Companies line up to undercut key data privacy law
A pioneering law in New Jersey that protects the privacy of law enforcement officials could soon come under fire from a coalition of businesses that want to loosen up the new rules, according to an audio recording provided to POLITICO.
The Association of National Advertisers hosted a conference call on Feb. 22 to discuss how the industry should respond to Daniel’s Law, a New Jersey data privacy regulation that three other states are also considering.
The law allows law enforcement officials such as judges, police officers and prosecutors to request companies stop sharing information such as their home address and phone number. It also allows the officials to sue companies that don’t comply.
The law is one of the strictest regulations in America governing data brokers, companies that buy and sell personal data. It is named after Daniel Anderl, the son of U.S. District Judge Esther Salas, who was killed after a gunman found the jurist's New Jersey address online.
Though Daniel’s Law applies only to New Jersey, it has been nationally influential. Privacy advocates consider it an important, if limited, move in the direction of enforceable personal privacy, while the industry argues that the law makes it far harder to provide important services like fraud prevention and identity verification.
The participants in the call — a collection of data brokers and industry groups — outlined plans to weaken the law, pushing amendments that would protect them from lawsuits and let them resume sharing police officers’ and judges’ personal information with customers even when those law enforcement officials are afraid for their safety.
On the call, the ANA, the Consumer Data Industry Association, the lobbying firm Venable and the data broker Acxiom discussed their plans to pressure legislators to amend Daniel’s Law in New Jersey before other states begin to adopt the legislation.
“It’s going to be a street fight, and we’re ready for it, we’ll lead,” Acxiom’s chief privacy officer Jordan Abbott said on a recording of the call obtained by POLITICO.
The discussion came about a week after the company Atlas Data Privacy Corporation filed class action lawsuits against 118 data brokers on behalf of 20,000 New Jersey law enforcement officials for allegedly failing to comply with the law.
A spokesperson for Acxiom said that the company “is dedicated to its continued commitment to meeting the goals of Daniel’s Law,” and also said that Abbott’s “street fight” remarks were referring to the ongoing lawsuits.
“This commitment will be borne out in our defense as the facts become public” in the suit, Acxiom said in a statement.
Data brokers have come under fire by privacy advocates and lawmakers in recent years, but the New Jersey law is one of the few laws passed to regulate them, and perhaps the toughest. While some states now require data brokers to delete people’s information upon request, the lack of enforcement and the difficulty for consumers to opt out often allows data brokers to maintain the status quo.
Daniel’s Law poses a particular risk to the data broker industry because it includes a “private right of action” — a provision allowing individuals to sue if companies don’t comply within 10 days of the request.
Other states have taken notice: Legislators in Hawaii, Maryland, Arizona and Idaho have all pursued similar bills in the last year.
The threat of lawsuits under New Jersey’s law, as well as proposals to implement similar regulations in other states, pose a major financial risk to data brokers and prompted the conference call in February.
On the call, the company executives discussed plans to propose amendments to New Jersey’s law that would narrow the scope to only apply to “publicly displayed information.” The law currently requires businesses to stop disclosing law enforcement officials’ information upon request, not just in public postings online.
This change could potentially allow data brokers to continue sharing law enforcement officials’ home addresses and phone numbers to their customers, as long as the sensitive information is not posted publicly.
Other proposed amendments included exemptions for information covered under federal privacy regulations such as the Fair Credit Reporting Act and the Gramm-Leach-Bliley Act, and requiring identity verification from law enforcement officials sending an opt-out request.
If implemented, these amendments would extinguish law enforcement officials’ ability to sue for privacy violations, Matt Adkisson, the president of Atlas Data Privacy Corporation, said in a statement.
“As described to us, the proposed amendments would decimate Daniel’s Law to such an extent that there would be no meaningful protections left to fight for,” he said.
Data brokers argue that their collections have beneficial purposes, such as identity verification and fraud prevention. Information such as a person’s past addresses, phone number and financial history, for example, can be used to verify a person applying for a loan is who they say they are.
Because Daniel’s Law requires companies to stop sharing a law enforcement official’s address and phone number when requested, data brokers argue that cutting off that information breaks its fraud detection pipeline.
LexisNexis, a prominent national company that acts as a data broker, responded to opt-out requests under Daniel’s Law by placing security freezes on requesters’ accounts, according to a class action lawsuit filed in March.
LexisNexis did not respond to a request for comment on its policy.
On its website, the company noted that opt-out requests would prevent information from being shared for identity verification and fraud prevention purposes, prompting the security freeze.
The company executives on the call said they hope to change the law’s requirements for data to “public display” instead of “disclosure” so that information can still be shared privately between companies for verification purposes.
On the call, the companies discussed their political strategy for pushing New Jersey legislators to change Daniel’s Law. The effort would require a change in public perception of data brokers, the ANA’s Executive Vice President Chris Oswald said on the call. He cautioned against the ANA’s public involvement with the effort, warning that the “narrative would be spun” that companies just want to use the data for advertising purposes.
Oswald recommended shifting the focus to highlight the unintended consequences of data deletion requests instead.
“Law enforcement and judges are being cut off from access for applications for credit, insurance, mortgages, which is much more sympathetic in trying to get changes to the law,” he said on the call.
ANA did not respond to a request for comment.
On the call, some of the groups said they hoped to highlight this issue to sway one of Daniel’s Law’s biggest political allies, the New Jersey State Policemen’s Benevolent Association. The organization worked with Atlas Data Privacy Corporation to file its flood of lawsuits against data brokers who allegedly failed to remove their data.
Sarah Ohs, the CDIA’s vice president of government relations, said on the call that she’d been in touch with New Jersey’s PBA president, Pat Colligan, who she claimed was open to changes to the legislation.
“My hope is that we can get PBA to buy into this, and then we’ll put their name behind it, and that will help a legislative fix go much quicker and smoother,” Ohs said on the call.
Colligan told POLITICO that this conversation was meant to be confidential, and was frustrated to learn that the CDIA shared details of their discussion without consent. He denied being supportive of their proposed amendments, noting only that he would consider them.
Colligan said he does not support the proposed amendments after seeing them.
“The law was passed, it was strengthened by us, by our lobbying, and I have no intention of letting anybody have a third bite at the apple,” Colligan said.
He said that despite the law passing in 2020, many data brokers ignored officers’ opt-out requests until the lawsuits were filed this year.
A spokesperson for the CDIA said in a statement that the industry group acknowledges the importance of privacy protections for law enforcement officials, and is seeking changes to ensure that the data can still be used for fraud detection and identity verification.
“If the law is not clarified, the unintended consequences could make it difficult for protected individuals to access their credit files to finance a car, a home, secure rental housing, or even complete online transactions depending on identity verification processes,” the industry group said.
Acxiom, which was also sued for noncompliance in New Jersey, recommended that companies comply with the law until the regulations were changed. A handful of data brokers on the call were asking how they could comply with the law rather than change the rules.
The call also raised concerns about other states potentially adopting similar legislation. The ANA’s Oswald discussed the organization’s efforts to lobby legislation in California, as well as Hawaii.
The CDIA, Acxiom, Venable and the ANA were behind a coordinated campaign against the DELETE Act in California, with plans to use information from data brokers to target political ads against the bill designed to limit data brokers. The campaign ultimately failed and the DELETE Act was signed into law last October.
