Will Congressional Bills Regulate Data Brokers?
Two bills from the last Congress would create a national registry of third-party data brokers. Here's what to know.
Congress is paying more attention to the data broker industry — generally, companies involved in gathering, inferring, and aggregating and then selling or licensing data — which is worth billions of dollars in the United States alone. Two bills from the last Congress, which may be reintroduced, would create a national registry of third-party data brokers. Here’s what to know about these bills and what they would do for consumers’ ability to opt out of the sale of their data. Brought to you by Global Cyber Strategies, a Washington, DC-based research and advisory firm.
The One-Liner
ADPPA and the DELETE Act both would create a national registry of third-party data brokers to which consumers could submit a do-not-sell-my-data request.
Zooming In: ADPPA and the DELETE Act
I testified several weeks ago to the House Energy & Commerce Committee on the data brokerage ecosystem, the kinds of data gathered and sold about people, and privacy and security risks to individuals and the country. Read more in our previous post here:
Following up on that hearing, I recently wrote an article for Lawfare examining two bills from the last Congress that have a good chance of being reintroduced:
The American Data Privacy and Protection Act (ADPPA): This bipartisan bill was positioned as a comprehensive consumer privacy law and contains some provisions related to “third-party collecting entities” that would have to sign up to a national registry. It was by many accounts the closest the US Congress has come to passing a comprehensive data privacy law.
The Data Elimination and Limiting Extensive Tracking and Exchange (DELETE) Act: This bipartisan bill was focused specifically on third-party data brokers and building a national registry through which consumers could opt out of the sale of their data by some of those registered brokers.
As I broke down for Lawfare:
Both bills’ registries focus on third-party companies only (not the “first parties” that collect data directly on users), include information that is publicly published and searchable online, and establish a centralized opt-out mechanism for consumers. … Neither bill is perfect. For instance, neither bill outright bans the brokerage of certain kinds of particularly sensitive data — such as mobile apps and websites selling individuals’ location and health data. But they would each improve on the status quo, and their proposals for a national data broker registry hold important lessons for regulating the data broker industry.
Under ADPPA:
First, every third-party collecting entity with a website or mobile app would have to place a conspicuous notice on their website. The notice would have to include language from the Federal Trade Commission (FTC), to be developed through rulemaking, and a link to the FTC’s to-be-created registry of third-party collecting entities. Said notice must be “reasonably accessible to and usable by individuals with disabilities.” Second, by Jan. 31 of each year, any third-party collecting entity that processed ADPPA-covered data in the year prior about more than 5,000 devices or people — linked or reasonably linked to those individuals — would have to register with the FTC. The registration submission would include a $100 fee as well as the entity’s legal name, primary physical and email addresses, website, and contact information (such as contact person, phone number, email, and mailing address). FTC registration would also include a “description of the categories of covered data the third-party collecting entity processes and transfers.” This last inclusion is a beneficial one, because it would provide consumers and regulators with more insights into the types of data processed by third-party collecting entities, including data sold by third-party data brokers.
From there, the FTC would create a mechanism by which consumers could submit a “Do Not Collect” request to registered third-party data brokers, except for consumer reporting agencies. As I discuss in the article, all three major consumer reporting agencies in the US — Equifax, Experian, and TransUnion — are subject to some regulation under the Fair Credit Reporting Act (FCRA). But they also broker plenty of other data outside the scope of FCRA, such as selling geolocation data; excluding these companies from ADPPA’s do-not-sell provision is a weakness of the bill. And:
The third and final registry provision would fine companies $100 each day for failing to register or provide notices on their websites, not to exceed $10,000 in a year. Entities would additionally be liable for the equivalent of a registration fee ($100) for each year they did not register. For all the ADPPA’s many improvements on the privacy status quo, this is a weak penalty.
Registry and do-not-sell provisions in the DELETE Act are relatively similar, although the DELETE Act would require much more registry information:
Registry information would include “the sources from which the data broker obtains data,” which is information that most brokers closely hold or even outright hide from policymakers and the public. More insights into those sources would help to identify the ways that Americans’ data — such as health and location data — become available on the open market for sale in the first place. Additionally, many data brokers claim that they implement controls on their sale of data, but the little public information about data brokers’ sale processes often points to the opposite. Requiring disclosure of whether a broker has a “credentialing process” for prospective buyers (and if so, what it looks like) would help to address these questions and to better inform legislation and regulatory enforcement. On top of that, the DELETE Act would critically empower the FTC to require covered brokers to submit additional information that could provide further insights.
From there, the FTC would set up a centralized, one-stop-shop mechanism by which consumers could tell registered third-party data brokers to stop selling their data. It would also require the use of hashing to limit the information transmitted to brokers:
Once submitted, the centralized system would hash the information on FTC systems — that is, formulaically convert an entry into a standard-length string of letters and numbers. Then, data brokers could retrieve it by submitting their own hashed queries. After an individual submits information in a request, the FTC would keep it for two years before automatically deleting it.
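To make the hashed exchange concrete, here is a toy model of the registry flow just described. It is an added example, not code from the article, from Global Cyber Strategies, or from the bill text. It assumes consumers are identified by email address, that the digest is SHA-256 over a normalized identifier (so the FTC and brokers compute it identically), and that the FTC purges a request two years after submission; the class and function names are invented for illustration.

```python
import hashlib
from datetime import date

# Constructed example, not from the article or the bill: a toy model of a
# hashed opt-out registry. Assumed details: identifiers are email addresses,
# the digest is SHA-256 over a normalized identifier, and the registry drops
# a request two years (taken here as 730 days) after it was submitted.
RETENTION_DAYS = 2 * 365


def normalize(identifier: str) -> str:
    """Canonicalize so that 'Alice@Example.COM ' and 'alice@example.com' match."""
    return identifier.strip().lower()


def registry_hash(identifier: str) -> str:
    """Fixed-length digest computed the same way on both sides of the exchange."""
    return hashlib.sha256(normalize(identifier).encode("utf-8")).hexdigest()


class OptOutRegistry:
    """FTC-side store: keeps only digests and submission dates, never plaintext."""

    def __init__(self) -> None:
        self._entries: dict[str, date] = {}

    def submit(self, identifier: str, submitted_on: date) -> str:
        """Consumer files a request; only its digest is retained."""
        digest = registry_hash(identifier)
        self._entries[digest] = submitted_on
        return digest

    def purge_expired(self, today: date) -> int:
        """Delete requests older than the retention window; returns the count removed."""
        expired = [h for h, d in self._entries.items() if (today - d).days >= RETENTION_DAYS]
        for h in expired:
            del self._entries[h]
        return len(expired)

    def match(self, hashed_queries: list[str]) -> set[str]:
        """Broker sends digests; the registry answers only with those on file."""
        return {h for h in hashed_queries if h in self._entries}


class Broker:
    """Broker-side: holds plaintext records and must suppress matched opt-outs."""

    def __init__(self, records: list[str]) -> None:
        self.records = set(records)

    def poll(self, registry: OptOutRegistry) -> set[str]:
        """Hash every held identifier, query the registry, drop the matches."""
        by_hash = {registry_hash(r): r for r in self.records}
        matched = registry.match(list(by_hash))
        suppressed = {by_hash[h] for h in matched}
        self.records -= suppressed
        return suppressed


def demo() -> dict:
    """Constructed scenario: two requests on file, one of them past retention."""
    registry = OptOutRegistry()
    registry.submit("Alice@Example.com", date(2023, 1, 15))
    registry.submit("carol@example.net", date(2020, 12, 1))  # stale by the demo date
    broker = Broker(["alice@example.com", "bob@example.org", "carol@example.net"])
    purged = registry.purge_expired(date(2023, 3, 1))  # carol's request expires
    suppressed = broker.poll(registry)                 # only alice still matches
    return {"purged": purged, "suppressed": suppressed, "remaining": broker.records}


if __name__ == "__main__":
    print(demo())
```

Two properties of this design are worth noticing. The registry never returns plaintext, and a broker learns only whether identifiers it already holds appear in the registry, which is what limits the information flowing to brokers. At the same time, an unkeyed hash of a low-entropy identifier such as an email address is not secret from anyone who already holds candidate addresses, so the confidentiality of the scheme rests on the registry answering queries rather than publishing its table, and on the plaintext requests being deleted after the retention period.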
What Now?
ADPPA and the DELETE Act are bills from the last Congress, and each has a solid chance of reintroduction in the current Congress. Generally speaking, sometimes a narrower bill may have a higher likelihood of passage — the scope is more focused and therefore may run into fewer substantive concerns, political frictions, lobbying forces, and more. But with privacy, a number of influential members of Congress have insisted that Congress lean towards a comprehensive privacy approach. Hence, ADPPA could have a slightly better chance of advancing.
These bills would improve on the status quo vis-a-vis data brokerage, including by requiring third-party data brokers to register in a national database and giving consumers the ability to opt out of the sale of their data in some cases. Of course, a problem remains: US privacy law discourse focuses on opt-outs rather than opt-ins. These registry-style approaches still place the burden on the consumer rather than, by default, outright preventing data brokers from gathering and selling data about individuals on the open market. They also place controls on just third-party data brokers and do not fully address the many first-party collectors that sell data.
Nonetheless, the two bills could learn from each other, as I write in closing to the Lawfare article:
At least one place where the DELETE Act could be improved by incorporating an ADPPA provision is the timeline for processing data deletion requests. Under the ADPPA, covered entities must comply with deletion requests within 30 days of receipt, and under the DELETE Act, covered entities must comply within 31 days of receipt. These provisions are almost identical. However, the ADPPA seems to suggest that data brokers would receive deletion requests immediately. It is not stated explicitly but seems implied that once the FTC opt-out system receives a request, it forwards it right away to covered brokers. The DELETE Act, by contrast, says brokers must query the hashed delete-my-data requests once every 31 days. This is a significant difference. A consumer could file a DELETE Act request with a data broker, and the broker could continue to sell that individual’s data for another 62 days — the first 31, without even accessing the deletion request filed with the FTC, and for the next 31, taking the maximum permitted amount of time to comply. …
Conversely, the ADPPA should adopt the DELETE Act’s approach to non-registration and non-notice penalties. The latest version of the ADPPA had small fines and a relatively low penalty limit ($10,000 maximum per year) for third-party collecting entities that fail to register with the FTC and provide required notice to consumers. In that scenario, data brokers making millions or billions of dollars each year will not be sufficiently incentivized to comply. One path forward could be increasing the non-registration and non-notice penalties for companies over a certain size. But that would leave in place the low ceiling on monetary penalties. The staff working on a possible reintroduction of the ADPPA could thus draw on the DELETE Act: Forgo an explicit monetary limit on penalties and leave it up to the FTC under its Section 5, unfair or deceptive acts or practices authority. This would provide the legislation with clear enforcement teeth.
Subscribe for more public insights, and reach out on Global Cyber Strategies’ website for a range of custom-tailored research and advisory services.
© 2023 Global Cyber Strategies LLC.