BILL ANALYSIS                                                                                                                                                                                                    Ó

                                                                  SB 1348
                                                                  Page  1

          Date of Hearing:  June 24, 2014

                           ASSEMBLY COMMITTEE ON JUDICIARY
                                Bob Wieckowski, Chair
                   SB 1348 (DeSaulnier) - As Amended: June 23, 2014

           SENATE VOTE  :  24-8
          SUBJECT  :  Data Brokers: FUTURE sale of personal information to  
          third parties 

           KEY ISSUE  :  Should californians GENERALLY be permitted to review  
          the personal information that a data broker, as narrowly  
          defined, holds about them, and SIMPLY HAVE THE OPTION TO REQUEST  
          that the data broker NO LONGER sell or share their personal  
          information IN THE FUTURE if they SO request? 


          This bill, as recently substantially narrowed, would allow an  
          individual to learn what personal information a data broker, as  
          narrowly defined, holds about him or her and to request that the  
          data broker no longer sell or share his or her information.  At  
          least one of the major data brokers - Acxiom - has stated and  
          advertised that they already not only allow individuals to  
          access personal information possessed by the data broker, but  
          they go further and allow the requesting individual to correct  
          and prevent the sharing of their personal information in the  
          future, suggesting, contrary to claims by the bill's opponents,  
          that this is not only technically feasible, but also a likely  
          industry best practice as well.  Although the term "data broker"  
          is sometimes loosely used to describe any entity that collects  
          and then shares or sells a consumer's personal data, this bill  
          now as amended adopts a narrower definition essentially used by  
          the Federal Trade Commission (FTC) in its recent studies and  
          reports.  For purposes of this bill, a data broker is a  
          commercial entity that collects, assembles, and sells personal  
          information of persons who have had  no  prior direct contact with  
          the data broker, whether as user, customer, employee, or any  
          other capacity.  Under FTC usage, it is this lack of prior  
          contact that defines a "data broker," and narrowly targets  
          specific companies from other entities - such as online and  
          offline retailers, or operators of Internet Web sites or online  
          services.  That is, a data broker collects an individual's  
          person information from a variety of other sources - public  


                                                                  SB 1348
                                                                  Page  2

          records, retailers, surveys, Internet Web sites, etc. - but not  
          from the individual to whom the personal information pertains  
          (i.e. the "subject individual" in the language of this bill.)   
          The rationale for this distinction is clear: the user of an  
          Internet Web site takes an affirmative step in using the site,  
          and can read the privacy policy (if they so choose), ideally  
          learn what information is collected and how it is used, and  
          exercise any available opt-outs or, as a last resort, stop using  
          the Web site to halt the sharing of their personal information.  
          However none of this is true of a third party entity that  
          collects personal information about people from other entities  
          that have had no contact or relationship with that entity.  The  
          bill also limits its definition of "personal information" to  
          exclude any information that could be obtained from public  
          records.  Finally, the bill exempts credit reporting and  
          financial entities whose data collection and sharing practices  
          are already regulated by state and federal law, exempts an  
          entity if the requirements of this bill would interfere with the  
          entity's requirements or authorizations under existing law, and  
          exempts media organizations engaged in the news reporting  
          process protected under the 1st Amendment.  
          The bill is supported by privacy rights organizations and the  
          California Police Chiefs Association.  It is opposed by a  
          coalition of business, retail, and high-tech industry groups.   
          Should it pass this Committee, it will face a second bite at the  
          proverbial legislative apple in the Assembly Arts,  
          Entertainment, Sports, Tourism and Internet Media Committee. 

           SUMMARY  :  Requires a data broker, as narrowly defined, to permit  
          an individual to review the personal information that the data  
          broker holds about them and to request that the data broker  
          cease selling, or otherwise sharing, that personal information  
          to third parties, except as specifically allowed.  Specifically,  
           this bill  :   

          1)Requires a data broker, as narrowly defined, that sells or  
            offers for sale the personal information of any resident of  
            California to a third party to do both of the following:

             a)   Permit a "subject individual" (the person to whom the  
               information pertains) to review his or her personal  
               information that has been collected, assembled, or  
               maintained by the data broker by submitting an electronic  
               demand through a secure online system, unless the data  
               broker is required by law or authorized by statute to share  


                                                                  SB 1348
                                                                  Page  3

               information with a third party.

             b)   Conspicuously post an opt-out notice on its Internet Web  
               site, which shall include specific and easily understood  
               instructions for the subject individual to make a demand on  
               the Internet Web site that his or her personal information  
               not be shared with or sold to third parties, unless the  
               data broker is required by law or authorized by statute to  
               share information with a third party.

          2)Provides that if the subject individual makes a demand that  
            his or her personal information not be shared with or sold to  
            third parties, the data broker will cease sharing or selling  
            that information with third parties as soon as is reasonably  
            possible, and in no event later than 30 days after receipt of  
            the notice and the data broker shall thereafter retain only as  
            much personal information as is reasonably necessary to comply  
            with the subject individual's demand.  

          3)Specifies that, after receiving a removal demand from the  
            subject individual, the data broker shall not transfer the  
            subject individual's personal information to any other person  
            or entity, and any information collected by the data broker to  
            confirm the identity of the subject individual making the  
            demand shall be deleted once the identity has been confirmed  
            and the information collected shall not be used for any other  

          4)Makes it unlawful for a data broker to solicit or accept the  
            payment of a fee or other consideration to review or remove  
            personal information from the data broker's database. 

          5)Provides that, in addition to any other remedy available at  
            law, a subject individual may bring a civil action for actual  
            or statutory damages, as specified, against a person or entity  
            that violates the provisions of this bill.  

          6)Defines "data broker" to mean a commercial entity that  
            collects, assembles, or maintains personal information  
            concerning individuals residing in California who are not  
            customers or employees, or who have had no contact with that  
            entity prior to contacting the entity pursuant to the  
            provisions of this bill, for the purposes of selling or  
            offering for sale, or other consideration, the personal  
            information to a third party.   


                                                                  SB 1348
                                                                  Page  4

          7)Specifies that a "data broker" does not include any of the  

             a)   A commercial entity that sells personal information to  
               the subject individual.
             b)   A "credit reporting agency" or a "consumer credit  
               reporting agency" that is regulated by federal Fair Credit  
               Reporting Act or the state Consumer Credit Reporting  
               Agencies Act.
             c)   A commercial entity that sells or provides for sale  
               personal information to another entity that will use the  
               information pursuant to purposes permitted by the federal  
               Gramm-Leach-Bliley Act, including purposes such as identity  
               confirmation and fraud prevention. 
             d)   A person or entity enumerated in subdivision (b) of  
               Article I of the California Constitution or Section 1070 of  
               the Evidence Code that publishes or broadcasts information  
               obtained or prepared in gathering, receiving, or processing  
               of information for the purpose of communicating information  
               to the public.

          8)Defines "personal information" to mean any information that  
            identifies, relates to, describes, or is capable of being  
            associated with, a particular individual, including, but not  
            limited to, his or her name, signature, social security  
            number, physical characteristics or description, address,  
            telephone number, passport number, driver's license or state  
            identification card number, insurance policy number,  
            education, employment, employment history, bank account  
            number, credit card number, debit card number, or any other  
            financial information, medical information, or health  
            insurance information.  "Personal information" does not  
            include any information that is lawfully made available to the  
            general public from federal, state, or local government  
           EXISTING LAW  :

          1)Provides that, among other rights, all people have an  
            inalienable right to pursue and obtain privacy.  (Cal. Const.,  
            art. I, Sec. 1.)

          2)Permits a person to bring an action in tort for an invasion of  
            privacy and provides that in order to state a claim for  


                                                                  SB 1348
                                                                  Page  5

            violation of the constitutional right to privacy, a plaintiff  
            must establish the following three elements: (1) a legally  
            protected privacy interest; (2) a reasonable expectation of  
            privacy in the circumstances; and (3) conduct by the defendant  
            that constitutes a serious invasion of privacy.  (Hill v.  
            National Collegiate Athletic Assn. (1994) 7 Cal.4th 1.)   
            Recognizes four types of activities considered to be an  
            invasion of privacy giving rise to civil liability, including  
            the public disclosure of private facts.  (Id.)

          3)Permits, under the federal Gramm-Leach-Bliley Act, financial  
            institutions to share nonpublic customer information with  
            non-affiliated third parties, unless the consumer "opts out"  
            of such disclosure.  The Act requires privacy statements to be  
            disclosed by financial institutions and restricts their  
            ability to disclose non-public personal information about  
            consumers to third parties.  (15 U.S.C. Sec. 6801 et seq.)

          4)Requires an operator of a commercial Web site or online  
            service that collects personally identifiable information  
            through the Internet about individual consumers residing in  
            California who use or visit its Web site to conspicuously post  
            its privacy policy.  (Business & Professions Code Section  

          5)Requires a business with an established business relationship  
            with a customer that has, within the preceding calendar year,  
            disclosed specified personal information about the customer to  
            third parties for direct marketing purposes to, after the  
            receipt of a written request, disclose to the customer free of  
            charge the categories of personal information disclosed to  
            third parties for direct marketing purposes, the names and  
            addresses of all third parties that received the personal  
            information, and, if not reasonably discernable by the name,  
            examples of the products or services marketed by the third  
            parties.  (Civil Code Section 1798.83.)

           FISCAL EFFECT  :  As currently in print this bill is keyed  

           COMMENTS  :  By now it has become a cliché to note that "Big Data"  
          - the combination of massive amounts of data manipulated by ever  
          faster and more powerful analytical tools - is transforming our  
          world.  A seemingly breathtaking array of amazing social media,  
          mobile applications, and seemingly "free" Internet content and  


                                                                  SB 1348
                                                                  Page  6

          services are made possible, for the most part, by the  
          commodification of digital information.  Virtually every time a  
          consumer visits a website to make a purchase, book a hotel,  
          reserve a rental car, search for information, play a game,  
          communicate with loved ones, donate to a cause, or even post a  
          video of a cat playing a piano, chances are the information is  
          being collected, stored, analyzed, and eventually sold or shared  
          to third parties without many consumers being aware of that  
          background development.  

          Without question, data collection and sharing increasingly  
          drives modern commerce and improves the lives of so many in  
          immeasurable ways.  Not only does the selling and sharing of  
          personal information permit much more targeted and relevant  
          advertising, it pays for the ever-expanding wealth and breadth  
          of "free" Internet content and services that one finds online or  
          via mobile applications.  Google, for example, of course does  
          not provide users with free searches, personal e-mail accounts,  
          and detailed maps and directions as a non-profit charitable  
          enterprise, though such services are certainly helpful and  
          awe-inspiring.  In addition, "Big Data" is often reportedly used  
          for many helpful non-marketing purposes, including medical and  
          scholarly research.   

          Yet many commentators agree that "the good and the bad" often  
          are walking hand-in-hand with the evolution of the seemingly "no  
          cost" Internet.  Assembled, shared, and analyzed personal  
          information can help consumers get the targeted product and  
          service information they need or desire.  But many commentators  
          also note that this dramatically evolving "data analytics"  
          industry also poses a growing potential threat to Americans'  
          personal privacy, and it can create unprecedented opportunities  
          for identity theft and other challenges to personal space and  

          Although those who sell this amalgamated personal information to  
          third parties, generally referred to as "data brokers," are of  
          course not the only entities that collect and sell information  
          (many retailers, websites, and political campaigns and many  
          others do the same of course), the data brokers, as now narrowly  
          defined in this bill, are unique in that they are primarily in  
          the business of collecting and selling information of persons  
          with whom they have had  no  prior contact or business  
          relationship - unlike so many others who do business on the  
          Internet.  It is that much narrower group of companies upon  


                                                                  SB 1348
                                                                  Page  7

          which this measure seeks to impose relatively modest public  
          policy-based consumer protection protocols - consistent with the  
          recently published and widely-discussed report, discussed next,  
          by the Federal Trade Commission, calling for government to  
          consider this and other more substantial types of government  

           FTC's Important Data Brokers Report of Just Last Month  :  In May  
          of this year, the Federal Trade Commission (FTC) released a  
          report that discussed the results of its study of nine selected  
          major national data brokers.  (FTC, Data Brokers: A Call for  
          Transparency and Accountability, May 2014.)  The FTC report  
          noted they chose to review these particular companies because  
          "these companies generally never interact with consumers,  
          consumers are often unaware of their existence, much less the  
          variety of practices in which they engage."  (FTC, Data Brokers,  
          p. I, emphasis added.)  Drawing from its 2012 report, Protecting  
          Consumer Privacy in an Era of Rapid Change, the FTC noted that  
          there are three different categories of data brokers: (1) credit  
          reporting agencies subject to the Fair Credit Reporting Act  
          (FCRA); (2) entities that maintain data for marketing purposes;  
          and (3) non-FCRA covered entities that maintain data for  
          non-marketing purposes that fall outside of FCRA, such as  
          entities that detect fraud or locate people.  The FTC noted in  
          its earlier 2012 report that the last two categories remain  
          largely unregulated, except for the regulation of financial  
          institutions under the Gramm-Leach Bliley (GLB) Act.  

           FTC Report's Call for Legislative Action to Regulate Data  
          Brokers and Provide Consumers Reasonable Choice and Control  :  In  
          its report, the FTC called on Congress to consider enacting the  
          very type of legislation reflected by this measure.  In its  
          report, it stated in this regard that "Congress consider  
          legislation requiring data brokers to provide consumers with  
          access to their data . . . at a reasonable level of detail, and  
          the opportunity to opt out of having it shared for marketing  
          purposes." (Emphasis added.)  In order to help consumers  
          identify which data brokers may have data about them and how  
          they might exercise opt-out rights, the FTC also recommended  
          that Congress create "a centralized mechanism, such as an  
          Internet portal, where data brokers can identify themselves,  
          describe their information collection and use practices, and  
          provide links to access tools and opt outs."  (FTC, Data  
          Brokers, p. viii.)  In addition, the FTC recommended that  
          Congress consider (1) requiring data brokers to notify consumers  


                                                                  SB 1348
                                                                  Page  8

          that, not only do they collect core data, but that they use this  
          raw core data to make certain inferences, sometimes about  
          sensitive consumer preferences and characteristics; and (2)  
          requiring data brokers to disclose the sources of their data, so  
          that a consumer might know, for example, that they need not only  
          to correct information that the data broker possesses, but also  
          correct the data in the source (especially if it is a public  
          record source).  Finally, the FTC recommended that Congress  
          consider preventing a data broker from collecting or sharing of  
          certain especially sensitive information - such as health  
          information - unless it obtains the consumer's express consent  
          before collecting or sharing the information (allow a consumer  
          opt-in mechanism).

           Data Broker Industry Response to the FTC Study and One Industry  
          Leader's Courageous Decision Showing the Procedures Called for  
          by This Measure Are Not" Pie in the Sky" And Appear to Be Quite  
          Doable  :  Shortly after the FTC began its study, the data broker  
          company Acxiom - one of the nine data brokers studied by the FTC  
          - voluntarily decided to take the lead in consumer protection by  
          arming consumers with greater say over the use of their personal  
          information.  Acxiom developed a new website, called  
          ""  This website allows any person to access  
          the modeled profiles - and some of the core data - that Acxiom  
          states it provides to its clients.  Unlike the more modest  
          approach taken in this bill, however Acxiom voluntarily allows  
          the individual to correct any information.  According to  
          information provided by Acxiom to the Committee, about 500,000  
          people have visited the website, and of that number only about  
          2% have actually requested that Acxiom not share information for  
          marketing purposes. 

          Thus claims by some opponents of this measure that the measure  
          unreasonably or impractically calls for business protocols that  
          are either too difficult or expensive to undertake to vest  
          consumers with some control over their personal data, appear to  
          be refuted by this industry leader's own voluntary consumer  
          protection actions.  Nor does this company's reported "2% opt  
          out" experience suggest, to say the least, that many consumers  
          will flood companies with requests to "opt out" of the selling  
          of their personal information, threatening the basic advertising  
          model of the Internet. 

           Very Limited Congressional Action To Date - The Rockefeller  
          Bill  :  Not just due to the report's recent publication of  


                                                                  SB 1348
                                                                  Page  9

          course, so far Congress has done little to implement the FTC's  
          recommendations.  Senator Jay Rockefeller's pending "Data Broker  
          Accountability and Transparency Act" (S. 2025, 113th Congress,  
          2d Session) takes up one small component of the FTC  
          recommendations: requiring data brokers, as defined, to permit  
          consumers to review their data, make corrections and prevent  
          data brokers from sharing that data for marketing purposes.   
          Rockefellers S.2025 defines "data broker" to mean "a commercial  
          entity that collects, assembles, or maintains personal  
          information concerning an individual who is not a customer or  
          employee of that entity in order to sell the information or  
          provide third party access to the information."  Subject to  
          certain exceptions, S.2025 requires a data broker to provide a  
          means by which an individual may review information that  
          pertains to him or her; request that the data broker correct  
          inaccurate information, if, depending on the nature of the  
          information, the accuracy can be verified; and permit the  
          individual to request that the data broker not use his or her  
          information for marketing purposes.  These provisions can be  
          enforced by the FTC, by the several state attorneys general, or  
          by a civil action brought by a public official or agency of a  
          state on behalf of the people of the state.  

          At the time of this writing, S.2025 is still pending and the  
          recent history of all data privacy bills introduced in Congress  
          suggests that the bill will not be enacted any time soon.  This  
          bill, like the FTC's more recent 2014 report, clearly seeks to  
          take up the FTC's call to action and attempts to address the  
          likely inability of Congress to act - and the potential ability  
          of states like California to fill this glaring consumer  
          protection void.  

           This Measure's Greatly Narrowed Definition of "Data Broker" As  
          Recently Amended  :  Although Internet websites and retailers  
          collect, share, and sell consumer's personal information to  
          varying degrees, this bill, as amended, nevertheless seeks to  
          narrowly limit its definition of data brokers to only those  
          entities studied in the FTC report, namely those relatively few  
          companies primarily engaged in the business of collecting,  
                                                             analyzing, and selling the personal information of persons with  
          whom the data broker has had no prior contact or relationship.   
          A data broker, as now narrowly defined by this bill, collects  
          information about an individual from a wide variety of sources -  
          public records, retailers, subscription lists, and information  
          collected through the Internet Web sites of other persons or  


                                                                  SB 1348
                                                                  Page  10

          entities - but it does so, as the FTC's recent study shows,  
          without having any contact or business relationship with that  

           Why Not All Internet Sites That Sell Consumer Information Are  
          Covered  :  As noted, the principal rationale for allowing the  
          "subject individual" - the person to whom the information refers  
          -- to review and prohibit sharing by the data broker, as  
          narrowly defined, is that the subject individual has typically  
          never interacted with the data broker and never had any  
          opportunity to opt-out of data collection and sharing.  In  
          contrast, as the FTC study recently noted, an Internet Web site,  
          as noted above, may also collect and sell a user's personal  
          information -- but at least that collection and sharing was  
          initiated (even if most often potentially unwittingly) by an  
          affirmative act of the Web site user.  The website's user at  
          least had the opportunity to consult the mandatory privacy  
          policy - required by California's Online Privacy Act - to try to  
          get at least a general sense of the website's collection,  
          sharing, and marketing policies (though such policies are  
          admittedly often hundreds of words long, and are too often  
          impenetrable to comprehend, even by those who attended law  

          With websites that consumers interact with directly, if the user  
          is potentially uncomfortable with how his or her data will be  
          used, and if the website offers no "opt-out" option for the user  
          to say "don't share my data," then at least the user can, as a  
          last resort, choose to not use that website anymore.  But key to  
          this proposal, a data broker that has no prior direct contact  
          with the subject individual does not offer these very limited  
          options.  Indeed, almost by definition the consumer has no idea  
          that his or her data is being sold or shared to that entity.  It  
          is therefore critical to understand the narrowness of this  
          definition, for contrary to the claims of some of the opponents  
          of this measure, this bill would not apply to private or public  
          websites that collect information directly from the users of  
          their websites, because in those situations the subject  
          individual has made direct contact with the website, whether as  
          a customer or merely a non-purchasing visitor to the website.

           Affirmative Effort to Avoid Any Possible Federal Preemption and  
          Limit Bill's Reach  :  To avoid any preemption issues, this bill,  
          as recently amended, wisely exempts from its definition of "data  
          broker" any entity insofar as its activities are already  


                                                                  SB 1348
                                                                  Page  11

          regulated by FCRA or GLB.  (It also exempts consumer credit  
          reporting agencies regulated under the California Consumer  
          Credit Reporting Agencies Act.)  

           How This Narrow Bill Differs from Congressional Legislation and  
          Industry Self-Regulation  :  While the requirements of this bill  
          are similar to the pending federal legislation by Senator  
          Rockefeller and the practices of at least the one major data  
          broker noted above, it nonetheless differs in some significant  
          ways - in some ways providing more consumer protection, in some  
          ways arguably providing less.  Below are a few of the more  
          significant similarities and differences: 

            This Bill Allows Consumers To Review Information and Request  
            That It Not Be Shared  :  Most substantively, this bill, as  
            recently amended, would require a data broker, as defined, to  
            permit the subject individual to (1) review the information  
            that the data broker holds about him or her; and (2) demand  
            that the data broker cease sharing his or her information with  
            third parties.  The bill does not, it should be stressed,  
            prevent data brokers from engaging in the business of  
            collecting, assembling, and selling personal information for  
            profit.  The bill simply says that if a person requests that  
            the data broker cease sharing that information - and if the  
            data broker is not otherwise required or expressly authorized  
            by law to share the information - then the data broker must  
            honor that request as to that single individual.  If the  
            reported Acxiom experience is any indication, only a fraction  
            of the people about whom data brokers possess information will  
            ever request to see their information, and only a minute  
            percent of that limited subset will request that the data  
            broker cease sharing his or her personal information.  

            This Bill Does Not Allow a Consumer to Correct Information  :   
            Both the federal bill (if enacted) and Acxiom permit the  
            subject individual to correct information that may be  
            inaccurate.  The author states he has decided to not include  
            this requirement in the bill because it would introduce  
            practical difficulties concerning just what a data broker must  
            precisely do in order to confirm the accuracy of the subject  
            individual's claim.  Opting for the virtues of simplicity,  
            this bill avoids the need to establish standards and criteria  
            of proof and does not seek to impose any burden on data  
            brokers to investigate the accuracy of data or the  
            individual's claim that the data is inaccurate.  A subject  


                                                                  SB 1348
                                                                  Page  12

            individual may just see what information the data broker  
            shares with third parties and request that the information not  
            be shared at all, whether it is accurate or not. 

            Definition of "Data Broker" More Consistent with FTC Report  
            Than the Federal Bill  :  This bill also provides an arguably  
            clearer definition of "data broker" than the federal  
            legislation.  As noted above, the defining characteristic of a  
            "data broker," for purposes of the FTC study, was that the  
            data broker collected and sold personal information about an  
            individual with whom the data broker had no necessary  
            relationship.  The federal legislation defines a data broker  
            as a commercial entity that collects, maintains, and sells  
            information about an individual "who is not a customer or  
            employee of that entity."  However, what defines a data  
            broker, as used in the FTC report, is not merely that the  
            subject individual is not a "customer or employee" of the data  
            broker, but that subject individual has not had any contact  
            with the data broker, whether as a "customer" or not.  This  
            bill, therefore, appears to provide a very precise - and much  
            more limited -- definition: a data broker is a commercial  
            entity that collects, maintains, and sells personal  
            information about a subject individual who is not a customer  
            or employee of the entity, "or who has not contacted that  
            entity prior to reviewing his or her information or demanding  
            that information not be shared" pursuant to the provisions of  
            this bill.   

            This Bill Is Not Restricted to Sharing for "Marketing  
            Purposes  :" Both Senator Rockefeller's bill and Acxiom's  
            voluntary policy only permits the individual to opt out of the  
            sharing of data for "marketing" purposes.  In other words,  
            neither the federal bill nor Acxiom's practice currently allow  
            the person to opt out of the "risk mitigation" or "people  
            search" products discussed above.  This bill is not as limited  
            and would allow an individual to opt out of these other  
            products as well if they so choose.

           Bill Does Not Appear, as the Opposition Claims, to Prohibit Any  
          Particular Technology or Business Practice:   Some opponents  
          argue that the bill targets a particular technology instead of  
          targeting bad behavior.  Digitized information is not inherently  
          bad, the opposition contends, even though "the actions that  
          people take using information may be inappropriate if not in  
          some cases unlawful."  According to the opposition coalition,  


                                                                  SB 1348
                                                                  Page  13

          "the lawful gathering of information serves a multitude of  
          purposes.  Many state and local government and law enforcement  
          agencies use these services to fight fraud in eligibility  
          determinations for benefits, locate deadbeat parents, find  
          missing children, find witnesses, etc.  Business and government  
          both use these services to help verify job histories,  
          eligibility for loans, and find individuals who deliberately try  
          to avoid paying bills that they owe."  The opponents contend  
          that it "would be more effective to look for remedies that  
          address the bad behavior of individuals rather than impose  
          unreasonable restrictions on technologies that serve a useful  

          However, contrary to what is implied by this opposition  
          statement, this bill does not seek to ban a particular  
          technology, nor does it aim to prohibit data brokers from doing  
          what they currently do: collect personal information from a wide  
          variety of sources and sell it to others for marketing and other  
          purposes.  The bill simply says that consumers have the right to  
          find out what kinds of information a data broker possesses and,  
          having determined that, to demand that it not be shared with  
          third parties if that is the individual consumer's personal  

          To be sure, if every consumer contacted a data broker to demand  
          that it cease sharing or selling the consumer's personal  
          information, then that data broker, to the extent that its  
          business model depended upon selling such information, might  
          have to dramatically adjust its business model due to consumer  
          demands.  But, as Acxiom has discovered, only a minute  
          percentage of individuals for whom they collect data actually  
          appear likely to seek to have their personal data protected and  
          stop being sold to others.  Thus the author notes this bill  
          should not affect the data broker industry any more than  
          Acxiom's self-imposed policy has affected its business.  Most  
          consumers will apparently choose not to visit the site.  If  
          Acxiom's experience is typical, only a small proportion of those  
          that do will ask the data broker to stop sharing the  

          Moreover, the author notes that punishing bad behavior does not  
          necessarily preclude the possibility of permitting an individual  
          to take proactive steps to prevent the sharing and long-term  
          retention of their personal information.  Persons who may  
          believe, for any number of reasons, that they are particularly  


                                                                  SB 1348
                                                                  Page  14

          at risk of harm if personal information is disclosed to the  
          wrong person will be able to avoid the time, cost, and stress of  
          a criminal or civil action by taking steps that reduce the  
          probability of harm occurring in the first place. 

           Bill Does Not, As Some Opponents Appear to Claim, Prohibit Data  
          Brokers From Sharing Critical Information  :  The opposition  
          coalition also contends that this bill "curbs the exchange of  
          critical information" between "government agencies, law  
          enforcement, non-profit organizations, and businesses that  
          currently utilize this information."  Specifically, opponents  
          claim that interrupting the flow of this information will  
          prevent these organizations from performing a variety of  
          critical functions, such as helping law enforcement locate  
          missing children, fugitives, witnesses, and organ donors;  
          administering public benefits and verifying applicant  
          eligibility; notifying customers of product recalls; and  
          improving disaster response through the cross-matched data  

          However, this bill does not appear to prevent any of these  
          organizations from doing any of these things.  First, the bill  
          expressly exempts any sharing of data that is required or  
          authorized by law.  For example, existing law already authorize  
          an automobile manufacturer, or its agent, to share confidential  
          customer information for the purposes of notifying consumers in  
          the event of a recall.  This bill, as recently amended, also  
          expressly states that an entity is not prohibited from sharing  
          any information that is required by law, or expressly authorized  
          by statute, to share.  

          Second, this bill does not prohibit data brokers from doing any  
          of the things that they currently do.  This bill simply says  
          that, unless sharing is otherwise required or authorized by law,  
          that an individual may demand that a data broker - as narrowly  
          defined to be an entity whom the individual has had no prior  
          contact - not share his or her information.  If law enforcement  
          needed to obtain information it could obtain a court order or  
          warrant to do so regardless of this measure.  

          Finally, as to the opposition's claim that this bill would allow  
          a "fraudster" or "criminal" to conceal his or her activities, if  
          this is true, it is also true of industry leader Acxiom's  
          voluntary policy of allowing individuals to correct information  
          without providing any evidence that the information is  


                                                                  SB 1348
                                                                  Page  15

          incorrect.  This bill, however, does not allow a person to  
          correct or alter this information.  It simply says that the data  
          broker, if requested by the individual, cannot share the  
          information unless it is required or authorized by law to do so.  
           Finally, it is worth noting that the California Police Chief's  
          Association support this latest more narrow version of the bill,  
          and no law enforcement agencies are opposed to it. 

           Newspaper Concerns Addressed by Recent Amendments  :  The  
          California Newspaper Publishers Association initially opposed  
          this bill and expressed its concerns that the bill could  
          conceivably allow a person who was the subject of a newspaper  
          article or other published piece to demand that any personal  
          information about them be removed, or that such a person could  
          demand to review the information that was gathered about that  
          person, thereby violating both statutory and constitutional  
          protections afforded to the press.  It does not appear that a  
          newspaper publisher, whether paper or online, would ever be  
          construed as a "data broker" under this bill's narrow  
          definition.  While a newspaper is a commercial entity that  
          collects information, it does not sell that information.  While  
          it may sell the newspaper that contains an article that contains  
          personal information, the newspaper does not sell the personal  
          information as such.  Nonetheless, given the high value that  
          California places upon freedom of the press, the author agreed  
          to an amendment that now clarifies that publishers, editors,  
          reporters, or others who are employed by a newspaper, magazine,  
          or other publication, or by a television or radio statute, are  
          not "data brokers" within the meaning of this bill. 

           Notwithstanding Some Opponents' Assertions, IMS Health v.  
          Sorrell Does Not Appear to Be Applicable  :  Some opponents also  
          contend that the measure is likely unconstitutional, citing the  
          United States Supreme Court decision, IMS Health v. Sorrell  
          (2011) 131 S. Ct. 2653.  That case involved a 2007 Vermont law  
          that banned the sale, transmission or use of  
          prescriber-identifiable data (''PI data'') for marketing or  
          promoting a prescription drug without the consent of the  
          prescriber.  The law also prohibited the sale, license or  
          exchange for value of PI data for marketing or promoting a  
          prescription drug.  Three companies, including IMS Health, that  
          collect and sell such data and a trade group for pharmaceutical  
          manufacturers challenged the law. The U.S. Court of Appeals for  
          the 2nd Circuit struck down the measure, holding that it  
          violated the First Amendment because it restricts the speech  


                                                                  SB 1348
                                                                  Page  16

          rights of the companies without directly advancing legitimate  
          state interests.  The U.S. Supreme Court agreed, holding by a  
          6-3 vote that the Vermont law was a content-based restriction  
          that infringed upon the companies' commercial speech rights.   
          However, as already noted, this bill does not, like the Vermont  
          law, ban the sale, transmission, or use of personal data.  It  
          merely prohibits the data broker from sharing the information of  
          a single individual if that individual requests that his or her  
          information not be shared in the future once a secure and formal  
          request is received from that individual.  In short, the IMS  
          Health ruling would not appear to render this bill  
          unconstitutional in any way; and at any rate, such a suggested  
          approach has not yet been tested in the courts. 

           ARGUMENTS IN SUPPORT  :  Privacy Rights Clearinghouse (PRC) argues  
          that "SB 1348 will help protect Californians from the largely  
          unregulated practices of online data brokers.  In doing so," PRC  
          believes, "it will enable consumers to take better control over  
          how their personal information is disseminated online, thereby  
          helping to protect Californians from identity theft, stalking,  
          and other invasions of their privacy."  PRC notes that, over the  
          past several years, it has been contacted by "hundreds of  
          consumers" expressing their concerns about data brokers.  These  
          businesses are "particularly troublesome for victims of stalking  
          or domestic violence, law enforcement and court personnel, and  
          victims of identity theft."  The American Civil Liberties Union  
          supports this bill for substantially the same reasons. 

          This bill is also supported by the California Police Chief's  
          Association (CPCA), noting that data brokers can be  
          "particularly troublesome for victims of stalking or domestic  
          violence, law enforcement and court personnel, and victims of  
          identity theft."  CPCA believes that SB 1348 will protect  
          Californians from the "largely unregulated practices" of data  
          brokers by enabling them to "take better control over how their  
          personal information is disseminated." 

           ARGUMENTS IN OPPOSITION  :  A broad coalition of businesses and  
          associations representing the data management, marketing, and  
          retail industries, among others, opposes this bill for several  
          reasons.  In general, as noted above, opponents argue that this  
          bill will have a chilling effect on the fluid exchange of  
          critical information, pointing out that government agencies, law  
          enforcement, non-profit organizations, and businesses all use  
          information collected by data brokers for a variety of important  


                                                                  SB 1348
                                                                 Page  17

          reasons: locating individuals, including missing children,  
          fugitives, witnesses, debtors, organ donors, and parents seeking  
          to avoid child support obligations.  Opponents note, too, that  
          this information is sometimes needed to administer public  
          benefits, notify consumers about product recalls, or improve  
          disaster response through the use of cross-matched data. 

          Opponents also contend that the bill has an "overly broad and  
          vague" definition of "data broker" that will "likely capture  
          much of the online business community and, at a minimum, result  
          in extensive litigation to determine who is and who is not a  
          'data broker.'"  Opponents similarly contend that the definition  
          of "personal information" is also too vague and will provide  
          businesses "with little guidance to delineate between personal  
          and non-personal information for purposes of complying with the  
          law.  SB 1348 exposes businesses to both unnecessary litigation  
          and liability while courts wrestle with this definition." 

          In addition to these general concerns, opponents assert that  
          this bill will create a number of practical problems of  
          implementation.  For example, they claim that much of the  
          information in their databases is anonymous and not readily  
          associated with the requester's name, thus the bill would  
          require "dredging through dormant data and re-identifying all  
          information that could potentially fit within the vague  
          definition of personal information."  (However, it should be  
          noted in this regard based on the real-life experience of  
          several Judiciary Committee counsel who personally visited  
          Acxiom's website,, Acxiom produces the  
          consumer's profile within seconds, apparently having no  
          difficulty whatsoever in "dredging through dormant data.") 

          Opponents also point out that it will be difficult if not  
          impossible for data brokers to "permanently remove" all of the  
          requester's personal information, for the "the Internet is a  
          constant exchange of information amongst websites. It would be  
          nearly impossible to completely halt this fluid information  
          exchange, much less to do so within 10 days of the request."  
          [NOTE: As recently amended the response time is increased to 30  
          days.]  "Simply put," opponents conclude, "the requirements of  
          SB 1348 are out of step with technological realities and are  

          Finally, opponents' coalition letter raise a number of other  
          objections: that the bill is unconstitutional in light of IMS  


                                                                  SB 1348
                                                                  Page  18

          Health v. Sorrell (see discussion above); and that a number of  
          existing state and federal laws, including FCRA, GLB, HIPAA, and  
          the California Online Privacy Protection Act, already govern  
          data collection and sharing.  

          The Data Marketing Association (DMA), a member of the coalition  
          noted above who also writes separately, claims that this bill  
          will be counterproductive in that it will actually "expose an  
          individual's personal information to fraudsters . . . and  
          imposters posting as the subject individual."  Overall, DMA  
          asserts that this bill will impede "the responsible use of  
          marketing data that is vital to small business and nonprofit  
          organizations and is a crucial component of the California  
          economy and the source of tens of thousands of jobs."  Online  
          advertising, DMA maintains, "is essential to today's small  
          businesses and California's information economy" and supports "a  
                                                                                   wide variety of services that are available to consumers for  
          free or at a low cost and helps small businesses succeed against  
          larger competitors."  Finally DMA notes that it has already  
          developed guidelines and self-regulatory standards that give  
          consumers a voice in how their data is used and the kinds of  
          advertisements that they receive.  

          Alameda County District Attorney Nancy O'Malley
          American Civil Liberties Union
          California Police Chief's Association
          Consumer Federation of California
          Correctional Peace Officers Association
          Privacy Rights Clearinghouse 

          California Association of Licensed Investigators 
          California Chamber of Commerce
          California Restaurant Association 
          Consumer Data Industry Association
          Direct Marketing Association 
          Internet Coalition 
          Personal Insurance Federation of California 
          Reed Elsevier


                                                                  SB 1348
                                                                  Page  19

          The Internet Association 
          Software & Information Industry Association 
          State Privacy and Security Coalition  

           Analysis Prepared by  :  Thomas Clark and Drew Liebert / JUD. /  
          (916) 319-2334