Everyone talks about the weather, but nobody does anything about it.
Similarly, everybody seems to despise the entire business of data brokerage – third parties who collect information about us second-hand and third-hand, but who do not actually have a relationship with the data subjects whose information is collected – but nobody seems to do anything about them. Until now.
Sure, the U.S. Federal Trade Commission used its Unfair and Deceptive Practices authority to wrangle with the worst crimes of data brokers, such as directly selling people’s personal information to identity thieves, and place some of them under decades-long consent orders. While these actions brought the often sleazy practices of certain data brokers out into the light, they did not strike at the core of the business.
Vermont passed a law forcing certain data brokers to register with the state, but this simply identifies the (law-abiding) data collection companies and otherwise does little or nothing to affect their behavior. We know who they are, but not much about what they are doing.
California is changing all of this. While the state has addressed some issues with data brokers before, the California Consumer Privacy Act (CCPA) not only requires data broker registration, but it takes one step that essentially eviscerates the entire data broker business model. It is not exaggerating to say that the California requirement that data brokers hold affirmative permission from their data subjects to pass the data to broker customers essentially outlaws the data brokerage business in California.
CCPA, Cal. Stat. 999.305(d) requires:
A business that does not collect information directly from consumers does not need to provide a notice at collection to the consumer, but before it can sell a consumer’s personal information, it shall do either of the following:
(1) Contact the consumer directly to provide notice that the business sells personal information about the consumer and provide the consumer with a notice of right to opt-out in accordance with section 999.306; or
(2) Contact the source of the personal information to:
a. Confirm that the source provided a notice at collection to the consumer in accordance with subsections (a) and (b) [providing consumers with direct notice before data is collected how it will be sold/used]; and
b. Obtain signed attestations from the source describing how the source gave the notice at collection and including an example of the notice. Attestations shall be retained by the business for at least two years and made available to the consumer upon request.
On its face, the requirement doesn’t seem too onerous. Of course a data broker couldn’t claim to receive direct consent from a consumer that it never has a direct relationship with. Instead, a company selling people’s identifiable information must either, 1) provide notice and gain permission to do so, or 2) receive records from the initial collector of the data that such collector provided notice and received permission from data subjects about what would happen to their data. Simple, right?
Not really. According to the marketing professionals I have talked with, moving from an opt-out model for collecting names (data brokers either use an opt-out model or never tell the data subject what data is being sold or to whom) to an opt-in model (requiring affirmative notice at collection and/or express permission) reduces a company’s marketing lists by over 85%. The reduction in database numbers is so severe that an effective marketing program is dropped to less than a sixth of the names, making it hardly worth the effort of hiring marketing professionals in the first place.
While a cursory search did not find backup for these numbers, a study from more than a decade ago also found deep economic losses for companies moving to an affirmative permission-based marketing system to meet the 2002 EU privacy directive:
Goldfarb and Tucker analyzed the impact of the European Union’s Privacy and Electronic Communications Directive (2002/58/EC), which various European countries implemented to limit how advertisers can collect and use information about consumers for targeted advertising. The authors found that after the opt-in policy went into effect, the result was an average reduction in the effectiveness of the online ads by approximately 65 percent. The authors note that if advertisers reduced their spending on online advertising in line with this reduction in effectiveness, “revenue for online display advertising could fall by more than half from $8 billion to $2.8 billion.”
The situation will be substantially worse for data brokers. Their entire business model is premised on the collection of massive amounts of data about all of us, collected either from public sites or private third parties. There is no way that this business model can be similarly sustained if the broker must be able to establish that permission was granted for each item of non-public information in a person’s file.
From the little I have seen in this industry, it is likely that most effective data brokers hold thousands of items of information about each consumer. Will the broker need to send each California resident a 50-page list of all of this data and ask, “Will you grant us permission to use each of these items in a huge file that we sell to your political enemies and people who want to manipulate you out of your money?” Even with a more realistic and evenhanded request, nearly all of us are likely to say “no” without some form of significant compensation, and even then most of us would either ignore the request or explicitly deny it.
In short, I don’t see how data brokers can meet the CCPA notice requirements and still survive. Affirmative consent kills the commercial viability of deep personal analytics and marketing the way it has developed since the wide adoption of the Internet. Will data brokers abandon California, and if so, how does that work and how much will it cost the California economy? Will data brokers feint toward compliance while trying to have it both ways, and if so, how will the California AG penalize them?
Either way, the legislators in Sacramento have thrust a sword into the guts of the data broker industry, and the multi-billion dollar business of selling personal data may not survive in its current form – if at all.