Congressional privacy bill looks to rein in data brokers 

A bipartisan data privacy bill unveiled last week by House and Senate leaders seeks to place boundaries around how large data brokers — firms that collect and combine massive sets of personal data and sell them to advertisers, governments and other interested parties — can operate.

The American Privacy Rights Act, developed by House Energy and Commerce Committee Chair Cathy McMorris Rodgers, R-Wash., and Senate Commerce, Science and Transportation Committee Chair Maria Cantwell, D-Wash., would subject companies to a sweeping set of new requirements that would limit and regulate how they use, store, protect and share the personal data they collect directly from customers and through other means.

Against the backdrop of Congress’s failure to meaningfully update privacy laws for the information age and the lack of a federal data privacy standard, Rodgers and Cantwell said in a statement that APRA represents “the best opportunity we’ve had in decades to establish a national data privacy and security standard that gives people the right to control their personal information.” 

Researchers and experts warn that the unregulated collection and sale of Americans’ personal information via data brokers represents an urgent threat to their privacy.  While APRA takes some steps to rein in the data broker industry, the bill is a far cry from the strong measures many experts have sought to aggressively regulate it. 

The measure would define the industry in federal law and includes proposals to allow policymakers and the public to identify and track the biggest players in the market.

It would also impose a number of new restrictions on data brokers. Brokers would be prohibited from advertising or marketing their data for the express purpose of stalking or harassment, to commit identity theft or fraud, or engage in unfair or deceptive business practices. 

The bill charges the Federal Trade Commission with creating a national registry to track data brokers that handle data or devices linked to more than 5,000 individuals. This registry would not only be publicly searchable, it would also provide individuals with a way to submit “Do Not Collect” requests to all registered brokers for covered data within 30 days.

It would also force brokers to be more transparent about what they do — including a “clear, conspicuous, not misleading, and readily accessible” notice on their websites that identifies their business model and offers easily accessible links for individuals to opt out.

Companies that sell or transfer their customers’ data to larger brokers must also identify the specific entities they’re transferring the data to, what categories of data are included, the intended purpose, how long the information will be retained and how that data will be secured. 

The categories of data covered by the bill include private communications, health information, biometric and genetic data, financial account and payment data, precise geolocation information and photos, among other things.

The data broker industry is vast. According to Transparency Market Research, the global data broker industry was valued at more than $240 billion in 2021 and is expected to reach $462 billion by 2031. Market Research Future puts it at a similar $471 billion by 2032, with North America composing the largest market share.

Currently there are few meaningful restrictions on how data brokers operate. The market is “virtually unregulated,” according to a 2021 paper by Justin Sherman, a senior fellow at Duke University who researches the role that data brokers play in digital privacy.

Sherman told CyberScoop that ideas like a registry with opt-out mechanisms is “a very American ‘consumer choice’ focused way of looking at privacy risk.” 

Some of the bill’s mandates on first-party data collectors — like prohibiting companies from transferring certain sensitive information to a third party without gaining the express consent of the customers, prominent opt-out options for consumers around data collection and requiring a “reasonable” data security program to minimize the data loss from hacking incidents — could potentially impact the kind of data that brokers can easily buy or collect online.

On the other hand, “it’s easy for a bill to improve upon the status quo when the status quo is highly unregulated,” Sherman noted. While the APRA may bring more scrutiny of the industry, the lack of stronger measures to regulate and restrict the sale of Americans’ personal data represents a victory for the data broker industry, Sherman argued.

“Making transparency and self-regulation the biggest focal points are data broker lobbying strategies to keep the burden on consumers,” Sherman said. 

Tentative efforts to regulate the industry have already unleashed a flood of lobbying, according to a review of the OpenSecrets database. RELX, a British data broker and owner of data analytics company LexisNexis, spent $3.1 million in 2023 to lobby on a slew of privacy bills. Experian spent $1.4 million to lobby Congress on numerous data privacy and credit monitoring bills, while its rival Equifax spent over $1.5 million. 

A stronger bill to regulate the data broker industry, in Sherman’s view, would empower consumers to not only opt out of having their data collected, but also have data that has already been collected deleted. It would also provide greater resources to privacy regulators and empower citizens to sue bad actors via a private right of action, in addition to putting into place stronger regulations on harmful data collection, transfer and sale. 

Brandon Pugh, policy director for cybersecurity and emerging threats at the R Street Institute, a right-leaning think tank, told CyberScoop that the failure of federal privacy law to properly define data brokers has allowed the industry to obfuscate their business model to the public.

The APRA would begin to address that by requiring firms to prominently identify themselves as data brokers on their websites, using language that would be developed by the FTC.

 “Sometimes you’re engaging with a company and you don’t realize they’re a data broker,” Pugh said.

Pugh said he was also encouraged by the APRA’s data-minimization provisions, which may reduce the flood of customer data collected by companies that are eventually sold to data brokers.

“To the extent that data brokers are dealing with other private sector companies to get that data, it would help reduce some of those data flows,” Pugh said.

A national registry with a blanket opt-out may not eliminate abuse from bad actors. Several experts likened it to the National Do Not Call Registry, which has had limited impact on the number of spam and marketing calls flooding American phones. But it could help the public and policymakers keep better track of players in the industry.

Antonio Sanchez, a principal cybersecurity evangelist at data security firm Fortra, said the bill’s various opt-out features would need to be accompanied by awareness-raising efforts. “Otherwise, there will be a small percentage of consumers that will know about their data privacy rights and that they have control about how they are used.”

While the APRA takes direct aim at the way private businesses collect, share and sell data, it largely avoids addressing larger questions of how federal agencies can use that same data.

Other efforts on Capitol Hill would go much further in restricting to whom data brokers can sell. A proposal from Sen. Ron Wyden, D-Ore., dubbed the Fourth Amendment Is Not For Sale Act, would prevent law enforcement and intelligence agencies from purchasing many types of personal information from data brokers without a court order.

American intelligence and law enforcement agencies are increasingly relying on data purchased on the open market, a trend that many civil libertarians decry as an end-run of the U.S. Constitution’s Fourth Amendment protections against unreasonable searches and seizures. 

In the absence of congressional action on the issue, national security officials say they are trying to put in place stronger rules to govern the use of commercially acquired data. 

“We’re drafting our own policy,” Eric Rosenberg, the acting chief of acquisition and tech transfer law in the Office of the Staff Judge Advocate at U.S. Cyber Command, said at a conference last week. “We’re already starting to incorporate clauses into our contracts at CyberCom to try to address issues about data privacy and things like that.”

Lindsay Rodman, the associate deputy general counsel for intelligence in the Office of the General Counsel at the Department of Defense, said at the same event that the Office of the Director of National Intelligence is planning to release its own guidelines on the purchase of commercially available data in the coming weeks.