If you have visited a family planning system in the continental United States in the past few years, data broker Near Intelligence likely knows about it and may have sold that information to anti-abortion activists. If you attended a particular house of worship or used a particular pharmacy, a data broker known as Outlogic allegedly sold that information.
Near Intelligence filed for bankruptcy in December. Outlogic has agreed to a settlement with the Federal Trade Commission to stop selling users' location data, although the regulator says it “does not condone any misuse of data.” Both companies are listed on the latest edition of California's Data Brokers Registry, and are among about 90 companies that sell self-reported data about where people are or have been. It was.
For the first time this year, California required data brokers (companies that knowingly collect consumer data and sell it to third parties) to report whether they collect location data. New state transparency requirements introduced this year also revealed that about 24 companies collect personal data about children and about 12 collect reproductive health data about pregnant people. .
Does some data broker have data about you? Almost certainly. At most places on your digital journey, traces of information about you are collected. If you've been using the Internet for the last few years, you've probably been bombarded with notices from websites you visit asking if you want to collect “cookies” (information that allows websites to remember you). You've probably seen it before. Essentially. Some apps on your phone may track your location. It's hard to say exactly what information about a user is where because there are so many variables, such as a user's privacy settings, the sites they visit, what they buy and from whom, but data brokers can search, collecting and selling that data to other companies.
Brokers use your web activity and other personal information to help target ads to you, whether you get an apartment, whether your activity is fraudulent, and how your insurance company treats it. We sell it to companies that may make important decisions about your life, such as whether or not you are hired.
The market is largely unregulated.
Selling data about people is a cornerstone of the modern internet economy, driving targeted advertising based on insights gleaned from personal data. Media investment firm GroupM expects digital ad revenue to reach $258 billion this year.
To give people visibility into who is selling their personal data for profit, California began requiring data brokers to register once a year four years ago. Since then, new registries have been published annually based on these submissions.
The latest registry was published a month ago, has more detailed information, and is now managed by a relatively new state agency. Legislation passed last fall introduced new consumer rights and stricter requirements for brokers.
The important things to know are:
How can data brokers harm you or your loved ones?
Data brokers can sell your data to a variety of bad actors, from fraudsters to hostile foreign governments. In testimony before a Congressional committee a year ago, Laura Moy, an associate professor at the Georgetown Law Center, argued that data brokers selling information to law enforcement agencies are free from unreasonable searches and seizures in the United States. He said it could amount to a violation of Fourth Amendment rights.
From Beijing to Brussels to Washington, D.C., to U.S. state capitals, government regulators are creating registries and business reporting rules aimed at preventing privacy violations and harmful forms of artificial intelligence. Privacy advocates have been asking the Federal Trade Commission for years to create a national data broker registry, but no such registry yet exists.
Who will protect my privacy rights?
California voters voted in 2020 to give consumers the right to access information collected about them, delete or change that information, and tell brokers that they can't sell or share that information. passed the bill. Consumers can begin the process by sending an email to the contact information listed on the registry website. Next, you will need to show a copy of your ID, such as your driver's license, to prove who you are. Consumers and their persons under the age of 18 may also work with an authorized representative to make data deletion requests on their behalf. Companies like Transcend and nonprofit organizations like Consumer Reports offer consumer data deletion services.
To enforce these rights, the ballot measure established the California Privacy Protection Agency and a five-member board to govern its activities.
Businesses that buy, sell, or share the personal data of at least 100,000 Californians, or that derive a significant portion of their annual revenue from data sales, must comply with the Consumer Privacy Act.
what's new?
The latest changes to California's data broker registry, which took effect in January, require brokers to disclose whether they sell children, pregnant people, or anyone's geolocation data. There is.
But relatively soon, consumers should be able to delete data collected about them as quickly as state governments operate.
Currently, consumers must visit hundreds of data brokers at once if they want their data deleted.
Last fall, Gov. Gavin Newsom signed the Deletion Act, giving consumers a way to delete their data from all registered brokers using a single tool or website.
Under the law, authored by state Sen. Josh Becker, D-Menlo Park, the state's privacy office would have to create a website by 2026 that would allow Californians to delete their data within 30 seconds. The Takedown Act would double the cost to $200 per day for data brokers to fail to register, and also double the costs associated with lawsuits by state attorneys general. By 2028, audits must verify that data brokers comply with takedown laws.
Another big change is the Deletion Act, which would require brokers to delete all information they have collected about consumers, not just information shared directly by consumers, which privacy advocates say This closes a significant loophole in the right of deletion granted to consumers under the law. California Consumer Privacy Act.
The legislation also transfers responsibility for managing the registry from the Department of Justice to the California Privacy Protection Agency. This means that the authority to determine which companies fail to register and comply with state privacy or takedown laws will be determined by that privacy authority's enforcement officer.
It will then be up to authorities to decide whether a company should register as a data broker.
The Enforcement Division received more than 1,200 complaints from July 2023 to February 2024, according to last month's staff update. The majority of these complaints concern the right to delete data collected about individuals.
Is California's Data Broker Registry comprehensive?
Because data brokers don't have a direct relationship with consumers, most people have never heard of the companies that buy and sell data. However, the registry is not comprehensive, at least not yet.
The registry, launched on March 1, includes approximately 450 companies and email contact points. Brokers have until January 31 to register, but Privacy Protection Agency attorney Liz Travis Allen warned at a meeting last month: But we can force it to understand who is not registered and who should be registered. ”
There were 550 companies listed in the 2023 registry maintained by the state Department of Justice.
Emory Roan, director of privacy at the Privacy Rights Clearinghouse, was a co-sponsor of the Takedown Act. He said the Privacy Protection Agency's Data Brokers Registry revealed previously unseen information, including the number of companies that track your location or collect data on children and pregnant people, and the number of credit scoring agencies. He said it would be “really great” to reveal the indicators. Experian he collects all three. But he said the register was clearly incomplete. Vermont defines data brokers in the same way as California and also maintains a data broker registry, which it created around the same time as California, but which lists 660 companies.
The discrepancy “suggests there is a problem with unregistered data brokers,” he told CalMatters via email. “As for how many unregistered brokers there are, it’s anyone’s guess. It could be tens, hundreds or even thousands.”
A study published by Consumer Reports in January involved nearly 700 volunteers who shared Meta-collected data on Facebook and Instagram and found that the average individual is being tracked by more than 2,220 companies. did.
How do I tell my data broker to delete my data?
Each company maintains its own privacy policy, but deleting your collected personal data is as easy as sending an email to your broker. The broker's contact email is listed in the registry. California law requires the broker to respond within 90 days.
You can also use third-party tools such as the Permission Slip app to instruct data brokers to delete your data.
Brokers should detail how to delete or change data in a privacy policy posted on their website. If the company does not take action within this 90-day period, you can file a complaint with the California Privacy Protection Agency.
To quickly view a complete list of companies selling child data, reproductive health data, and geolocation data, toggle the arrow button at the top of the screen on California's online registration site.
How do I delete data collected about my child?
Parents or guardians who wish to make a deletion request on behalf of their child can do so by following the same steps required for other Californians, except that businesses must provide a government-issued ID card, telephone, Or we may require you to verify your identity via video. Contact a trained professional.
What's next for California?
The state's Office of Privacy Protection is already working on a one-click option to delete data. The Enforcement Department will contact companies that it believes should be registered on the register, or face fines, fees or legal action.
How aggressive will California's Consumer Privacy Office actually be? One test will be how often it imposes fines and fees on brokers who fail to register. Megan White, deputy director-general for external affairs at the Privacy Office, declined to say when enforcement officers would contact companies that are required to register as data brokers and are found to be in breach of the law.
Roan said he hopes and expects that “dedicated enforcers will more carefully pursue unregistered and non-compliant data brokers to account.”
In July, California will require data brokers to publish on their websites the number of requests to delete, change, or share data they collect about individuals and the median time it takes to fulfill those requests. begins to be mandatory.