When the smoke cleared from California’s privacy legislative battles that ended on September 13th, many were surprised to see another large alien life form snorting alongside the CCPA. AB 1202 requires the registration of “data brokers” on a public website maintained by the Attorney General. We have seen a public registry for data brokers before, in Vermont. But Vermont’s law is a much smaller animal, mostly because when it says “sell” it means sell, and even specifically excludes “a sale or license of data that is merely incidental to the business.”
Remember, the CCPA took us through the looking glass with its definition of “sell,” by making it disclosure for any non-monetary consideration whatsoever, so as we said it really means any sharing. Thus AB 1202 can use almost the same words as Vermont in its “data broker” definition – “knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship” – but by importing the CCPA’s definition of “sells,” it makes any business that shares personal information as part of its business without a relationship with the person in question a “data broker.”
Poor Richard simply must speak up at this point, in part to calm the confused and concerned cognoscenti. He has hesitated to argue that California consumers will be misled by a button that says “Do Not Sell My Personal Information,” when it really means “do not share.” However, he is certain that to stamp the label “data broker” on any business that shares personal information – when “broker” clearly means a buyer or seller of goods or assets for others – will mislead consumers both by mischaracterizing many entities as data brokers and by making it impossible for consumers to distinguish the real data brokers. Thus the California registry flies directly in the face of the transparency goals of Acxiom's chief data ethics officer in advocating -- as he did on Friday -- for the creation of a national data broker registry.
But then a smile, as the path forward becomes clear. Section 1(g) of the legislative findings, he notes, gives important clues about what the legislature means by “direct relationship,” in fact offering what might be read as the possibility of establishing a relationship, some “knowledge about and control over….”
Consumers who have a direct relationship with traditional and e-commerce businesses, which could have formed in a variety of ways such as by visiting a business’ premises or internet website, or by affirmatively and intentionally interacting with a business’ online advertisements, may have some level of knowledge about and control over the collection of data by those businesses, including: the choice to use the business’s products or services, the ability to review and consider data collection policies, the ability to opt out of certain data collection practices, the ability to identify and contact customer representatives, and the knowledge necessary to complain to law enforcement.
Many businesses have found that their only sharing of personal information is with service providers who use the information on behalf of the business and do not disclose it further, but they find themselves needing to offer the button only because they engage in the usual tracking and analytics on their websites. These businesses, thankfully, do not go up on the wall of shame as data brokers because they have direct relationships with consumers who browse their websites under the above analysis. Moreover, if those businesses have clearly disclosed all of the third-party tracking on their websites and offered an opt-out, then it looks like even that third-party tracking may not be by “data brokers.”
The biggest questions will probably focus on the digital advertising industry, now undergoing its annus horribilis on both sides of the Atlantic. It is not selling data, it is selling ads, and it is not hard to tell the difference between data brokers and digital advertising, but under AB 1202, many of the participants in digital advertising may need to wear exactly the same public badge as data brokers, unless they establish that “direct relationship.”
The Takeaway: Look carefully to find or establish that “knowledge about and control over” sufficient to establish a “direct relationship,” so as to avoid California’s new wall of shame.
Disclaimer
While we are pleased to have you contact us by telephone, surface mail, electronic mail, or by facsimile transmission, contacting Kilpatrick Townsend & Stockton LLP or any of its attorneys does not create an attorney-client relationship. The formation of an attorney-client relationship requires consideration of multiple factors, including possible conflicts of interest. An attorney-client relationship is formed only when both you and the Firm have agreed to proceed with a defined engagement.
DO NOT CONVEY TO US ANY INFORMATION YOU REGARD AS CONFIDENTIAL UNTIL A FORMAL CLIENT-ATTORNEY RELATIONSHIP HAS BEEN ESTABLISHED.
If you do convey information, you recognize that we may review and disclose the information, and you agree that even if you regard the information as highly confidential and even if it is transmitted in a good faith effort to retain us, such a review does not preclude us from representing another client directly adverse to you, even in a matter where that information could be used against you.