As Northern New Jersey cop Jane Doe investigated a criminal organization between 2021 and 2022, the gang acquired her home address from an online data broker.
When Doe’s investigation ultimately took down a group leader, text messages on a retrieved mobile phone confirmed she’d been the target of a surveillance operation tracking her movements “to and from her home,” according to court filings. Criminals had been stalking Doe, even as the task force was about to topple the gang.
Two years later, she’s now an unnamed plaintiff in a spree of lawsuits against the very websites that doxxed her and other officers for as little as an email address and a free trial.
Jane Doe’s story is just one in a wave of more than 140 complaints brought this year against data brokers using a 2021 New Jersey law allowing protected citizens, including judges and police officers, to sue when these platforms fail to remove public information. Now many of those suits have transferred to federal court, morphing into a constitutional battle that could impact both state and federal privacy policies and hinder efforts to protect vulnerable individuals, like Doe, from violent threats.
Central to these disputes is a relatively unknown New Jersey-based data-deletion firm, Atlas Data Privacy Corp. As a software company, Atlas says they’ve distributed their privacy protection tools to tens of thousands of users with many more cops, judges, and teachers wait-listed. But Atlas is also evolving into a litigation machine, leading all of the data-broker complaints by wielding the 2021 state statute, Daniel’s Law, named after Daniel Anderl who was shot and killed at home by a disgruntled lawyer in 2020 trying to attack Anderl’s mother, a federal judge.
Atlas’ litigation push enters a new phase Tuesday, when a judge for the US District Court for the District of New Jersey will hear arguments from Atlas and data brokers profiting from their access and sale to information key to public safety. Heavy hitters including Acxiom LLC and Thomson Reuters will argue that the law arbitrarily tramples on free speech by limiting brokers’ rights to disseminate data, such as home addresses. Atlas, backed by the New Jersey attorney general, will argue that the defendants fail to show that the law is wholly unconstitutional, and the harms defendants claim are hypothetical at best.
Defanging or overturning the New Jersey statute would “pose an existential threat to the future of privacy law. It would have repercussions far beyond Daniel’s Law,” said Megan Iorio, counsel at the Electronic Privacy Information Center.
‘Missing Piece’
Matt Adkisson says when he co-founded Atlas in 2021, legally registered as RoundRobin Corp., attempting to litigate the future of the data broker industry wasn’t part of his business plan. Instead, his mission was to help customers opt out of a growing trove of personal data up for grabs to marketers and “people search” sites.
What he quickly discovered was that existing privacy laws, like the California Consumer Privacy Act, came with limited enforcement and minimal consequences for non-compliance, making an already burdensome opt-out process for consumers difficult to enforce. Many data brokers simply don’t care about complying with deletion requests, he said.
“If a speeding ticket is $5 people tend to ignore speed limits. If the ticket is $1,500, we all naturally take that responsibility more seriously,” said Adkisson. “What we stepped into in the early days under the CCPA was a lack of enforcement that emboldened many data brokers to continue acting recklessly.”
Outside of a few exceptions like Daniel’s Law, privacy laws in the generally don’t bar websites from collecting and publishing public records, leaving at-risk communities such as reproductive health workers, domestic violence victims, and law enforcement officers vulnerable.
Bloomberg Law reported that threats against federal judges more than doubled from 2019 to 2023.
Daniel’s Law was “the missing piece,” to getting brokers to comply with deletion requests, Adkisson says.
The law prohibits disclosure of residential addresses for cops, judges, prosecutors and their families on state and local government websites, and allows covered residents to request removal of home address or unpublished phone numbers from commercial websites. It also comes with penalties other statutes lack: actual damages of at least $1,000 per violation and punitive damages for violations, as well as attorney’s fees and litigation costs.
In 2023, amendments to the law allowed individuals to transfer their claims to a third party, enabling that party to file lawsuits with guaranteed minimum damages if a violation is proved. This arrangement is unusual for privacy laws and is a key reason behind Atlas’s focus on Daniel’s Law, according to data brokers’ arguments filed against the lawsuits. After the amendments, Atlas pitched its services to police organizations including the New Jersey State Police Benevolent Association, which made the service a member benefit and advertised it at an April 2023 conference.
“We’re just looking to protect the people who are out there in harm’s way, because they’re just doing their job,” said NJSPBA president Peter Andreyev, a named plaintiff in the Atlas lawsuits.
In February, two months after sending tens of thousands of removal requests, Atlas filed more than 140 lawsuits on behalf of thousands of police officers against data brokers who the company said had failed to remove its customer’s data. Across the various New Jersey suits, data brokers could face as much as $19 million in damages, if found liable.
Data brokers responded to the wave of litigation by convening in February to coordinate their response, including discussing a push to shut down similar bills in other states, Politico reported.
The industry’s main concern is with the changes made in 2023, including minimum penalties, said Ron Raether, partner at Troutman Pepper and counsel for Acxiom LLC, a defendant in one of Atlas’ suits.
“The only things these amendments seem to have done is allowed Atlas to bring hundreds of lawsuits for its own financial benefit,” he said.
The Constitutional Question
In June, more than 70 defendants who had removed Atlas’ cases to federal court filed a consolidated motion to dismiss arguing Daniel’s Law is unconstitutionally vague.
The motion argued that public agencies, despite facing the same safety implications as businesses, receive an extra 20 days to honor removal requests and in limited cases can share home addresses. This creates unfair burdens on private companies, stifling their free speech, the motion said.
Atlas argued in response that this argument fails since the law targets commercial speech, and the parties have failed to provide robust evidence of First Amendment violations, while courts are hesitant to issue sweeping rulings when privacy and speech interests clash.
Acxiom, a broker that collects data on over 200 million people, is supported in its motion to dismiss by other data brokers defendants including Thomson Reuters.
“We believe Daniel’s Law attempts to serve a laudable goal,” a Thomson Reuters spokesperson said in a statement. “But in its current form, the statute is overbroad and violates the First Amendment.”
Privacy has no weight on whether the law meets the requirements of the First amendment, a coalition of data brokers argued in court filings. There is “no First Amendment doctrine that exempts a content-based restriction from strict scrutiny just because it has some nexus with a privacy interest,” reads the filing.
First Amendment challenges to regulations targeting tech companies are increasingly common, particularly around privacy and online safety. Appeals courts, however, often dismiss broad attacks, directing cases back to lower courts to scrutinize specific elements of laws.
“Facial challenges are usually brought by companies that can’t make a good First Amendment arguments,” said Neil Richards, law professor at Washington University School of Law.
Data brokers point to a 2011 US Supreme Court ruling in Sorrell v. IMS Health Inc., which deemed unconstitutional a Vermont statute banning the sale of prescription drug user data for marketing.
“This lawsuit has nothing to do with any reasonable commitment to freedoms of speech,” said Richards. “Instead, it has everything to do with companies that make large amounts of money trafficking with large amounts of sensitive amounts of information are afraid their meal tickets are going away.”
The Atlas case is not the first challenge to Daniel’s Law; a New Jersey journalist previously attempted and lost a First Amendment appeal against it. That case is now being reviewed by the New Jersey Supreme Court.
What’s Next
The cases in New Jersey could reverberate in other states that have similar statutes, including West Virginia and Maryland.
It could also have a chilling effect on states seeking to pass such legislation.
“Anytime any small privacy law is shot down, it can discourage states from doing the same thing,” said Justin Sherman, a data broker researcher and founder and CEO of Global Cyber Strategies. “And it can also discourage other advocates and other privacy-protective companies from advocating for those laws.”
Acxiom’s chief privacy officer Jordan Abbott said the company hasn’t lobbied on any similar laws since its motion to dismiss was filed.
Acxiom and other data brokers have expressed their support for a comprehensive federal privacy law. Bills haven’t advanced in Congress, however, and public records could be exempt from data brokers’ removal requirement in such proposals.
“We’re only talking just about judges and law enforcement, which is not most people in the state,” said Sherman. “Daniel’s Law is really one piece of a much bigger puzzle that needs to be completed, but the fact that the brokers are so adamant about tanking this one slice underscores just how much opposition there is.”
As attorneys joust over constitutional arguments, those judges and cops remain as exposed as Jane Doe. While she was putting the finishing touches on her criminal probe in 2022, her suspect fought back with their own surveillance. But she wasn’t the only target.
Police would later recover night-time photography of her home, her spouse, and a young child’s bedroom. The light in the bedroom is on in the photos, according to court documents, and inside that room was Doe’s child, playing.
The case is Atlas Data Priv. Corp. v. Lightbox Parent LP, D.N.J., No. 1:24-cv-04105.