Privacy advocates pressed Congress during a hearing Wednesday to do more to regulate the multibillion-dollar industry of buying and selling Americans’ private data.
During the House Energy and Commerce Oversight and Investigation Committee hearing, witnesses discussed a wide range of harms posed by the data broker industry including the potential to reveal the private health or sexual histories of individuals, provide foreign powers with sensitive information threatening national security and enable predatory marketers and scammers.
The data broker industry has come under increased scrutiny over the past year, especially in light of the Supreme Court decision that overturned Row v. Wade. In August, the Federal Trade Commission sued a data broker for selling geolocation information from hundreds of millions of mobile devices — often without user permission — that could reveal an individual’s sensitive behaviors, including visits to reproductive health clinics. And the Biden administration has proposed stronger laws to protect sensitive reproductive health data.
But without a comprehensive federal privacy law there remains little oversight of the industry that operates “people search websites” and turned trading in addresses, phone numbers, financial data, shopping history and location data and other information into a massive global business that’s largely unregulated.
The hearing follows other recent congressional testimony raising concerns about the collection of Americans’ data by social media giant TikTok, which members referred to on several occasions. Rep. Brett Guthrie, R-Ky., asked if China could get the same information from data brokers as it could from a backdoor into TikTok.
While it may not be the exact data, data brokers still sell enormous amounts of information on Americans with little discernment of who is buying it, said Justin Sherman, a senior fellow and research lead for the Data Brokerage Project at Duke University. That includes data on military members, which Sherman and researchers at Duke were able to purchase for as little as 12.5 cents. He noted that because data brokers don’t vet their clients, it would be easy for a foreign power to pose as a less conspicuous buyer.
Lawmakers used the hearing to ask questions about how to improve upon the American Data Privacy Protection Act, the stalled federal privacy bill. The bill would require data brokers to register with a FTC do-no-collect list allowing individuals to ask brokers to delete their data.
“We should not have to opt-out of those brokers having our information,” Laura Moy, associate professor and faculty director at Georgetown Law’s Center on Privacy & Technology, told lawmakers. She said the bill’s proposed registry could help the FTC exercise oversight and users gain some insight into what’s happening with their information.
But any registry should be simple and let the public opt-out to all data brokers, she stressed. Congress needs consider how to create costs for data brokers that refuse to participate in any type of registry, such as stronger fines, and also consider how data brokers should be able to buy and sell publicly available information such as voting records.
Vermont and California require data brokers in the state to register, but witnesses noted that those registries have limitations. “They’re an important step but they don’t do anything to block the sale of data,” noted Sherman. “We do need to do more including regulating the sale of data.”
Sherman said that both ADPPA and most state privacy laws carve out an exception for data brokers dealing in public records. Still, he said, the easy availability of those records is problematic. “Abusive individuals for decades have bought this data to hunt down and stalk, harass and even murder other people, nominally women and members of the LGBTQ plus community.”
What can potentially be even more concerning is the information brokers infer based on users’ online history such as religion or sexuality without those individuals ever explicitly telling a company. That’s also true of health data. A recent Duke University report found that nearly a dozen data brokers were willing to sell mental health data to a researcher posing as a buyer with little vetting.
“The more mental health services that are not regulated are collecting data, the more they are able to sell it to data brokers,” Sherman said in response to a question from Rep. Paul Tonko, D-N.Y., about whether brokers are taking advantage of the mental health crisis in America.
Witnesses urged Congress to go a step further than the current federal privacy bill by banning the sale of location and health data altogether. Last year, ADPPA faced resistance by some members due to its preemption of state data privacy laws, most notably California’s. The bill has yet to be reintroduced this term.
Also on Wednesday, California Democrats Reps. Anna Eshoo and Zoe Lofgren reintroduced their own comprehensive privacy legislation, the Online Privacy Act. The bill would create a Digital Privacy Agency to enforce protections such as requirements that companies do not disclose or sell data without explicit consent. The bill does not preempt state privacy laws.