CA Regulators' Bite: Equal to Their Bark?
Hello all, and happy Thursday!Read Now
January 18, 2024
Hello all, and happy Thursday!
Data brokers are slowly but surely drawing the attention of regulators. Our newsletter features not one, but two stories centered on the increasing pressure these businesses are facing.
Last week, we covered the FTC settlement ruling that Outlogic, a major data broker, was prohibited from selling location data. This week, our newsletter includes stories on another FTC case against Kochava as well as the growing wave of U.S. states with privacy regulation specific to data brokers.
It’s taken regulators so long to catch onto data brokers in part because they aren’t a very visible party to most consumers. The average consumer will likely never interact with a data broker directly; instead, the data they provide mobile apps (often unwittingly) is funneled to these entities, packaged together to build a profile, and analyzed to deliver startingly accurate insights into identifiable individuals’ lives and habits. That could include insights into where you go to the hospital, what your gender identity is, what medical treatments you receive, what political beliefs you hold, and more.
And for the most part, this information is simply up for sale to whoever can afford it. As is always the case in data privacy, it’s tempting to shrug this off. Who cares if advertisers have your data? Or even law enforcement agencies—assuming you have nothing to hide? But data brokerages can and have had an outsized impact on our society. The Cambridge Analytica scandal wasn’t all that long ago, and they both collected data directly without obtaining consent and made use of other data brokers to influence an election. And that’s not to mention the fact that any organization, regardless of whether their intentions are benign, shouldn’t handle your personal information without your knowledge and consent.
Given the impact that data brokers can have, it will be well worth your time to pay close attention to the recent legislative and enforcement developments in this space.
The Information Commissioner’s Office (ICO) has launched a consultation series on generative AI, examining how aspects of data protection law should apply to the development and use of the technology. During the consultation, the ICO will seek input from developers and users of generative AI, legal advisors, and consultants working in this area, civil society groups and other public bodies with an interest in generative AI. The first consultation is open until 1 March 2024.
Kochava, a data broker that provides mobile app data analytics, is locked in a legal battle with the Federal Trade Commission (FTC). The FTC’s recently unsealed amended complaint against Kochava makes clear that there’s truth to what Kochava advertises: it can provide data for “Any Channel, Any Device, Any Audience,” and buyers can “Measure Everything with Kochava.” This has privacy experts concerned.
Google Cloud announced on Thursday that it was eliminating exit fees for customers who leave for competing cloud services providers. The change shakes up industry practices in data portability and licensing at companies that have legacy software customers from before the advent of cloud computing. The move comes as regulators worldwide are probing business practices of the cloud computing industry and with the effective date of the EU’s Data Act.
The Court of Justice of the European Union (CJEU) recently issued a judgment involving the GDPR's requirements surrounding decision-making based solely on automated processing that produces legal effects concerning the data subject. Specifically, the CJEU ruled that by calculating a credit score, a credit reference agency makes an automated decision subject to the GDPR. The ruling has major implications for credit reference agencies and numerous other scoring systems. How these systems relate to the GDPR will depend on how the score relates to the final decision made regarding a data subject and what role it plays as a factor under consideration.
With the new year, new data broker laws have come into effect. Texas and Oregon both passed data broker laws in 2023, bringing us to a total of four states (along with Vermont and California) that will now impose their own requirements on the data broker industry. Both states’ laws are already effective: Texas’ law went into effect on September 1, 2023, while Oregon’s law went into effect on January 1, 2024.
Some cynics think that when businesses define their values and mission, it’s little more than an exercise in vanity; at Osano, we know that’s not true. Our values inform every aspect of our operations, including the partners, vendors, and customers we choose to work with. Find out how our B-Corp status and mission of simplifying data privacy informs who we work with in this blog.
If you’re interested in working at Osano, check out our Careers page!
Arlo Gilbert is the CEO & co-founder of Osano. An Austin, Texas native, he has been building software companies for more than 25 years in categories including telecom, payments, procurement, and compliance. In 2005 Arlo invented voice commerce, he has testified before congress on technology issues, and is a frequent speaker on data privacy rights.