Data Brokers

Thousands of data brokers in the United States buy, aggregate, disclose, and sell billions of data elements on Americans with virtually no oversight. As the data broker industry proliferates, companies have enormous financial incentives to collect consumers’ personal data, while data brokers have little financial incentive to protect consumer data. For these companies, consumers are the product, not the customer. Companies also maintain information about consumers that is often inaccurate, wrongfully denying them credit, housing, or even a job.

Data brokers collect and aggregate many types of personal information: names, addresses, telephone numbers, e-mail addresses, gender, age, marital status, children, education, profession, income, political preferences, and cars and real estate owned. Data brokers also collect information on an individual’s purchases, where they shop, and how they pay for their purchases. In addition, data brokers collect health information, the sites we visit online, and the advertisements we click on. And thanks to the proliferation of smartphones and wearables, data brokers collect and sell real-time location data.

The lack of a comprehensive baseline U.S. privacy law has allowed the data broker industry to build profiles on millions of Americans at great cost to our privacy, civil rights, national security, and democracy. Congress must pass comprehensive privacy legislation and create a U.S. Data Protection Agency to regulate the out-of-control data broker industry.

The Data Broker Industry

Data brokers use secret algorithms to build profiles on every American citizen, regardless of whether the individual even knows that the data broker exists. As such, consumers now face the specter of a “scored society” where they do not have access to the most basic information on how they are evaluated. The data broker industry’s secret algorithms can be used to determine the interest rates on mortgages and credit cards, raise consumers’ interest rates, or deny people jobs. In one instance, a consumer found that his credit score suffered a forty-point hit simply because he requested accurate information about his mortgage. Data brokers even scrape social media and score consumers based on factors such as their political activity on Twitter.

The use of algorithms can also have widespread discriminatory effects. The Equal Credit Opportunity Act (ECOA) prohibits lenders from discriminating in credit decisions. Still, studies have demonstrated that Black and Latino communities have lower credit scores as a group than whites. Current law does not allow consumers or regulators to evaluate these scores to determine whether they violate ECOA. Although consumers have the right to request their credit scores, they do not have the right to know how this score is determined.

Algorithmic explainability and transparency are crucial to accountability. Absent rules requiring the disclosure of these secret scores and the underlying data and algorithms upon which they are based, consumers will have no way to know the extent of, let alone solve, these problems.

Legislative Efforts to Regulate Data Brokers

There is no federal law in the United States that regulates the data broker industry. As a result, private companies invade our private lives, spy on our families, and gather our most intimate facts, on a mass scale, for profit. EPIC supports state and federal legislative efforts that set limits on data brokers’  collection, use, retention, and disclosure of personal data. EPIC also strongly advocates for the creation of a U.S. Data Protection Agency focused on privacy protection, compliance with data protection obligations, and emerging privacy challenges.

Some states have made efforts to regulate data brokers. For example, Vermont and California have enacted laws to shine a light on the data broker industry. Vermont passed the nation’s first data broker legislation in 2018, requiring data brokers to “register annually with the Secretary of State and provide information about their data collection activities, opt-out policies, purchaser credentialing practices, and security breaches.” The California Legislature passed a similar law in the following year, requiring data brokers to register annually with California’s Attorney General and provide information about how consumers may opt-out of the sale of their personal information.” While these laws have allowed the public to see a public listing of data brokers, stronger regulation is needed to restrict the buying and selling of Americans’ personal data.