For many years, Congress has struggled to empower Americans to have control over their personal data. This includes the ability to view, amend, and remove their data at will. The absence of effective federal legislation has left people vulnerable to the misuse of their information. Meanwhile, the data broker industry continuously collects and sells personal data in an unchecked gray market.
States like California, Virginia, and Texas have addressed these issues by enacting laws that mandate data brokers to register with the state, comply with deletion requests, and disclose collected data. However, these laws are met with uneven enforcement and inconsistent coverage. Businesses operating across state boundaries often go unpunished for not complying with rules.
Currently, the SECURE Data Act and the GUARD Financial Data Act represent new efforts by Congress to regulate data brokers and ensure accountability. Unfortunately, resistance to the SECURE Data Act and other federal protections is visible. A congressional hearing held by the House Energy and Commerce Committee highlighted concerns about overriding existing state data protection laws with federal standards. Without federal involvement, consumers face unequal protection based on their geographical location.
Further complicating the scenario is a group of companies that deliberately avoid classification as data brokers, seeking to evade state regulations. Rather than selling names and addresses, these massive data aggregators gather information online, creating risk scores and behavioral profiles. These assessments impact consumer services, loans, and marketing strategies. Despite performing similar functions to data brokers, aggregators bypass existing consumer safeguards.
The challenge in regulating these massive data aggregators stems from a gap in definitions. State laws concerning data brokers usually target firms collecting and selling raw data for profit, accounting for at least 50 percent of their revenue. Aggregators differ as they sell insights based on algorithms applied to collected data instead. They produce inferred profiles, financial dashboards, and detailed dossiers, maintaining a presence in a regulatory void.
The SECURE Data Act and the GUARD Financial Data Act aim to hold this industry accountable. The GUARD Financial Act introduces a definition for financial data aggregators, while the SECURE Data Act sets forth requirements for data minimization and opt-in processes, along with a Federal Trade Commission data broker registry.
Still, these legislative proposals leave substantial gaps. The SECURE Data Act’s revenue threshold for data broker classification does not encompass massive data aggregators, who earn revenue from inferred profiles rather than raw data sales. Meanwhile, the GUARD Financial Data Act relies on disclosure-based credentials, allowing aggregators to continue data operations by embedding disclosures within onboarding processes consumers might overlook.
Though the SECURE Data Act permits consumers to opt-out of certain profiling decisions, it does not prohibit the secondary use and sale of derived data, such as risk scores and behavioral profiles. Gerard Scimeca, an attorney and co-founder of Consumer Action for a Strong Economy, advocates for stronger protections within this market.