UC Irvine researchers conducted a comprehensive study into California data brokers and the extent to which they break state consumer privacy laws, including the California Consumer Privacy Act (CCPA). Legal observers and consumer protection advocates were alarmed by the chief finding of the study: data brokers don’t comply with CCPA requirements. In fact, researchers found that data brokers are guilty of “rampant noncompliance” with California digital privacy laws, with nearly half of all data brokers failing to reply to consumer data requests.
To learn more about the UC Irvine study of data brokers & California’s consumer privacy laws, keep reading this blog.
What Are Data Brokers?
What is a data broker? Data brokers are companies that acquire personal information of millions of people and then sell that data to third-party companies. The California Data Broker Registration law defines a “data broker” as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” The last part of the definition is important because it highlights a unique aspect of data brokers: they collect data from people who have never used their services.
One of the largest data brokers in the world is LiveRamp, which operates a “data collaboration platform” that gives other companies access to consumer data. According to Gene Tsudik, a co-author of the UC Irvine study, data brokers and the companies that do business with them are primarily interested in using the consumer data they collect to pinpoint personal details about consumers, “such as purchasing behavior, financial status, and health conditions.” The data brokers then attempt to monetize this data by selling it to third parties without the consent of the individuals.
CCPA Requires Data Brokers to Respond to Consumer Requests
As set forth by the California Consumer Privacy Act (CCPA), data brokers must respond in a timely manner to consumer requests related to data collection: they must reply within 10 business days to confirm receipt of the request, and then provide an answer to the request within 45 calendar days (with the option to extend the deadline by another 45 days). If the data broker has in fact collected the consumer’s personal data, then the company must provide that information in detail. If the data broker has not collected and/or does not possess any personal information about the consumer, then the company must declare so in writing.
The California Data Broker Registration law requires every data broker that does business in the state to register annually with the California Privacy Protection Agency (CPPA). The state also maintains a Data Broker Registry, which helps with compliance because the California Privacy Protection Agency can use the registry to identify offenders and enforce the law.
“People Search” Websites
One major source of identity theft and fraud is “people search” websites. These sites offer the personal information of consumers to the public for free, with additional information typically available for a fee. The information offered on these websites often comes from data brokers.
UC Irvine Study Examines Data Broker Compliance with California Consumer Privacy Laws
The title of the UC Irvine study is: “Consumer Beware! Exploring Data Brokers’ CCPA Compliance.” The study’s authors are Elina van Kempen, Isita Bagayatkar, Chloe Georgiou, and Gene Tsudik. Funding for the study came from the National Science Foundation, which is an independent federal agency that issues grant money to U.S. colleges and universities for research.
The study was conducted by a team of computer scientists who investigated every data broker registered in California. At the time of the study, there were a total of 543 data brokers doing business in the state. This was the most comprehensive study of data broker behavior ever conducted because it evaluated all data brokers registered in California. By contrast, previous studies only examined a small sample size of 20 people-search websites.
Study Conclusion: California Data Brokers Violate CCPA by Failing to Respond to Consumer Requests
UC Irvine researchers discovered that approximately 50% of data brokers doing business in California are violating the California Consumer Privacy Act (CCPA) by failing to respond to legitime consumer requests.
Gene Tsudik, a computer science professor at UC Irvine and one of the co-authors of the study, emphasized the legal and ethical concerns raised by data brokers’ “rampant noncompliance” with invasion of privacy laws. According to Tsudik, data brokers operating in California are taking advantage of consumers by monetizing their personal information and then selling the data to third parties, including other companies, individuals, and even governments. Tsudik noted that these types of transactions “can open the door to malicious actors, giving them access to consumers’ personal information to mount identity theft, fraud, or phishing activities.”
What Is the Identity Verification Process for Consumer Data Requests?
The purported reason that data brokers must verify a consumer’s identity before releasing any personal information is to prevent data breaches by unauthorized parties. But the identity verification process can be extremely difficult for consumers. The UC Irvine study’s authors referred to it as “Kafkaesque,” questioning how a consumer can possibly prove their identity to a company that might not even have their personal information. Moreover, how can a consumer verify the truthfulness of a data broker who claims that they did not collect any personal information about the consumer?
Data Brokers Request Sensitive Personal Information from Consumers
Worse than the non-responses to consumer requests about personal data were the responses from data brokers that actually requested even more information from the consumer. The study concluded that data brokers are violating the spirit of the CCPA by forcing consumers to “jump through hoops” and “surrender personal data” just to exercise their privacy rights.
For example, several data brokers asked for extremely sensitive information that included the consumer’s legal name, mailing address, driver’s license number, and Social Security number. This was ostensibly for the purpose of “verifying” the consumer’s identity, but it is still alarming that consumers looking to exercise their data access rights under the CCPA are instead asked to incur greater privacy risks by exposing even more personal information to potentially unscrupulous data brokers.
Additionally, researchers observed that “an impersonator could easily receive another consumer’s personal information.” This means that the identity verification process used by data brokers could result in data breaches that harm consumers.
California Consumer Privacy Act (CCPA) Grants Data Access Rights to Consumers
The California Consumer Privacy Act (CCPA) was enacted in 2018. The statute was amended by the California Privacy Rights Act (CPRA) in 2020. Basically, the CCPA gives California residents the legal right to control the personal data that is collected by businesses, including data brokers. The statute specifically requires California businesses to give consumers an opportunity to opt out of the collection and/or sharing of their personal data. Additionally, the law stipulates that companies must respond promptly to any inquiries from consumers about data collection, including requests to delete personal data.
CCPA Consumer Requests
Elina van Kempen, the lead author of the UC Irvine data broker study, noted that researchers looked closely at six (6) aspects of the CCPA consumer request process:
- What burden does the consumer have in submitting the CCPA request?
- How difficult is it for the data broker to verify the consumer’s identity before answering the request?
- How long is the response time for a data broker to answer a consumer request?
- How adequate is the data broker’s response?
- Was any additional personal information requested?
- Are there any other privacy issues implicated by the consumer request?
The study’s authors acknowledged that it can be difficult for consumers to submit a CCPA request in the first place because there is not one standardized way of doing so: different data brokers have different submission processes and require various kinds of information from the consumer. The UC Irvine research team had to deal with multi-step submission forms that necessitated follow-ups, broken links in website privacy policies that made it impossible to initiate a request, and untrained data broker employees and other staff who made it difficult to even start the complicated process.
Call the Los Angeles Data Privacy Lawyers at Tauler Smith LLP
California law stipulates that data brokers that collect and sell consumers’ personal information are required to respond to any consumer requests about the data collected, as well as requests to delete the data. If your personal information was unlawfully shared with a data broker or any other third party, you may have a valid legal claim for financial compensation.
The Los Angeles consumer protection attorneys at Tauler Smith LLP can help you. Call 310-590-3927 or email us today.
