Court Casts Doubt on the Legality of the Data Brokerage Industry–Brooks v. Thomson Reuters

Thomson Reuters (TR) offers a database called “CLEAR” that assembles personal information into individual dossiers. The plaintiffs are Black civil rights activists leading a class action lawsuit for publicity rights and related claims. The court denies TR’s motion to dismiss–in a ruling with potentially vast implications.

Publicity Rights. TR claimed its dossiers didn’t “use” the plaintiffs’ identity, citing Perfect 10 v. Google (2010) and Cross v. Facebook. The court distinguishes those cases, saying “Google and Facebook—unlike Thomson Reuters—were not posting or sharing the plaintiffs’ identities; they were simply providing the websites or platforms where others posted that information.” Instead, citing Perkins v. LinkedIn and Fraley v. Facebook, the court says “it is Thomson Reuters that posted the dossiers with Plaintiffs’ name, likeness, and personal information on its CLEAR platform. In other words, Thomson Reuters—not third parties—used Plaintiffs’ identities.”

TR also argued that the plaintiffs don’t make a commercial endorsement via their dossiers. The court agrees but says that’s not required:

Plaintiffs therefore correctly argue that…their names, likeness, and personal information is what attracts the attention of Thomson Reuters’s customers to the dossiers on the CLEAR platform, even if Thomson Reuters is not suggesting that Plaintiffs endorse its dossiers. The only reason CLEAR subscribers pay Thomson Reuters is to have direct access to Plaintiffs’ personal information, regardless of whether Plaintiffs authorized or endorsed the creation of the dossiers. The Court therefore cannot conclude that this is not a right of publicity case simply because Thomson Reuters is not suggesting that Plaintiffs endorse its dossiers.

The last sentence contained how many negatives? Stuffing more than two negatives into a sentence is a yellow flag of judges trying to reach a strained outcome.

This is shaping up to be a really troubling publicity rights precedent, but the court eventually turns it around. The court questions how TR uses the plaintiffs’ identity for promotional purposes:

Plaintiffs allege the product is their name, likeness, and personal information. Plaintiffs do not cite a single right of publicity case with analogous facts. Although the publishing of Plaintiffs’ most private and intimate information for profit might be a gross invasion of their privacy, it is not a misappropriation of their name or likeness to advertise or promote a separate product or service.

That distinguishes the case from Perkins and Fraley, where the users’ identity was displayed in the ads:

The use of a person’s name and likeness to promote a product (other than that which pertains to the person themselves) is the essence of an “appropriation” of one’s name or likeness. No such appropriation is alleged here; unlike Perkins and Fraley, Plaintiffs’ name or likeness in this case were not sent to unsuspecting CLEAR users to advertise or promote the CLEAR platform or some other third party’s products or services; they were sent only to CLEAR subscribers who deliberately paid Thomson Reuters to receive information about them.

Unfairness Prong of 17200

TR argued that the CCPA authorized its dossier sales because the CCPA permits data sales unless consumers opt-out. This argument goes over poorly:

  • The court says no other case has held that. Well, there have been less than 10 cases interpreting the CCPA so far because it came into effect less than 2 years ago. Given the CCPA’s newness, it’s disingenuous to adversely interpret the lack of precedent. The court could have said this was an argument that has never been tested before.
  • The CCPA expressly doesn’t curtail other California privacy laws: “the Court can easily harmonize the CCPA’s right to opt-out with Plaintiffs’ claim under the unfair prong of the UCL by concluding that CLEAR’s opt-out mechanism does not necessarily mean Thomson Reuters’s unauthorized sale of Plaintiffs’ personal information is fair under the UCL as a matter of law.” (Another sentence that would have benefited from avoiding the double negatives).
  • the court questions if TR made adequate disclosures of the CCPA opt-out enough to satisfy the CCPA. This portion made me uncomfortable. The AG has exclusive enforcement of the CCPA requirements (other than the data breach provisions), so having the court police the CCPA requirements through this 17200 backdoor makes my head spin. In particular, this statement from the court seemed clearly inappropriate by implying a 17200 claim from alleged CCPA violations: “plaintiff alleges that CLEAR required Plaintiffs’ photo identifications and faces to opt out. If true, those allegations could easily lead a reasonable trier of fact to conclude that CLEAR’s opt-out mechanism, itself, is unfair under the UCL.”

The court says the plaintiffs adequately allege unfairness:

the harm to Plaintiffs is tremendous: an all-encompassing invasion of Plaintiffs’ privacy, whereby virtually everything about them—including their contact information, partially redacted social security number, criminal history, family history, and even whether they got an abortion, to name just a few—is transmitted to strangers without their knowledge, let alone their consent…CLEAR dossiers may deeply damage Plaintiffs by directly contravening their right to keep private their most intimate and personal information….The unauthorized dissemination of virtually every piece of Plaintiffs’ personal information on the CLEAR platform may constitute a severe invasion of privacy.

TR argued that it only republishes already-published information. The court responds that TR allegedly advertises CLEAR by promising access to unpublished and inaccessible material; and its data aggregation would be a problem to the court even if TR is right:

compiling bits of Plaintiffs’ personal information scattered throughout the internet (and allegedly in non-public sources) into a dossier is a significant invasion of privacy because it is much easier to access that information in one place. Otherwise why would CLEAR subscribers pay to access the dossiers? That some of Plaintiffs’ personal information on the CLEAR dossiers comes from publicly available sources does not diminish the significant harm Plaintiffs suffer from the sale of that compiled information to whomever is willing to pay for it.

Unfortunately, the judge backs this up with citations to harms caused by government-created dossiers. Conflating government invasions of privacy with private sector activity is a common but categorical error, and it undermines the credibility and persuasiveness of the judge’s analysis.

The court says equitable relief for the unfairness claim is possible because “the injury here is an invasion of privacy that can never be fully remedied through damages.”

Unjust Enrichment. The court wades into the pitched jurisprudential battle over whether unjust enrichment is a standalone claim or not. The court says Hartford Casualty Insurance Co. v. J.R. Marketing, L.L.C, 353 P.3d 319, 322 (Cal. 2015) definitively resolved that unjust enrichment is a standalone claim. There are plenty of cases since then holding there’s no standalone claim, so this area remains jumbled.

Section 23o. Consistent with its discussion about publicity rights, the court thinks TR is publishing first-party content, not third-party content: “Plaintiffs are not seeking to hold Thomson Reuters liable ‘as the publisher or speaker’ because they are not asking it to monitor third-party content; they are asking to moderate its own content.” In other words, the court treats TR as the dossiers ICP: “Here, there is no user-generated content—Thomson Reuters generates all the dossiers with Plaintiffs’ personal information that is posted on the CLEAR platform…It is nothing like the paradigm of an interactive computer service that permits posting of content by third parties.”

Ugh, really? Section 230 definitely applies to the “paradigm” 0f posting third-party content, but that’s not the only route to immunity. For example, Google gets Section 230 protection for its search results even though Google search assembles the database and remixes the search results without hosting the third-party content; and Section 230 can apply to FCRA claims to republishing private dossiers. Saying that TR “generates all the dossiers” is like saying “Google generates all the search results.” Section 230 applies if the material in the dossiers/search results comes from third parties, which it clearly does in this case. The court makes an obviously wrong Section 230 interpretation.

Remarkably, the court doesn’t cite the Accusearch case, which also denied Section 230 protection for data brokerage (in that case, pretexted phone records). Accusearch is distinguishable because the illegal content was generated after the sale, but it would have been closer to the court’s twisted Section 230 interpretation. So the court isn’t even citing its strongest precedent!

Note that there are several cases involving the advertising of personal dossiers where Section 230 didn’t apply, either. E.g. Lukis v. Whitepages, Knapke v. Classmates. The court implicitly distinguished those in the publicity rights discussion because they are closer to the cited Perkins and Fraley cases.

Anti-SLAPP. The court says CLEAR might not be a public forum because it’s paywalled, which might mean it’s not generally accessible to the public. Either way, “the unauthorized sale of people’s most personal and private information is not a matter of public interest, particularly when the information pertains to any individual regardless of whether they are a public figure or person of interest to the public.” Plus, the paywall degrades the likelihood the information informs public concerns: “that Thomson Reuters only shares Plaintiffs’ personal information with its CLEAR subscribers who specifically pay for it, and not with the general public, cuts heavily against concluding that Thomson Reuters’s conduct is of public concern.” Thus:

the sale of Plaintiffs’ personal information cannot be fairly characterized as journalistic. It is hard to conceive how the public has any interest—let alone a compelling interest protected by the First Amendment—in the raw personal information of every California resident, especially where it is not connected to a matter of public interest.

As many mainstream publications erect paywalls around socially vital conversations to prop up their business model, anti-SLAPP protection cannot turn on the presence of paywalls. This court’s suggestion otherwise could have dramatic consequences for anti-SLAPP law.

Implications. This is a troubling opinion because it is so clearly results-oriented. This court’s hostility to data brokerage is deep and unrelenting, and that creates multiple rough edges that could attract attention on appeal.

If this ruling survives appeal, it could become a foundational ruling limiting data brokerage. It suggests that 17200 UCL bans data brokerage despite the fact that California law clearly contemplates that data brokerage is legal. For example, the CCPA tolerates data brokerage, and there’s a scheme for data brokers to register with the state. The court’s handling of that obvious statutory conflict was unsatisfying.

The court reacted negatively to the comprehensive nature of the CLEAR dossier, but its reasoning doesn’t have a bright-line quantitative threshold. That invites the standard law professor slippery slope questions: how extensive must a dossier be to trigger the court’s antipathy? If the data broker is selling just one item of data, is that equally problematic? If not, why not?

The court’s treatment of Section 230 was also problematic. It highlights the ongoing doctrinal conflicts between Section 230 and privacy law. Judges may be increasingly open to prioritizing privacy over 230.

Case citation: Brooks v. Thomson Reuters Corp., 2021 WL 3621837 (N.D. Cal. Aug. 16, 2021).

Prior CCPA/CPRA Posts

* New Primer on the California Privacy Rights Act (CPRA)
CCPA Definitions Confuse the Judge in a Data Breach Case–In re Blackbaud
A Roundup of CCPA Court Decisions (I Only Know of 7)
CCPA Data Breach Lawsuit Against Walmart Fails–Gardiner v. Walmart
The Anticipated Domino Effect: Virginia Passes Second State “Comprehensive” Privacy Law (Guest Blog Post)
SF Chronicle Op-Ed: “Prop. 24 is the Wrong Policy Approach, at the Wrong Time, via the Wrong Process”
Over 50 Privacy Professionals & Experts Oppose Prop. 24
Californians: VOTE NO ON PROP. 24, The California Privacy Rights Act (CPRA)
A Review of the “Final” CCPA Regulations from the CA Attorney General
The CCPA Proposed Regs’ Data Valuation Calculation Provisions Provide Flexibility, But Raise Ambiguity & Transparency Concerns (guest blog post)
My Third Set of Comments to the CA DOJ on the CCPA Regulations
Comments on the DOJ’s Proposed Modifications to the CCPA Regulations
Eric Goldman’s Comments to the California DOJ Draft Regulations for the Consumer Privacy Act (CCPA) (Part 3 of 3)
Some Lessons Learned from the California Consumer Privacy Act (CCPA), 18 Months In (Part 2 of 3)
Resetting the California Consumer Privacy Act (CCPA)…with 2 Weeks To Go! (Part 1 of 3)
And At the End of the Day, the CCPA Remains Very Much the Same (Guest Blog Post)
A Recap of the Senate Judiciary Committee Hearing on Amending the California Consumer Privacy Act (Guest Blog Post)
Want Companies to Comply with the CCPA? Delay Its Effective Date (Guest Blog Post)
Recap of the California Assembly Hearing on the California Consumer Privacy Act
A Status Report on the California Consumer Privacy Act
41 California Privacy Experts Urge Major Changes to the California Consumer Privacy Act
California Amends the Consumer Privacy Act (CCPA); Fixes About 0.01% of its Problems
Recent Developments Regarding the California Consumer Privacy Act
The California Consumer Privacy Act Should Be Condemned, Not Celebrated
A First (But Very Incomplete) Crack at Inventorying the California Consumer Privacy Act’s Problems
Ten Reasons Why California’s New Data Protection Law is Unworkable, Burdensome, and Possibly Unconstitutional (Guest Blog Post)
A Privacy Bomb Is About to Be Dropped on the California Economy and the Global Internet
An Introduction to the California Consumer Privacy Act (CCPA)