The Importance of Precise Language in Data Broker Legislation
Data privacy remains a central focus at the state and the federal level. Yet, with the rise of consumer-facing digital services, so too have new industries emerged that focus mainly on the sale and usage of data without providing a consumer-facing service. One such industry, generally known as “data brokers,” have seen a meteoric rise. Questions have arisen pertaining to their business and privacy practices as this industry, which largely has remained in the shadows, becomes more unveiled.
A data broker can mean many things and have been defined in numerous ways. One defining trait among data brokers is that they collect personal consumer information from a range of public and nonpublic sources (public records, browsing history, and purchase history). The information that is collected is then directly sold or licensed to a third-party organization. These organizations include corporations, governments, law enforcement, or research entities. More concerning, a consumer often has no idea that their data is being sold. Indeed, many consumers have never heard of the top five data broker companies, despite these entities collectively holding data on well over one billion individuals.
While large-scale data analysis can lead to benefits for consumers, limited privity and a lack of transparency raises serious privacy concerns for consumers. Other concerns stem from a lack of accuracy on data collected. For example, reports of “junk” inferences, where incorrect assumptions of consumers are used to make entirely false inferences about certain individual habits, commonly arise. This could include incorrect conclusions that falsely assume an individual’s health status, sexual orientation, or employability, impacting a person’s safety.
With the obvious need to address these privacy concerns, it is important to avoid overly broad language that risks grouping consumer-facing products that use data to provide a service, like social media platforms and retailers, with those that do not. Put another way, a service that collects data to improve a search function or curate a social media timeline is not the same as a company that scrubs the internet for the sole purpose of collecting and selling consumer data profiles.
Vermont was the first state to take action, passing the Data Broker Act in 2018. This Act defined data brokers as “a business… that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.” Vermont’s legislative aims were clear, with the Act focusing on indirect relationships between the data broker and the consumers. Clarifying the application of the law provides businesses of varying sizes with reassurances of the rules of the road.
Unfortunately, not all laws are as clear. The California Delete Act, which builds upon existing state data protection laws, is a recent example of well intentioned but unhelpful data broker legislation. The legislation would give California consumers a simplified global deletion mechanism to request that data that has been collected about them be deleted. While entirely reasonable on its face, the legislation’s scope could potentially lead to frustrating outcomes. First, the broad definitions of who a data broker is and what encompasses the “sale” of consumer data in the bill may lead to innumerable digital services, rather than merely data broker companies, having to delete data that a consumer may not actually wish to be removed. Second, businesses that fall under the broad definition would have to check the deletion mechanism constantly to ensure no new requests have been filed, or risk costly fines. Take, for example, an online marketplace that saves commonly purchased groceries to benefit consumers who make monthly purchases for their favorite branded items. If included in the definition of a data broker, would this service need to check the mechanism and potentially remove the consumer’s entire purchase history?
Similar concerns arise around federal data privacy legislation with the American Privacy Rights Act (APRA), which includes provisions governing the rules for data brokers across the country. APRA’s definition of a data broker does not account for the type of business relationship it intends to govern, making it broadly applicable to countless digital services. Further, combining APRA’s global “Delete My Data” option with its broad definition of data brokers will be frustrating for consumers who may not want data deleted. A consumer who opts for a global deletion request may be left with multiple services entirely deleting their social media profiles, messages with loved ones, or other important information that they were not aware fell under the deletion mechanism.
Data broker legislation is important to protect consumers’ privacy. Lawmakers need to carefully evaluate definitions and scope to limit unintended consequences. Vermont has demonstrated how a direct approach to define the practice of data brokers leads to better privacy protection for its citizens. Legislation can be enacted to ensure citizens are protected from commonly understood data brokers without damaging other consumer-facing services. The demand for transparency and privacy around this emerging industry should not come at the expense of consumer expectations.
