High-Profile California Bill Regulating Data Brokers Heads for Key Vote – Source: securityboulevard.com

California lawmakers later this month are expected to vote on a highly debated bill that would make it easier for residents to keep data brokers from collecting and selling their personal data, legislation that if approved could have ripple effects around the country.

Senate Bill 362 – known as the California Delete Act – would “create a one-stop-shop website to allow Californians who want to control access to their personal information to hit the ‘DELETE’ button when it comes to a data broker’s ability to collect, maintain and sell information on them,” according to a release from California Sen. Josh Becker (D-San Mateo), the author of the bill.

“The time of uncontrolled gambling with our personal information is almost over,” Becker said in a statement. “Data brokers currently have the ability to use data on reproductive healthcare, geolocation, and purchasing data to sell it to the highest bidder, and the DELETE Act would protect our most sensitive information.”

The California State Assembly’s Appropriations Committee voted September 1 to advance the bill to the full body, which must vote on the bill by September 14.

A Simple Solution to a Controversial Issue

Boiled down, the Delete Act is a fairly straightforward bill. It would require data brokers to register with the California Privacy Protection Agency (CPPA), which also would create a way for state residents to easily direct all data brokers to delete their personal information for free. Brokers who don’t comply with the law would face civil penalties and administrative fines set by the agency, Becker wrote.

As simple as it is, the bill is drawing attention from both proponents and opponents, an indication of the polarizing nature of data brokers, which collect and aggregate massive amounts of data available in public records – such as marriage and driver’s licenses, birth certificates, and bankruptcy, court, and driving records – analyze it and then sell it to businesses, government agencies, or individuals.

The relatively unregulated nature of the industry, wholesale selling of such personal information, and the legal, ethical, and security issues arising from that has made data brokers the target of harsh criticism. Despite that, it’s a fast-growing market, with estimates saying it could climb from $319 billion two years ago to more than $545 billion in 2031. There are about 4,000 data brokers worldwide.

Using a Sledgehammer

“People should be able to live their lives without worrying that shadowy data brokers are buying and selling their location information, health records, purchasing habits, or other personal data,” John Davisson, director of litigation and senior counsel at the Electronic Privacy and Information Center (EPIC), told Security Boulevard. “The data broker industry is the antithesis of privacy, a vast market built on funneling the most sensitive details of our lives to anyone who’s willing to pay for them.”

The California bill “will take a sledgehammer to that business model, and rightly so,” Davisson said. “Empowering people to easily demand the deletion of their personal data held by brokers will help put consumers back in control. It’s a game-changer for privacy.”

Hayley Tsukayama, associate director of legislative activism for the Electronic Frontier Foundation (EFF), echoed those sentiments, writing in a blog post last month that the Delete Act will “start holding these companies accountable.”

“Scams, identity theft, and financial exploitation result from the collection and misuse of personal information,” Tsukayama wrote. “Potential misuse of health data could lead to real harms in harassment, discrimination, and legal consequences for those seeking health services in California, including reproductive and gender affirming healthcare data. And if information is sold to local, state, or federal agencies, that puts our Fourth Amendment rights at risk.”

And despite all this information about them being aggregated by the data brokers, “normal people have essentially zero visibility into the ways their information is traded and sold, making it even more difficult to know who has your information,” she told Security Boulevard.

A ‘Blunt Force Approach’

However, the advertising industry and similar business sectors are working to kill the bill, saying it would damage California’s data-driven economy “by using a blunt force approach on this complicated and vital system. By proposing a new and untested mechanism to delete consumer data across hundreds of companies, SB 362 would choke off data used for good by companies and institutions across the state.”

According to a website hosted by the Consumer Data Industry Association called No to SB 362, victims of the legislation would include small and midsize companies in the state, non-profits, cybersecurity firms, law enforcement agencies, academic researchers, and government agencies, all of which rely on such data.

In a blog post last month, Jordan Abbott, chief privacy officer of data brokerage Acxiom, called for a comprehensive national privacy law to replace what is a patchwork of state-level regulations that have cropped up in recent years, starting with California’s with its Consumer Protection Act in 2018, which was followed by others like Virginia, Connecticut, and Colorado.

Abbott noted others joining the trend this year, like Indiana and Tennessee, and noted that some other states that earlier instituted such regulations – like California – are now amending the laws with new compliance rules.

“The continued rollout of individual U.S. state privacy laws has undoubtedly advanced the conversation around data protection, but it has also brought numerous challenges for businesses,” he wrote. “A federally preemptive national privacy law is essential to address these challenges and provide a cohesive and harmonized framework that benefits consumers, brands, and the partners with which they do business.”

A Long Search for an Answer

The debate over data brokers isn’t new. The Federal Trade Commission a decade ago urged Congress to enact legislation to bring more transparency to data brokers’ operations. More recently, Congress has been working to limit the government’s ability to deal with data brokers. In July, the bipartisan Fourth Amendment Is Not For Sale Act was voted out of the House Judiciary Committee to the full House.

The act, first introduced by the Senate in 2021, would ban law enforcement and federal agencies from buying consumer data from data brokers without a warrant. At the same time, the Davidson-Jacobs amendment to the Defense Department budget would put similar restrictions on the Pentagon.

For now, those sitting on both sides of the issue now wait to see what happens in California. The EFF’s Tsukayama is cautiously optimistic the votes are there to get the legislation passed into law, but knows there are no guarantees.

“I say that with the caveat that I’m not a bill sponsor,” she said. “I haven’t been whipping votes.”