Georgetown Law
Technology Review

Data privacy surged to the forefront of policy concerns in Congress during 2018 after revelations regarding Cambridge Analytica’s misappropriation of Facebook user information. As a result, elected officials in both the House and Senate spent months hosting hearings, grilling technology companies, and drafting bills to address growing concern about the “wanton collection, dissemination, and monetization of personal data.” In 2019, the stage now seems set for the 116th Congress to actually pass comprehensive online privacy legislation. Until recently, however, policymakers have focused on regulating Silicon Valley technology giants while the role of “data brokers” has remained out of the limelight.

Data brokers are entities that trade in personal information without having a direct relationship with consumers. Essentially, these intermediary companies aggregate and collect data from public-facing services before selling that information to third-parties. Those third-parties generally buy personal information from data brokers in order to perform tasks such as verifying an individual’s identity, marketing products, and detecting fraud. However, these data brokers are not regulated and receive little oversight. Thus, it is immensely difficult to know how consumer information is actually being used down the supply chain, and how secure such data is from cyber threats. Moreover, consumers are usually unaware that data brokers exist and are selling their information, which has led to their operations being called a “shadow economy” behind modern technology markets.

Motherboard published an alarming investigation last month that demonstrates the danger of unchecked data brokers. Reporters showed how easy it was to hire a bounty hunter to track an individual’s real-time location information through their mobile device. With just the target’s phone number and a few hundred dollars in payment, the bounty hunter was quickly able to determine the individual’s current whereabouts within a few city blocks. This feat was accomplished through information provided by a bail bond company that had purchased location-data from a data broker called Microbilt, which had in turn bought records from another data broker named Zumigo, which had itself obtained the information directly from T-Mobile. The Motherboard story thus highlights the complexity of data broker transactions, as well as the limits of using internal corporate policies to prevent such abuses of consumer information by entities down the supply chain.

To privacy experts, the facts of the Motherboard investigation are not surprising. Groups like the Center for Democracy and Technology have been highlighting the safety and security threats raised by data brokers for years, as well as calling for new rules governing such entities to be included in any future privacy legislation. These advocacy organizations are not only concerned about the threat of criminal access to the information maintained by data brokers, but also how the market for “[b]uying and selling data facilitates everything from government surveillance to financial exploitation.” In recent weeks, high-profile figures like Apple CEO Tim Cook aided their mission to shine a light on data brokers, writing an an op-ed calling for the regulation of “these secondary markets for [consumer] information.” In addition, the CEO of Acxiom, one of the leading data brokers, just expressed support for privacy legislation that would “root out the nefarious players in the ecosystem” of his business.

Due to the confluence of these factors, it appears that Members of Congress are now paying attention to data brokers as well. For example, in response to the Motherboard investigation, leaders from both the Democratic and Republican parties have sent letters to data brokers and federal regulators requesting additional information. The House Energy and Commerce Committee has sought an emergency briefing from the Federal Communications Commission on the wireless industry’s data-sharing practices. Beyond that, at least one U.S. Senator has pledged to introduce legislation that will directly address the role of data brokers in protecting consumer privacy. Thus, momentum for new rules on data brokers is clearly growing, although it is uncertain whether such provisions will ultimately be included in any comprehensive privacy bill that passes the 116th Congress. At a minimum, it seems that the data broker industry has itself lost the privacy it once enjoyed.