Congress Needs to Act on Bills Regulating Data Brokers
Technology Policy Brief #79 | By: Steve Piazza | February 21, 2023
Ever since Congress enacted the Electronic Communications Privacy Act of 1986, it has been unable to secure legislation to increase privacy protection that better reflects the technologies of today.
Over the past few years, several bills have been introduced in Congress that specifically target data brokers, companies that use AI and other methods to collect and organize personal information for the purpose of selling it to businesses or law enforcement:
- S.1265 Fourth Amendment Is Not For Sale Act (2021)
- H.R.8152 American Data Privacy and Protection Act (introduced 2022)
- S.4408 Health and Location Data Protection Act of 2022
Though the activity is a positive sign for the public, the slow pace in passing these and other bills shows that the tendency to do nothing still lingers.
Information may be power, but it is also a lucrative business. A number of corporations have recognized the value of information as a commodity by mining, cleaning, and bundling a myriad of personal data into manageable packages for other businesses to easily use.
These data brokers have benefited from advances in technology that allow AI algorithms to obtain specific information from individuals who relinquish it into the public arena just by using the Internet. Every time somebody visits a website and clicks “allow” so that others can access its content, they are agreeing to share any information provided, even if it’s just the links they click on in passing.
As a result, simple keystrokes have resulted in an industry worth hundreds of billions of dollars.
Some data brokers are familiar companies, like Experian and Equifax, which operate under the benign mission of credit agencies but still sell information for profit. Others, like Oracle and Cisco, benefit from information obtained through the popular networking platforms they are better known for. But the largest data brokers, like Acxiom LLC and Epsilon, are not quite household names, and that’s because selling personal information behind the scenes is mostly what they do.
And for a little perspective on how big is big, according to some analyses, Acxiom may be processing data on more than 2.5 billion people, obtained from over 62 countries.
In the U.S., data brokers take advantage of a number of loopholes in laws that allow them to take public information and profit from it despite jeopardizing the privacy of individuals.
The number of regulatory bills that Congress has proposed is an indication of the recognition that action is needed. The delay in passing them is an indication that the data brokers’ lobbying efforts have been paying off. Companies have paid up to nearly $7 billion to see that those efforts have stalled.
Chart taken from: Lobbying Disclosure Act / Politico
Chart taken from: Privacy Bee
But even if the regulations are in place, enforcing them is the issue. With information swapped in fractions of a second and stored in clouds, it’s very difficult and very expensive for government agencies to keep pace with private efforts to share data.
Data brokers buy their information from firms that rely directly on personal data (e.g. credit card companies) or they may get it from records available to the public, like those pertaining to taxes, public utilities, or court proceedings. They then organize the data into marketable formats in order to sell to other interested parties.
Why does all this matter? Information easily gathered from purchases, cookies, audio selections, phone calls, and other activities can be aggregated into user profiles through the linking of similar data points. Then, the ubiquity of personal information, whether accurate or inaccurate, subjects innocent people to everything from financial peril to the weaponization of information against women seeking reproductive health care or those most vulnerable to racial injustice.
The problem may not solely be the fact that people are sharing, often unknowingly, their personal information and searching habits. But the problem is clearly the lack of transparency of and restrictions on companies in obtaining information and what they do with it. Even taking something that’s in the public domain and making it private for profit is specious and invasive in many ways.
This is not to say that action is impossible. The California Consumer Privacy Act (CCPA) of 2018 requires transparency and gives individuals the option to request that data be removed. Several other states have followed suit. Elsewhere, the EU’s General Data Protection Regulation (2018), on which the CCPA is based, is considered to be a model for the world.
Hopefully, existing bills and others gain traction soon and things can change. Until then, users might help themselves by thinking more about what’s being allowed.
Just Future Laws is a group of legal advocates who work for social justice by empowering individuals and communities. To see how they are involved in their work to prevent abuses by data brokers, click here.