Washington’s focus on data brokers is blurry …
Congress has been distracted recently with the question of whether or not to impeach and eventually remove the President from office. The discussion is taking up a lot of oxygen in Washington, but eventually the inside-the-beltway gang will turn itself back to other matters and I believe among those matters will be a national treatment of data privacy.
Pushing the desire for a national treatment of data privacy is the call on the part of broadband companies for federal privacy legislation that treats broadband providers, such as AT&T and Comcast, the same way as Amazon, Facebook, and Google.
While the data broker business model differs from that of a broadband infrastructure provider, the common denominator for congressman and consumer is data and its protection. Cambridge Analytica’s mishandling of data it obtained from Facebook served to blend in Congress and the consumers’ minds that a bad act on the part of one player automatically taints all other players in the chain of data possession.
The federal and state attempts at reining in data brokers …
On the federal side, Congress has dipped its toe on the “regulate the data brokers” pool with introduction of S. 2342, the Data Broker List Act. Introduced by Senator Gary Peters, Democrat of Michigan, and co-sponsored by Senator Martha McSally, Republican of Arizona, the Act, if passed, would require that data brokers register annually with the Federal Trade Commission.
Under the Data Broker List Act, there would be certain requirements regarding the acquisition and brokering of personal information, including the requirement that brokered data not be acquired through fraudulent means, and that acquired or brokered personal data not be used for stalking or harassing another person; committing financial or e-mail fraud, or engaging in unlawful discrimination, including discrimination involving credit, employment, or housing.
Data brokers would also be required to implement and maintain a comprehensive information security program designed to protect personal data against hacks and other breaches.
Two states are ahead of the federal government when it comes to legislation regulating data brokers. Under the Vermont Data Broker Law, there is also a requirement for the annual registration of data brokers with the Vermont secretary of state where company name and physical, email, and internet addresses are required. Data brokers are also required to implement and maintain an information security program that protects Vermont consumers from theft or fraudulent use of personally identifiable information.
California AB 1202 requires that data brokers register with the state’s attorney general, providing company name and physical, email, and internet address. The legislation, which takes effect next January, is not as comprehensive as Vermont’s statute or the proposed federal data broker legislation in terms of requiring an information security program.
What’s next …
As state legislatures begin their sessions in the next couple of months, data brokers should continue to stay on the look out for pre-filed bills and keep their ears to the ground for any media chatter concerning data privacy protection. Data brokers may also continue refining arguments that promote the positive role they play in ensuring that data that brings value to commercial actors i.e. lenders, landlords, retailers, etc., gets to these market participants thus ensuring that consumers get the products that best suit their needs.