WASHINGTON, April 26, 2023 — House lawmakers from both parties are taking aim at the largely unregulated data broker industry with a slew of new and reintroduced bills that would limit the collection and sale of personal data online.
Experts have warned that the $200 billion industry poses a grave threat to digital privacy, particularly for children and other vulnerable populations — sparking renewed calls for comprehensive federal privacy legislation at a hearing convened Thursday by the Oversight and Investigations Subcommittee.
“A staggering amount of information is collected on Americans every day, frequently without their knowledge or consent,” said Subcommittee Chair Morgan Griffith, R-Va. “This data then gets shared, analyzed, combined with other data sets, bought and sold. In some cases, this data is not even anonymized… There is a complete lack of safeguards.”
Data collection extends far beyond the information that most consumers are willing to enter into online forms, said Justin Sherman, a senior fellow at Duke University’s Sanford School of Public Policy.
Using a variety of prediction tools, Sherman explained, data brokers infer and then sell sensitive personal information that a consumer might never have explicitly provided — for example, inferring a certain health condition based on visits to a relevant medical facility.
“These analytical tools render the factual context fundamentally different,” said Laura Moy, faculty director of the Georgetown Law Center’s Center on Privacy & Technology. “Maybe having a list of addresses on paper at one time was something that didn’t give people much cause for concern. Now those lists of historical address information can be mined to learn information about people’s relationships and their religion and their habits.”
Data brokers fuel discrimination and exploitation, witnesses say
The broad scope of data collected by brokers includes “race, religion, gender, sexual orientation, income level, how you vote, what you buy, what videos you watch, what prescriptions you take, and where your kids and grandkids go to school,” Sherman said. “This harms every American, especially the most vulnerable.”
Throughout the hearing, experts and lawmakers highlighted stories of recovering gambling addicts bombarded with sports betting ads, elderly Alzheimer’s patients targeted by predatory scammers and other examples of exploitation fueled by data brokers.
“The more you know about someone, the more you can manipulate them,” said Marshall Erwin, chief security officer of Mozilla. “You can target your message to exactly who you want, who you want, and in some cases that can be fine… but in other cases it can be terribly problematic.”
A particularly dangerous category of data brokerage takes the form of people search sites, which compile and sell millions of individuals’ data profiles. “Abusive individuals for decades have bought this data to hunt down and stalk, harass and even murder other people — predominantly women and members of the LGBTQ+ community,” Sherman said.
In addition, data brokers enable housing and employment discrimination by facilitating specific demographic targeting and exclusion — practices that are functionally comparable to historical redlining, Erwin explained.
Awaiting ADPPA reintroduction, lawmakers focus on children’s privacy
Out of all the potential harms caused by excessive data collection and sale, several lawmakers emphasized the urgency of protecting children’s online safety.
“There are few things more concerning to me… We know that Big Tech has enabled advertisers to target children for a whole range of damaging products, ranging from tobacco and e-cigarettes to low-calorie diets that can create and exacerbate body image anxieties,” said Rep. Kathy Castor, D-Fla., ranking member of the subcommittee.
Moy agreed, noting that it can be nearly impossible to delete a piece of information from the internet once it has been captured by a data broker, it can be nearly impossible to delete it. “It might exist in databases forever, and so I absolutely think children lack the capacity to consent… there should be a retention limit on information that is collected,” she said.
Castor on Monday reintroduced the Protecting the Information of our Vulnerable Adolescents, Children and Youth Act, a bill that would build on the Children’s Online Privacy Protection Act by prohibiting targeted advertisements to underage consumers and expanding protections for 13 to 17-year-olds.
The Kids PRIVACY Act is one of many recent proposals aimed at safeguarding children online, alongside the STOP CSAM Act introduced April 19 by Sen. Dick Durbin, D-Ill., and the controversial Kids Online Safety Act, which Sens. Richard Blumenthal, D-Conn., and Marsha Blackburn, R-Tenn., are expected to be reintroduced in the coming days.
Several lawmakers at Thursday’s hearing also voiced their support for the bipartisan American Data Privacy and Protection Act, which failed to pass in 2022 after then-Speaker Nancy Pelosi, D-Calif., opposed its preemption of state privacy laws.
In the absence of comprehensive federal legislation, both businesses and consumers must struggle to navigate a “patchwork of state laws and narrow protections that leave a wide swath of our neighbors vulnerable to privacy abuses — including by data brokers,” Castor said.
On April 19, Reps. Anna Eshoo and Zoe Lofgren, both California Democrats, reintroduced their Online Privacy Act with an amendment framing the legislation as a federal floor rather than a ceiling — potentially providing a framework for the next iteration of the ADPPA to address their state’s preemption concerns.