The bipartisan data privacy bill announced by House and Senate leaders last week would regulate the operations of large data brokers, the companies that collect, combine and sell large amounts of personal data to advertisers, governments and other interested parties.
The American Privacy Rights Act (APRA), drafted by House Energy and Commerce Committee Chairwoman Cathy McMorris Rodgers (R-Wash.) and Senate Commerce, Science, and Transportation Committee Chairwoman Maria Cantwell (D-Wash.), would impose extensive new requirements on companies. It would limit and regulate how personal data collected directly from customers or through other means is used, stored, protected and shared.
Against the backdrop of Congress' failure to meaningfully update privacy laws for the information age and the lack of a federal data privacy standard, Rodgers and Cantwell said in a statement that APRA is "the best opportunity we've had in decades" to set a privacy and security standard that gives people the right to control their personal information.
Researchers and experts warn that the unregulated collection and sale of Americans' personal information through data brokers is an imminent threat to their privacy. While APRA takes some steps to rein in the data broker industry, the bill falls far short of the strong measures many experts say are needed to regulate it.
The measure would define the industry in federal law and includes proposals to help policymakers and the public identify and track the largest companies in the market.
It would also impose a number of new restrictions on data brokers. Brokers are prohibited from advertising or marketing for the express purpose of stalking or harassment, identity theft or fraud, or unfair or deceptive business practices.
The bill would task the Federal Trade Commission with creating a national registry to track data brokers that handle data and devices related to 5,000 or more individuals. The registry would be publicly searchable and would also provide a way for an individual to submit a "do not collect" request for covered data to all registered brokers, who must act on it within 30 days.
It also requires brokers to post "clear, conspicuous, non-misleading, and readily accessible" notices on the web that identify their business models and provide an easily accessible link for individuals to opt out. This would force companies to be more transparent about their activities, including by disclosing them on their own sites.
Companies that sell or transfer customer data to large brokers must also identify the specific entities to which the data is transferred, the categories of data involved, the intended use, how long the information is retained, and how the data is secured.
Categories of data covered by the bill include private communications, health information, biometric and genetic data, financial account and payment data, precise geolocation and photographs, among others.
The data broker industry is vast. According to Transparency Market Research, the global data broker industry was valued at more than $240 billion in 2021 and is expected to reach $462 billion by 2031. Market Research Future similarly predicts that it will reach $471 billion by 2032, with North America accounting for the largest market share.
Currently, there are few meaningful restrictions on how data brokers operate. The market is “virtually unregulated,” according to a 2021 paper by Justin Sherman, a senior researcher at Duke University who studies the role data brokers play in digital privacy.
Sherman told CyberScoop that ideas like registries with opt-out mechanisms are “a very American 'consumer choice' focused way of thinking about privacy risks.”
Some of the bill's obligations on first-party data collectors include prohibiting businesses from transferring certain sensitive information to third parties without the customer's explicit consent, requiring a notice to consumers about data collection that includes reasonable opt-out options, and requiring a "reasonable" data security program to minimize data loss from hacking incidents. These could affect the kinds of data that brokers can easily purchase or collect online.
On the other hand, “it's easy for a bill to improve the status quo when it's not very regulated,” Sherman said. While APRA may increase scrutiny of the industry, Sherman argued that the lack of strong measures to regulate and limit the sale of Americans' personal data represents a victory for the data broker industry.
“The primary focus on transparency and self-regulation is a lobbying strategy for data brokers to ease the burden on consumers,” Sherman said.
Tentative efforts to regulate the industry have already sparked significant lobbying activity, according to a review of the OpenSecrets database. RELX, the British data broker and owner of data analytics company LexisNexis, spent $3.1 million in 2023 lobbying on a number of privacy bills. Experian spent $1.4 million lobbying Congress on numerous data privacy and credit monitoring bills, while its rival Equifax spent more than $1.5 million.
In Sherman's view, strong legislation to regulate the data broker industry would not only allow consumers to opt out of data collection but also allow them to delete data that has already been collected. It would also introduce stronger rules on the collection, transfer and sale of harmful data, provide more resources to privacy regulators, and empower the public to sue bad actors through a private right of action.
Brandon Pugh, policy director for cybersecurity and emerging threats at the R Street Institute, a right-leaning think tank, told CyberScoop that federal privacy law has failed to adequately define data brokers, allowing the industry to change its business models in ways that make it difficult for the public to understand.
APRA will begin to address this issue by requiring companies to prominently identify themselves as data brokers on their websites using language that the FTC will develop.
“Sometimes you're dealing with a company and you don't realize that it's a data broker,” Pugh said.
Mr Pugh said he was also encouraged by APRA's data minimization provisions, which have the potential to reduce the large amounts of customer data that companies collect and ultimately sell to data brokers.
"To the extent that data brokers are dealing with other private companies to obtain data, it will help reduce some of the data flows," Pugh said.
A national registry with a comprehensive opt-out may not eliminate abuse by bad actors. Several experts liken it to the National Do Not Call Registry, which has had only a limited impact on the number of spam and marketing calls flooding American cell phones. However, it could help the public and policymakers better track industry players.
Antonio Sanchez, chief cybersecurity evangelist at data security firm Fortra, said the bill's various opt-out features need to be accompanied by awareness efforts. “Otherwise, fewer consumers will know their data privacy rights and be able to control how it is used.”
While APRA is directly aimed at how private companies collect, share and sell data, it largely avoids addressing the larger issue of how federal agencies can use the same data.
Other efforts on Capitol Hill would further restrict whom data brokers can sell to. A proposal from Oregon Democratic Sen. Ron Wyden, called the Fourth Amendment Is Not For Sale Act, would prohibit law enforcement and intelligence agencies from purchasing various types of personal information from data brokers without a court order.
U.S. intelligence and law enforcement agencies have become increasingly reliant on data purchased on the open market, a trend many civil libertarians accuse the government of using to get around the Fourth Amendment's protections against unreasonable searches and seizures.
In the absence of Congressional action on the issue, national security officials said they are moving to introduce stronger rules governing the use of commercially obtained data.
“We are developing our own policy,” Eric Rosenberg, acting chief of acquisition and technology transfer law at the U.S. Cyber Command's Office of Staff Judges and Legal Affairs, said at a briefing last week. “Cybercom has already started incorporating clauses into contracts to address issues such as data privacy.”
Lindsey Rodman, deputy assistant attorney general for intelligence in the Pentagon's Office of General Counsel, said at the same event that the Office of the Director of National Intelligence plans to issue its own guidelines on commercially purchased data in the coming weeks.