example, trackers can provide information about products the user has viewed.
29
This
information can be combined with other data, analyzed, and shared to target advertising to
users.
30
A recent California Consumer Privacy Act enforcement update from the California
attorney general indicates that this can be considered a data sale and that covered companies
may be required to give California consumers the option to opt out of these data disclosures.
31
We asked the four companies if they were aware of this recent enforcement update, and
whether they planned to make any changes to their policies as a result; all four responded that
they knew about it, and do not feel they need to change their policies as a result.
Extensive data collection poses privacy risks to consumers. The Equifax data breach of 2017,
which led to the disclosure of the sensitive information, including Social Security numbers, of
over 100 million consumers, brought widespread public attention to the reality that credit
reporting companies are not impenetrable to hacks.
32
But the Equifax breach was just one in a
series of credit bureau and data broker security incidents over the past 20 years. According to
the Department of Justice, for example, in 2003 a hacker illegally obtained personal information
from over a billion consumer records held by the data broker Acxiom.
33
In 2005, the data broker
LexisNexis announced that, across its business units, it may have been breached almost 60
33
Former Officer of Internet Company Sentenced in Case of Massive Data Theft from Acxiom
Corporation, Department of Justice (Feb. 22, 2006),
https://web.archive.org/web/20060322185137/http://www.justice.gov/opa/pr/2006/February/06_crm_088.h
tml; John Leyden, Acxiom Database Hacker Jailed for 8 Years, The Register (Feb. 23, 2006),
https://www.theregister.com/2006/02/23/acxiom_spam_hack_sentencing/.
32
Equifax to Pay $575 Million as Part of Settlement with FTC, CFPB, and States Related to 2017 Data
Breach, FTC (Jul. 22, 2019),
https://www.ftc.gov/news-events/press-releases/2019/07/equifax-pay-575-million-part-settlement-ftc-cfpb-
states-related.
31
State of California Department of Justice, CCPA Enforcement Case Examples (accessed Aug. 2, 2021),
https://oag.ca.gov/privacy/ccpa/enforcement.
30
Id., Update Report into AdTech and Real-Time Bidding, Information Commissioner’s Office at 10-11
(Jun. 20, 2019),
https://ico.org.uk/media/about-the-ico/documents/2615156/adtech-real-time-bidding-report-201906-dl1912
20.pdf (PDF); Authorized Buyers Overview, Google (accessed Aug. 3, 2021),
https://support.google.com/authorizedbuyers/answer/6138000; WTF is Real-Time Bidding? Digiday (Feb.
17, 2014), https://digiday.com/media/what-is-real-time-bidding/.
29
How to Protect Your Privacy Online, Federal Trade Commission (May 2021),
https://www.consumer.ftc.gov/articles/how-protect-your-privacy-online.
business partners and third-party service providers collect, use and share information to develop and
deliver targeted online advertising. These are ads that you may see across different sites and devices
over time. This information includes marketing information such as your preferences and inferences
based on your interactions with the Site.” Credit Sesame Privacy Policy (Jan. 21, 2021),
https://www.creditsesame.com/about/privacy-policy/: “Some content or applications, including
advertisements, on the Website may be served by third-parties, including advertisers, ad networks and
servers, content providers, and application providers. These third parties may use cookies, alone or in
conjunction with web beacons or other tracking technologies, to collect information about you when you
use our Website. The information they collect may be associated with your personal information or they
may collect information, including personal information, about your online activities over time and across
different websites and other online services. They may use this information to provide you with
interest-based (behavioral) advertising or other targeted content. We do not share your personal
information with these parties.”