Privacy

Congress Considers Regulating Data Brokers Amid Broader Push for Privacy Legislation

The $200 billion industry specifically targets children and other vulnerable populations, experts said.

Published

9 months ago

April 26, 2023

Em McPhie

Screenshot of Rep. Kathy Castor from the House Energy & Commerce Committee webcast

WASHINGTON, April 26, 2023 — House lawmakers from both parties are taking aim at the largely unregulated data broker industry with a slew of new and reintroduced bills that would limit the collection and sale of personal data online.

Experts have warned that the $200 billion industry poses a grave threat to digital privacy, particularly for children and other vulnerable populations — sparking renewed calls for comprehensive federal privacy legislation at a hearing convened Thursday by the Oversight and Investigations Subcommittee.

“A staggering amount of information is collected on Americans every day, frequently without their knowledge or consent,” said Subcommittee Chair Morgan Griffith, R-Va. “This data then gets shared, analyzed, combined with other data sets, bought and sold. In some cases, this data is not even anonymized… There is a complete lack of safeguards.”

Data collection extends far beyond the information that most consumers are willing to enter into online forms, said Justin Sherman, a senior fellow at Duke University’s Sanford School of Public Policy.

Using a variety of prediction tools, Sherman explained, data brokers infer and then sell sensitive personal information that a consumer might never have explicitly provided — for example, inferring a certain health condition based on visits to a relevant medical facility.

“These analytical tools render the factual context fundamentally different,” said Laura Moy, faculty director of the Georgetown Law Center’s Center on Privacy & Technology. “Maybe having a list of addresses on paper at one time was something that didn’t give people much cause for concern. Now those lists of historical address information can be mined to learn information about people’s relationships and their religion and their habits.”

Data brokers fuel discrimination and exploitation, witnesses say

The broad scope of data collected by brokers includes “race, religion, gender, sexual orientation, income level, how you vote, what you buy, what videos you watch, what prescriptions you take, and where your kids and grandkids go to school,” Sherman said. “This harms every American, especially the most vulnerable.”

Throughout the hearing, experts and lawmakers highlighted stories of recovering gambling addicts bombarded with sports betting ads, elderly Alzheimer’s patients targeted by predatory scammers and other examples of exploitation fueled by data brokers.

“The more you know about someone, the more you can manipulate them,” said Marshall Erwin, chief security officer of Mozilla. “You can target your message to exactly who you want, who you want, and in some cases that can be fine… but in other cases it can be terribly problematic.”

A particularly dangerous category of data brokerage takes the form of people search sites, which compile and sell millions of individuals’ data profiles. “Abusive individuals for decades have bought this data to hunt down and stalk, harass and even murder other people — predominantly women and members of the LGBTQ+ community,” Sherman said.

In addition, data brokers enable housing and employment discrimination by facilitating specific demographic targeting and exclusion — practices that are functionally comparable to historical redlining, Erwin explained.

Awaiting ADPPA reintroduction, lawmakers focus on children’s privacy

Out of all the potential harms caused by excessive data collection and sale, several lawmakers emphasized the urgency of protecting children’s online safety.

“There are few things more concerning to me… We know that Big Tech has enabled advertisers to target children for a whole range of damaging products, ranging from tobacco and e-cigarettes to low-calorie diets that can create and exacerbate body image anxieties,” said Rep. Kathy Castor, D-Fla., ranking member of the subcommittee.

Moy agreed, noting that it can be nearly impossible to delete a piece of information from the internet once it has been captured by a data broker, it can be nearly impossible to delete it. “It might exist in databases forever, and so I absolutely think children lack the capacity to consent… there should be a retention limit on information that is collected,” she said.

Castor on Monday reintroduced the Protecting the Information of our Vulnerable Adolescents, Children and Youth Act, a bill that would build on the Children’s Online Privacy Protection Act by prohibiting targeted advertisements to underage consumers and expanding protections for 13 to 17-year-olds.

The Kids PRIVACY Act is one of many recent proposals aimed at safeguarding children online, alongside the STOP CSAM Act introduced April 19 by Sen. Dick Durbin, D-Ill., and the controversial Kids Online Safety Act, which Sens. Richard Blumenthal, D-Conn., and Marsha Blackburn, R-Tenn., are expected to reintroduce in the coming days.

Several lawmakers at Thursday’s hearing also voiced their support for the bipartisan American Data Privacy and Protection Act, which failed to pass in 2022 after then-Speaker Nancy Pelosi, D-Calif., opposed its preemption of state privacy laws.

In the absence of comprehensive federal legislation, both businesses and consumers must struggle to navigate a “patchwork of state laws and narrow protections that leave a wide swath of our neighbors vulnerable to privacy abuses — including by data brokers,” Castor said.

On April 19, Reps. Anna Eshoo and Zoe Lofgren, both California Democrats, reintroduced their Online Privacy Act with an amendment framing the legislation as a federal floor rather than a ceiling — potentially providing a framework for the next iteration of the ADPPA to address their state’s preemption concerns.

Up Next

Experts Debate TikTok Ban, Weighing National Security Against Free Speech

Don't Miss

Experts Call for Multisector Collaboration to Fight Digital Fragmentation and Build Public Trust

Em McPhie

Reporter Em McPhie studied communication design and writing at Washington University in St. Louis, where she was a managing editor for the student newspaper. In addition to agency and freelance marketing experience, she has reported extensively on Section 230, big tech, and rural broadband access. She is a founding board member of Code Open Sesame, an organization that teaches computer programming skills to underprivileged children.

Click to comment

Broadband's Impact

CES 2024: Industry Wants Federal Data Privacy Law

The current patchwork of state laws makes compliance difficult, said representatives from T-Mobile and Meta.

Published

1 day ago

January 12, 2024

Jake Neenan

Photo of the panel by Jake Neenan

LAS VEGAS, January 12, 2024 – Industry stakeholders called for federal data privacy legislation at CES on Thursday.

“I think oftentimes companies can be in the position of opposing additional regulation at the federal level,” said Melanie Tiano, director of federal regulatory affairs at T-Mobile. “But this is probably one of those areas where that’s not the case, in part because of the flurry of activity going on at the state level, which makes compliance in the U.S. marketplace extraordinarily confusing and difficult.”

The New Jersey legislature cleared one such bill on Monday. If that’s signed into law by the state’s governor, it would bring the number up to 13. Federal efforts, notably the American Data Privacy and Protection Act, have stalled in recent years.

“We will continue to be seriously committed to getting legislation done in a bipartisan way. That’s not always easy right now, but we’re continuing to work on that” said Tim Kurth, chief counsel for the House Innovation, Data and Commerce Subcommittee.

Simone Hall Wood, privacy and public policy manager at Meta, said “privacy regulation should not inhibit beneficial uses of data.” The company has argued it has a legitimate interest in data use practices that the European Union has found to be out of compliance with its data privacy law, the GDPR.

Industry groups, including the Consumer Technology Association, which runs the CES conference, have advocated for a light-touch privacy law in the United States, in contrast with the more comprehensive European standard.

Kurth had similar thoughts Thursday, saying the GDPR “really hurt startups and really hurt innovations.”

Still, Woods said establishing a uniform standard is something the law does well.

“It sets certainty across the marketplace for what privacy protections look like for consumers. And so that aspect of it is positive,” she said.

Broadband's Impact

CES 2024: Biden Administration Announces Deal with EU on Cyber Trust Mark

The White House is looking to get the mark on products “by next year.”

Published

2 days ago

January 11, 2024

Jake Neenan

Deputy National Security Advisor for Cyber and Emerging Technologies Anne Neuberger at CES.

LAS VEGAS, January 11, 2024 – The United States has entered an agreement with the European Union on a “joint roadmap” for standardized cybersecurity labels, a Biden Administration official announced at CES on Thursday.

“We want companies to know when they test their product once to meet the cybersecurity standards, they can sell anywhere,” said Anne Neuberger, the White House’s deputy national security advisor for cyber and emerging technologies. “They can sell in Paris, Texas, or Paris, France.”

Neuberger said the White House is aiming to get its U.S. Cyber Trust Mark, a voluntary certification for internet of things devices, on consumer products by the end of the year. The effort to mark products like routers, baby monitors, and thermostats as safe from hacking was first announced in October 2022.

The Federal Communications Commission voted in August to seek comment on how to implement various parts of the program, including how to develop and ensure compliance with its cybersecurity standards.

What exactly those standards will be is not yet decided, but the Commission has said it will base the program on criteria developed by the National Institute of Standards and Technology. Those include encrypting both stored and communicated data and the ability to receive software updates.

The measure is not on the FCC’s tentative January meeting agenda, but Neuberger said the agency is “working toward next steps.”

Robocall

CES 2024: FCC and AT&T Say Collaboration is Key in Combatting Spam

The Commission has been aggressive on spam this year, and AT&T has been working to improve filters on its networks.

Published

3 days ago

January 10, 2024

Jake Neenan

Photo of the panel by Jake Neenan

LAS VEGAS, January 10, 2024 – Members of the telecom industry and the Federal Communications Commission emphasized the need for industry and government entities to collaborate in combating scam calls and texts at CES on Tuesday.

“Collaboration is key here,” said Amanda Potter, assistant vice president and senior legal counsel for AT&T.

Current measures

Alejandro Roark, chief of the FCC’s Consumer and Government Affairs Bureau, noted Federal Trade Commission data showing American consumers reported losing $790 million to scam calls and another $396 million to scam texts in 2022.

The Commission took action on preventing both in 2023, expanding its STIR/SHAKEN regime – a set of measures to confirm caller identities – to all providers who handle call traffic, moving to block call traffic from non compliant providers, and issuing multiple fines in the hundreds of millions. Almost every state has entered an agreement with the agency to collaborate on robocall investigations.

In addition, the FCC adopted its first robotext rules and moved to tighten those rules in December, closing the “lead generator loophole” by requiring affirmative consent for companies to send consumers marketing messages. Comments are being accepted on a proposal to institute a text authentication scheme.

For AT&T’s part, Potter said the company has instituted network filters to block messages that are likely to be illegal.

“We’re not going to claim success by any means, but when we have these robust network defenses, that does a lot,” she said, citing a total of 1 billion blocked texts on the company’s networks in July 2023.

AT&T also worked with manufacturers on features allowing consumers to report text as junk when deleting messages, which Potter said has provided extra data to tune spam filters.

What’s next

“We start from a standpoint of maximum flexibility when it comes to messaging,” Potter said, in contrast to voice calls, which are more tightly regulated and required FCC intervention for providers to block.

“I’m concerned about that being taken away, or perhaps regulation being something of a distraction,” she said.

Roark agreed on flexibility being superior to regulation, although the Commission is moving forward with its proceeding on more expansive text authentication rules. The proposed rules include requiring more providers on the traffic chain to block texts from numbers flagged as scammers by the FCC and requiring measurers to verify the identity of texters, similar to the STIR/SHAKEN system for caller authentication.

The FCC is also taking comments on how AI factors into robocalls and robotexts, both how it’s used to perpetrate them and how the Commission might use AI tools to combat them.

At a House oversight hearing in November, FCC Chairwoman Jessica Rosenworcel asked Congress for the authority to collect the fines the Commission imposes – a job currently left to the DOJ – and access to more financial information to help the agency’s robocall prevention efforts.