BILL ANALYSIS
SB 1348
Page 1
Date of Hearing: December 25, 2014
ASSEMBLY COMMITTEE ON ARTS, ENTERTAINMENT, SPORTS, TOURISM, AND
INTERNET MEDIA
Ian C. Calderon, Chair
SB 1348 (DeSaulnier) - As Amended: June 23, 2014
SENATE VOTE : 24-8
SUBJECT : Data Brokers: sale of personal information
SUMMARY : Requires a data broker, as defined, to permit an
individual to review the personal information that the data
broker holds about them and to request that the data broker
cease selling, or otherwise sharing, that personal information
to third parties, except as specifically allowed. Specifically,
this bill :
1)Requires a data broker, as defined, that sells or offers for
sale the personal information of any resident of California to
a third party to do both of the following:
a) Permit a "subject individual" (the person to whom the
information pertains) to review his or her personal
information that has been collected, assembled, or
maintained by the data broker by submitting an electronic
demand through a secure online system, unless the data
broker is required by law or authorized by statute to share
information with a third party.
b) Conspicuously post an opt-out notice on its Internet Web
site, which shall include specific and easily understood
instructions for the subject individual to make a demand on
the Internet Web site that his or her personal information
not be shared with or sold to third parties, unless the
data broker is required by law or authorized by statute to
share information with a third party.
2)Provides that if the subject individual makes a demand that
his or her personal information not be shared with or sold to
third parties, the data broker will cease sharing or selling
that information with third parties as soon as is reasonably
possible, and in no event later than 30 days after receipt of
the notice and the data broker shall thereafter retain only as
much personal information as is reasonably necessary to comply
with the subject individual's demand.
3)Specifies that, after receiving a removal demand from the
subject individual, the data broker shall not transfer the
subject individual's personal information to any other person
or entity, and any information collected by the data broker to
confirm the identity of the subject individual making the
demand shall be deleted once the identity has been confirmed
and the information collected shall not be used for any other
purpose.
4)Makes it unlawful for a data broker to solicit or accept the
payment of a fee or other consideration to review or remove
personal information from the data broker's database.
5)Provides that, in addition to any other remedy available at
law, a subject individual may bring a civil action for actual
or statutory damages, as specified, against a person or entity
that violates the provisions of this bill.
6)Defines "data broker" to mean a commercial entity that
collects, assembles, or maintains personal information
concerning individuals residing in California who are not
customers or employees, or who have had no contact with that
entity prior to contacting the entity pursuant to the
provisions of this bill, for the purposes of selling or
offering for sale, or other consideration, the personal
information to a third party.
7)Specifies that a "data broker" does not include any of the
following:
a) A commercial entity that sells personal information to
the subject individual.
b) A "credit reporting agency" or a "consumer credit
reporting agency" that is regulated by federal Fair Credit
Reporting Act or the state Consumer Credit Reporting
Agencies Act.
c) A commercial entity that sells or provides for sale
personal information to another entity that will use the
information pursuant to purposes permitted by the federal
Gramm-Leach-Bliley Act, including purposes such as identity
confirmation and fraud prevention.
d) A person or entity enumerated in subdivision (b) of
Article I of the California Constitution or Section 1070 of
the Evidence Code that publishes or broadcasts information
obtained or prepared in gathering, receiving, or processing
of information for the purpose of communicating information
to the public.
8)Defines "personal information" to mean any information that
identifies, relates to, describes, or is capable of being
associated with, a particular individual, including, but not
limited to, his or her name, signature, social security
number, physical characteristics or description, address,
telephone number, passport number, driver's license or state
identification card number, insurance policy number,
education, employment, employment history, bank account
number, credit card number, debit card number, or any other
financial information, medical information, or health
insurance information. "Personal information" does not
include any information that is lawfully made available to the
general public from federal, state, or local government
records.
EXISTING STATE LAW :
1)Provides that, among other rights, all people have an
inalienable right to pursue and obtain privacy. (Cal. Const.,
art. I, Sec. 1.)
2)Permits a person to bring an action in tort for an invasion of
privacy and provides that in order to state a claim for
violation of the constitutional right to privacy, a plaintiff
must establish the following three elements: (1) a legally
protected privacy interest; (2) a reasonable expectation of
privacy in the circumstances; and (3) conduct by the defendant
that constitutes a serious invasion of privacy. (Hill v.
National Collegiate Athletic Assn. (1994) 7 Cal.4th 1.)
Recognizes four types of activities considered to be an
invasion of privacy giving rise to civil liability, including
the public disclosure of private facts. (Id.)
3)Requires an operator of a commercial Web site or online
service that collects personally identifiable information
through the Internet about individual consumers residing in
California who use or visit its Web site to conspicuously post
its privacy policy. (Business & Professions Code Section
22575.)
4)Requires a business with an established business relationship
with a customer that has, within the preceding calendar year,
disclosed specified personal information about the customer to
third parties for direct marketing purposes to, after the
receipt of a written request, disclose to the customer free of
charge the categories of personal information disclosed to
third parties for direct marketing purposes, the names and
addresses of all third parties that received the personal
information, and, if not reasonably discernable by the name,
examples of the products or services marketed by the third
parties. (Civil Code Section 1798.83.)
EXISTING FEDERAL LAW :
Permits, under the federal Gramm-Leach-Bliley Act, financial
institutions to share nonpublic customer information with
non-affiliated third parties, unless the consumer "opts out" of
such disclosure. The Act requires privacy statements to be
disclosed by financial institutions and restricts their ability
to disclose non-public personal information about consumers to
third parties. (15 U.S.C. Sec. 6801 et seq.)
FISCAL EFFECT : Unknown
COMMENTS :
1)Author's statement and support: Need to regain control over
third parties' use of personal information:
According to the author, "Current law requires disclosure of
privacy policies, and allows existing customers rights to
their personal information. However, under current law
consumers do not have the ability to modify or opt out of
privacy policies. Further, individuals do not have rights to
opt-out of the sale of their personal information by third
parties with whom they have no customer relationship."
Privacy Rights Clearinghouse (PRC) argues in support that "SB
1348 will help protect Californians from the largely
unregulated practices of online data brokers. In doing so,"
PRC believes, "it will enable consumers to take better control
over how their personal information is disseminated online,
thereby helping to protect Californians from identity theft,
stalking, and other invasions of their privacy." PRC notes
that, over the past several years, it has been contacted by
"hundreds of consumers" expressing their concerns about data
brokers. These businesses are "particularly troublesome for
victims of stalking or domestic violence, law enforcement and
court personnel, and victims of identity theft." The American
Civil Liberties Union supports this bill for substantially the
same reasons.
This bill is also supported by the California Police Chief's
Association (CPCA), noting that data brokers can be
"particularly troublesome for victims of stalking or domestic
violence, law enforcement and court personnel, and victims of
identity theft." CPCA believes that SB 1348 will protect
Californians from the "largely unregulated practices" of data
brokers by enabling them to "take better control over how
their personal information is disseminated."
2)Background :
The advent of inexpensive computer storage and the increased
power and sophistication of computer processing technology
have unleashed a revolution in data acquisition and analysis
in just about every field. "Algorithms that predict
stock-price movements have transformed Wall Street," and
"[a]lgorithms that chomp through our Web histories have
transformed marketing." (Peck, They're Watching You at Work
(Dec. 2013) The Atlantic
(as of April 10, 2014).) "The range and depth of information
that's routinely captured about how we behave" has also
greatly increased in recent years. (Id.) "Ordinary people at
work and at home generate much of this data, by sending
e-mails, browsing the Internet, using social media, working on
crowd-sourced projects, and more," and according to one
estimate "more than 98 percent of the world's information is
now stored digitally, and the volume of that data has
quadrupled since 2007." (Id.) "By combining the power of
modern computing with the plentiful data of the digital era,"
data analytics "promises to solve virtually any problem -
crime, public health, the evolution of grammar, the perils of
dating - just by crunching the numbers." (Marcus and Davis,
Eight (No, Nine!) Problems With Big Data (Apr. 6, 2104) New
York Times (as of April 10,
2014).)
The growth of data acquisition and analysis in the marketing
economy has been no less revolutionary. What was once limited
to customer lists and basic information contained in public
records (e.g. mailing addresses, property tax records, etc.)
and sales records (e.g. credit card purchase histories),
companies and marketing firms can now collect, analyze,
package, and sell precise information about individuals across
a wide range of data points. According to one analyst, with
the help of new technology, companies in the marketing economy
are now able to:
collect and sell information to marketers on everything
from your marital status, whether you might be pregnant
or have a newborn, have cancer, are trying to lose
weight, are gay or straight, how much you make, what
credit cards you use, your lines of credit, where you
live, what your house cost, what kind of car you drive or
if you might be looking to buy a new one, your race,
occupation, political leanings, education level, have one
or more children in college, have pets to what your
hobbies are and more, much more. (Armerding, Data
Brokers' Collection of Internet Activity Data Raises
Privacy Issues (Nov. 7, 2013) CSO Online (as of April 10, 2014).)
Indeed, one marketing company claims that it "has, on average,
1,500 pieces of information on more than 200 million
Americans." (Kroft, The Data Brokers: Selling Your Personal
Information (Mar. 9, 2014) CBS News (as of April 10, 2014).) The data marketing economy
has also swelled in economic impact, contributing as much as
$156 billion annually to the national economy, according to a
recent industry report. (See Deighton and Johnson, The Value
of Data: Consequences for Insight, Innovation, and Efficiency
in the U.S. Economy (2013).)
Some marketing companies and other participants in the data
industry, colloquially known as "data brokers," aggregate and
sell large volumes of information from their databases to
third parties over the internet without the direct knowledge
or consent of the individuals to whom the data pertains
("subject individuals"). Several organizations have publicly
raised privacy concerns over the practice of buying and
selling personal information over the Internet without the
subject individual's knowledge or consent.
3)Recently published Federal Trade Commission (FTC) Data Brokers
report :
In May of this year, the FTC released a report that discussed
the results of its study of nine selected major national data
brokers. (FTC, Data Brokers: A Call for Transparency and
Accountability, May 2014.) The FTC report noted they chose to
review these particular companies because "these companies
generally never interact with consumers, consumers are often
unaware of their existence, much less the variety of practices
in which they engage." (FTC, Data Brokers, p. I, emphasis
added.) Drawing from its 2012 report, Protecting Consumer
Privacy in an Era of Rapid Change, the FTC noted that there
are three different categories of data brokers: (1) credit
reporting agencies subject to the Fair Credit Reporting Act
(FCRA); (2) entities that maintain data for marketing
purposes; and (3) non-FCRA covered entities that maintain data
for non-marketing purposes that fall outside of FCRA, such as
entities that detect fraud or locate people. The FTC noted in
its earlier 2012 report that the last two categories remain
largely unregulated, except for the regulation of financial
institutions under the Gramm-Leach Bliley (GLB) Act.
In its report, the FTC called on Congress to consider enacting
the very type of legislation reflected by this measure. In
its report, it stated in this regard that "Congress consider
legislation requiring data brokers to provide consumers with
access to their data . . . at a reasonable level of detail,
and the opportunity to opt out of having it shared for
marketing purposes." (Emphasis added.) In order to help
consumers identify which data brokers may have data about them
and how they might exercise opt-out rights, the FTC also
recommended that Congress create "a centralized mechanism,
such as an Internet portal, where data brokers can identify
themselves, describe their information collection and use
practices, and provide links to access tools and opt outs."
(FTC, Data Brokers, p. viii.) In addition, the FTC
recommended that Congress consider (1) requiring data brokers
to notify consumers that, not only do they collect core data,
but that they use this raw core data to make certain
inferences, sometimes about sensitive consumer preferences and
characteristics; and (2) requiring data brokers to disclose
the sources of their data, so that a consumer might know, for
example, that they need not only to correct information that
the data broker possesses, but also correct the data in the
source (especially if it is a public record source). Finally,
the FTC recommended that Congress consider preventing a data
broker from collecting or sharing of certain especially
sensitive information - such as health information - unless it
obtains the consumer's express consent before collecting or
sharing the information (allow a consumer opt-in mechanism).
4)Data Broker Industry Response to the FTC Report - Acxiom's
experience with consumer choice :
Shortly after the FTC began its study, the data broker company
Acxiom - one of the nine data brokers studied by the FTC -
developed a new website, called "AboutTheData.com." This
website allows any person to access the modeled profiles - and
some of the core data - that Acxiom states it provides to its
clients. Beyond the approach taken in this bill, however,
Acxiom allows the individual to correct any information.
According to information provided by Acxiom to the Assembly
Judiciary Committee, about 500,000 people have visited the
website, and of that number only about 2% have actually
requested that Acxiom not share information for marketing
purposes.
5)Joint Informational Hearing of the Assembly Judiciary and
Assembly Banking & Finance Committees was held entitled: Is
Our Personal Data Really Safe and Secure: A Review of the
Recent Data Attacks:
The privacy issues raised by SB 1348 are not simply
theoretical harms, or as Justice Brandeis noted in his famous
tome on Privacy, a desire to be "left alone." When personal
financial information falls into the wrong hands, substantial
financial harm and sometimes personal financial ruin can
result. In January of this year, a Joint Informational
Hearing of the Assembly Committees on Banking & Finance and
Judiciary explored the outcome of the personal financial data
falling into the wrong hands, by examining the vast data
breach cases known as the "Target" data breach. In their
Background Report, the Committees offered illuminating facts
about what can go wrong with personal information contained in
databases and how.
"Between November 27 and December 15, 2013, hackers were able
to get access to Target's point of sale system, which allowed
them to duplicate cards and receive customer's important
information. This exposed as many as 40 million U.S. customers
to credit and debit card fraud. Ultimately, Target reported
that an additional 70 million customers had their personal
information stolen including names, mailing address, phone
numbers, and emails, totaling those affected to 110 million.
Target on-line shopping was not affected in the breach and to
date, social security numbers were not compromised. The data
breach included customer names, credit card numbers, and the
card's expiration date. Hackers were even able to retrieve
customer's encrypted PIN number from Debit or ATM cards. Both
Neiman Marcus and Michael's fell victim to the same type of
intrusion but on a smaller scale."
6)Stalking made easy by online data brokers :
One extremely troubling use of online data is stalking.
According to the Author, SB 1348 began as a response to a
constituent who was stalked by a person who obtained her
personal contact information through an online data service.
According to The National Center for Victims of Crime report
entitled The Model Stalking Code Revisited: Responding to New
Realities of Stalking, "Stalking is a crime of intimidation and
psychological terror that often escalates into violence
against its victims. Stalkers can destroy the lives of
victims, terrorizing them through a course of conduct that may
include monitoring, following, threatening, or harassing
victims in a variety of ways. Stalking often has devastating
consequences for victims. Many are forced to profoundly alter
their lives-going as far as relocating to another state and
changing their identities-to protect themselves and their
families.
"Stalkers increasingly use technology to surveil, monitor,
track, and terrorize victims. When the original model
anti-stalking code and most of the state stalking statutes
were drafted in the early 1990s, many of today's technologies
did not exist or were not affordable or readily available to
the public. New, affordable technology has fundamentally and
profoundly changed the way stalkers monitor and initiate
contact with their victims. A stalker no longer needs to be in
close proximity to his victim to monitor or surveil her. He
can use a global positioning system (GPS) to track her in her
car as she travels to virtually any location. He can put a
small hidden camera (often called a "spycam") in his victim's
home and have access to even the most private moments of her
life. He can put a spyware program on her computer and
intercept all of her e-mails and Internet searches."
The Report concludes, "Stalking is a serious, prevalent crime
that wreaks havoc on its victims. Victims feel great fear for
their personal safety and, in many cases, their lives.
Research indicates that stalking is not just a crime of
harassment and annoyance but that it can be a precursor to
serious violence-most often occurring between people who know
each other. The use of technology by stalkers to terrorize and
surveil victims, which first emerged in the 1990s, is likely
to increase in the coming years. Law enforcement officials,
prosecutors, and judges need to be equipped with the legal
tools to allow early and effective intervention that responds
to the ever-expanding methods used by stalkers." (The Model
Stalking Code Revisited: Responding to New Realities of
Stalking, [2007] The National Center for Victims of Crime).
7)Opposition concerns:
According to the California Chamber of Commerce, writing on
behalf of a diverse coalition of opponents, "This bill would
stifle critical information sharing with organizations -
including law enforcement, local, state and federal government
agencies, non-profit organizations, and business - that rely
on private sector information collection. SB 1348 also
utilizes overly broad and vague definitions, as well as
technologically infeasible requirements, that would - despite
recent amendments - expose much of the online business
community to extensive litigation and liability. Additionally,
SB 1348 attempts to regulate an industry already governed by
federal and state statutes."
Specifically, the opposition states, "By restricting the
gathering of private sector data by online companies, SB 1348
curbs the exchange of critical information with government
agencies, law enforcement, non-profit organizations, and
businesses that currently utilize this information. These
organizations rely on information sharing to perform critical
functions, including the following highlighted examples.
"Locating individuals including missing children, fugitives,
witnesses, debtors, organ donors, and custodial parents
seeking to avoid child support obligations. Law enforcement,
investigators and non-profit organizations utilize online data
services to provide essential information needed to find these
individuals. SB 1348 would reduce the effectiveness of data
services and hinder efforts to locate these individuals.
"Assisting law enforcement. Law enforcement and investigators
utilize private sector data to identify, prevent, and
prosecute crimes including - amongst other crimes - identity
theft, fraud, money laundering, and criminal financing. SB
1348 would assist hackers and fraudsters by enabling them to
remove or conceal their fraudulent activities.
"Administering public benefits. Private sector data assists
federal, state and local government agencies in administering
public benefits ensuring the correct benefits are provided to
the right individuals. Additionally, health-care exchanges
also utilize data services to verify an applicant's identity -
without this verification, applicants may be delayed or denied
from signing up for healthcare.
"Improving disaster response through the use of cross-matched
databases. These databases help first responders quickly aid
those in need and prevent fraudsters from manipulating these
efforts for personal gain.
The Opponents further claim, "SB 1348 encourages Litigation
through Overly-Broad and Vague Definitions, such as "data
broker" which is defined as, "a commercial entity that
collects, assembles or maintains personal information" for
purpose of selling that information to a third party. This
overly-broad definition would likely capture much of the
online business community and, at a minimum, result in
extensive litigation to determine who is and who is not a
"data broker."
In response to issues raised by the opposition, the bill's
proponents have offered to amend the bill and to work with the
opposition on issues such as: to tighten and clarify the
definition of data broker to be more explicit about the
combination of activities that constitutes data brokering,
ensure that third parties who are acting at the behest of/as
an extension of a company but who are not selling/transferring
information are exempted, where appropriate; and, further
define "previous contact" as it relates to Internet/web page
use and the timing of contact when it is instigated only for
the purpose of opting out. Given that the bill comes to
Committee following passage of the policy hearing deadline,
this offer to tighten the policy of the bill's language may be
difficult for the Committee to oversee.
8)Committee recommended amendments :
In order to address the Author's stated intention to correct a
flaw in the law which allows stalkers to obtain and use
personal identifying information to commit stalking (and other
nefarious data users to commit crimes as well), and in
recognition that the existing bill language has a great
distance to go before it can become law, the Committee
recommends the following:
Delete the contents of the existing bill and insert instead:
Penal Code §530.5. Unauthorized use of personal identifying
information ; Mail theft
(a) Every person who willfully obtains
personal identifying information, as defined in
subdivision (b) of Section 530.55, of another
person, and uses that information for any unlawful
purpose, including to obtain, or attempt to obtain,
credit, goods, services, real property, or medical
information without the consent of that person; to
stalk or attempt to stalk a person under Section
646.9; or to commit any other criminal offense
against the person or property of another is guilty
of a public offense, and upon conviction therefor,
shall be punished by a fine, by imprisonment in a
county jail not to exceed one year, or by both a
fine and imprisonment, or by imprisonment pursuant
to subdivision (h) of Section 1170.
This language is consistent with the recommendations of The
Model Stalking Code Revisited: Responding to New Realities of
Stalking, to update state laws to prohibit use of personal
information regardless of media.
REGISTERED SUPPORT / OPPOSITION :
Support
Alameda County District Attorney Nancy O'Malley
American Civil Liberties Union
California Police Chief's Association
Consumer Federation of California
Privacy Rights Clearinghouse
Opposition
Acxiom
American Council of Life Insurers
AOL
California Association of Collectors
California Association of Licensed Investigators
California Chamber of Commerce
Consumer Data Industry Association
California Retailers Association
Direct Marketing Association
Internet Coalition
NetChoice
R.L. Polk & Company
Reed Elsevier
Stop Child Predators
Tech America
TechNet
The Internet Association
Software & Information Industry Association
Analysis Prepared by : Dana Mitchell / A.,E.,S.,T. & I.M. /
(916) 319-3450