Poor Richard Stares Down California’s New Wall of Shame, The “Data Broker” Registry

When the smoke cleared from California’s privacy legislative battles that ended on September 13th, many were surprised to see another large alien life form snorting alongside the CCPA.  AB 1202 requires the registration of “data brokers” on a public website maintained by the Attorney General.  We have seen a public registry for data brokers before, in Vermont.  But Vermont’s law is a much smaller animal, mostly because when it says “sell” it means sell, and even specifically excludes “a sale or license of data that is merely incidental to the business.”

Remember, the CCPA took us through the looking glass with its definition of “sell,” by making it disclosure for any non-monetary consideration whatsoever, so as we said it really means any sharing.  Thus AB 1202 can use almost the same words as Vermont in its “data broker” definition – “knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship” – but by importing the CCPA’s definition of “sells,” it makes any business that shares personal information as part of its business without a relationship with the person in question a “data broker.” 

Poor Richard simply must speak up at this point, in part to calm the confused and concerned cognoscenti.  He has hesitated to argue that California consumers will be misled by a button that says “Do Not Sell My Personal Information,” when it really means “do not share.”  However, he is certain that to stamp the label “data broker” on any business that shares personal information – when “broker” clearly means a buyer or seller of goods or assets for others – will mislead consumers both by mischaracterizing many entities as data brokers and by making it impossible for consumers to distinguish the real data brokers.  Thus the California registry flies directly in the face of the transparency goals of Acxiom's chief data ethics officer in advocating -- as he did on Friday -- for the creation of a national data broker registry. 

But then a smile, as the path forward becomes clear.  Section 1(g) of the legislative findings, he notes, gives important clues about what the legislature means by “direct relationship,” in fact offering what might be read as the possibility of establishing a relationship, some “knowledge about and control over….”

Consumers who have a direct relationship with traditional and e-commerce businesses, which could have formed in a variety of ways such as by visiting a business’ premises or internet website, or by affirmatively and intentionally interacting with a business’ online advertisements, may have some level of knowledge about and control over the collection of data by those businesses, including: the choice to use the business’s products or services, the ability to review and consider data collection policies, the ability to opt out of certain data collection practices, the ability to identify and contact customer representatives, and the knowledge necessary to complain to law enforcement.

Many businesses have found that their only sharing of personal information is with service providers who use the information on behalf of the business and do not disclose it further, but they find themselves needing to offer the button only because they engage in the usual tracking and analytics on their websites.  These businesses, thankfully, do not go up on the wall of shame as data brokers because they have direct relationships with consumers who browse their websites under the above analysis.  Moreover, if those businesses have clearly disclosed all of the third-party tracking on their websites and offered an opt-out, then it looks like even that third-party tracking may not be by “data brokers.”

The biggest questions will probably focus on the digital advertising industry, now undergoing its annus horribilis on both sides of the Atlantic.  It is not selling data, it is selling ads, and it is not hard to tell the difference between data brokers and digital advertising, but under AB 1202, many of the participants in digital advertising may need to wear exactly the same public badge as data brokers, unless they establish that “direct relationship.”

The Takeaway:  Look carefully to find or establish that “knowledge about and control over” sufficient to establish a “direct relationship,” so as to avoid California’s new wall of shame.

 

close
Loading...
Knowledge assets are defined in the study as confidential information critical to the development, performance and marketing of a company’s core business, other than personal information that would trigger notice requirements under law. For example,
The new study shows dramatic increases in threats and awareness of threats to these “crown jewels,” as well as dramatic improvements in addressing those threats by the highest performing organizations. Awareness of the risk to knowledge assets increased as more respondents acknowledged that their