SECTION 1.
The Legislature finds and declares all of the following:(a) In 1972, California voters amended the California Constitution to include the right of privacy among the “inalienable” rights of all people. The amendment established a legal and enforceable right of privacy for every Californian. Fundamental to this right of privacy is the ability of individuals to control the use, including the sale, of their personal information.
(b) Since California voters approved the right of privacy, the California Legislature has adopted specific mechanisms to safeguard Californians’ privacy, including the Online Privacy Protection Act, the Privacy Rights for California Minors in the Digital World Act, Shine the Light, and as of last year, the California Consumer Privacy Act of 2018, which gives Californians the ability to better control the personal information that is collected and sold about them.
(c) While many different types of businesses collect data about consumers, a “data broker” is in the business of aggregating and selling data about consumers with whom the business does not have a direct relationship.
(d) A data broker collects many hundreds or thousands of data points about consumers from multiple sources, including: internet browsing history, online purchases, public records, location data, loyalty programs, and subscription information. The data broker then analyzes the data to assess content and packages the data for sale to a third party.
(e) Data brokers may provide information that can be beneficial to services that are offered in the modern economy, including credit reporting, background checks, government services, risk mitigation and fraud detection, banking, insurance, and ancestry research, as well as helping to make determinations about whether to provide these services.
(f) While data brokers may offer benefits, they also create risks that are associated with the widespread aggregation and sale of data about consumers, including risks related to the inability of consumers to know and control information held and sold about them and risks arising from the unauthorized or harmful acquisition and use of consumer information.
(g) There are important differences between data brokers and businesses with whom consumers have a direct relationship. Consumers who have a direct relationship with traditional and e-commerce businesses, which could have formed in a variety of ways such as by visiting a business’ premises or internet website, or by affirmatively and intentionally interacting with a business’ online advertisements, may have some level of knowledge about and control over the collection of data by those businesses, including: the choice to use the business’ products or services, the ability to review and consider data collection policies, the ability to opt out of certain data collection practices, the ability to identify and contact customer representatives, and the knowledge necessary to complain to law enforcement.
(h) By contrast, consumers are generally not aware that data brokers possess their personal information, how to exercise their right to opt out, and whether they can have their information deleted, as provided by California law.
(i) People desire privacy and more control over their information. California residents should be able to exercise control over their personal information and be certain that there are safeguards against misuse of their personal information. It is possible for businesses both to respect consumers’ privacy and provide a high level of transparency regarding their business practices.
(j) Therefore, it is the intent of the Legislature to further Californians’ right to privacy by giving consumers an additional tool to help control the collection and sale of their personal information by requiring data brokers to register annually with the Attorney General and provide information about how consumers may opt out of the sale of their personal information.