
Feds blast ‘shadow’ operations of data brokers, revive calls for federal privacy law


Bipartisan calls for a federal privacy law are growing louder, bolstered by mounting concerns over the data broker industry “operating in the shadows” and the lack of a cohesive federal data privacy law.

At the House Oversight and Investigations Subcommittee hearing on Wednesday, lawmakers showed obvious disdain for what’s considered outright violations of consumer rights, particularly data privacy.

“A stunning amount of information and data is being collected on Americans — their physical health, mental health, their location, what they are buying, what they are eating,” said Cathy McMorris Rodgers, R-Wash., during the fifth hearing focused on data brokers this session.

“Data brokers are harvesting people’s data, selling or sharing it without their knowledge, and failing to keep it secure,” she added. “It certainly raises questions of how data brokers aren’t just violating people’s privacy but their civil liberties as well. … This isn’t acceptable. Data brokers’ days of surveilling in the dark should be over.”

Prior to the pandemic, the need for a federal privacy law to replace or supersede the patchwork of state regulations was a prime focus for lawmakers, with multiple hearings between 2018 and 2019 focused on consent and opt-out policies, at a minimum.

Those conversations dwindled during the COVID-19 era, but have since been revived due to the spate of reports detailing egregious privacy practices — a result of the current state regulatory gaps. What’s remained clear is the need for bipartisan agreement, and with growing pressure, it appears a federal data privacy law may be the one issue on which both parties can agree.

The $200 billion data broker industry results in the collection and storage of nearly every U.S. household and commercial transaction. The FTC found one data broker firm possessed 1.4 billion consumer transactions, while another held data tied to $1 trillion in consumer spending. A third broker had 3,000 separate pieces of data for nearly every U.S. consumer.

As Rep. Frank Joseph Pallone Jr., D-N.J., sees it, these data broker practices constitute “abuses” and “an infringement of Americans’ privacy.” And due to the brokerage firms' shady operations, most consumers have no idea their data is in the hands of these firms, or how much.

As seen in a report from a former Duke University Technology Policy Lab researcher, the majority of third-party data brokers are willing and able to sell mental health information and many actively advertise seeking consumer health data. The data is used to create profiles of consumers' digital identities.

This is allowed, in part, because the data broker industry is “virtually unregulated” and boasts an “ecosystem of companies collecting, aggregating, and selling data on Americans, which threatens civil rights, consumer privacy, and U.S. national security,” Duke University’s Data Brokerage Project Research Lead and Senior Fellow Justin Sherman testified.

But while there’s certainly a need for a comprehensive privacy law, it’s imperative that Congress does not wait to resolve the details being debated by both parties to act on this poorly regulated industry.

For Sherman, Congress needs to “strictly control the sale of data to foreign companies” and ban the sale completely for certain categories, such as health, location data, and information tied to children.

Data brokers must also be stopped from “circumventing controls” that allow for inferred data, or composite information, much of which is public, to create profiles of consumers. This information includes location histories, political beliefs, demographic details, online habits, and other highly sensitive information that the vast majority of consumers would never share with companies.

The firms are known for aggregating data tied to Americans’ public records, then posting the information online for search and sale. Brokers can “track and sell your race, religion, gender, sexual orientation, income level, how you vote, what you buy, what videos you watch, what prescriptions you take, and where your kids and grandkids go to school,” said Sherman.

“This harms every American, especially the most vulnerable,” he added.

This is not just hyperbole: inferred data has already been used to target veterans. Sherman’s team has found “individually identified data on military service members from data brokers with almost no vetting,” with the data being sold for as little as 12.5 cents per service member.

Some tech companies, including browsers like Mozilla, have banded together to shore up data privacy gaps. But Marshall Irwin, Mozilla’s vice president and chief security officer, noted that these efforts “account for roughly half of the browser and mobile operating market.”

In addition to a federal privacy law and the needed controls for data brokers, lawmakers are also proposing a “one stop shop” that will allow consumers to request that their data scraped by brokers be deleted. Sherman added there must also be a way to prevent companies from profiting from public records.

As it stands, these lawmakers are banking on the proposed American Data Privacy and Protection Act to begin the creation of a comprehensive privacy law. McMorris Rodgers stressed that Congress is at an “inflection point” on responsible data collection and privacy.

“We will continue to build on our work from ADPPA this Congress and get these strong protections for kids and all Americans signed into law,” she added.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
