BILL ANALYSIS
SB 1348 Page 1

Date of Hearing: June 24, 2014

ASSEMBLY COMMITTEE ON JUDICIARY
Bob Wieckowski, Chair

SB 1348 (DeSaulnier) - As Amended: June 23, 2014

SENATE VOTE : 24-8

SUBJECT : Data Brokers: FUTURE sale of personal information to third parties

KEY ISSUE : Should Californians GENERALLY be permitted to review the personal information that a data broker, as narrowly defined, holds about them, and SIMPLY HAVE THE OPTION TO REQUEST that the data broker NO LONGER sell or share their personal information IN THE FUTURE if they SO request?

SYNOPSIS

This bill, as recently substantially narrowed, would allow an individual to learn what personal information a data broker, as narrowly defined, holds about him or her and to request that the data broker no longer sell or share his or her information. At least one of the major data brokers - Acxiom - has stated and advertised that they already not only allow individuals to access personal information possessed by the data broker, but they go further and allow the requesting individual to correct and prevent the sharing of their personal information in the future, suggesting, contrary to claims by the bill's opponents, that this is not only technically feasible, but also a likely industry best practice as well.

Although the term "data broker" is sometimes loosely used to describe any entity that collects and then shares or sells a consumer's personal data, this bill now as amended adopts a narrower definition essentially used by the Federal Trade Commission (FTC) in its recent studies and reports. For purposes of this bill, a data broker is a commercial entity that collects, assembles, and sells personal information of persons who have had no prior direct contact with the data broker, whether as user, customer, employee, or any other capacity.
Under FTC usage, it is this lack of prior contact that defines a "data broker," and narrowly targets specific companies from other entities - such as online and offline retailers, or operators of Internet Web sites or online services. That is, a data broker collects an individual's personal information from a variety of other sources - public records, retailers, surveys, Internet Web sites, etc. - but not from the individual to whom the personal information pertains (i.e., the "subject individual" in the language of this bill). The rationale for this distinction is clear: the user of an Internet Web site takes an affirmative step in using the site, and can read the privacy policy (if they so choose), ideally learn what information is collected and how it is used, and exercise any available opt-outs or, as a last resort, stop using the Web site to halt the sharing of their personal information. However, none of this is true of a third party entity that collects personal information about people from other entities that have had no contact or relationship with that entity.

The bill also limits its definition of "personal information" to exclude any information that could be obtained from public records. Finally, the bill exempts credit reporting and financial entities whose data collection and sharing practices are already regulated by state and federal law, exempts an entity if the requirements of this bill would interfere with the entity's requirements or authorizations under existing law, and exempts media organizations engaged in the news reporting process protected under the 1st Amendment.

The bill is supported by privacy rights organizations and the California Police Chiefs Association. It is opposed by a coalition of business, retail, and high-tech industry groups. Should it pass this Committee, it will face a second bite at the proverbial legislative apple in the Assembly Arts, Entertainment, Sports, Tourism and Internet Media Committee.
SUMMARY : Requires a data broker, as narrowly defined, to permit an individual to review the personal information that the data broker holds about them and to request that the data broker cease selling, or otherwise sharing, that personal information to third parties, except as specifically allowed. Specifically, this bill :

1) Requires a data broker, as narrowly defined, that sells or offers for sale the personal information of any resident of California to a third party to do both of the following:

a) Permit a "subject individual" (the person to whom the information pertains) to review his or her personal information that has been collected, assembled, or maintained by the data broker by submitting an electronic demand through a secure online system, unless the data broker is required by law or authorized by statute to share information with a third party.

b) Conspicuously post an opt-out notice on its Internet Web site, which shall include specific and easily understood instructions for the subject individual to make a demand on the Internet Web site that his or her personal information not be shared with or sold to third parties, unless the data broker is required by law or authorized by statute to share information with a third party.

2) Provides that if the subject individual makes a demand that his or her personal information not be shared with or sold to third parties, the data broker will cease sharing or selling that information with third parties as soon as is reasonably possible, and in no event later than 30 days after receipt of the notice and the data broker shall thereafter retain only as much personal information as is reasonably necessary to comply with the subject individual's demand.
3) Specifies that, after receiving a removal demand from the subject individual, the data broker shall not transfer the subject individual's personal information to any other person or entity, and any information collected by the data broker to confirm the identity of the subject individual making the demand shall be deleted once the identity has been confirmed and the information collected shall not be used for any other purpose.

4) Makes it unlawful for a data broker to solicit or accept the payment of a fee or other consideration to review or remove personal information from the data broker's database.

5) Provides that, in addition to any other remedy available at law, a subject individual may bring a civil action for actual or statutory damages, as specified, against a person or entity that violates the provisions of this bill.

6) Defines "data broker" to mean a commercial entity that collects, assembles, or maintains personal information concerning individuals residing in California who are not customers or employees, or who have had no contact with that entity prior to contacting the entity pursuant to the provisions of this bill, for the purposes of selling or offering for sale, or other consideration, the personal information to a third party.

7) Specifies that a "data broker" does not include any of the following:

a) A commercial entity that sells personal information to the subject individual.

b) A "credit reporting agency" or a "consumer credit reporting agency" that is regulated by the federal Fair Credit Reporting Act or the state Consumer Credit Reporting Agencies Act.

c) A commercial entity that sells or provides for sale personal information to another entity that will use the information pursuant to purposes permitted by the federal Gramm-Leach-Bliley Act, including purposes such as identity confirmation and fraud prevention.
d) A person or entity enumerated in subdivision (b) of Article I of the California Constitution or Section 1070 of the Evidence Code that publishes or broadcasts information obtained or prepared in gathering, receiving, or processing of information for the purpose of communicating information to the public.

8) Defines "personal information" to mean any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. "Personal information" does not include any information that is lawfully made available to the general public from federal, state, or local government records.

EXISTING LAW :

1) Provides that, among other rights, all people have an inalienable right to pursue and obtain privacy. (Cal. Const., art. I, Sec. 1.)

2) Permits a person to bring an action in tort for an invasion of privacy and provides that in order to state a claim for violation of the constitutional right to privacy, a plaintiff must establish the following three elements: (1) a legally protected privacy interest; (2) a reasonable expectation of privacy in the circumstances; and (3) conduct by the defendant that constitutes a serious invasion of privacy. (Hill v. National Collegiate Athletic Assn. (1994) 7 Cal.4th 1.) Recognizes four types of activities considered to be an invasion of privacy giving rise to civil liability, including the public disclosure of private facts. (Id.)
3) Permits, under the federal Gramm-Leach-Bliley Act, financial institutions to share nonpublic customer information with non-affiliated third parties, unless the consumer "opts out" of such disclosure. The Act requires privacy statements to be disclosed by financial institutions and restricts their ability to disclose non-public personal information about consumers to third parties. (15 U.S.C. Sec. 6801 et seq.)

4) Requires an operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its Web site to conspicuously post its privacy policy. (Business & Professions Code Section 22575.)

5) Requires a business with an established business relationship with a customer that has, within the preceding calendar year, disclosed specified personal information about the customer to third parties for direct marketing purposes to, after the receipt of a written request, disclose to the customer free of charge the categories of personal information disclosed to third parties for direct marketing purposes, the names and addresses of all third parties that received the personal information, and, if not reasonably discernable by the name, examples of the products or services marketed by the third parties. (Civil Code Section 1798.83.)

FISCAL EFFECT : As currently in print this bill is keyed non-fiscal.

COMMENTS : By now it has become a cliché to note that "Big Data" - the combination of massive amounts of data manipulated by ever faster and more powerful analytical tools - is transforming our world. A seemingly breathtaking array of amazing social media, mobile applications, and seemingly "free" Internet content and services are made possible, for the most part, by the commodification of digital information.
Virtually every time a consumer visits a website to make a purchase, book a hotel, reserve a rental car, search for information, play a game, communicate with loved ones, donate to a cause, or even post a video of a cat playing a piano, chances are the information is being collected, stored, analyzed, and eventually sold to or shared with third parties without many consumers being aware of that background development.

Without question, data collection and sharing increasingly drive modern commerce and improve the lives of so many in immeasurable ways. Not only does the selling and sharing of personal information permit much more targeted and relevant advertising, it pays for the ever-expanding wealth and breadth of "free" Internet content and services that one finds online or via mobile applications. Google, for example, of course does not provide users with free searches, personal e-mail accounts, and detailed maps and directions as a non-profit charitable enterprise, though such services are certainly helpful and awe-inspiring. In addition, "Big Data" is often reportedly used for many helpful non-marketing purposes, including medical and scholarly research.

Yet many commentators agree that "the good and the bad" often are walking hand-in-hand with the evolution of the seemingly "no cost" Internet. Assembled, shared, and analyzed personal information can help consumers get the targeted product and service information they need or desire. But many commentators also note that this dramatically evolving "data analytics" industry also poses a growing potential threat to Americans' personal privacy, and it can create unprecedented opportunities for identity theft and other challenges to personal space and privacy.
Although those who sell this amalgamated personal information to third parties, generally referred to as "data brokers," are of course not the only entities that collect and sell information (many retailers, websites, and political campaigns and many others do the same of course), the data brokers, as now narrowly defined in this bill, are unique in that they are primarily in the business of collecting and selling information of persons with whom they have had no prior contact or business relationship - unlike so many others who do business on the Internet. It is that much narrower group of companies upon which this measure seeks to impose relatively modest public policy-based consumer protection protocols - consistent with the recently published and widely-discussed report, discussed next, by the Federal Trade Commission, calling for government to consider this and other more substantial types of government action.

FTC's Important Data Brokers Report of Just Last Month : In May of this year, the Federal Trade Commission (FTC) released a report that discussed the results of its study of nine selected major national data brokers. (FTC, Data Brokers: A Call for Transparency and Accountability, May 2014.) The FTC report noted they chose to review these particular companies because "these companies generally never interact with consumers, consumers are often unaware of their existence, much less the variety of practices in which they engage." (FTC, Data Brokers, p. I, emphasis added.) Drawing from its 2012 report, Protecting Consumer Privacy in an Era of Rapid Change, the FTC noted that there are three different categories of data brokers: (1) credit reporting agencies subject to the Fair Credit Reporting Act (FCRA); (2) entities that maintain data for marketing purposes; and (3) non-FCRA covered entities that maintain data for non-marketing purposes that fall outside of FCRA, such as entities that detect fraud or locate people.
The FTC noted in its earlier 2012 report that the last two categories remain largely unregulated, except for the regulation of financial institutions under the Gramm-Leach-Bliley (GLB) Act.

FTC Report's Call for Legislative Action to Regulate Data Brokers and Provide Consumers Reasonable Choice and Control : In its report, the FTC called on Congress to consider enacting the very type of legislation reflected by this measure. In its report, it stated in this regard that "Congress consider legislation requiring data brokers to provide consumers with access to their data . . . at a reasonable level of detail, and the opportunity to opt out of having it shared for marketing purposes." (Emphasis added.) In order to help consumers identify which data brokers may have data about them and how they might exercise opt-out rights, the FTC also recommended that Congress create "a centralized mechanism, such as an Internet portal, where data brokers can identify themselves, describe their information collection and use practices, and provide links to access tools and opt outs." (FTC, Data Brokers, p. viii.)

In addition, the FTC recommended that Congress consider (1) requiring data brokers to notify consumers that, not only do they collect core data, but that they use this raw core data to make certain inferences, sometimes about sensitive consumer preferences and characteristics; and (2) requiring data brokers to disclose the sources of their data, so that a consumer might know, for example, that they need not only to correct information that the data broker possesses, but also correct the data in the source (especially if it is a public record source). Finally, the FTC recommended that Congress consider preventing a data broker from collecting or sharing of certain especially sensitive information - such as health information - unless it obtains the consumer's express consent before collecting or sharing the information (allow a consumer opt-in mechanism).
Data Broker Industry Response to the FTC Study and One Industry Leader's Courageous Decision Showing the Procedures Called for by This Measure Are Not "Pie in the Sky" And Appear to Be Quite Doable : Shortly after the FTC began its study, the data broker company Acxiom - one of the nine data brokers studied by the FTC - voluntarily decided to take the lead in consumer protection by arming consumers with greater say over the use of their personal information. Acxiom developed a new website, called "AboutTheData.com." This website allows any person to access the modeled profiles - and some of the core data - that Acxiom states it provides to its clients. Unlike the more modest approach taken in this bill, however, Acxiom voluntarily allows the individual to correct any information. According to information provided by Acxiom to the Committee, about 500,000 people have visited the website, and of that number only about 2% have actually requested that Acxiom not share information for marketing purposes.

Thus claims by some opponents of this measure that the measure unreasonably or impractically calls for business protocols that are either too difficult or expensive to undertake to vest consumers with some control over their personal data, appear to be refuted by this industry leader's own voluntary consumer protection actions. Nor does this company's reported "2% opt out" experience suggest, to say the least, that many consumers will flood companies with requests to "opt out" of the selling of their personal information, threatening the basic advertising model of the Internet.

Very Limited Congressional Action To Date - The Rockefeller Bill : Not just due to the report's recent publication of course, so far Congress has done little to implement the FTC's recommendations. Senator Jay Rockefeller's pending "Data Broker Accountability and Transparency Act" (S.
2025, 113th Congress, 2d Session) takes up one small component of the FTC recommendations: requiring data brokers, as defined, to permit consumers to review their data, make corrections and prevent data brokers from sharing that data for marketing purposes. Rockefeller's S.2025 defines "data broker" to mean "a commercial entity that collects, assembles, or maintains personal information concerning an individual who is not a customer or employee of that entity in order to sell the information or provide third party access to the information." Subject to certain exceptions, S.2025 requires a data broker to provide a means by which an individual may review information that pertains to him or her; request that the data broker correct inaccurate information, if, depending on the nature of the information, the accuracy can be verified; and permit the individual to request that the data broker not use his or her information for marketing purposes. These provisions can be enforced by the FTC, by the several state attorneys general, or by a civil action brought by a public official or agency of a state on behalf of the people of the state.

At the time of this writing, S.2025 is still pending and the recent history of all data privacy bills introduced in Congress suggests that the bill will not be enacted any time soon. This bill, like the FTC's more recent 2014 report, clearly seeks to take up the FTC's call to action and attempts to address the likely inability of Congress to act - and the potential ability of states like California to fill this glaring consumer protection void.
This Measure's Greatly Narrowed Definition of "Data Broker" As Recently Amended : Although Internet websites and retailers collect, share, and sell consumers' personal information to varying degrees, this bill, as amended, nevertheless seeks to narrowly limit its definition of data brokers to only those entities studied in the FTC report, namely those relatively few companies primarily engaged in the business of collecting, analyzing, and selling the personal information of persons with whom the data broker has had no prior contact or relationship. A data broker, as now narrowly defined by this bill, collects information about an individual from a wide variety of sources - public records, retailers, subscription lists, and information collected through the Internet Web sites of other persons or entities - but it does so, as the FTC's recent study shows, without having any contact or business relationship with that individual.

Why Not All Internet Sites That Sell Consumer Information Are Covered : As noted, the principal rationale for allowing the "subject individual" - the person to whom the information refers -- to review and prohibit sharing by the data broker, as narrowly defined, is that the subject individual has typically never interacted with the data broker and never had any opportunity to opt-out of data collection and sharing. In contrast, as the FTC study recently noted, an Internet Web site, as noted above, may also collect and sell a user's personal information -- but at least that collection and sharing was initiated (even if most often potentially unwittingly) by an affirmative act of the Web site user.
The website's user at least had the opportunity to consult the mandatory privacy policy - required by California's Online Privacy Act - to try to get at least a general sense of the website's collection, sharing, and marketing policies (though such policies are admittedly often hundreds of words long, and are too often impenetrable to comprehend, even by those who attended law school). With websites that consumers interact with directly, if the user is potentially uncomfortable with how his or her data will be used, and if the website offers no "opt-out" option for the user to say "don't share my data," then at least the user can, as a last resort, choose to not use that website anymore. But key to this proposal, a data broker that has no prior direct contact with the subject individual does not offer these very limited options. Indeed, almost by definition the consumer has no idea that his or her data is being sold or shared to that entity.

It is therefore critical to understand the narrowness of this definition, for contrary to the claims of some of the opponents of this measure, this bill would not apply to private or public websites that collect information directly from the users of their websites, because in those situations the subject individual has made direct contact with the website, whether as a customer or merely a non-purchasing visitor to the website.

Affirmative Effort to Avoid Any Possible Federal Preemption and Limit Bill's Reach : To avoid any preemption issues, this bill, as recently amended, wisely exempts from its definition of "data broker" any entity insofar as its activities are already regulated by FCRA or GLB. (It also exempts consumer credit reporting agencies regulated under the California Consumer Credit Reporting Agencies Act.)
How This Narrow Bill Differs from Congressional Legislation and Industry Self-Regulation : While the requirements of this bill are similar to the pending federal legislation by Senator Rockefeller and the practices of at least the one major data broker noted above, it nonetheless differs in some significant ways - in some ways providing more consumer protection, in some ways arguably providing less. Below are a few of the more significant similarities and differences:

This Bill Allows Consumers To Review Information and Request That It Not Be Shared : Most substantively, this bill, as recently amended, would require a data broker, as defined, to permit the subject individual to (1) review the information that the data broker holds about him or her; and (2) demand that the data broker cease sharing his or her information with third parties. The bill does not, it should be stressed, prevent data brokers from engaging in the business of collecting, assembling, and selling personal information for profit. The bill simply says that if a person requests that the data broker cease sharing that information - and if the data broker is not otherwise required or expressly authorized by law to share the information - then the data broker must honor that request as to that single individual. If the reported Acxiom experience is any indication, only a fraction of the people about whom data brokers possess information will ever request to see their information, and only a minute percent of that limited subset will request that the data broker cease sharing his or her personal information.

This Bill Does Not Allow a Consumer to Correct Information : Both the federal bill (if enacted) and Acxiom permit the subject individual to correct information that may be inaccurate.
The author states he has decided to not include this requirement in the bill because it would introduce practical difficulties concerning just what a data broker must precisely do in order to confirm the accuracy of the subject individual's claim. Opting for the virtues of simplicity, this bill avoids the need to establish standards and criteria of proof and does not seek to impose any burden on data brokers to investigate the accuracy of data or the individual's claim that the data is inaccurate. A subject individual may just see what information the data broker shares with third parties and request that the information not be shared at all, whether it is accurate or not.

Definition of "Data Broker" More Consistent with FTC Report Than the Federal Bill : This bill also provides an arguably clearer definition of "data broker" than the federal legislation. As noted above, the defining characteristic of a "data broker," for purposes of the FTC study, was that the data broker collected and sold personal information about an individual with whom the data broker had no necessary relationship. The federal legislation defines a data broker as a commercial entity that collects, maintains, and sells information about an individual "who is not a customer or employee of that entity." However, what defines a data broker, as used in the FTC report, is not merely that the subject individual is not a "customer or employee" of the data broker, but that subject individual has not had any contact with the data broker, whether as a "customer" or not.
This bill, therefore, appears to provide a very precise - and much more limited -- definition: a data broker is a commercial entity that collects, maintains, and sells personal information about a subject individual who is not a customer or employee of the entity, "or who has not contacted that entity prior to reviewing his or her information or demanding that information not be shared" pursuant to the provisions of this bill.

This Bill Is Not Restricted to Sharing for "Marketing Purposes" : Both Senator Rockefeller's bill and Acxiom's voluntary policy only permit the individual to opt out of the sharing of data for "marketing" purposes. In other words, neither the federal bill nor Acxiom's practice currently allows the person to opt out of the "risk mitigation" or "people search" products discussed above. This bill is not as limited and would allow an individual to opt out of these other products as well if they so choose.

Bill Does Not Appear, as the Opposition Claims, to Prohibit Any Particular Technology or Business Practice : Some opponents argue that the bill targets a particular technology instead of targeting bad behavior. Digitized information is not inherently bad, the opposition contends, even though "the actions that people take using information may be inappropriate if not in some cases unlawful." According to the opposition coalition, "the lawful gathering of information serves a multitude of purposes. Many state and local government and law enforcement agencies use these services to fight fraud in eligibility determinations for benefits, locate deadbeat parents, find missing children, find witnesses, etc. Business and government both use these services to help verify job histories, eligibility for loans, and find individuals who deliberately try to avoid paying bills that they owe."
The opponents contend that it "would be more effective to look for remedies that address the bad behavior of individuals rather than impose unreasonable restrictions on technologies that serve a useful purpose." However, contrary to what is implied by this opposition statement, this bill does not seek to ban a particular technology, nor does it aim to prohibit data brokers from doing what they currently do: collect personal information from a wide variety of sources and sell it to others for marketing and other purposes. The bill simply says that consumers have the right to find out what kinds of information a data broker possesses and, having determined that, to demand that it not be shared with third parties if that is the individual consumer's personal preference.

To be sure, if every consumer contacted a data broker to demand that it cease sharing or selling the consumer's personal information, then that data broker, to the extent that its business model depended upon selling such information, might have to dramatically adjust its business model due to consumer demands. But, as Acxiom has discovered, only a minute percentage of individuals for whom they collect data actually appear likely to seek to have their personal data protected and no longer sold to others. Thus the author notes this bill should not affect the data broker industry any more than Acxiom's self-imposed policy has affected its business. Most consumers will apparently choose not to visit the site. If Acxiom's experience is typical, only a small proportion of those that do will ask the data broker to stop sharing the information.

Moreover, the author notes that punishing bad behavior does not necessarily preclude the possibility of permitting an individual to take proactive steps to prevent the sharing and long-term retention of their personal information.
Persons who may believe, for any number of reasons, that they are particularly at risk of harm if personal information is disclosed to the wrong person will be able to avoid the time, cost, and stress of a criminal or civil action by taking steps that reduce the probability of harm occurring in the first place.

Bill Does Not, As Some Opponents Appear to Claim, Prohibit Data Brokers From Sharing Critical Information : The opposition coalition also contends that this bill "curbs the exchange of critical information" between "government agencies, law enforcement, non-profit organizations, and businesses that currently utilize this information." Specifically, opponents claim that interrupting the flow of this information will prevent these organizations from performing a variety of critical functions, such as helping law enforcement locate missing children, fugitives, witnesses, and organ donors; administering public benefits and verifying applicant eligibility; notifying customers of product recalls; and improving disaster response through the cross-matched databases.

However, this bill does not appear to prevent any of these organizations from doing any of these things. First, the bill expressly exempts any sharing of data that is required or authorized by law. For example, existing law already authorizes an automobile manufacturer, or its agent, to share confidential customer information for the purposes of notifying consumers in the event of a recall. This bill, as recently amended, also expressly states that an entity is not prohibited from sharing any information that it is required by law, or expressly authorized by statute, to share. Second, this bill does not prohibit data brokers from doing any of the things that they currently do.
This bill simply says that, unless sharing is otherwise required or authorized by law, an individual may demand that a data broker - as narrowly defined to be an entity with whom the individual has had no prior contact - not share his or her information. If law enforcement needed to obtain information it could obtain a court order or warrant to do so regardless of this measure. Finally, as to the opposition's claim that this bill would allow a "fraudster" or "criminal" to conceal his or her activities, if this is true, it is also true of industry leader Acxiom's voluntary policy of allowing individuals to correct information without providing any evidence that the information is incorrect. This bill, however, does not allow a person to correct or alter this information. It simply says that the data broker, if requested by the individual, cannot share the information unless it is required or authorized by law to do so. Finally, it is worth noting that the California Police Chief's Association supports this latest more narrow version of the bill, and no law enforcement agencies are opposed to it.

Newspaper Concerns Addressed by Recent Amendments : The California Newspaper Publishers Association initially opposed this bill and expressed its concerns that the bill could conceivably allow a person who was the subject of a newspaper article or other published piece to demand that any personal information about them be removed, or that such a person could demand to review the information that was gathered about that person, thereby violating both statutory and constitutional protections afforded to the press. It does not appear that a newspaper publisher, whether paper or online, would ever be construed as a "data broker" under this bill's narrow definition. While a newspaper is a commercial entity that collects information, it does not sell that information.
While it may sell the newspaper that contains an article that contains personal information, the newspaper does not sell the personal information as such. Nonetheless, given the high value that California places upon freedom of the press, the author agreed to an amendment that now clarifies that publishers, editors, reporters, or others who are employed by a newspaper, magazine, or other publication, or by a television or radio station, are not "data brokers" within the meaning of this bill.

Notwithstanding Some Opponents' Assertions, IMS Health v. Sorrell Does Not Appear to Be Applicable : Some opponents also contend that the measure is likely unconstitutional, citing the United States Supreme Court decision, IMS Health v. Sorrell (2011) 131 S. Ct. 2653. That case involved a 2007 Vermont law that banned the sale, transmission or use of prescriber-identifiable data ("PI data") for marketing or promoting a prescription drug without the consent of the prescriber. The law also prohibited the sale, license or exchange for value of PI data for marketing or promoting a prescription drug. Three companies, including IMS Health, that collect and sell such data and a trade group for pharmaceutical manufacturers challenged the law. The U.S. Court of Appeals for the 2nd Circuit struck down the measure, holding that it violated the First Amendment because it restricts the speech rights of the companies without directly advancing legitimate state interests. The U.S. Supreme Court agreed, holding by a 6-3 vote that the Vermont law was a content-based restriction that infringed upon the companies' commercial speech rights. However, as already noted, this bill does not, like the Vermont law, ban the sale, transmission, or use of personal data.
It merely prohibits the data broker from sharing the information of a single individual if that individual requests that his or her information not be shared in the future once a secure and formal request is received from that individual. In short, the IMS Health ruling would not appear to render this bill unconstitutional in any way; and at any rate, such a suggested approach has not yet been tested in the courts.

ARGUMENTS IN SUPPORT : Privacy Rights Clearinghouse (PRC) argues that "SB 1348 will help protect Californians from the largely unregulated practices of online data brokers. In doing so," PRC believes, "it will enable consumers to take better control over how their personal information is disseminated online, thereby helping to protect Californians from identity theft, stalking, and other invasions of their privacy." PRC notes that, over the past several years, it has been contacted by "hundreds of consumers" expressing their concerns about data brokers. These businesses are "particularly troublesome for victims of stalking or domestic violence, law enforcement and court personnel, and victims of identity theft." The American Civil Liberties Union supports this bill for substantially the same reasons. This bill is also supported by the California Police Chief's Association (CPCA), noting that data brokers can be "particularly troublesome for victims of stalking or domestic violence, law enforcement and court personnel, and victims of identity theft." CPCA believes that SB 1348 will protect Californians from the "largely unregulated practices" of data brokers by enabling them to "take better control over how their personal information is disseminated."

ARGUMENTS IN OPPOSITION : A broad coalition of businesses and associations representing the data management, marketing, and retail industries, among others, opposes this bill for several reasons.
In general, as noted above, opponents argue that this bill will have a chilling effect on the fluid exchange of critical information, pointing out that government agencies, law enforcement, non-profit organizations, and businesses all use information collected by data brokers for a variety of important reasons: locating individuals, including missing children, fugitives, witnesses, debtors, organ donors, and parents seeking to avoid child support obligations. Opponents note, too, that this information is sometimes needed to administer public benefits, notify consumers about product recalls, or improve disaster response through the use of cross-matched data. Opponents also contend that the bill has an "overly broad and vague" definition of "data broker" that will "likely capture much of the online business community and, at a minimum, result in extensive litigation to determine who is and who is not a 'data broker.'" Opponents similarly contend that the definition of "personal information" is also too vague and will provide businesses "with little guidance to delineate between personal and non-personal information for purposes of complying with the law. SB 1348 exposes businesses to both unnecessary litigation and liability while courts wrestle with this definition." In addition to these general concerns, opponents assert that this bill will create a number of practical problems of implementation. For example, they claim that much of the information in their databases is anonymous and not readily associated with the requester's name, thus the bill would require "dredging through dormant data and re-identifying all information that could potentially fit within the vague definition of personal information."
(However, it should be noted in this regard, based on the real-life experience of several Judiciary Committee counsel who personally visited Acxiom's website, Aboutthedata.com, that Acxiom produces the consumer's profile within seconds, apparently having no difficulty whatsoever in "dredging through dormant data.") Opponents also point out that it will be difficult if not impossible for data brokers to "permanently remove" all of the requester's personal information, for "the Internet is a constant exchange of information amongst websites. It would be nearly impossible to completely halt this fluid information exchange, much less to do so within 10 days of the request." [NOTE: As recently amended the response time is increased to 30 days.] "Simply put," opponents conclude, "the requirements of SB 1348 are out of step with technological realities and are unworkable." Finally, opponents' coalition letter raises a number of other objections: that the bill is unconstitutional in light of IMS Health v. Sorrell (see discussion above); and that a number of existing state and federal laws, including FCRA, GLB, HIPAA, and the California Online Privacy Protection Act, already govern data collection and sharing.

The Data Marketing Association (DMA), a member of the coalition noted above who also writes separately, claims that this bill will be counterproductive in that it will actually "expose an individual's personal information to fraudsters . . . and imposters posting as the subject individual." Overall, DMA asserts that this bill will impede "the responsible use of marketing data that is vital to small business and nonprofit organizations and is a crucial component of the California economy and the source of tens of thousands of jobs."
Online advertising, DMA maintains, "is essential to today's small businesses and California's information economy" and supports "a wide variety of services that are available to consumers for free or at a low cost and helps small businesses succeed against larger competitors." Finally, DMA notes that it has already developed guidelines and self-regulatory standards that give consumers a voice in how their data is used and the kinds of advertisements that they receive.

REGISTERED SUPPORT / OPPOSITION :

Support

Alameda County District Attorney Nancy O'Malley
American Civil Liberties Union
California Police Chief's Association
Consumer Federation of California
Correctional Peace Officers Association
Privacy Rights Clearinghouse

Opposition

California Association of Licensed Investigators
California Chamber of Commerce
California Restaurant Association
Consumer Data Industry Association
Direct Marketing Association
Internet Coalition
NetChoice
Personal Insurance Federation of California
Reed Elsevier
The Internet Association
Software & Information Industry Association
State Privacy and Security Coalition

Analysis Prepared by : Thomas Clark and Drew Liebert / JUD. / (916) 319-2334