In the absence of a federal data privacy law and despite multiple state privacy regulations, the multibillion-dollar data broker industry is collecting and selling extensive personal data on Americans, including physical and mental health information on the elderly, veterans and kids.
“A staggering amount of information is collected on Americans every day, frequently without their knowledge or consent,” Rep. Morgan Griffith, R-Va., chair of the House Energy and Commerce Subcommittee on Oversight and Investigations, said at a hearing last week. “This data then gets shared, analyzed, combined with other data sets, bought and sold.”
The privacy abuses and sale of sensitive information is hurting vulnerable adults, “including the elderly, veterans and people of color,” said Rep. Kathy Castor, D-Fla., the subcommittee’s ranking member. “But there are few things more concerning to me than the ways Big Tech, including data brokers, have proliferated the surveillance and targeting of our kids.”
Lawmakers of both parties are eyeing legislation that would advance federal data privacy as well as measures that would address children’s online privacy.
Congress didn’t pass a national data privacy measure last year after key members, including former Speaker Nancy Pelosi, D-Calif., objected to a bill they deemed to be less stringent than privacy standards enacted by California.
Colorado, Connecticut, Utah and Virginia have also passed privacy laws. Five other states are considering similar measures.
Castor said she planned to reintroduce legislation that would restrict data collection on children and teenagers. Her previous proposal aimed to expand federal law that applies to data collection on kids under 13.
Citing widespread abuses of privacy and scams targeting the elderly and those with Alzheimer’s disease, experts who testified before the committee urged Congress to ban the sale of data in sensitive categories, including health and location, and severely restrict collection and sale of data to foreign governments.
While several members of Congress are alarmed at apps such as TikTok potentially allowing Beijing to access American users’ data, one expert who testified before the committee said it was easy to access data even without such apps. TikTok is owned by the Chinese company ByteDance Ltd.
Justin Sherman, a senior fellow at the Data Brokerage Project at Duke University’s Sanford School of Public Policy in North Carolina, told lawmakers that his team was able to buy individually identifiable information on U.S. military servicemembers from a data broker “with almost no vetting and [for] as low as 12.5 cents a servicemember.”
At a separate hearing by the Senate Veterans’ Affairs Committee last week, James Rice, assistant director at the Consumer Financial Protection Bureau, told lawmakers that his agency is examining practices of data brokers.
“Earlier this year, we issued a request for information on data broker practices that may be putting military consumers’ privacy at risk,” Rice told lawmakers. “We have also undertaken a similar effort for credit cards and auto loans.”
Data brokers include companies like Experian PLC, a consumer credit reporting company; Oracle Corp.; Acxiom LLC; and others that collect data from a wide variety of sources, including publicly available information, Sherman said in an interview.
“As potential federal legislation takes shape, Acxiom will continue prioritizing the responsible use of data in all our engagements,” Erin Tomaski, a spokesperson for Acxiom, said in an email. “We remain unwavering in our commitment to data protection, privacy, and confidentiality, and we stand ready to support thoughtful legislative changes that balance these values while advancing innovation.”
Acxiom is part of the Interpublic Group Inc. The other companies didn’t respond to a request for comment.
The industry likely ranges in size from tens of billions of dollars in annual sales to potentially hundreds of billions, Sherman said, adding that more precise figures aren’t available.
He and Laura Moy, director of Georgetown Law’s Center on Privacy and Technology, told lawmakers that government records, location data obtained from smartphone apps, information on retail purchases such as over-the-counter medications and alcohol, health information from wearable devices and tracking information on visits to doctors’ offices may all be sources of the information.
‘Married Sophisticates’ and ‘Rural Everlasting’
Using the data, brokers infer characteristics about individuals, putting them into groups such as “Married Sophisticates” to describe upper-middle-class couples, or “Rural Everlasting” to identify single men and women over the age of 66 with low levels of education, Moy testified, citing a study by the Federal Trade Commission.
Such inferences and categorizations are used by companies to target products and services to such individuals, Sherman and Moy testified.
A February 2023 report by Duke University’s Technology Policy Lab found that data brokers were willing to sell highly sensitive mental health data on users, collected via smartphone apps that typically are not covered by the law known as the Health Insurance Portability and Accountability Act.
That means health apps, “wearables, social media platforms, and many other technology companies … can most often legally share, license, and sell users’ health data (in addition to other data) to third parties without users’ knowledge or consent,” author Joanne Kim wrote in the report.
Although states have attempted to control data brokers through privacy laws that create registries of the brokers and allow consumers and users to opt out of data collection, the industry has not been deterred, Sherman said in the interview.
“This is why ‘do not sell my data’ provisions are not a real solution to data brokerage,” he said. Such provisions require users to sift through hundreds of registered data brokers and use individual forms to opt out of tracking and sale of data by each company, he said.
Congress should “flip that on its head” and create a process that would require brokers to seek users’ permission to collect and sell data, Sherman said.
Sherman said he also favored a bill that Rep. Lori Trahan, D-Mass., introduced in the last Congress that would establish a central registry to be managed by the Federal Trade Commission.
“Congresswoman Trahan is working with her bipartisan co-leads in the Senate to reintroduce the DELETE Act in the coming weeks,” said Katie Petersen, a spokeswoman for Trahan, referring to the title of the bill. “This legislation is essential to rein in the abuses of data brokers and give every American the ability to easily delete all of their data collected by these shady middlemen.”
Such a registry would have allowed consumers to “have a one-stop shop to opt out” by allowing them to register their choice with the FTC and the agency would then have the authority to “blast out to every data broker in the system,” Sherman said. “That would be a great first step.”