Brandon Pugh, policy director for cybersecurity and emerging threats at the R Street Institute, a right-leaning think tank, told CyberScoop that the failure of federal privacy law to properly define data brokers has allowed the industry to obfuscate their business model to the public.

The APRA would begin to address that by requiring firms to prominently identify themselves as data brokers on their websites, using language that would be developed by the FTC.

 “Sometimes you’re engaging with a company and you don’t realize they’re a data broker,” Pugh said.

Pugh said he was also encouraged by the APRA’s data-minimization provisions, which may reduce the flood of customer data collected by companies that are eventually sold to data brokers.

“To the extent that data brokers are dealing with other private sector companies to get that data, it would help reduce some of those data flows,” Pugh said.