Who’s selling your digital data?

California gives you tools to protect your online privacy

Photo by Sten Ritterfeld

This story on protecting online privacy in California was produced by CalMatters, an independent public journalism venture covering California politics and government. For more info, visit calmatters.org.

By Khari Johnson (for CalMatters)

If you visited a Planned Parenthood in the continental United States in the past few years then the company Near Intelligence, a data broker, probably knew it — and may have sold that information to anti-abortion activists. If you attended certain houses of worship or patronized particular pharmacies, the data broker known as Outlogic allegedly sold that information.

Near Intelligence filed for bankruptcy in December. Outlogic agreed to a settlement with the Federal Trade Commision to stop selling user location data, while insisting regulators had found “no misuse of any data.” Both were among nearly 90 companies on the latest version of the California data broker registry that self-reported selling data about where people are or have been. 

For the first time this year California requires data brokers — companies that knowingly collect and sell consumer’s data to third parties — to report if they collect location data. New state transparency requirements that kicked in this year also revealed that roughly two dozen companies collect personal data about children and about a dozen collect reproductive health data about people who are pregnant.

Do data brokers somewhere have data about you? Almost certainly. Most everywhere you go on your digital journey will collect traces of information about you. If you’ve been on the internet in the past few years, you’ve probably seen a bunch of notices asking if it’s okay for the website you’re on to collect your “cookies” — information that allows the website to remember you, essentially. Some apps on your phone may track your location. It’s hard to say precisely what information about you is where because there are so many variables — your privacy settings, the sites you visit, what you buy and from whom, etc. — but data brokers are in the business of finding, collecting, and selling that data to other businesses. 

Data brokers sell personal information, including your location data, to third parties. (Satellite image courtesy of NASA)

Brokers sell your web activity and other personal information to companies that may target advertising to you or make important decisions about your life, such as whether you get an apartment, whether your activity is labeled fraudulent, or how you’re treated by insurance companies.

The market is largely unregulated.

Selling data about people is the cornerstone of the modern internet economy, powering targeted advertising based on insights gleaned from personal data. Media investment company GroupM forecast $258 billion in digital advertising revenue this year. 

To give people visibility into who sells their personal data for profit, four years ago California started requiring data brokers to register once a year. Since then, a new registry has come out each year based on those submissions. 

The latest registry debuted one month ago with more detailed information and is now maintained by a relatively new state agency. A law passed last fall introduces new consumer rights and more stringent requirements for brokers.

Here are some important things to know:

How can data brokers harm you or your loved ones?

Data brokers can sell data to bad actors ranging from scam artists to adversarial foreign governments. In testimony to a congressional committee one year ago, Georgetown Law Center associate professor Laura Moy said data brokers selling information to law enforcement agencies could amount to a violation of the Fourth Amendment right to live free from unreasonable search and seizure.

From Beijing to Brussels to Washington D.C. and U.S. state capitals, government regulators are creating registries and business reporting rules that aim  to prevent online privacy violations or harmful forms of artificial intelligence. Privacy advocates have urged the creation of a national data broker registry with the Federal Trade Commission for years, but no such registry exists yet.

Who protects my online privacy rights?

California voters passed a ballot measure in 2020 that gives consumers the right to access information collected about them, delete or modify that information, or tell a broker they cannot sell or share that information. Consumers can initiate the process by sending an email to a point of contact listed on the registry website. Then they have to present a copy of their ID like a driver’s license to prove who they are. Consumers and people under 18 can also work with an authorized agent, somebody who makes data deletion requests on their behalf. Companies like Transcend and nonprofit organizations like Consumer Reports offer consumer data deletion services.

The most recent list of data brokers is on the state’s website: cppa.ca.gov/data_broker_registry

To enforce these rights, the ballot measure created the California Privacy Protection Agency and a five-member board to govern its activity.

Companies that buy, sell, or share the personal data of at least 100,000 Californians or get a majority of annual revenue from selling data are required to comply with the consumer online privacy law.

What’s new?

The most recent changes to California’s data broker registry — which took effect in January — require brokers to disclose whether they sell data about kids, pregnant people, or anyone’s geolocation data. 

But relatively soon — at the speed state governments operate — consumers should be able to delete data collected about them.  

Right now, consumers must go to hundreds of data brokers one at a time if they want them to delete their data. 

Last fall, Gov. Gavin Newsom signed the Delete Act giving consumers a way to delete data from all registered brokers by using a single tool or website. 

Under the law — authored by state Sen. Josh Becker, a Democrat from Menlo Park — the state’s privacy agency must launch a website by 2026 that allows Californians to delete their data in 30 seconds or less. The Delete Act doubles the cost if data brokers fail to register to $200 a day as well as costs associated with action brought by the state attorney general. By 2028, audits must verify that data brokers are complying with the Delete Act.

The other major change is that the Delete Act requires brokers to delete any information they collect about a consumer, not just information shared directly from a consumer, closing what online privacy advocates called a crucial loophole that existed in the right to delete granted to consumers under the California Consumer Privacy Act.

The law also shifts responsibility for maintaining the registry from the Department of Justice to the California Privacy Protection Agency. That means that power to determine which companies fail to register and comply with state privacy law or the Delete Act is decided by enforcement officers within that privacy agency.

And it’s up to the agency to decide whether companies should register as data brokers.

The enforcement division has received more than 1,200 complaints from July 2023 to February 2024, according to a staff update last month. The majority of those complaints concern the right to delete data collected about individuals.

Is California’s data broker registry comprehensive?

Since data brokers do not have a direct relationship with consumers, most people have never heard of companies that buy and sell data. But the registry is not comprehensive, not yet at least.

The registry that launched March 1 includes roughly 450 businesses and email points of contact. Brokers were required to register by Jan. 31, but in a meeting held last month, privacy protection agency attorney Liz Travis Allen warned that “If you look at the whole universe of every data broker, we don’t have that list. But that would be something we can enforce on, to figure out who isn’t registered and should be.”

The 2023 registry maintained by the state Justice Department listed 550 companies.

Privacy Rights Clearinghouse head of privacy Emory Roane was a co-sponsor of the Delete Act.  He said it’s “really cool” that the privacy protection agency data broker registry illuminates metrics that you couldn’t see before like the number of companies that track your location or collect data about kids and people who are pregnant, or that the credit score agency Experian collects all three. But he said the registry is clearly incomplete. The state of Vermont defines a data broker the same way as California, also maintains a data broker registry registry, and created its registry around the same time as California, but it lists 660 companies.  

That discrepancy “suggests that there is a problem with non-registered data brokers,” he told CalMatters in an email. “As to how many brokers aren’t registered, well, that’s anyone’s guess. It could be dozens, hundreds, or even thousands.”

A January Consumer Reports study involving nearly 700 volunteers who shared the data Meta collects about them on Facebook and Instagram found that the average person is tracked by more than 2,220 companies.

How can I tell a data broker to delete my data?

Each company maintains its own online privacy policy, but deleting the data it collects on you can be as simple as sending an email to the broker, whose contact email is listed on the registry. California law requires the broker to respond within 90 days. 

You can also use third parties tools like the Permission Slip app to tell data brokers to delete your data.

Photo by Markus Spiske

Brokers must detail how you can delete or modify data in a privacy policy listed on their website. If a business fails to act in those 90 days, you can file a complaint with California’s  privacy protection agency. 

To quickly view the complete list of companies that sell kids data, reproductive health data, or geolocation data, toggle the arrow buttons at the top of the screen on California’s online registry site. 

How do I delete data collected about my kid?

A parent or guardian who wishes to make a deletion request on a child’s behalf may do so by following the same steps necessary for any other Californian, but a business may require them to verify their identity with a government-issued ID card or phone or video call with a trained professional.

What’s next in California?

The state’s privacy protection agency is already developing a single-click data deletion option. The enforcement division will contact companies they believe should be part of the registry or face fines, fees, or legal action. 

How aggressive will California’s consumer online privacy agency really be? One test is how frequently it issues fines and fees for brokers who fail to register. Privacy protection agency deputy director of external affairs Megan White wouldn’t say when enforcement officers will contact companies that they determined must register as data brokers and are in violation of the law. 

Roane said he hopes for, and expects, “eager enforcers more vigilantly holding non-registering and non-conforming data brokers to account.”

In July, California will begin requiring data brokers to publicly report on their own websites the number of requests they receive to delete, modify, or share what data they collected about individuals, and the median amount of time it takes to fulfill those requests.

Be the first to comment

Leave a Reply

Your email address will not be published.