A report earlier this year revealed the shadowy data broker industry practice of selling American mental health data to anyone willing to pay the price. Data brokers indirectly collect, package and sell consumers’ personal information with little to no oversight, which has raised eyebrows among many Americans. The purpose and use of the data collected by data brokers can vary: some data brokers package and sell sensitive data that can predict an individual’s behaviors, while others use data analytics to help prevent fraud or assist law enforcement investigations. Over the past 20 years, data brokers’ business practices have received congressional scrutiny, and recently, a hearing on data brokers was held by the House Energy and Commerce Subcommittee on Oversight and Investigations. While the decades-old debate over how the data broker industry operates continues, one thing is clear: a comprehensive federal data privacy and security law is urgently needed to protect all Americans’ data.

The Data Broker’s Collection Process

Data brokers collect information on a person that might help sell a product or service to that person or that person’s household. This collection involves automated processes that scour the internet for publicly available information, like property records and marriage certificates. Data brokers also provide their software development kits to app developers for free in exchange for the data that is collected through the use of the app. In addition, through data analytics, data brokers can combine several sources of collected data to make statistical inferences, such as inferring an individual’s income level from age, zip code, property records and financial records. Most consumers are not aware that this data collection is occurring, and even if they are, many do not know how extensive the data collection process is because it is buried in privacy notices.

The Different Uses of Collected Data

Data brokers collect some data for practical purposes that support societal needs. Landlords and prospective tenants use services like background and credit checks to secure rental housing. Airlines and frequent travelers might use services like Clear to expedite airport security screenings. And while law enforcement access to data is rightfully debated, some companies that purchase data from data brokers, or collect data directly, provide investigative tools that support law enforcement investigations. There are complexities to data brokers, such as what specific types of data they collect and how that data is used, that require a nuanced discussion on how to regulate them.

The Dark Side of Data Brokers

The ethical concerns surrounding the buying and selling of personal data are real. Many data brokers’ business practices can negatively impact vulnerable populations, such as the elderly, low-income and minority communities. For example, a 2014 Federal Trade Commission (FTC) report described how data brokers package collected and inferred data into specific and sensitive classifications:

Data brokers infer consumer interests from the data that they collect. They use those interests, along with other information, to place consumers in categories. Some categories may seem innocuous such as “Dog Owner,” “Winter Activity Enthusiast,” or “Mail Order Responder.” Potentially sensitive categories include those that primarily focus on ethnicity and income levels, such as “Urban Scramble” and “Mobile Mixers,” both of which include a high concentration of Latinos and African Americans with low incomes […] Yet other potentially sensitive categories highlight certain health-related topics or conditions, such as “Expectant Parent,” “Diabetes Interest,” and “Cholesterol Focus.”

This also extends to political affiliations, where political campaigns’ use of personal data has expanded, causing concerns about disruptions to the election process. In 2012, Barack Obama’s presidential campaign ran a data-driven campaign, connecting voter registration data, political donation information and consumer data to deliver more targeted campaign ads. During the 2016 elections, Donald Trump’s presidential campaign utilized Cambridge Analytica, a small data broker that gained access to 50 million Facebook users’ personal information and developed tools that offered psychological profiling and influencing.

The concern is not only the amount of information data brokers hold on an individual but that they hold this information indefinitely, even if it is outdated. This is contrary to best data security practices, such as data minimization, which states that entities should only collect and hold personal data that is necessary. Without guardrails, many data brokers are not likely to follow data minimization principles or provide adequate data security once data has been collected outside regulated industries.

There are national security concerns surrounding data brokers, with reports that some data brokers have targeted military service members. There are no laws on who can purchase these data sets, so there is a risk of adversarial nations purchasing data dossiers on military members for potential espionage.

Regulation and Legislation Aimed at Data Brokers

Currently, there is very little regulatory and legislative oversight on data brokers, but several regulatory agencies want a piece of that pie. The FTC has commented extensively on data brokers, but it is limited to Section 5 of the FTC Act. The FTC has used Section 5 to take enforcement action against deceptive and unfair business practices by data brokers. The Securities and Exchange Commission (SEC) has recently entered the data broker enforcement fray and used the Securities Exchange Act to thwart intentional fraud by SEC-regulated companies on investors. Further, the Consumer Financial Protection Bureau (CFPB) has issued a broad legal interpretation of the Fair Credit Reporting Act (FCRA) that expands its traditional jurisdiction of regulating credit-reporting companies to regulate consumer data privacy, including data brokers. The CFPB would use the provision in the FCRA mandating that any consumer-reporting agency or person that furnishes, uses and obtains consumer reports must have a legal “permissible purpose.” Recently, the CFPB issued a Request for Information (RFI) seeking comments from the public related to data brokers. The legal interpretation and RFI signal that the CFPB believes the FCRA can be an enforcement tool to regulate data brokers.

On a state level, California and Vermont have taken limited action and have data broker registry laws. However, in California, there are reports that thousands of data brokers have been able to walk a legal tightrope around the definition of a data broker and avoid the registry altogether.

The Need for Congress to Act

A bill similar to the American Data Privacy and Protection Act (ADPPA) is needed. The data minimization provisions would limit the amount of covered data available to data brokers in the first place. Further, the ADPPA would have expressly regulated data brokers, which were referenced as “third-party collecting entities.” Under the ADPPA, the FTC would have been mandated to establish a data broker registry and data brokers would have been required to register. Further, the ADPPA would have required data brokers to comply with “Do Not Collect” requests from individuals and delete any covered data related to that individual’s request that was not collected directly. Admittedly, it is important to get any legislation right because legitimate or potentially targeted uses by law enforcement are different than compiling data to exploit vulnerable populations, or influence and predict consumer behavior. A comprehensive federal data privacy and security bill would rein in data brokers’ access to Americans’ personal and sensitive data, providing a critical solution to the availability of personal data to nefarious actors and adversarial nations.