APRA Draft 2 Still Falls Far Short of California’s Data Broker Law
The US House Commerce and Energy Committee released “version 2” of the discussion draft of the American Privacy Rights Act (APRA) on May 21st. Even though this V2 draft added a consumer-facing global data deletion mechanism to its proposed data broker registry — which Reps. Pallone and Trahan had loudly criticized the V1 draft for not having — the current V2 draft favors the data broker industry so greatly that consumers will not be able to fully exercise the APRA rights granted to them with respect to data brokers. I will walk through where APRA V2 yet again falls way short of the California Delete Act and how V2, in fact, favors the data broker industry over consumers.
Here are the 5 ways that APRA V2 falls short of the California Delete Act:
1. APRA V2 has no fines for data brokers that do not register and no fines for not abiding by Do Not Collect or Delete My Data requests. Given the above, why would any data broker even bother to register, let alone fulfill a request initiated through the APRA data broker registry? Contrast the California Delete Act, which has a $200 fine for each deletion request that a data broker blows off. Say a data broker under the Delete Act blows off 100,000 deletion requests. The fines will be huge. Yes, in theory, consumers have a private right of action under APRA, but it is expensive for the average consumer to exercise such a right, and given the opaque nature of data brokers, they won’t know whether the data broker actually processed their requests or not.
As you can see from this IAPP comparison document of V1 and V2, the penalties in V2 were completely nuked, a major gift to the data broker industry to let them ignore the Do Not Collect and Delete My Data requests. My prior criticism was that the fines were too low, so instead of raising them, they eliminated them!
2. APRA V2 blocks vulnerable members of our society from getting assistance in dealing with data brokers by explicitly banning third parties from using the Do Not Collect and Delete My Data mechanism in Section 112. On page 97 (Section 112 (c)(4)(A)) of the APRA V2 document, APRA explicitly blocks a third party from assisting someone in using the Do Not Collect and Delete My Data requests. Authorized agents are critical for parents wanting to protect their children, adult children protecting their elderly parents, domestic violence civil society organizations protecting a recent victim, a security or identity fraud company protecting a consumer from identity theft, etc. An analogy for authorized agents is tax preparation service providers such as Intuit TurboTax and H&R Block, which bridge the gap between individuals and tax filing processes that are ever more complex and ever changing. Does anyone think an elderly parent with dementia or a child can figure out how to initiate these requests on the APRA registry site? Having this language on page 97 will purposely limit the number of consumers utilizing this capability, which is a big win for data brokers, who no doubt slipped this language in. And this impact falls disproportionately on society’s most vulnerable, who need help protecting themselves. Even Page 112 (Section 112 (A)(2)(b)) states that only an individual should be told how they can exercise their rights — not an authorized agent.
Note that under the definition of “verification,” APRA does allow “an individual authorized to make such a request on behalf of the individual whose covered data is the subject of the [consumer privacy] request.” So, APRA does allow authorized agents for one-off consumer privacy requests, but when it comes to bulk deletions from data brokers, hey, the data brokers get another gift at the expense of society’s most vulnerable.
3. It is unclear whether the Delete My Data request is a permanent, ongoing request or a point-in-time request, thus allowing the data broker to continue to collect net new data. This ambiguity is yet another gift to the data broker industry, letting it continue to collect our data if the consumer has not also initiated a Do Not Collect request.
4. APRA V2 provides definitional loopholes that enable data brokers to skirt around being considered data brokers and, therefore, not register. Page 14 (Section 101 (17)) still allows businesses to make up to 49.9999% of their annual revenue from data brokering and avoid being called a data broker. Also, there is our continued concern about the service provider exemption, in which data brokers start saying contractually that they are a service provider to every one of their customers. See this prior blog post for a discussion of this. These loopholes will facilitate non-registration in the APRA data broker registry, which in turn means that the Delete My Data mechanism will apply to significantly fewer data brokers.
5. There is no transparency reporting or auditing, as there is in the California Delete Act. For example, there are no specific callouts for reproductive healthcare or minors’ data, or for whether the data broker has recently been breached, as called for in the Texas Data Broker Registry law, and we are pretty sure brokers will be creative with their descriptions of information categories to avoid admitting to that. See this prior blog post for a discussion of this.
Here is what you see with the California Data Broker Registry. Within seconds I can see which data brokers are collecting kids’ data. With APRA you lose that. This lack of reporting and transparency is a gift to the data broker industry, allowing brokers to continue to operate in the shadows and forcing consumers to hunt and peck through hundreds of privacy policies.
In summary, draft 2 of APRA — specifically Section 112 and the definition of data broker — gives the optical illusion of APRA being somewhat equal to the California Delete Act (“See, they both do deletions, we added it in V2, etc.”). A close inspection, in fact, reveals that APRA V2 disproportionately favors the data broker industry to the detriment of consumers, especially those most vulnerable in our society, meaning that yet again APRA V1 and V2 are not close to California when it comes to the regulation of data brokers. For a law that its authors said is “stronger than any state law on the books” (voiceover: it is not), it is clear that more time needs to be spent looking at what is on the books in California concerning data brokers.
And don’t get me started on preemption.