Led by civil rights activists Cat Brooks and Rasheed Shabazz, a recent class action CCPA lawsuit is gaining traction after the pair defeated Thomson Reuter’s motion to dismiss in August. While the Thomson Reuter’s website offers a variety of services, from legal research to financial management, the specific service in question is its CLEAR reports—which Reuters argues is simply a compilation of public records.
These reports are then sold to private companies that include law enforcement, investigative firms and even U.S. Immigration and Customs Enforcement (ICE). The CLEAR reports include criminal history, credit reports, utility records, registered vehicles and personal addresses—a strong trail of the breadcrumbs often needed to locate an individual.
On the surface, Thomson Reuter’s service appears to have intentions to serve the greater good—locating criminals, identifying fraud, curbing illegal immigration, etc. But the other side of the coin isn’t as clear. In their initial complaint filed in December of 2020, the Plaintiffs allege that “Because of CLEAR, Californians’ identities are up for sale without their knowledge, let alone consent.” The lawsuit seeks to “remedy Thomson Reuters’ repeated violations of the plaintiffs and class members’ publicity rights and to enjoin the company from continuing to profit off their personal information without their consent.”
The complaint also claims that Reuters “purchases and consolidates information held by third-party data tracking firms, data brokers, and other companies that compile consumer and location data—private firms that the Wall Street Journal once dubbed ‘Big Brother-in-Law.’ This information includes data from credit agencies, DMV records, cellphone registries, social media posts, property records, utility accounts, professional and fishing licenses, internet chat rooms, court records and bankruptcy filings.” As the New York Times wrote, this information is then “fused and vetted by algorithm to form an ever-evolving, 360-degree view of U.S. residents’ lives.
Public Information? Or Proprietary?
While Reuters argues all the information they provide is publicly available, they also stated at one time on their website that its CLEAR service allows users to locate information that is “not ascertainable via public records or traditional search queries.” Additionally, the website also advertised CLEAR as a way to uncover “facts hidden online” and “key proprietary and public records.”
In August of 2021, a federal judge sided with the Plaintiffs, arguing that the reports infringe upon privacy rights. In his 29-page ruling, U.S. District Judge Edward Chen wrote: “The harm to plaintiffs is tremendous: an all-encompassing invasion of plaintiff’s privacy, whereby virtually everything about them—including their contact information, partially redacted social security number, criminal history, family history and even whether they got an abortion, to name just a few—is transmitted to strangers without their knowledge, let alone their consent.”
Chen also pointed to a prior California Supreme Court decision that illustrated the perils of forced disclosure (Cynthia MORENO et al., Plaintiffs and Appellants, v. HANFORD SENTINEL, INC., et al., Defendants and Respondents. “The claim is not so much one of total secrecy as it is of the right to define one’s circle of intimacy—to choose who shall see beneath the quotidian mask. Loss of control over which ‘face’ one puts on may result in literal loss of self-identity, and is humiliating beneath the gaze of those whose curiosity treats a human being as an object.”
CCPA Layer – Right to be Forgotten
Both Shabazz and Brooks made an attempt to opt-out on the Reuter’s website, which can be done by clicking the “Do Not Sell My Personal Information” link that pops up at the bottom of the page.
According to the CCPA, a “consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information.” Additionally, the steps to opt-out should be “reasonably accessible to consumers” or “clear and conspicuous,” which is required by Cal Civ. Code 1798.135 (a)(1). Moreover, U.S. District Judge Edward Chen also cited Cal. Code Regs. Title 11 999.315 (h), saying that CLEAR’s opt-out function was not “easy for consumers” to use with “minimal steps.”
When Shabazz and Brooks made their opt-out attempt, they were informed they needed to provide a government-issued ID card and a separate picture of their face to confirm the identity. As U.S. District Judge Edward Chen stated in the Factual Allegations section of the complaint, “given that Thomson Reuters is already selling (their) personal information without (their) consent, (they) were not comfortable providing further information to the company, and thus could not complete the company’s process.”
The judge continued to say that “The Court cannot determine as a matter of law that CLEAR’s opt-out mechanism complies with the CCPA and its implementing regulations. In the words of the statute, CLEAR’s opt-out mechanism—as alleged in the complaint—is not ‘reasonably accessible to consumers’ or ‘clear and conspicuous.’ Nor is it ‘easy for consumers’ to opt-out using ‘minimal steps.’” Chen would continue to state that “At the very least, there is a serious question of material fact as to whether Thomson Reuter’s opt-out mechanism even complies with the CCPA.”
Without thorough fact-checking, CLEAR reports also can be riddled with inaccuracies. Plaintiff Rasheed Shabazz ran his own report and found the following errors that he communicated in his complaint. The last name Mr. Shabazz “was given at birth was associated with the slave owners who held his ancestors in bondage, Mr. Shabazz legally changed his name to one he felt was a better representation of himself and his family. CLEAR includes detailed information associated with Mr. Shabazz’s prior name…Some of this information is inaccurate: CLEAR’s profile on Mr. Shabazz’s prior name indicates that Mr. Shabazz was divorced, when he has never legally been married, and that he has been sued for failing to pay child support, when he has no children.”
Subsequently, a CLEAR report that is not thoroughly vetted for inaccuracies can send anyone who purchases the profile down the wrong path. Mr. Shabazz’s report is just one such example of CLEAR compiling data that hasn’t actually been confirmed to belong to the individual identified in the profile. This is addressed in their disclaimer, but is another reminder of the importance of verifying information so the wrong assumptions aren’t made.
Public Benefit Argument
In the right hands, a CLEAR report could be argued to represent a “public benefit” such as the type a journalist would pursue to provide important information to the public. But in the wrong hands, a CLEAR report could provide the means to target individuals as argued by the plaintiffs.
In their complaint, plaintiffs state that “Cat Brooks, for example, is an activist, who has spent years fighting police violence, particularly in communities of color. Because of her work, Ms. Brooks is targeted by white supremacist groups. Concerned for her safety and that of her family, Ms. Brooks works hard to maintain ownership and control over her personal information. She even subscribes to a service that routinely scrubs her personal information from the internet. Yet, CLEAR offers a ‘360-degree view’ of her life: Her address, her cell phone number, and information about her relatives, neighbors, and associates, are all for sale without her consent.”
U.S. District Judge Edward Chen sided with the plaintiffs on this issue, stating, “Here, by contrast, Thomson Reuters is not a journalist performing a ‘public benefit’ by making Plaintiffs’ personal information available to the public. Rather, the company’s dissemination of this information only benefits the private parties who purchase the CLEAR dossiers.”
With the motion to dismiss defeated, Cat Brooks et. al. v. Thomson Reuters Corporation is a prime example of “Right to be Forgotten” litigation that will surely set a precedent for cases in the future.
How Western Can Help
Concerned your organization may not be in harmony with the CCPA and other privacy laws? Need to create an “opt-out” or “Do Not Sell My Personal Information” notification and workflow? Contact the experts at Western Integrated Systems and we can walk you though the steps your organization can take towards CCPA compliance.
Give us a call, send us an email or simply fill out a form on our website and put “CCPA Compliance” in the message section.