Challenges and Efforts in Personal Data Regulation

For many years, the United States Congress has struggled to give citizens control over their personal data, including the ability to view, correct, and delete it. This lack of action has left Americans vulnerable to misuse of their data. Meanwhile, the data broker industry continues to thrive, collecting and selling information in an unregulated market.

States like California, Virginia, and Texas have taken measures to address this issue by implementing laws that require data brokers to register with the state, respect deletion requests, and disclose collected data. However, enforcement varies, and coverage is inconsistent. Companies operating across state boundaries often face minimal consequences for not complying.

Two new proposed bills, the SECURE Data Act and the GUARD Financial Data Act, aim to address these challenges and bring data brokers under legal scrutiny. Discussions in Congress have surfaced concerns that federal protections might override existing state laws. This lack of federal action could leave consumers with uneven protection based on their location.

Adding to consumer risk, some companies intentionally avoid classification as data brokers to bypass state regulations. Rather than selling names or addresses, these large-scale data aggregators gather information online to create risk scores and behavioral profiles. These profiles influence key decisions like mortgage approvals, loan interest rates, and marketing strategies.

The loophole allowing data aggregators to dodge regulations stems from a definitional gap. Current data broker laws target companies relying on raw data sales for over half their revenue. Data aggregators sell derived conclusions instead, utilizing algorithms to generate risk scores and other profiles.

The SECURE Data Act and GUARD Financial Data Act signify progress in addressing industry accountability. The GUARD Financial Act defines financial data aggregators in federal terms, while the SECURE Data Act introduces data minimization, opt-in requirements, and a Federal Trade Commission data broker registry.

Yet, both bills have shortcomings. The SECURE Data Act’s 50% revenue threshold excludes data aggregators earning income from derived profiles, leaving major operations unregulated. Meanwhile, the GUARD Financial Data Act’s credential provisions permit aggregators to continue data reselling, provided disclosures are hidden in onboarding processes.

Although the SECURE Data Act allows consumers to opt-out from certain profiling, it does not fully restrict secondary use and sale of derived data.

Gerard Scimeca serves as chairman and general counsel of Consumer Action for a Strong Economy (CASE), a free-market-focused consumer nonprofit.