Noor Ghuniem, Contributing Member 2024-2025
Intellectual Property and Computer Law Journal
I. Introduction
“You have been selected to pick cotton at the nearest plantation. Please have your belongings together by ten sharp. Our executive slaves will pick you up in a yellow van.”[1] Variations of this abhorrent text message were sent to African Americans nationwide, spanning at least 30 states from New York to California in the days following the 2024 election.[2] The message targeted individuals in middle school, high school, and college, successfully hand-delivering the racist rhetoric to each individual by name.[3]
Though the Federal Bureau of Investigations (FBI), the Federal Communications Commission’s (FCC) Enforcement Bureau, and the Justice Department have been actively investigating the origins of this widespread and clearly targeted attack, the identity of the perpetrators remains unknown.[4] Furthermore, there is no clearly defined list of all recipients, leaving the scale of the harassment to be alarmingly questionable.[5]
These messages were believed to be sent out through TextNow, a free texting and calling application intended to assign users random phone numbers.[6] According to a TextNow company representative, once the accounts tied to the messages were reported, they were quickly disabled within an hour.[7] However, the mere fact that recipients were addressed by name suggests that the perpetrators likely purchased personal data online.[8] Cori Faklaris, an assistant professor of software and information systems at the University of North Carolina at Charlotte, observed how this approach may explain the heightened level of personalization involved in the bigoted attack.[9] Faklaris noted compilations of personal data could be purchased for relatively low prices in some areas of the internet.[10] Combined with other readily obtainable data, it can be easy to employ machine learning algorithms and figure out demographic information, like the races associated with phone numbers.[11]
This heinous act against African Americans raises significant unease about data privacy in the digital age. Specifically, there is concern about how perpetrators were able to access such personal information and what gaps in existing laws allowed this breach to occur.[12]
This article explores the legal implications surrounding the collection, use, and exploitation of personal data in incidents of mass cyberbullying. Part II provides an overview of data privacy and the digital age. Part II also deep dives into data privacy as applied to online harassment, the inadequacies of current data privacy laws, and the mechanics of how personal data is sold or shared. Part III examines the possible legal defenses in this offense. Finally, Part IV concludes by discussing proposed data privacy legislation and the future of data privacy in the United States.
II. Background
Data Privacy
Data privacy is a branch of law focused on protecting sensitive, personal, and confidential data.[13] Privacy protections help guide individuals to control and consent to the extent and way their personal information is shared or communicated.[14] Personal information can include a wide range of details, such as a person’s name, location, contact information, and more.[15]
The technological industry’s main principles of data privacy are consent, transparency, and security.[16] Companies and platforms are expected to ensure that individuals have clear and informed grounds to provide or revoke consent for collecting and using their information.[17] While technological institutions should also aim to be transparent about their practices, clearly communicating how data is collected, used, and stored, they MUST implement robust measures to safeguard data from unauthorized access, breaches, or misuse [18] When business protocols fail, breaches can occur, leading to major legal consequences such as fines or lawsuits.[19]
Protection agencies must grow as the digital age continues to skyrocket. An increasing amount of personal information is being shared and stored online.[20] Websites, phone applications, and social media platforms often require personal data from their users to function and advance.[21] This means large platforms such as Google, Instagram, and X collect extensive amounts of personal data, including browsing habits, search history, and geographic information.[22] This data is then used to create detailed user profiles, which may be sold to advertisers and third parties for targeted advertising and promotions when permitted by the user – which is almost always.[23]
Without strong protection protocols, however, this data is extremely vulnerable to security risks and could fall into the hands of malicious actors, like those who send out discriminatory attacks on children. This alone emphasizes the overwhelming importance of stringent data privacy laws and protocols on organizations, platforms, and companies to uphold them.
Data Collection
Data collection is the practice of collecting information about users or visitors to websites, applications, social media platforms, and other online services.[24] This information can generally be grouped into categories.[25] There is personal information, which includes names, email addresses, phone numbers, credit card details, demographics, and other data that could identify an individual.[26] Further, there is usage or behavioral data, which centers on how people interact with digital platforms – what links they click, search for and purchase, and the websites they visit.[27]
Almost every digital interaction becomes a potential data source for these platforms. Companies use this data to drive revenue by selling it to third parties, who then leverage it for targeted advertising, product development, and improving reach.[28] For example, imagine you spend time browsing a website, eyeing a nice watch. You add it to your cart, remove it, and ultimately decide not to buy. Do not be surprised if you see an ad for that same watch pop up on your Instagram feed later–maybe even with a discounted price to reel you in this time.
You might be wondering how these companies can collect such extensive information. You do not remember explicitly saying “yes,” to a collection and sale of your scrolls and inputs. The unfortunate reality is you likely agreed without realizing it.[29] You consented to their data collection practices when you clicked “I agree” on a terms and conditions agreement or a privacy policy notice.[30] And those “accept cookies” pop-ups that appear on many websites? They are another layer of consent.[31] Every time you click “accept,” you give the webpage permission to track your activities and share your data with third parties, whomever they may be.[32]
The Second Circuit Court of Appeals discussed the terms of service of the Uber application in Myer v. Uber Technologies, Inc.[33] Though the plaintiffs attempted to argue otherwise, the Court declared that the ride hailing app was clear in indicating terms of service were part of the sign-up process.[34] The consumer would have clearly indicated agreement to the terms of service, because a reasonable user would understand that clicking the registration button signifies acceptance of the terms and conditions linked through the provided hyperlink, regardless of whether the hyperlink was accessed or not.[35]
Data Sharing
There are three primary ways companies handle the private data they collect.[36] They may (1) sell it to data brokers, (2) use it to enhance their marketing strategies, or (3) leverage the data to improve the overall user experience on their platforms.[37]
Thousands of data brokers operate in the shadows of the World Wide Web, buying, analyzing, and compiling data cultivated through online tracking systems.[38] The process becomes a little murky because companies have a significant financial incentive to collect as much personal data as possible to sell it off, and data brokers have little to no obligation to safeguard that data.[39] These brokers often use algorithms to compile detailed profiles of individuals based on all the data they were given.[40] Since consent is typically buried in the fine print of the original platform where the user provided their information, individuals have no clue their data is in the hands of a broker far from home.[41]
The data collected by the brokers can be used for various purposes, not all of which benefit the consumer.[42] For example, the compiled data may be sold off or implemented into some vet-out program that could determine an individual’s credit interest rates or even influence hiring decisions.[43] A person could be denied a job based on a data broker-constructed file containing flagged information, like a series of politically charged TikToks.[44] The Ninth Circuit investigated the matter of sharing private information in Eichenberger v. ESPN, Inc., where the plaintiff alleged the defendant violated the Video Privacy Protection Act (VPPA) by knowingly disclosing information about him to the third-party company Adobe.[45] The Court analyzed the coverage of the VPPA, and concluded any unauthorized disclosure of personally identifiable information (PII) constitutes a concrete injury.[46] The Court further explained “personally identifiable information” under the VPPA is data that would allow an “ordinary person” to identify an individual’s video-watching behavior.[47]
Regulation
Currently, no comprehensive federal law in the United States broadly prohibits the sale and transfer of personal data across all sectors.[48] Instead, data privacy protections are pieced together through various federal and state laws, often targeting specific demographics or industries.[49]
Federal regulations include the Health Insurance Portability and Accountability Act (HIPAA) regulates how health information is used and disclosed while prohibiting the sale of protected health information without explicit consent.[50] Similarly, the Gramm-Leach-Bliley Act (GLBA) oversees financial institutions and requires them to disclose any data-sharing practices while implementing safeguards for sensitive consumer data.[51] The Children’s Online Privacy Protection Act (COPPA) focuses on protecting the personal information of children under 13.[52] The Act mandates parental consent for data collection and restricts the sale of such information.[53]
At the state level, legislation has taken a broader approach. The California Consumer Privacy Act (CCPA) gives California residents the right to know what personal data is being collected about them, who it is shared or sold with, and the option to opt out of its sale.[54] In Virginia, the Virginia Consumer Data Protection Act (VCDPA) allows individuals to access, correct, delete, or opt out of the sale of their personal data.[55] Colorado’s Privacy Act (CPA) offers similar protections while also imposing stricter requirements on businesses for data handling and processing.[56] While protections exist in certain states or with specific information fields, the United States still lacks a more comprehensive set of regulations to safeguard everyday data privacy rights.
III. Discussion
How Does This All Relate?
How do data privacy regulations relate to the disturbing blast of racist text messages sent to African American individuals across the country? Somehow, the perpetrator managed to obtain private information on so many individuals, and authorities are still unclear on how.[57] Theoretically, this could have occurred in several ways, each with different legal implications.
One avenue is to go straight through the company. In 2017, Equifax, one of the largest credit reporting agencies in the U.S., was plagued by unauthorized access to their systems.[58] Hackers were able to exploit a vulnerability in Apache Struts, a software used in one of Equifax’s web applications.[59] The known vulnerability remained unpatched despite repeated warnings from security researchers and federal agents.[60] Their weak security practices allowed sensitive data to be stored in unencrypted parts of their system.[61] Over several months from May to July, the breach in security exposed sensitive information belonging to 147 million individuals, including Social Security numbers, birthdates, addresses, driver’s license numbers, credit card information, and tax IDs.[62] Equifax was met with a $700 million class action lawsuit settlement in response.[63] The charges filed against Equifax included a violation of the Federal Trade Commission Act, which prohibits unfair or deceptive business practices, a violation of the Dodd-Frank Act, which addresses consumer financial protections, and a violation of Illinois and Massachusetts state consumer protection laws.[64]
Another avenue of acquisition lies with data brokers.[65] In 2024, National Public Data (NPD), a broker specializing in public records and background checks, suffered a massive data breach that compromised the sensitive information of millions.[66] Nearly 2.9 billion records were exposed, affecting up to 170 million individuals across the U.S., U.K., and Canada.[67] The stolen data included names, addresses, Social Security numbers, birthdates, phone numbers, and more.[68] A hacker group known as “USDoD” claimed responsibility for the breach, allegedly offering the data for sale on the dark web for $3.5 million. NPD subsequently faced multiple class action lawsuits and investigations from regulatory bodies, including the U.S. House Committee on Oversight and Accountability.[69] The primary charge they faced was negligence, as they failed to implement reasonable data security measures and, therefore, violated consumer protection laws.[70]
With that being said, individuals also share personal details, including contact information, phone numbers, emails, and racial or ethnic identifiers, through photos, memberships, reposts, and likes on social media. By simply browsing social media, an individual could put together a pretty accurate list of a person and a race, then use a public phone number database to send a message accordingly.
Regarding these text messages, the anonymous party behind the curtain could have breached the protection of a company to acquire personal information. If that were the case, the company responsible can expect to face a lawsuit similar to Equifax. Another possible scenario is a breach of a data broker’s protections. Since the data brokers compile information, essentially creating profiles on individuals, that would be a prime spot to strike and obtain information like mass data on the races of individuals and their phone numbers. A data brokerage company found to be responsible for this could also face legal implications similar to NPD. If the data were found organically online, the perpetrator would likely be the only individual liable for any laws broken.
In the U.S., a hacker could be charged under the Computer Fraud and Abuse Act, which covers unauthorized access to protected computers and data theft from government, financial, or other protected systems.[71] A hacker could also be liable for trafficking in stolen data, which encompasses selling or trafficking stolen data, such as credit card numbers or other personal information.[72] An additional violation includes identity theft, which punishes theft or using another’s personal identifying information without authorization.[73] And finally, among other statute violations, a hacker could be charged with the Racketeer Influenced and Corrupt Organizations Act, which oversees the usage of hacking as part of a broader criminal enterprise.[74] In conjunction with additional discriminatory violations, the perpetrator could be charged with any of these if they are found to have obtained their data by breaking the protective walls of a data mining agency.
So, What’s Next?
Although most of the violations of stealing personal and data information would be, by reasonable assumption, an infringement of a data privacy law, there are no all-encompassing U.S. federal data privacy laws to breach.[75] The reason this is an issue is because coverage is deemed “sector-specific,” which leaves a very limited range to protect the privacy rights of American citizens.[76] There is coverage for health information, financial information, children, and areas of access to data, but not all of it.[77] As technology and data retention become more complex, it becomes even more important to dedicate a comprehensive statute that can uniformly protect personal data in the online world uniformly rather than trying to pinpoint what category the online data may or may not fall under to seek out its protection.[78]
Lawmakers, however, have recently introduced the American Privacy Rights Act (APRA) in April 2024.[79] This proposed legislation aims to create the comprehensive federal data privacy protections the U.S. lacks.[80] The intention is to limit the types of data companies can collect, allow users to access, correct, or delete their data as they please, and restrict companies from being able to enforce mandatory arbitration in any data privacy disputes.[81] Furthermore, the APRA would establish a catalog of associated data brokers and provide consumers with clear avenues to opt out of having their data sold or used for any personalized advertising.[82]
IV. Conclusion
If passed, the APRA will unify data privacy standards nationwide, supersede existing state laws, and solidify data privacy as a federal right.[83] An act like this may sway businesses and companies to shift even more focus to protecting user data, which would reduce the number of incidents we see today. Only time will tell if the U.S. can finally enact a federal data privacy law.
[1] What We Know About the Racist Text Messages Sent to Black People After the 2024 Election, CNN (Nov. 10, 2024, 10:11 AM), https://www.cnn.com/2024/11/09/us/racist-texts-black-people-investigation-what-we-know/index.html [https://perma.cc/2CNZ-4M45].
[2] Id.
[3] Id.
[4] Id.
[5] Id.
[6] Id.
[7] Id.
[8] Id.
[9] Ayanna Alexander & Matt O’Brien, Racist Text Messages Sent After Election Spark Investigations, AP News (Nov. 8, 2024, 7:27 PM), https://apnews.com/article/racist-text-messages-slavery-investigations-election-efc248569cb48e056931ed3e8470ae65 [https://perma.cc/HXK3-BV3H%5D.
[10] Id.
[11] Id.
[12] Id.
[13] What Is Data Privacy?, SNIA, https://www.snia.org/education/what-is-data-privacy#:~:text=Data%20privacy%2C%20sometimes%20also%20referred,meet%20regulatory%20requirements%20as%20well [https://perma.cc/TNQ8-ZFX4].
[14] Id.
[15] Matthew Urwin, What Is Data Privacy?, Built In (Oct. 23, 2023), https://builtin.com/articles/data-privacy [https://perma.cc/A5D4-52AC].
[16] Id.
[17] Id.
[18] Id.
[19] Id.
[20] Id.
[21] Id.
[22] Id.
[23] Id.
[24] Id.
[25] Id.
[26] Id.
[27] What Is Behavioral Data?, FullStory Blog (Feb. 28, 2024), https://www.fullstory.com/blog/behavioral-data/ [https://perma.cc/9XX3-B76T].
[28] Urwin, supra note 15.
[29] Catherine Cote, A Guide to Data Collection Methods, Harv. Bus. Sch. Online Blog (Dec. 2, 2021), https://online.hbs.edu/blog/post/data-collection-methods [https://perma.cc/X3F3-NS7K].
[30] Id.
[31] Id.
[32] Id.
[33] Meyer v. Uber Techs., Inc., 868 F.3d 66, 79 (2d Cir. 2017).
[34] Id.
[35] Id.
[36] Matthew Adkins, The Internet and Data Privacy, Security (Feb. 24, 2024), https://www.security.org/digital-safety/data-privacy/ [https://perma.cc/VZA4-39LC].
[37] Id.
[38] Id.
[39] Id.
[40] Id.
[41] Id.
[42] Id.
[43] Id.
[44] Id.
[45] Eichenberger v. ESPN, Inc., 876 F.3d 979, 981 (9th Cir. 2017).
[46] Id. at 984.
[47] Id. at 985.
[48] Adkins, supra note 36.
[49] Id.
[50] Health Insurance Portability and Accountability Act of 1996 (HIPAA), CDC, https://www.cdc.gov/phlp/php/resources/health-insurance-portability-and-accountability-act-of-1996-hipaa.html#:~:text=The%20Health%20Insurance%20Portability%20and,from%20disclosure%20without%20patient’s%20consent [https://perma.cc/L6FF-QSR5].
[51] Gramm-Leach-Bliley Act, FTC, https://www.ftc.gov/business-guidance/privacy-security/gramm-leach-bliley-act [https://perma.cc/56BY-5F8J].
[52] Children’s Online Privacy Protection Rule (COPPA), FTC, https://www.ftc.gov/legal-library/browse/rules/childrens-online-privacy-protection-rule-coppa [https://perma.cc/67RV-QX4F].
[53] Id.
[54] California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100–1798.199 (West 2024).
[55] Virginia Consumer Data Protection Act, Va. Code Ann. §§ 59.1-575–59.1-585 (2024).
[56] Colorado Privacy Act, Colo. Rev. Stat. §§ 6-1-1301-1313 (2024).
[57] Alexander & O’Brien, supra note 9.
[58] In re Equifax, Inc., 362 F. Supp. 3d 1295, 1310 (N.D. Ga. 2019).
[59] Id.
[60] Id.
[61] Id.
[62] Id.
[63] Id. at 1308.
[64] Id. at 1322.
[65] The 2024 National Public Data Breach, McKonly & Asbury, (Oct. 9, 2024), https://macpas.com/the-2024-national-public-data-breach/#:~:text=The%20Breach,host%20and%20sell%20their%20data [https://perma.cc/K4V5-E9YA].
[66] Id.
[67] Id.
[68] Id.
[69] Id.
[70] Exposed: Data Broker NPD Sued for Massive Breach Endangering 2.9 Billion People’s Identities, LawInc (Oct. 1, 2024), https://www.lawinc.com/exposed-data-broker-npd-sued-massive-breach-endangering-2-9-billion-peoples-identities#:~:text=A%20groundbreaking%20lawsuit%20exposes%20data,duties%20and%20damages%20at%20issue [https://perma.cc/7657-LPGA].
[71] 18 U.S.C. § 1030 (2024).
[72] 18 U.S.C. § 1029 (2024).
[73] 18 U.S.C. § 1028 (2024).
[74] 18 U.S.C. §§ 1961–1968 (2024).
[75] Data Protection and Privacy Law: An Introduction, Cong. Rsch. Serv. (Oct. 12, 2022), https://crsreports.congress.gov/product/pdf/IF/IF11207 [https://perma.cc/ZAV3-RRAL%5D.
[76] Id.
[77] Id.
[78] Id.
[79] Ali Talip Pınarbaşı, American Privacy Rights Act (APRA): What You Need to Know, DIDOMI.IO (June 25, 2024), https://www.didomi.io/blog/american-privacy-rights-act-apra#:~:text=On%20April%207th%2C%202024%2C%20Maria,protection%20for%20all%20Americans’%20data [https://perma.cc/K7UZ-L364].
[80] Id.
[81] Id.
[82] Id.
[83] Id.
The University of Cincinnati Intellectual Property and Computer Law Journal 
Leave a comment