Data Brokers

Thousands of data brokers in the United States buy, aggregate, disclose, and sell billions of data elements on Americans with virtually no oversight. Companies have enormous financial incentives to collect consumers’ personal data and few impediments to doing so. For these companies, consumers are the product, not the customer. Companies also maintain information about consumers that is often inaccurate, wrongfully denying them credit, housing, or even a job. 

Data brokers collect extensive dossiers of deeply personal information including name, address, telephone number, e-mail address, gender, age, marital status, children, education, profession, income, political preferences, and cars and real estate ownership. In addition, data brokers collect health information, the sites we visit online, which products we buy, how we pay, and the advertisements we click on. And thanks to the proliferation of smartphones and wearables, data brokers collect and sell real-time location data. 

The lack of a comprehensive baseline U.S. privacy law has allowed the data broker industry to build profiles on millions of Americans at great cost to our privacy, civil rights, national security, and democracy. Congress must pass comprehensive privacy legislation and regulate the out-of-control data broker industry. 

Harm Imposed by The Data Broker Industry 

Data brokers use secret algorithms to build profiles on every American citizen, regardless of whether the individual even knows that the data broker exists. As such, consumers now face the specter of a “scored society” in which they are not aware of when and how they are algorithmically evaluated. The data broker industry’s secret algorithms can be used to determine interest rates on mortgages and credit cards, determine eligibility for public benefits, or deny people jobs. Data brokers even scrape social media and score consumers based on factors such as their political activity on social media. Even though government entities and companies use information from data brokers to make critical decisions about people, the information data brokers hold is often inaccurate and negatively biased against already marginalized populations. 

The use of algorithms has widespread discriminatory effects. The Equal Credit Opportunity Act (ECOA) prohibits lenders from discriminating in credit decisions. Still, studies have demonstrated that Black and Latino communities have lower credit scores as a group than Whites and Asians. The technical complexity and opacity of credit scoring models makes it very difficult for consumers and regulators to know if a company is using a discriminatory algorithm in violation of ECOA. Consumers have the right to request their credit score, and companies are required to give a reason for making adverse decisions against consumers. However, companies are not required to fully disclose the data and methods used to generate a score. 

Algorithmic explainability and transparency are crucial to accountability. Absent rules requiring the disclosure of these secret scores and the underlying data and algorithms upon which they are based, consumers will have little way to know the extent of, let alone solve, these problems. 

Beyond diminishing individual privacy and perpetuating discrimination, data brokers also harm people by offering sensitive personal information for sale to anyone. This information can be used to commit fraud, threaten national security, and even to target someone for physical violence.  

Criminals use personal information obtained from data brokers to legitimize their attempts to scam and defraud consumers. Someone is more likely to fall for a phishing scam when the phishing message includes accurate information about the person’s location, employment information, or bank accounts, for example. Further, fraudsters target certain groups of people, including retirees and veterans, using information from data brokers.  

Data brokers also threaten national security by compiling and selling extensive profiles of information on members of the military and government officials. These records contain information including location data, financial information, information about family members, and other sensitive information that could be used by bad actors to carry out blackmail or use phishing techniques to obtain state secrets from military and government personnel. 

Data brokers indiscriminately sell personal information without the knowledge or consent of individuals. By doing so, data brokers enable physical violence by providing a tool for abusers and criminals to locate and track victims. For example, data brokers enable harm against domestic violence survivors by providing a tool for abusers to locate and track victims. Even when survivors are able to escape their abuser, survivors may continue to live in fear that their abusers may be able to find them again by purchasing data about their new home or job. This fear of exposure by data brokers may cause a survivor not to seek legal services, find a new job, or purchase or rent a new home to avoid generating new records that data brokers can obtain and sell to abusers. Similarly, data brokers fuel violence against public officials like law enforcement officers and judges. People who wish to harm public officials can often purchase personal information like home address, names of close relatives, and location data from data brokers and use this information to find and harm public officials and their families. 

Data brokers enable significant harm by indiscriminately collecting and selling sensitive personal information. These harms underscore the urgent need to establish guardrails to protect individuals from data brokers. 

Legislative Efforts to Regulate Data Brokers 

There is no federal law in the United States that adequately regulates the data broker industry. As a result, private companies invade our private lives, spy on our families, and gather our most intimate facts, on a mass scale, for profit. EPIC supports state and federal legislative efforts that set limits on data brokers’ collection, use, retention, and disclosure of personal data. 

States have begun to pass laws that expand transparency and consumer control in the data broker industry. Vermont, California, Texas, and Oregon have enacted laws to shine a light on the data broker industry. Vermont passed the nation’s first data broker legislation in 2018, requiring data brokers to “register annually with the Secretary of State and provide information about their data collection activities, opt-out policies, purchaser credentialing practices, and security breaches.” California passed a similar law in the following year, requiring data brokers to register annually with California’s Attorney General. California’s law also requires all data brokers to delete all personal information held about residents who submit an opt-out to the California Privacy Protection Agency (CPPA). In 2023, Texas and Oregon also both passed data broker registration laws. State data broker registration and deletion laws have allowed the public to see a public listing of data brokers and allowed Californians to submit one opt-out request that all data brokers must follow. However, stronger and more widespread regulation is needed to restrict the buying and selling of Americans’ personal data.