BILL ANALYSIS �Ó
SB 1348
Page 1
Date of Hearing: June 24, 2014
ASSEMBLY COMMITTEE ON JUDICIARY
Bob Wieckowski, Chair
SB 1348 (DeSaulnier) - As Amended: June 23, 2014
SENATE VOTE : 24-8
SUBJECT : Data Brokers: FUTURE sale of personal information to
third parties
KEY ISSUE : Should californians GENERALLY be permitted to review
the personal information that a data broker, as narrowly
defined, holds about them, and SIMPLY HAVE THE OPTION TO REQUEST
that the data broker NO LONGER sell or share their personal
information IN THE FUTURE if they SO request?
SYNOPSIS
This bill, as recently substantially narrowed, would allow an
individual to learn what personal information a data broker, as
narrowly defined, holds about him or her and to request that the
data broker no longer sell or share his or her information. At
least one of the major data brokers - Acxiom - has stated and
advertised that they already not only allow individuals to
access personal information possessed by the data broker, but
they go further and allow the requesting individual to correct
and prevent the sharing of their personal information in the
future, suggesting, contrary to claims by the bill's opponents,
that this is not only technically feasible, but also a likely
industry best practice as well. Although the term "data broker"
is sometimes loosely used to describe any entity that collects
and then shares or sells a consumer's personal data, this bill
now as amended adopts a narrower definition essentially used by
the Federal Trade Commission (FTC) in its recent studies and
reports. For purposes of this bill, a data broker is a
commercial entity that collects, assembles, and sells personal
information of persons who have had no prior direct contact with
the data broker, whether as user, customer, employee, or any
other capacity. Under FTC usage, it is this lack of prior
contact that defines a "data broker," and narrowly targets
specific companies from other entities - such as online and
offline retailers, or operators of Internet Web sites or online
services. That is, a data broker collects an individual's
person information from a variety of other sources - public
�
SB 1348
Page 2
records, retailers, surveys, Internet Web sites, etc. - but not
from the individual to whom the personal information pertains
(i.e. the "subject individual" in the language of this bill.)
The rationale for this distinction is clear: the user of an
Internet Web site takes an affirmative step in using the site,
and can read the privacy policy (if they so choose), ideally
learn what information is collected and how it is used, and
exercise any available opt-outs or, as a last resort, stop using
the Web site to halt the sharing of their personal information.
However none of this is true of a third party entity that
collects personal information about people from other entities
that have had no contact or relationship with that entity. The
bill also limits its definition of "personal information" to
exclude any information that could be obtained from public
records. Finally, the bill exempts credit reporting and
financial entities whose data collection and sharing practices
are already regulated by state and federal law, exempts an
entity if the requirements of this bill would interfere with the
entity's requirements or authorizations under existing law, and
exempts media organizations engaged in the news reporting
process protected under the 1st Amendment.
The bill is supported by privacy rights organizations and the
California Police Chiefs Association. It is opposed by a
coalition of business, retail, and high-tech industry groups.
Should it pass this Committee, it will face a second bite at the
proverbial legislative apple in the Assembly Arts,
Entertainment, Sports, Tourism and Internet Media Committee.
SUMMARY : Requires a data broker, as narrowly defined, to permit
an individual to review the personal information that the data
broker holds about them and to request that the data broker
cease selling, or otherwise sharing, that personal information
to third parties, except as specifically allowed. Specifically,
this bill :
1)Requires a data broker, as narrowly defined, that sells or
offers for sale the personal information of any resident of
California to a third party to do both of the following:
a) Permit a "subject individual" (the person to whom the
information pertains) to review his or her personal
information that has been collected, assembled, or
maintained by the data broker by submitting an electronic
demand through a secure online system, unless the data
broker is required by law or authorized by statute to share
�
SB 1348
Page 3
information with a third party.
b) Conspicuously post an opt-out notice on its Internet Web
site, which shall include specific and easily understood
instructions for the subject individual to make a demand on
the Internet Web site that his or her personal information
not be shared with or sold to third parties, unless the
data broker is required by law or authorized by statute to
share information with a third party.
2)Provides that if the subject individual makes a demand that
his or her personal information not be shared with or sold to
third parties, the data broker will cease sharing or selling
that information with third parties as soon as is reasonably
possible, and in no event later than 30 days after receipt of
the notice and the data broker shall thereafter retain only as
much personal information as is reasonably necessary to comply
with the subject individual's demand.
3)Specifies that, after receiving a removal demand from the
subject individual, the data broker shall not transfer the
subject individual's personal information to any other person
or entity, and any information collected by the data broker to
confirm the identity of the subject individual making the
demand shall be deleted once the identity has been confirmed
and the information collected shall not be used for any other
purpose.
4)Makes it unlawful for a data broker to solicit or accept the
payment of a fee or other consideration to review or remove
personal information from the data broker's database.
5)Provides that, in addition to any other remedy available at
law, a subject individual may bring a civil action for actual
or statutory damages, as specified, against a person or entity
that violates the provisions of this bill.
6)Defines "data broker" to mean a commercial entity that
collects, assembles, or maintains personal information
concerning individuals residing in California who are not
customers or employees, or who have had no contact with that
entity prior to contacting the entity pursuant to the
provisions of this bill, for the purposes of selling or
offering for sale, or other consideration, the personal
information to a third party.
�
SB 1348
Page 4
7)Specifies that a "data broker" does not include any of the
following:
a) A commercial entity that sells personal information to
the subject individual.
b) A "credit reporting agency" or a "consumer credit
reporting agency" that is regulated by federal Fair Credit
Reporting Act or the state Consumer Credit Reporting
Agencies Act.
c) A commercial entity that sells or provides for sale
personal information to another entity that will use the
information pursuant to purposes permitted by the federal
Gramm-Leach-Bliley Act, including purposes such as identity
confirmation and fraud prevention.
d) A person or entity enumerated in subdivision (b) of
Article I of the California Constitution or Section 1070 of
the Evidence Code that publishes or broadcasts information
obtained or prepared in gathering, receiving, or processing
of information for the purpose of communicating information
to the public.
8)Defines "personal information" to mean any information that
identifies, relates to, describes, or is capable of being
associated with, a particular individual, including, but not
limited to, his or her name, signature, social security
number, physical characteristics or description, address,
telephone number, passport number, driver's license or state
identification card number, insurance policy number,
education, employment, employment history, bank account
number, credit card number, debit card number, or any other
financial information, medical information, or health
insurance information. "Personal information" does not
include any information that is lawfully made available to the
general public from federal, state, or local government
records.
EXISTING LAW :
1)Provides that, among other rights, all people have an
inalienable right to pursue and obtain privacy. (Cal. Const.,
art. I, Sec. 1.)
2)Permits a person to bring an action in tort for an invasion of
privacy and provides that in order to state a claim for
�
SB 1348
Page 5
violation of the constitutional right to privacy, a plaintiff
must establish the following three elements: (1) a legally
protected privacy interest; (2) a reasonable expectation of
privacy in the circumstances; and (3) conduct by the defendant
that constitutes a serious invasion of privacy. (Hill v.
National Collegiate Athletic Assn. (1994) 7 Cal.4th 1.)
Recognizes four types of activities considered to be an
invasion of privacy giving rise to civil liability, including
the public disclosure of private facts. (Id.)
3)Permits, under the federal Gramm-Leach-Bliley Act, financial
institutions to share nonpublic customer information with
non-affiliated third parties, unless the consumer "opts out"
of such disclosure. The Act requires privacy statements to be
disclosed by financial institutions and restricts their
ability to disclose non-public personal information about
consumers to third parties. (15 U.S.C. Sec. 6801 et seq.)
4)Requires an operator of a commercial Web site or online
service that collects personally identifiable information
through the Internet about individual consumers residing in
California who use or visit its Web site to conspicuously post
its privacy policy. (Business & Professions Code Section
22575.)
5)Requires a business with an established business relationship
with a customer that has, within the preceding calendar year,
disclosed specified personal information about the customer to
third parties for direct marketing purposes to, after the
receipt of a written request, disclose to the customer free of
charge the categories of personal information disclosed to
third parties for direct marketing purposes, the names and
addresses of all third parties that received the personal
information, and, if not reasonably discernable by the name,
examples of the products or services marketed by the third
parties. (Civil Code Section 1798.83.)
FISCAL EFFECT : As currently in print this bill is keyed
non-fiscal.
COMMENTS : By now it has become a cliché to note that "Big Data"
- the combination of massive amounts of data manipulated by ever
faster and more powerful analytical tools - is transforming our
world. A seemingly breathtaking array of amazing social media,
mobile applications, and seemingly "free" Internet content and
�
SB 1348
Page 6
services are made possible, for the most part, by the
commodification of digital information. Virtually every time a
consumer visits a website to make a purchase, book a hotel,
reserve a rental car, search for information, play a game,
communicate with loved ones, donate to a cause, or even post a
video of a cat playing a piano, chances are the information is
being collected, stored, analyzed, and eventually sold or shared
to third parties without many consumers being aware of that
background development.
Without question, data collection and sharing increasingly
drives modern commerce and improves the lives of so many in
immeasurable ways. Not only does the selling and sharing of
personal information permit much more targeted and relevant
advertising, it pays for the ever-expanding wealth and breadth
of "free" Internet content and services that one finds online or
via mobile applications. Google, for example, of course does
not provide users with free searches, personal e-mail accounts,
and detailed maps and directions as a non-profit charitable
enterprise, though such services are certainly helpful and
awe-inspiring. In addition, "Big Data" is often reportedly used
for many helpful non-marketing purposes, including medical and
scholarly research.
Yet many commentators agree that "the good and the bad" often
are walking hand-in-hand with the evolution of the seemingly "no
cost" Internet. Assembled, shared, and analyzed personal
information can help consumers get the targeted product and
service information they need or desire. But many commentators
also note that this dramatically evolving "data analytics"
industry also poses a growing potential threat to Americans'
personal privacy, and it can create unprecedented opportunities
for identity theft and other challenges to personal space and
privacy.
Although those who sell this amalgamated personal information to
third parties, generally referred to as "data brokers," are of
course not the only entities that collect and sell information
(many retailers, websites, and political campaigns and many
others do the same of course), the data brokers, as now narrowly
defined in this bill, are unique in that they are primarily in
the business of collecting and selling information of persons
with whom they have had no prior contact or business
relationship - unlike so many others who do business on the
Internet. It is that much narrower group of companies upon
�
SB 1348
Page 7
which this measure seeks to impose relatively modest public
policy-based consumer protection protocols - consistent with the
recently published and widely-discussed report, discussed next,
by the Federal Trade Commission, calling for government to
consider this and other more substantial types of government
action.
FTC's Important Data Brokers Report of Just Last Month : In May
of this year, the Federal Trade Commission (FTC) released a
report that discussed the results of its study of nine selected
major national data brokers. (FTC, Data Brokers: A Call for
Transparency and Accountability, May 2014.) The FTC report
noted they chose to review these particular companies because
"these companies generally never interact with consumers,
consumers are often unaware of their existence, much less the
variety of practices in which they engage." (FTC, Data Brokers,
p. I, emphasis added.) Drawing from its 2012 report, Protecting
Consumer Privacy in an Era of Rapid Change, the FTC noted that
there are three different categories of data brokers: (1) credit
reporting agencies subject to the Fair Credit Reporting Act
(FCRA); (2) entities that maintain data for marketing purposes;
and (3) non-FCRA covered entities that maintain data for
non-marketing purposes that fall outside of FCRA, such as
entities that detect fraud or locate people. The FTC noted in
its earlier 2012 report that the last two categories remain
largely unregulated, except for the regulation of financial
institutions under the Gramm-Leach Bliley (GLB) Act.
FTC Report's Call for Legislative Action to Regulate Data
Brokers and Provide Consumers Reasonable Choice and Control : In
its report, the FTC called on Congress to consider enacting the
very type of legislation reflected by this measure. In its
report, it stated in this regard that "Congress consider
legislation requiring data brokers to provide consumers with
access to their data . . . at a reasonable level of detail, and
the opportunity to opt out of having it shared for marketing
purposes." (Emphasis added.) In order to help consumers
identify which data brokers may have data about them and how
they might exercise opt-out rights, the FTC also recommended
that Congress create "a centralized mechanism, such as an
Internet portal, where data brokers can identify themselves,
describe their information collection and use practices, and
provide links to access tools and opt outs." (FTC, Data
Brokers, p. viii.) In addition, the FTC recommended that
Congress consider (1) requiring data brokers to notify consumers
�
SB 1348
Page 8
that, not only do they collect core data, but that they use this
raw core data to make certain inferences, sometimes about
sensitive consumer preferences and characteristics; and (2)
requiring data brokers to disclose the sources of their data, so
that a consumer might know, for example, that they need not only
to correct information that the data broker possesses, but also
correct the data in the source (especially if it is a public
record source). Finally, the FTC recommended that Congress
consider preventing a data broker from collecting or sharing of
certain especially sensitive information - such as health
information - unless it obtains the consumer's express consent
before collecting or sharing the information (allow a consumer
opt-in mechanism).
Data Broker Industry Response to the FTC Study and One Industry
Leader's Courageous Decision Showing the Procedures Called for
by This Measure Are Not" Pie in the Sky" And Appear to Be Quite
Doable : Shortly after the FTC began its study, the data broker
company Acxiom - one of the nine data brokers studied by the FTC
- voluntarily decided to take the lead in consumer protection by
arming consumers with greater say over the use of their personal
information. Acxiom developed a new website, called
"AboutTheData.com." This website allows any person to access
the modeled profiles - and some of the core data - that Acxiom
states it provides to its clients. Unlike the more modest
approach taken in this bill, however Acxiom voluntarily allows
the individual to correct any information. According to
information provided by Acxiom to the Committee, about 500,000
people have visited the website, and of that number only about
2% have actually requested that Acxiom not share information for
marketing purposes.
Thus claims by some opponents of this measure that the measure
unreasonably or impractically calls for business protocols that
are either too difficult or expensive to undertake to vest
consumers with some control over their personal data, appear to
be refuted by this industry leader's own voluntary consumer
protection actions. Nor does this company's reported "2% opt
out" experience suggest, to say the least, that many consumers
will flood companies with requests to "opt out" of the selling
of their personal information, threatening the basic advertising
model of the Internet.
Very Limited Congressional Action To Date - The Rockefeller
Bill : Not just due to the report's recent publication of
�
SB 1348
Page 9
course, so far Congress has done little to implement the FTC's
recommendations. Senator Jay Rockefeller's pending "Data Broker
Accountability and Transparency Act" (S. 2025, 113th Congress,
2d Session) takes up one small component of the FTC
recommendations: requiring data brokers, as defined, to permit
consumers to review their data, make corrections and prevent
data brokers from sharing that data for marketing purposes.
Rockefellers S.2025 defines "data broker" to mean "a commercial
entity that collects, assembles, or maintains personal
information concerning an individual who is not a customer or
employee of that entity in order to sell the information or
provide third party access to the information." Subject to
certain exceptions, S.2025 requires a data broker to provide a
means by which an individual may review information that
pertains to him or her; request that the data broker correct
inaccurate information, if, depending on the nature of the
information, the accuracy can be verified; and permit the
individual to request that the data broker not use his or her
information for marketing purposes. These provisions can be
enforced by the FTC, by the several state attorneys general, or
by a civil action brought by a public official or agency of a
state on behalf of the people of the state.
At the time of this writing, S.2025 is still pending and the
recent history of all data privacy bills introduced in Congress
suggests that the bill will not be enacted any time soon. This
bill, like the FTC's more recent 2014 report, clearly seeks to
take up the FTC's call to action and attempts to address the
likely inability of Congress to act - and the potential ability
of states like California to fill this glaring consumer
protection void.
This Measure's Greatly Narrowed Definition of "Data Broker" As
Recently Amended : Although Internet websites and retailers
collect, share, and sell consumer's personal information to
varying degrees, this bill, as amended, nevertheless seeks to
narrowly limit its definition of data brokers to only those
entities studied in the FTC report, namely those relatively few
companies primarily engaged in the business of collecting,
analyzing, and selling the personal information of persons with
whom the data broker has had no prior contact or relationship.
A data broker, as now narrowly defined by this bill, collects
information about an individual from a wide variety of sources -
public records, retailers, subscription lists, and information
collected through the Internet Web sites of other persons or
�
SB 1348
Page 10
entities - but it does so, as the FTC's recent study shows,
without having any contact or business relationship with that
individual.
Why Not All Internet Sites That Sell Consumer Information Are
Covered : As noted, the principal rationale for allowing the
"subject individual" - the person to whom the information refers
-- to review and prohibit sharing by the data broker, as
narrowly defined, is that the subject individual has typically
never interacted with the data broker and never had any
opportunity to opt-out of data collection and sharing. In
contrast, as the FTC study recently noted, an Internet Web site,
as noted above, may also collect and sell a user's personal
information -- but at least that collection and sharing was
initiated (even if most often potentially unwittingly) by an
affirmative act of the Web site user. The website's user at
least had the opportunity to consult the mandatory privacy
policy - required by California's Online Privacy Act - to try to
get at least a general sense of the website's collection,
sharing, and marketing policies (though such policies are
admittedly often hundreds of words long, and are too often
impenetrable to comprehend, even by those who attended law
school.)
With websites that consumers interact with directly, if the user
is potentially uncomfortable with how his or her data will be
used, and if the website offers no "opt-out" option for the user
to say "don't share my data," then at least the user can, as a
last resort, choose to not use that website anymore. But key to
this proposal, a data broker that has no prior direct contact
with the subject individual does not offer these very limited
options. Indeed, almost by definition the consumer has no idea
that his or her data is being sold or shared to that entity. It
is therefore critical to understand the narrowness of this
definition, for contrary to the claims of some of the opponents
of this measure, this bill would not apply to private or public
websites that collect information directly from the users of
their websites, because in those situations the subject
individual has made direct contact with the website, whether as
a customer or merely a non-purchasing visitor to the website.
Affirmative Effort to Avoid Any Possible Federal Preemption and
Limit Bill's Reach : To avoid any preemption issues, this bill,
as recently amended, wisely exempts from its definition of "data
broker" any entity insofar as its activities are already
�
SB 1348
Page 11
regulated by FCRA or GLB. (It also exempts consumer credit
reporting agencies regulated under the California Consumer
Credit Reporting Agencies Act.)
How This Narrow Bill Differs from Congressional Legislation and
Industry Self-Regulation : While the requirements of this bill
are similar to the pending federal legislation by Senator
Rockefeller and the practices of at least the one major data
broker noted above, it nonetheless differs in some significant
ways - in some ways providing more consumer protection, in some
ways arguably providing less. Below are a few of the more
significant similarities and differences:
This Bill Allows Consumers To Review Information and Request
That It Not Be Shared : Most substantively, this bill, as
recently amended, would require a data broker, as defined, to
permit the subject individual to (1) review the information
that the data broker holds about him or her; and (2) demand
that the data broker cease sharing his or her information with
third parties. The bill does not, it should be stressed,
prevent data brokers from engaging in the business of
collecting, assembling, and selling personal information for
profit. The bill simply says that if a person requests that
the data broker cease sharing that information - and if the
data broker is not otherwise required or expressly authorized
by law to share the information - then the data broker must
honor that request as to that single individual. If the
reported Acxiom experience is any indication, only a fraction
of the people about whom data brokers possess information will
ever request to see their information, and only a minute
percent of that limited subset will request that the data
broker cease sharing his or her personal information.
This Bill Does Not Allow a Consumer to Correct Information :
Both the federal bill (if enacted) and Acxiom permit the
subject individual to correct information that may be
inaccurate. The author states he has decided to not include
this requirement in the bill because it would introduce
practical difficulties concerning just what a data broker must
precisely do in order to confirm the accuracy of the subject
individual's claim. Opting for the virtues of simplicity,
this bill avoids the need to establish standards and criteria
of proof and does not seek to impose any burden on data
brokers to investigate the accuracy of data or the
individual's claim that the data is inaccurate. A subject
�
SB 1348
Page 12
individual may just see what information the data broker
shares with third parties and request that the information not
be shared at all, whether it is accurate or not.
Definition of "Data Broker" More Consistent with FTC Report
Than the Federal Bill : This bill also provides an arguably
clearer definition of "data broker" than the federal
legislation. As noted above, the defining characteristic of a
"data broker," for purposes of the FTC study, was that the
data broker collected and sold personal information about an
individual with whom the data broker had no necessary
relationship. The federal legislation defines a data broker
as a commercial entity that collects, maintains, and sells
information about an individual "who is not a customer or
employee of that entity." However, what defines a data
broker, as used in the FTC report, is not merely that the
subject individual is not a "customer or employee" of the data
broker, but that subject individual has not had any contact
with the data broker, whether as a "customer" or not. This
bill, therefore, appears to provide a very precise - and much
more limited -- definition: a data broker is a commercial
entity that collects, maintains, and sells personal
information about a subject individual who is not a customer
or employee of the entity, "or who has not contacted that
entity prior to reviewing his or her information or demanding
that information not be shared" pursuant to the provisions of
this bill.
This Bill Is Not Restricted to Sharing for "Marketing
Purposes :" Both Senator Rockefeller's bill and Acxiom's
voluntary policy only permits the individual to opt out of the
sharing of data for "marketing" purposes. In other words,
neither the federal bill nor Acxiom's practice currently allow
the person to opt out of the "risk mitigation" or "people
search" products discussed above. This bill is not as limited
and would allow an individual to opt out of these other
products as well if they so choose.
Bill Does Not Appear, as the Opposition Claims, to Prohibit Any
Particular Technology or Business Practice: Some opponents
argue that the bill targets a particular technology instead of
targeting bad behavior. Digitized information is not inherently
bad, the opposition contends, even though "the actions that
people take using information may be inappropriate if not in
some cases unlawful." According to the opposition coalition,
�
SB 1348
Page 13
"the lawful gathering of information serves a multitude of
purposes. Many state and local government and law enforcement
agencies use these services to fight fraud in eligibility
determinations for benefits, locate deadbeat parents, find
missing children, find witnesses, etc. Business and government
both use these services to help verify job histories,
eligibility for loans, and find individuals who deliberately try
to avoid paying bills that they owe." The opponents contend
that it "would be more effective to look for remedies that
address the bad behavior of individuals rather than impose
unreasonable restrictions on technologies that serve a useful
purpose."
However, contrary to what is implied by this opposition
statement, this bill does not seek to ban a particular
technology, nor does it aim to prohibit data brokers from doing
what they currently do: collect personal information from a wide
variety of sources and sell it to others for marketing and other
purposes. The bill simply says that consumers have the right to
find out what kinds of information a data broker possesses and,
having determined that, to demand that it not be shared with
third parties if that is the individual consumer's personal
preference.
To be sure, if every consumer contacted a data broker to demand
that it cease sharing or selling the consumer's personal
information, then that data broker, to the extent that its
business model depended upon selling such information, might
have to dramatically adjust its business model due to consumer
demands. But, as Acxiom has discovered, only a minute
percentage of individuals for whom they collect data actually
appear likely to seek to have their personal data protected and
stop being sold to others. Thus the author notes this bill
should not affect the data broker industry any more than
Acxiom's self-imposed policy has affected its business. Most
consumers will apparently choose not to visit the site. If
Acxiom's experience is typical, only a small proportion of those
that do will ask the data broker to stop sharing the
information.
Moreover, the author notes that punishing bad behavior does not
necessarily preclude the possibility of permitting an individual
to take proactive steps to prevent the sharing and long-term
retention of their personal information. Persons who may
believe, for any number of reasons, that they are particularly
�
SB 1348
Page 14
at risk of harm if personal information is disclosed to the
wrong person will be able to avoid the time, cost, and stress of
a criminal or civil action by taking steps that reduce the
probability of harm occurring in the first place.
Bill Does Not, As Some Opponents Appear to Claim, Prohibit Data
Brokers From Sharing Critical Information : The opposition
coalition also contends that this bill "curbs the exchange of
critical information" between "government agencies, law
enforcement, non-profit organizations, and businesses that
currently utilize this information." Specifically, opponents
claim that interrupting the flow of this information will
prevent these organizations from performing a variety of
critical functions, such as helping law enforcement locate
missing children, fugitives, witnesses, and organ donors;
administering public benefits and verifying applicant
eligibility; notifying customers of product recalls; and
improving disaster response through the cross-matched data
bases.
However, this bill does not appear to prevent any of these
organizations from doing any of these things. First, the bill
expressly exempts any sharing of data that is required or
authorized by law. For example, existing law already authorize
an automobile manufacturer, or its agent, to share confidential
customer information for the purposes of notifying consumers in
the event of a recall. This bill, as recently amended, also
expressly states that an entity is not prohibited from sharing
any information that is required by law, or expressly authorized
by statute, to share.
Second, this bill does not prohibit data brokers from doing any
of the things that they currently do. This bill simply says
that, unless sharing is otherwise required or authorized by law,
that an individual may demand that a data broker - as narrowly
defined to be an entity whom the individual has had no prior
contact - not share his or her information. If law enforcement
needed to obtain information it could obtain a court order or
warrant to do so regardless of this measure.
Finally, as to the opposition's claim that this bill would allow
a "fraudster" or "criminal" to conceal his or her activities, if
this is true, it is also true of industry leader Acxiom's
voluntary policy of allowing individuals to correct information
without providing any evidence that the information is
�
SB 1348
Page 15
incorrect. This bill, however, does not allow a person to
correct or alter this information. It simply says that the data
broker, if requested by the individual, cannot share the
information unless it is required or authorized by law to do so.
Finally, it is worth noting that the California Police Chief's
Association support this latest more narrow version of the bill,
and no law enforcement agencies are opposed to it.
Newspaper Concerns Addressed by Recent Amendments : The
California Newspaper Publishers Association initially opposed
this bill and expressed its concerns that the bill could
conceivably allow a person who was the subject of a newspaper
article or other published piece to demand that any personal
information about them be removed, or that such a person could
demand to review the information that was gathered about that
person, thereby violating both statutory and constitutional
protections afforded to the press. It does not appear that a
newspaper publisher, whether paper or online, would ever be
construed as a "data broker" under this bill's narrow
definition. While a newspaper is a commercial entity that
collects information, it does not sell that information. While
it may sell the newspaper that contains an article that contains
personal information, the newspaper does not sell the personal
information as such. Nonetheless, given the high value that
California places upon freedom of the press, the author agreed
to an amendment that now clarifies that publishers, editors,
reporters, or others who are employed by a newspaper, magazine,
or other publication, or by a television or radio statute, are
not "data brokers" within the meaning of this bill.
Notwithstanding Some Opponents' Assertions, IMS Health v.
Sorrell Does Not Appear to Be Applicable : Some opponents also
contend that the measure is likely unconstitutional, citing the
United States Supreme Court decision, IMS Health v. Sorrell
(2011) 131 S. Ct. 2653. That case involved a 2007 Vermont law
that banned the sale, transmission or use of
prescriber-identifiable data (''PI data'') for marketing or
promoting a prescription drug without the consent of the
prescriber. The law also prohibited the sale, license or
exchange for value of PI data for marketing or promoting a
prescription drug. Three companies, including IMS Health, that
collect and sell such data and a trade group for pharmaceutical
manufacturers challenged the law. The U.S. Court of Appeals for
the 2nd Circuit struck down the measure, holding that it
violated the First Amendment because it restricts the speech
�
SB 1348
Page 16
rights of the companies without directly advancing legitimate
state interests. The U.S. Supreme Court agreed, holding by a
6-3 vote that the Vermont law was a content-based restriction
that infringed upon the companies' commercial speech rights.
However, as already noted, this bill does not, like the Vermont
law, ban the sale, transmission, or use of personal data. It
merely prohibits the data broker from sharing the information of
a single individual if that individual requests that his or her
information not be shared in the future once a secure and formal
request is received from that individual. In short, the IMS
Health ruling would not appear to render this bill
unconstitutional in any way; and at any rate, such a suggested
approach has not yet been tested in the courts.
ARGUMENTS IN SUPPORT : Privacy Rights Clearinghouse (PRC) argues
that "SB 1348 will help protect Californians from the largely
unregulated practices of online data brokers. In doing so," PRC
believes, "it will enable consumers to take better control over
how their personal information is disseminated online, thereby
helping to protect Californians from identity theft, stalking,
and other invasions of their privacy." PRC notes that, over the
past several years, it has been contacted by "hundreds of
consumers" expressing their concerns about data brokers. These
businesses are "particularly troublesome for victims of stalking
or domestic violence, law enforcement and court personnel, and
victims of identity theft." The American Civil Liberties Union
supports this bill for substantially the same reasons.
This bill is also supported by the California Police Chief's
Association (CPCA), noting that data brokers can be
"particularly troublesome for victims of stalking or domestic
violence, law enforcement and court personnel, and victims of
identity theft." CPCA believes that SB 1348 will protect
Californians from the "largely unregulated practices" of data
brokers by enabling them to "take better control over how their
personal information is disseminated."
ARGUMENTS IN OPPOSITION : A broad coalition of businesses and
associations representing the data management, marketing, and
retail industries, among others, opposes this bill for several
reasons. In general, as noted above, opponents argue that this
bill will have a chilling effect on the fluid exchange of
critical information, pointing out that government agencies, law
enforcement, non-profit organizations, and businesses all use
information collected by data brokers for a variety of important
�
SB 1348
Page 17
reasons: locating individuals, including missing children,
fugitives, witnesses, debtors, organ donors, and parents seeking
to avoid child support obligations. Opponents note, too, that
this information is sometimes needed to administer public
benefits, notify consumers about product recalls, or improve
disaster response through the use of cross-matched data.
Opponents also contend that the bill has an "overly broad and
vague" definition of "data broker" that will "likely capture
much of the online business community and, at a minimum, result
in extensive litigation to determine who is and who is not a
'data broker.'" Opponents similarly contend that the definition
of "personal information" is also too vague and will provide
businesses "with little guidance to delineate between personal
and non-personal information for purposes of complying with the
law. SB 1348 exposes businesses to both unnecessary litigation
and liability while courts wrestle with this definition."
In addition to these general concerns, opponents assert that
this bill will create a number of practical problems of
implementation. For example, they claim that much of the
information in their databases is anonymous and not readily
associated with the requester's name, thus the bill would
require "dredging through dormant data and re-identifying all
information that could potentially fit within the vague
definition of personal information." (However, it should be
noted in this regard based on the real-life experience of
several Judiciary Committee counsel who personally visited
Acxiom's website, Aboutthedata.com, Acxiom produces the
consumer's profile within seconds, apparently having no
difficulty whatsoever in "dredging through dormant data.")
Opponents also point out that it will be difficult if not
impossible for data brokers to "permanently remove" all of the
requester's personal information, for the "the Internet is a
constant exchange of information amongst websites. It would be
nearly impossible to completely halt this fluid information
exchange, much less to do so within 10 days of the request."
[NOTE: As recently amended the response time is increased to 30
days.] "Simply put," opponents conclude, "the requirements of
SB 1348 are out of step with technological realities and are
unworkable."
Finally, opponents' coalition letter raise a number of other
objections: that the bill is unconstitutional in light of IMS
�
SB 1348
Page 18
Health v. Sorrell (see discussion above); and that a number of
existing state and federal laws, including FCRA, GLB, HIPAA, and
the California Online Privacy Protection Act, already govern
data collection and sharing.
The Data Marketing Association (DMA), a member of the coalition
noted above who also writes separately, claims that this bill
will be counterproductive in that it will actually "expose an
individual's personal information to fraudsters . . . and
imposters posting as the subject individual." Overall, DMA
asserts that this bill will impede "the responsible use of
marketing data that is vital to small business and nonprofit
organizations and is a crucial component of the California
economy and the source of tens of thousands of jobs." Online
advertising, DMA maintains, "is essential to today's small
businesses and California's information economy" and supports "a
wide variety of services that are available to consumers for
free or at a low cost and helps small businesses succeed against
larger competitors." Finally DMA notes that it has already
developed guidelines and self-regulatory standards that give
consumers a voice in how their data is used and the kinds of
advertisements that they receive.
REGISTERED SUPPORT / OPPOSITION :
Support
Alameda County District Attorney Nancy O'Malley
American Civil Liberties Union
California Police Chief's Association
Consumer Federation of California
Correctional Peace Officers Association
Privacy Rights Clearinghouse
Opposition
California Association of Licensed Investigators
California Chamber of Commerce
California Restaurant Association
Consumer Data Industry Association
Direct Marketing Association
Internet Coalition
NetChoice
Personal Insurance Federation of California
Reed Elsevier
�
SB 1348
Page 19
The Internet Association
Software & Information Industry Association
State Privacy and Security Coalition
Analysis Prepared by : Thomas Clark and Drew Liebert / JUD. /
(916) 319-2334