Articles

Calif. Delete Act Paves Way for Data Broker Accountability

Law360

October 17, 2023

Photograph of Karina Puttieva

For far too long, data brokers who work out of the public eye to collect and sell all types of consumer data have been allowed to profit with little oversight.

Most consumers don’t even know that vast quantities of their personal information are regularly sold into a fast-growing, $240 billion market — let alone consent to it.[1]

The tide may be turning.

With California Gov. Gavin Newsom signing the Delete Act into law Oct. 10, there is renewed focus on holding an extremely lucrative but underregulated industry accountable.[2][3]

The act will allow Californians to delete their personal information held by some 500 data brokers registered in California through a single, verified request — albeit not until 2026.

But will the Delete Act be enough?

Keeping data brokers in check after a long period of free rein, may require a two-pronged approach: legislation and litigation.

Indeed, consumer protection litigation may prove to be a well-placed and time calculated strategy to help expedite continued legislation beyond California and establish important case law in the meantime.

What Data Brokers Are

Data brokers are businesses that aggregate and sell all types of personal information.

This includes names, addresses, phone numbers, email addresses, gender, age, marital status, education, profession, income and credit score, health information, political affiliations, and even real-time location data.

Why Data Brokers Are Bad for Consumers

In short, consumers have no control over what data brokers do with their personal information, because data brokers do not have a direct relationship with consumers — even though consumer data is the product they sell.

As Slate journalist Justin Sherman explains, there are three main avenues for data brokers to obtain personal information:[4]

1. Acquiring companies, apps and websites that collect information on people;

2. Scraping public records, like voting registries and property records; and

3. Using algorithms and other techniques to predict data points, such as using a consumer’s purchase and ZIP code data to infer household income.

Some data brokers use a combination of all three. But no matter how the data broker gets consumer data, one thing remains constant: Consumers often don’t know about it, and have no say in it.

Data brokers have every incentive to amass consumer data but no incentive to protect consumers from any of the downstream effects of monetizing it, such as keeping it from falling into the hands of a scammer or criminal, or ensuring its accuracy to prevent wrongful denial of credit, housing or employment.

What the Government Has Done About Data Brokers

There is currently no federal data broker legislation, though data brokers have argued that existing laws like the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act and the Federal Trade Commission Act are adequate to address any harms that occur because of their business practices.

The FTC made headlines[5] last year by filing suit against Kochava Inc., a data broker that sold geolocation data that could be used to trace the movements of individuals to and from sensitive locations, including abortion clinics and places of worship. But that effort has not been successful to date.

The FTC’s initial suit was dismissed, though the agency refiled it in June. Likewise, in August of this year, the Consumer Financial Protection Bureau announced its intention to launch rulemaking targeting data brokers under the FCRA.[6] But the rules will not be released for public comment until 2024.

Only four states have laws requiring data broker registries: Vermont, California, Texas and Oregon.[7] These laws do not restrict the collection or sale of personal information, however. They only require that data brokers register with a state agency and provide certain information about their business practices.

But, as mentioned, California is upping the ante with the Delete Act. Once implemented, Californians will likely have more control over their personal information.

Until then, consumers are left to navigate the old system, in which they have little power to exercise control over their private information. The state has until 2026 to implement the Delete Act. This is where private lawsuits can play a role.

Another Avenue for Change

Government enforcement actions against data brokers have been limited, such as violations under the FCRA.

But the plaintiffs bar is starting to hold data brokers accountable for the unfettered collection and sale of consumer data using more novel theories of liability under federal and state law. Below are three types of data broker consumer class actions that have recently been in the news.

These are still in the early stages of litigation, but worth monitoring given the lengths registered data brokers go to obtain and sell consumer information.

Challenging the Premise of Accumulating Personal Information

In 2022, immigrant activists and organizational plaintiffs sued LexisNexis Risk Solutions Inc. for its online database Accurint, which allegedly aggregates public and nonpublic information to create detailed dossier on individuals, including names, government records, utility bills, phone records and medical records.

The plaintiffs in Ramirez v. LexisNexis Risk Solutions allege, among other things, that this platform enabled the U.S. Immigration and Customs Enforcement to obtain sensitive information about them while circumventing state and local laws.

The plaintiffs brought claims under the Illinois Consumer Fraud and Deceptive Business Practice Act and for unjust enrichment. The case is still awaiting a decision on a motion to dismiss in the Circuit Court of Cook County, Illinois.

The technology and data collection practices at the heart of this case are the subject of Electronic Privacy Information Center’s recent call for ICE to cancel its $22.1 million contract with LexisNexis for invasive surveillance databases.[8]

Engaging in Electronic Tracking to Aggregate Personal Information

Another group of plaintiffs, one of whom is affiliated with the Center for Human Rights and Privacy, sued the database management company and registered data broker Oracle America Inc., claiming that it violated state privacy and federal wiretap laws, along with unjust enrichment, by tracking users across the internet and selling their personal information without their knowledge or consent.

Earlier this month, the U.S. District Court for the Northern District of California allowed many of these claims to move forward, denying the bulk of Oracle’s motion to dismiss in Katz-Lacabe v. Oracle America Inc.[9]

What Constitutes Data Broker Activity

In September, OpenAI LP and Microsoft Corp. were sued for ChatGPT’s practice of scraping personal information from hundreds of millions of individuals without their knowledge or consent to train fast-growing artificial intelligence technology applications.[10]

Among other things, the plaintiffs in A.T. v. OpenAI LP in the Northern District of California argue that this practice amounts to an illegal data brokerage and violates state consumer protection and privacy laws.

Conclusion

Though the cases are still in early stages, they serve as a reminder that the data broker business model uses consumer data for a purpose that may do more harm than good.

Notably, most of these cases to redress consumer harm and hold data broker activity accountable are being litigated in the Northern District of California.

Indeed, California is often a leader in consumer protection law and business innovation. With the signing of the Delete Act into law, the Golden State could lead the nation in an important paradigm shift and start the ball rolling on change.

[1] The Record, Sept. 21, 2023, “FTC Official Attacks Data Brokers at Industry Conference” https://therecord.media/ftc-samuel-levine-data-brokers-speech.

[2] Consumer Reports: Advocacy, October 10, 2023, “Governor Newsom Signs First-of-Its-Kind Data Rights Bill into Law” (Press Release) https://advocacy.consumerreports.org/press_release/governor-newsom-signs-first-of-its-kind-data-rights-bill-into-law/.

[3] California Legislative Information, Sept. 28, 2021, Senate Bill No. 362, Chpt. 334 https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202120220SB362.

[4] SLATE, April 26, 2023, “How Shady Companies Guess Your Religion, Sexual Orientation, and Mental Health: And Sell That Data to the Highest Bidder” https://slate.com/technology/2023/04/data-broker-inference-privacy-legislation.html.

[5] Federal Trade Commission, Aug. 29, 2022, “FTC Sues Kochava for Selling Data that Tracks People at Reproductive Health Clinics, Places of Worship, and Other Sensitive Locations: Agency Alleges that Kochava’s Geolocation Data from Hundreds of Millions of Mobile Devices Can Be Used to Identify People and Trace Their Movements” (Press Release) https://www.ftc.gov/news-events/news/press-releases/2022/08/ftc-sues-kochava-selling-data-tracks-people-reproductive-health-clinics-places-worship-other.

[6] Consumer Financial Protection Bureau, Aug. 15, 2023, “Remarks of CFPB Director Rohit Chopra at White House Roundtable on Protecting Americans from Harmful Data Broker Practices” https://www.consumerfinance.gov/about-us/newsroom/remarks-of-cfpb-director-rohit-chopra-at-white-house-roundtable-on-protecting-americans-from-harmful-data-broker-practices/.

[7] Vermont Secretary of State, Business Division, Data Brokers Register Online https://sos.vermont.gov/corporations/other-services/data-brokers/; Office of the Attorney General for California, Data Broker Registry https://oag.ca.gov/data-brokers; Texas Health and Human Services, C-828, Data Broker https://www.hhs.texas.gov/handbooks/texas-works-handbook/c-820-data-broker; Oregon Department of Justice, AG Rosenblum’s Legislative Report: A Successful Session for Laws Protecting Oregonians https://www.doj.state.or.us/media-home/news-media-releases/ag-rosenblums-legislative-report-a-successful-session-for-laws-protecting-oregonians/?hilite=data+broker.

[8] EPIC.org, February 23, 2023, EPIC, Coalition Call for ICE to Cancel Contract with LexisNexis for Invasive Surveillance Databases https://epic.org/epic-coalition-call-for-ice-to-cancel-contract-with-lexisnexis-for-invasive-surveillance-databases/.

[9] Law360, Oct. 4, 2023, “Oracle Can’t Gut Consumer Class Action Over Data Collection” https://www.law360.com/articles/1729508.

[10] A.T. et al v. OpenAI LP et al, Case No. 3:23-cv-04557, United States District Court for the District of Northern California.