some thoughts on preemption. But first, I will answer a question I have gotten from reporters: Does the Delete Act go away if APRA passes? And BTW, for those who don’t know me, my analysis is based on my experience advising state legislators and civil groups on two of the four State data broker laws in the United States (Texas SB 2105 and California SB 362).
Will the California Delete Act Go Away with APRA?
Yes. For two reasons
The Delete Act is an extension of the CCPA. It fully leverages CCPA’s definitions, exemptions, regulations (e.g., for authorized agents), and even the enforcement agency (the California Privacy Protection Agency or CPPA) created when the CCPA was amended by voters with Proposition 24. So, if APRA preempts CCPA, then the framework that the Delete Act is based on goes away, and the Delete Act can't stand alone; and
The proposed data broker registry in the APRA conceptually overlaps with the Delete Act's registry. Therefore, APRA preempts the Delete Act's registry, which is the basis for the deletion mechanism found in the Delete Act.
So, if APRA passes, CCPA and the Delete Act will all disappear. It will also likely be challenging to determine what small pieces of these significant pieces of legislation could remain in an APRA world and no doubt there would be litigation by industry if California tried to continue any of the pieces.
Executive Summary of APRA versus California Delete Act
APRA in its current form (as introduced as a draft discussion document) is not even in the same league as the California Delete Act when it comes to regulating data brokers:
The Delete Act does what it says – “DELETE” – via its accessible centralized deletion mechanism which APRA does NOT do with its registry and “Do Not Collect” directive.
The Delete Act is NOT chockful of loopholes that APRA is full of, meaning APRA’s loopholes will result in hardly any data brokers registering compared to the nearly 500 data brokers whom the Delete Act will initiate deletion requests on behalf of consumers. For example, data brokers under APRA will exploit the service provider loophole that California has closed. Because there will be very few registrations under the APRA, this means consumers will not truly be able to take advantage of APRA’s "Do Not Collect" directive for the vast majority of data broker entities that collect and sell their data.
The Delete Act has significant transparency reporting requirements that data brokers must adhere to (e.g., do they collect and sell the personal data of kids), while APRA leaves consumers in the dark.
The Delete Act supports the concept of authorized agents with robust regulations in this area, while APRA’s “Do Not Collect” directive is unclear if it does. Thus, under APRA, individuals or third parties would likely be unable to initiate a “Do Not Collect” directive on behalf of others (e.g., kids, elderly parents, and other vulnerable members of society).
It has such a long way to go that I would be surprised if it can truly evolve in this legislative cycle into something that is even in the same zip code as the Delete Act. But let’s get into the nitty-gritty details.
Detailed Comparison
The APRA, in its current form, is a massive step back in regulating data brokers compared to the California Delete Act, and it makes me truly wonder if the drafters were even aware that California has significantly and rapidly innovated in this area (and in other areas of privacy, including the CPPA’s recent regulatory work). Below are four concrete reasons why APRA is not at the Delete Act’s level by any objective measure:
#1 APRA has no CENTRALIZED deletion MECHANISM.
APRA has a “Do Not Collect” directive in Section 12 – “any registered data broker shall ensure that the data broker no longer collects covered data related to such individual without the affirmative express consent” – which the Delete Act also has as part of a consumer’s request to delete via its centralized portal. However, APRA does not delete any data on behalf of consumers via its “Do Not Collect” mechanism, which the Delete Act does do. So, existing reams of personal data that data brokers have on consumers can still be sold and/or transmogrified via AI. And consumers’ data will be at risk if a data broker is hacked, as the data still sits there.
That’s my explanation, but if I am not clear, here is how Emory Roane from Privacy Rights Clearinghouse describes the differences:
“The centralized consent mechanism in APRA only lets consumers opt out of further data collection. It's missing the key piece — a centralized way to delete the data brokers already have on you, which is what the Delete Act provides. The Delete Act mandates deletion and an opt-out preference signal wrapped up in one, or at the very least an opt-out preference signal if brokers claim they can't fulfill a deletion because they can't identify the user. Thus APRA’s "Centralized Consent and Opt-out Mechanism" is, on its face, weaker than what is required under the Delete Act.”
Louis Brandeis defined privacy as the “right to be left alone,” and it is hard to be left alone if your personal data is still in the hands of hundreds of data brokers and can still be sold. And yes, under APRA and under CCPA, a consumer can certainly go to each and every data broker and make a deletion request. But does anyone think that a consumer (e.g., a domestic violence survivor who does not want their current address to be known) will have the time and patience to contact hundreds of data brokers to make those requests? This problem was the fundamental issue that the California Delete Act solved and why it passed so lopsidedly. And given the loopholes I describe below (service provider, under 50% revenue doing data brokering, etc.), the APRA data broker registry will be barely populated compared to the California data broker registry, so Americans under APRA will be in the dark regarding who is a data broker and whom even to contact to request deletion on a painful one-by-one manual basis. APRA is not in the same ballpark compared to the accessible deletion mechanism under the California Delete Act that lets a consumer make a single request in an easy-to-use web form and then have their data deleted from approximately 500 data brokers once and for all, i.e., APRA’s “Do Not Collect” mechanism is not at all comparable to the Delete Act’s “accessible deletion mechanism.”
#2 APRA has many significant loopholes that would result in the vast majority of data brokers not even registering, so the “do not collect” directive becomes moot for the vast majority of data brokers.
Not all registries are equal. Below are several examples of loopholes in APRA that would result in the vast majority of data brokers not registering. None of these loopholes exist under the Delete Act. So even if you think deletion is not a big deal in light that data brokers can no longer collect our data, if the vast majority of data brokers don’t have to register because of loopholes, then consumers really can’t take advantage of this “Do Not Collect” directive option that APRA gives you.
First, the definition of data broker in Section 2 of APRA “means a covered entity whose principal source of revenue is derived from processing or transferring covered data that the covered entity did not collect directly from the individuals linked or linkable to such covered data.” Which means that if a large conglomerate categorizes itself as a “covered entity” and has 49% of its revenue doing data brokering, it does not have to register and therefore no “do not collect” directive would ever apply to them. The California Delete Act does not factor in what % of a business is doing data brokering, so if a business is doing data brokering, it must register with the CPPA and then fall under the deletion mechanism.
Second, the APRA says that the term ‘‘data broker’’ does “not include an entity to the extent that such entity is acting as a service provider.” This reintroduces the “everybody is a service provider loophole” that was closed under CCPA. So, we will see that data brokers will say they are service providers for all their customers and tweak their contracts to portray themselves as such. Thus, there will be no registration and opt-out directive. Others have spotted this as a glaring sore thumb, e.g., Shoshana Wodinsky’s tweet here and this article from The Drum.
Third, APRA has a huge data broker loophole for “large data holders” that transfer personal mailing/email addresses or phone numbers. Companies that do this are exempt under APRA. Under California law, email addresses and phone numbers are part of personal data, so California has no exemption for vendors such as data brokers who collect and sell both. Others noticed this, too: Zach Edwards tweeted this out here, as did Shoshana Wodinsky here.
Fourth, APRA has low fines for data brokers not registering. Data brokers will pay the $10k fine for not registering and be done with it. And there appears to be no fines for not fulfilling the “do not collect” directive. The Delete Act has CPPA as the enforcement agency that can levy significant fines. Specifically, $200 for each deletion request that data brokers blow off. Say a data broker under the Delete Act blows off 100,000 deletion requests. The fines will be huge. The APRA lacks significant fines concerning data brokers to encourage compliance. See also Zach Edwards’ tweet here.
Given the above, the result is that you will have very few opt-out directives occurring with the APRA. Contrast this with up to 40 million Californians deleting all their data from approximately 500 data brokers under the California Delete Act, with the opportunity for more states to join in by enacting their own Delete Act.
#3 The APRA lacks any reporting requirements by data brokers, thus leaving consumers in the dark about their data collection practices and responses to consumer requests.
APRA does not have the transparency reporting that the Delete Act has, which is critical for consumers to know which data brokers are collecting sensitive data about them. For example, the Delete Act forces data brokers to reveal if they collect data on minors, reproductive health, geolocation, etc. This is documented in a central location (the registry), as opposed to forcing consumers to visit and read hundreds of privacy policies to figure this out. For example, thanks to the California Delete Act, parents now know that over two dozen data brokers self-reported to the California Privacy Protection Agency that they collect and sell the personal data of minors, thus allowing consumers to prioritize whom they want to delete their kids’ personal data from. APRA just asks for generic information (website, mailing address, etc.) upon registration, and forces consumers to hunt and peck at hundreds of privacy policies to figure out who is selling kids’ data, who is tracking precise geolocation, who is selling reproductive health data, etc.
Also, under the Delete Act, data brokers must annually report the number of deletion requests they received, processed, etc., and get audited for these numbers every few years. None of these valuable self-reporting metrics that give consumers needed transparency is required of data brokers under the APRA.
Emory also noted this:
“The required reporting metrics in this bill (Sec. 5.(f)) only apply to large data holders, not all data brokers. It's a much weaker level of transparency than what the Delete Act provides. There is a sub-issue of this: Because this is separate from the data broker registration requirements and only applies to large data holders, there's no requirement that these reporting metrics be sent to anyone, just hidden on the website or privacy policy. This divorces it from the data broker registry, making it harder for consumers to decide where/when to opt-out/exercise privacy rights.”
#4 APRA’s “do not collect” directive does not support authorized agents.
The California Delete Act and the CCPA support authorized agents who can assist people in initiating deletion requests and opt-out requests. Authorized agents can be individuals (e.g., a parent for a child, or an adult child for their elderly parents) or business entities who offer value-added privacy and cybersecurity solutions. This is important as there are vulnerable members of our society who may not feel comfortable directly interacting with data brokers or may not have the wherewithal or capacity to do so and would want help.
APRA does not mention authorized agents in the context of its “Do Not Collect” mechanism (i.e., it just refers to an individual making a request), so it is not clear that it would support this concept. Furthermore, the CPPA has a robust set of regulations on authorized agents that the APRA does not have.
I am probably missing a few other major points, but just with these points above, APRA, as currently drafted, is not at all equivalent to the Delete Act when it comes to regulating data brokers. APRA would be a major step backward by creating an incredibly low ceiling with respect to putting guardrails on data brokers and would result in huge numbers of data brokers continuing to fly under the radar and sidestep consumers' desires to stop having themselves surveilled and their data deleted.
Some Misc. Thoughts on Preemption
APRA will also stop states from innovating and coming out with new privacy laws that protect their residents. For example, we see states right now considering copying the robust capabilities of the Delete Act (e.g., Connecticut) but that ability would be taken away from them with APRA because of preemption. Here are some further thoughts on preemption:
California has always led when it comes to consumer protection — aka the "California Effect" — and I am very concerned that neutering California is not a good thing in the long run for not only citizens in California but also the entire US. I agree with this quote from Justice Brandeis: “it is one of the happy incidents of the federal system that a single courageous state may, if its citizens choose, serve as a laboratory; and try novel social and economic experiments without risk to the rest of the country.” i.e., I believe that states should be the laboratories of Democracy when it comes to consumer protection, which California has historically done for the betterment of the nation (e.g., auto emissions). Shutting down this laboratory in the new world of AI is not a good thing to do.
The APRA takes a ceiling approach (vs. a floor approach) to consumer privacy. This is in stark contrast to other Federal consumer protection legislation, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA), and the Health Insurance Portability and Accountability Act (HIPAA). Why is this precedent being thrown out for something so consequential?
Federal privacy laws have a history of not getting updated, which is bad for consumers in this fast-moving technology area. We are entering an era of massive technological innovation, and we need speed and flexibility in our laws to keep up, which Congress has historically yet to show an ability to do so. For example, Congress has either been years late or missing in action on privacy, regulating social media, kids’ online safety, disinformation, etc. California, on the other hand, is rapidly innovating and iterating, with multiple privacy bills being passed each year, and the CPPA is now fully online and creating rich and robust regulations and enforcement advisories.
We have seen the massive amounts of lobbying by large tech firms in DC to historically bottle up progress on privacy and antitrust and other matters, while the same lobbying groups have, in many cases, lost comparable battles at the State level. A case in point is … the California Delete Act, which was able to pass despite fierce lobbying by tech groups, while the comparable federal DELETE Act has not progressed. Another example is the recent passage of the Maryland Kids Code (hopefully to be signed soon by the Governor), while the federal Kids Online Safety Act (KOSA) still lingers.
I know the counterargument will be, “What about folks in XYZ state that don’t have a privacy law … this is the only way we can get it for those states’ residents,” etc. Sorry, I don’t do Faustian bargains. And isn’t this on state legislators to meet the needs of their constituents? And why do 40 million Californians need to lose their robust rights that are expanding every year through constant iteration so the entire nation can be given lesser rights that would let data brokers — one of the biggest privacy issues we face — run amok and also knowing that it is likely we can never gain more rights in a timely manner? No thanks.
I do truly appreciate the effort to develop a federal privacy law, and I hope APRA improves and ditches preemption. Now that would be awesome.