SB 1059 Introduced to Put More Teeth into California Data Broker Law
I am very pleased to announce that a bill that I proposed back in December 2020 to strengthen, enhance, and align the California Data Broker Register with the California Privacy Rights Act (CPRA aka Prop 24) has been adopted by State Senator Josh Becker and introduced as California Senate Bill 1059 (aka SB 1059). Big kudos and much appreciation to Josh, with whom I am a constituent, for hearing me out and taking the ball and running with it by introducing this bill, and his staff (Nicole, Leslie, etc.) for being great to work with. Here’s the press release entitled “Senator Becker Introduces Bill to Strengthen Consumer Privacy Protections and Toughen Penalties for Data Brokers Who Defy the Law”, the Tweet announcing it, and the text of SB 1059.
Let me provide a bit more context on SB 1059 in this blog post.
Executive Summary of SB 1059
SB 1059 significantly strengthens California’s existing data broker law by giving Californians increased visibility into businesses known as data brokers that knowingly collect, sell, and share the personal information of a consumer with whom the business does not have a direct relationship. SB 1059 also provides Californians additional privacy rights and empowers the California Privacy Protection Agency (PPA) to regulate data brokers. SB 1059 is funded through annual registration fees that data brokers pay under current law.
So … Why Strengthen California’s Existing Data Broker Registry Law?
According to the privacy group EPIC, there are thousands of data brokers in the United States who buy, aggregate, sell and trade billions of data points on Americans. As I discussed in prior blogs, some data brokers advertise they collect and aggregate thousands of data points per consumer. Here is a nice graphic from CrackedLabs that shows the type of data elements collected by one data broker (Oracle — and note they claim 30,000 attributes for 2 billion people!).
Because consumers don’t have a direct relationship with data brokers, consumers are often oblivious to who is selling and trading their personal data, as well as have no knowledge of which third parties are acquiring that data and what those third parties are doing with their personal data.
As noted by the California Department of Justice (DoJ), the unauthorized or harmful acquisition and misuse of consumer information can introduce risks to consumers. Recent headlines highlighting this include a Gay/Bi dating app and a Muslim Prayer app selling data on people’s location to a data broker, millions of workers’ paystubs being sold to data brokers, and data brokers advertising they can sell real-time location data of active military personnel.
What SB 1059 Delivers
First and foremost, SB 1059 gives increased visibility to Californians regarding the data brokers that collect, sell, and share their personal information. As noted by the DoJ, “consumers are generally not aware that data brokers possess their personal information.” With the passage of AB 1202 in 2020 and its creation of a Data Broker Registry, the DoJ projected that “at least” 1,000 data brokers of the estimated 4,000 worldwide data brokers would register with the DoJ. But as of February 2022, slightly only over 400 have registered, meaning there are likely hundreds of additional data brokers that sell and trade our personal data that Californians have no visibility into.
SB 1059 increases the fines for non-registration and broadens the definition of data brokers to include those businesses that also trade or share personal information (versus just selling — thereby harmonizing the “share” language added by CPRA). These changes will incentivize larger numbers of data brokers to register and give Californians greater awareness into data brokers that may be selling or trading their personal data.
Second, it requires more transparency from data brokers in terms of how Californians can exercise their privacy rights to delete their data, opt-out of sales, etc. Consumer advocacy organizations such as Consumer Reports have found that many data brokers are putting up roadblocks that impede consumers ability to exercise their privacy rights. Consumer Reports noted that consumers struggle to “to locate the required links to opt out of the sale of their information” and that “many data brokers’ opt-out processes are so onerous that they have substantially impaired consumers’ ability to opt out.” SB 1059 forces data brokers to be more transparent by requiring data brokers to provide clear instructions on how consumers can exercise their privacy rights to delete, correct, opt-out, know who has purchased their personal data and the limit the use of sensitive personal information.
Third, SB 1059 also increases privacy rights and transparency by requiring data brokers to annually disclose if they have been breached and if they collect, sell, and/or share information regarding children.
Fourth, SB 1059 unifies the registration and regulation of data brokers under the Privacy Protection Agency, thereby providing “one-stop shopping” for protecting consumers’ privacy. SB 1059 transfers the administration of the data broker registry from the DoJ to the PPA — the agency that was created with the passage of the California Privacy Rights Act (CPRA) in 2020 — and enables the PPA to be able to regulate data brokers, thereby giving the PPA the enhanced ability to protect consumer privacy. SB 1059 is funded through annual registration fees that data brokers pay under current law.
Complementary to Federal Privacy Initiatives
SB 1059 fully complements proposed Federal legislation in the regulation of data brokers, including Senators Ossoff’s, Kennedy’s and Representative Trahan’s DELETE Act (for a global data deletion request) and Senator Wyden’s Protecting Americans’ Data from Foreign Surveillance Act (that prohibits data brokers from selling personal data to foreign countries).
SB 1059 is supported by leading advocacy and privacy groups including Consumer Reports, EPIC, Californians for Consumer Privacy and Consumer Watchdog. Here are some supporting quotes:
“Californians need an effective data broker registry so that they can better exercise their privacy rights at businesses that freely buy and sell their information, typically without their knowledge. Consumer Reports has found that this can be difficult for consumers with the current data broker registry. That’s why we support SB 1059, which provides key updates to the law, so that consumers will have more control over their personal information.” Maureen Mahoney, Senior Policy Analyst, Consumer Reports
“Data brokers collect millions of data points about us to build invasive profiles used to target us with targeted ads or worse — determine interest rates on mortgages and credit cards, eligibility for housing, and deny people jobs. SB 1059 will shed light on these exploitive practices by requiring transparency about which data brokers are buying, aggregating, selling and trading our personal information.” Caitriona Fitzgerald, Deputy Director, Electronic Privacy Information Center (EPIC)
“By unifying the registration and regulation of data brokers under the California Privacy Protection Agency (PPA), SB 1059 gives the PPA even more tools at its disposal to further protect Californians’ privacy rights. As we work to strengthen and codify consumer privacy rights in California, this legislation is an important next step.” Alastair Mactaggart, Founder, Californians for Consumer Privacy.
“SB 1059 gives California more tools at its disposal to better regulate data brokers who are selling and trading our most sensitive personal information that is used to profile and score each one of us.” Jamie Court, President, Consumer Watchdog.
I am excited that we have legislation that would give Californians stronger privacy rights and better visibility into data brokers who collect, sell, and share our personal data, including our real-time location. I will provide some more details in additional blog posts.