Cybersecurity & Tech Surveillance & Privacy

Examining State Bills on Data Brokers

Justin Sherman
Tuesday, May 31, 2022, 8:01 AM

The laws already in California and Vermont do not put any meaningful controls on companies selling, licensing and otherwise sharing Americans’ sensitive data on the open market—and the new bills are no different.

The Oregon State House of Representatives. (Glen Bledsoe, https://flic.kr/p/8q51tv; CC BY 2.0, https://creativecommons.org/licenses/by/2.0/)

Published by The Lawfare Institute
in Cooperation With
Brookings

Data brokers’ unregulated buying and selling of Americans’ data on the open market continues to make headlines. Vice reported in May, for example, that data broker SafeGraph was openly selling GPS data on people visiting abortion clinics (the company has since claimed it stopped providing location pattern data for sale and for access through its API).

Amid this growing media and policy attention, three states are considering entirely new privacy bills that would impact data brokers: Delaware, Massachusetts and Oregon. California—which, along with Vermont, is one of the two states that already has a data broker registry law—was until recently considering a new bill that would have amended its existing data broker registry law.

Each of these bills matters in and of itself: They would introduce some regulations on the state level around data brokers, and state privacy legislation is even more impactful given the current lack of a comprehensive consumer federal privacy law.

They also matter nationally for that reason: State laws are paving the way for a consumer federal privacy law, and much of what states do will be referenced by congressional legislators as they write privacy bills. Indeed, even in the data broker context, state-level definitions of “data brokers” in Vermont and California have already found their way into congressional proposals. This post examines the state bills on data brokers, how they compare to existing state laws, their gaps and limitations, and what lessons they hold for other states and for congressional policymakers looking to regulate the data brokerage ecosystem.

Delaware: House Bill 262

Delaware’s bill on data brokers, introduced in June 2021, “seeks to provide consumers with critical information about how their personal information is being used by data brokers.” The bill primarily requires data brokers operating in Delaware to register with the Delaware Department of Justice’s Consumer Protection Unit and establish mechanisms to protect the security and confidentiality of the data they collect and sell. It has been amended twice since its introduction, once on March 31 and again on May 4. In comparison to the existing laws in California and Vermont, Delaware’s bill more expansively defines data brokers and requires those companies to submit far more information to the state—yet does not impose controls on companies selling, licensing and otherwise sharing data on individuals.

Another notable difference in the Delaware bill is its definition of a data broker compared to other state laws. For context, Vermont and California define a data broker in generally the same way: a company selling data on individuals with whom it has no direct business relationship.

  • Vermont (Statute 9 V.S.A. § 2430): A data broker is “a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship” (with several exceptions).
  • California (Civil Code § 1798.99.80): A data broker is “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship” (with several exceptions).

The Delaware bill originally used the term “data broker” in its June 2021 text, and then, in the first amendment to the bill on March 31, the term “data broker” was removed from the text entirely and replaced with the term “data market participant.” Legislators, in doing so, additionally shortened the definition of the bill’s central term.

The original June 2021 bill specified:

“Data broker” means a business that both (i) knowingly maintains or collects the brokered personal information of at least 500 consumers and (ii) either sells or licenses such information to one or more independently operated businesses. The term “data broker” includes, but is not limited to, data collectors and third-party data brokers. A business may be both a data collector and a third-party data broker depending on its activities.

In the March 31 amendment to the bill, “data broker” was swapped out for “data market participant” and specified:

“Data market participant” means a business that both (i) knowingly maintains or collects the brokered personal information of at least 500 consumers and (ii) either sells or licenses such information to one or more independently operated businesses. 

Delaware’s bill is closer in form to Vermont’s definition, because Vermont scopes a data broker to include companies that either sell or license data on individuals; California, by contrast, defines data brokerage only in terms of an outright sale. Delaware’s bill also expands on both of these definitions by classifying any company selling or licensing data on at least 500 consumers as a data market participant—whether or not they have a direct business relationship with the consumers in question. This greatly increases the number of companies that would have to register in Delaware as a data market participant, because in California and Vermont, selling any customer’s data is an immediate disqualifier from classification as a data broker under the law.

In addition to the new definitions (and terminology), Delaware’s bill requires data market participants operating in Delaware to submit far more information to the state than is currently required by California’s and Vermont’s data broker registry laws. Currently, these other states require brokers to submit basic information like their name, website and physical address for publication in an online registry. California does not require any additional information, though its law says that brokers can provide the state with “any additional information or explanation the data broker chooses to provide concerning its data collection practices.” Vermont goes further and requires that brokers submit their mechanisms for consumer opt-outs, the number of data breaches they have experienced in the past year and the number of consumers affected, whether they require buyers of data to meet credential requirements, and whether they have brokered minors’ personal information.

Delaware’s bill elaborates on that set of information and mandates that each data market participant submit the following to the state: name, physical address, email address, and website; links to privacy policies; hyperlinks, email addresses, phone numbers, and mailing addresses for opt-out requests; whether consumers can authorize third parties to opt out for them; what consumers cannot opt out of; the company’s process to vet buyers; whether the company has data on minors; and whether the company puts limits on data usage post-purchase (like prohibiting a company from reselling data). Critically, it would also require each data market participant to disclose the categories of information it sells—including contact information, demographic information, race, nationality, ethnicity, sexual preferences, geolocations, income data, biometric data, health data, criminal history, internet history, and more—as well as to whom the data market participant sells data—including financial institutions, insurance providers, health care providers, law enforcement agencies, advertising platforms, foreign businesses, foreign governments, and third-party data brokers.

This expansion of the list would provide much more information about the nature of data brokers’ sell processes and customer vetting. It would also directly provide regulators, civil society organizations and even federal policymakers with more information concerning the risks associated with data brokerage—such as whether data brokers are selling citizens’ data to law enforcement (which does not require a warrant) or whether data brokers are selling or licensing Americans’ data to foreign companies or foreign governments.

Nonetheless, Delaware’s bill does not propose any controls on the actual practice of buying and selling individuals’ data; it orients its proposal entirely around the construction and maintenance of a state data broker registry.

Massachusetts: Information Privacy and Security Act

Massachusetts is considering a consumer privacy bill that aims to impose privacy and cybersecurity protections and regulations for residents of and businesses in Massachusetts. The lengthy text defines a data broker, gives individuals what it describes as the right to opt out and requires companies classified as data brokers to register with the state.

The bill defines a data broker as “a controller that knowingly collects and sells to third parties”:

(1) The sensitive information of not less than 10,000 individuals; or

(2) The personal information of not less than 10,000 individuals with whom the controller does not have a direct relationship, including, but not limited to, a relationship in which an individual is a past or present: (i) customer, client, subscriber, user, or registered user of the controller’s goods or services; (ii) an employee, contractor, or agent of the controller; (iii) an investor in the controller; or (iv) a donor to the controller.

It then provides several exceptions to that definition, including for companies that provide “411 directory assistance or directory information services,” those that provide “publicly available information related to an individual’s business or profession,” and those that provide “publicly available information via real-time or near-real-time alert services for health or safety purposes.” Overall, the proposed definition echoes some of the terminology and exceptions from the California and Vermont laws, though it includes companies that sell data on their customers under the data broker classification—a more comprehensive view than the other two states.

For companies that are classified as data brokers, the bill would require them to register with the Massachusetts attorney general and provide basic information such as an email and physical address. The bill further mandates the data brokers to provide the attorney general with privacy notices, how individuals could opt out, whether the broker vets its buyers, whether it sells data on people with whom it does not have a direct relationship, whether it “sells the sensitive information of at least 10,000 individuals,” and whether it processes minors’ personal information. The bill notes brokers can additionally supply other information or explanations as they wish. Much like in other states, the bill gives the attorney general the ability to fine companies that fail to register as data brokers and instructs the attorney general to publish annual reports with anonymized examples of alleged data broker violations of the law.

The Massachusetts bill also provides consumers with the right to “opt out of the processing of the individual’s personal information for the purposes of the sale of such personal information.” Companies would have 30 days to comply with data sale opt-out requests once received, and once a company complies, it would have to wait at least 12 months before asking for “the individual’s consent to sell the individual’s personal information.”

Additionally, data brokers would have to notify individuals about sales of their data before doing it in the first place. Section 12(d) of the bill states: “A data broker shall not sell an individual’s personal information unless the individual has received explicit notice and is provided an opportunity to exercise the right to opt out of the sale of their personal information.” Granted, in practice, this may simply manifest in a company providing an individual with a long privacy policy pop-up on a website, to which the individual then clicks “agree” without reading. But the Massachusetts privacy and security bill’s proposal on data brokers goes further than some of the measures in other states by requiring this notification of data sales from the outset.

Oregon: House Bill 4017

Oregon is considering a bill to implement a data broker registry. It defines a data broker as “a business entity or part of a business entity that collects, stores or transfers to another person the personal data of a resident individual with whom the business entity or part does not have a direct relationship.”

This definition appears to be a mixture of those in the California and Vermont laws and the definition proposed in the Delaware bill: It scopes the act of data brokerage around data “transfers,” not just outright data sales, though it still includes the direct-relationship clause that narrows the definition’s scope. Selling data on a single individual outside of a direct business relationship is enough to trigger the data broker classification, however, as clarified further down in the text. The bill makes some exceptions to this definition, as with other bills, like consumer reporting agencies governed by the Fair Credit Reporting Act.

When registering with the state of Oregon, data brokers would be required to submit much of the same information required or discussed in other states, including business contact information, whether individuals can opt out of data collection and sale, and whether individuals can authorize another person to opt out on their behalf. Yet Oregon adds that instead of registration, companies have another option: submitting a signed written declaration under penalty of false swearing that

(A) All personal data that the business entity collects, stores or transfers is aggregated data or personal data that is deidentified;

(B) The business entity will maintain all personal data only as aggregated data or deidentified personal data and will not by any means attempt to associate the personal data with a resident individual; and

(C) The business entity by contract shall obligate any recipient of the data that the business entity collects, stores or transfers to treat the personal data in the same way the business entity must under this paragraph.

This goes further than many of the other enacted or proposed regulations in allowing data brokers to self-certify to a legally defined threshold of data “deidentification.” (The bill defines deidentified data as “information that does not directly or indirectly identify, relate to or describe a resident individual and that cannot reasonably be associated with a resident individual or a device that the resident individual owns, possesses or has a right or permission to use.”)

Nonetheless, this also raises numerous questions about the law’s efficacy. “Deidentification” is often used synonymously with “anonymization” in policy discussions to refer to such practices as removing names from a dataset, but there is a large body of academic research demonstrating that linking datasets back to individual people is remarkably easy. The notion of anonymization is therefore an abstraction, and data brokers can both easily link datasets back to individuals and cause harm without needing individuals’ names in the first place, such as by selling GPS locations without a name and letting other individuals do the linking. Enshrining this idea in law may play into this narrative while still allowing real harms to occur. Data brokers could, for instance, attempt to obscure their existence and operations from the public by submitting this declaration to the state and continuing to sell aggregated location data in the meantime—which can still be very dangerous, such as for individuals visiting health clinics or military facilities.

In general, though, there is also the question of whether data brokers would even opt for this alternative to registration in the first place. If Oregon’s bill gives companies classified as data brokers the option of registering with the state or submitting a legally binding declaration that they only collect, store, or transfer deidentified data or data in the aggregate, many will likely just register with the state.

California: SB-1059

California, until just recently, was considering a bill introduced in February 2022 to amend the state’s existing data broker law. Its new bill had been amended twice, once on March 7 and again on April 21.

The bill proposed three primary changes to California’s existing data broker law. First, it would amend the definition of a data broker so that it includes not just the selling of data but the sharing of data. Everything else about the definition would remain the same—including the exclusion of every company selling data on its own customers from a data broker classification. Second, it would require those companies classified as data brokers to submit more information to the state when they register each year. This new information would include whether the broker has been breached and, if so, what happened; whether the data broker collects minors’ data; instructions for consumers, if applicable, for deleting data, correcting inaccurate data about them, knowing what data is collected on them and how to access it, knowing what data on them is sold or shared and to whom, how to opt out of data sale or sharing, and how to limit the use and disclosure of data about them. And last, it would transfer management of the state data broker registry and oversight of data brokers’ compliance from the California attorney general to the California Privacy Protection Agency, established in the 2020 California Privacy Rights Act (CPRA) to enforce California consumer privacy law.

Implications for Other States and National Legislation

Most of these bills are still in the legislative pipeline. The Delaware bill recently passed out of the state’s House Appropriations Committee, and several business associations are pushing to constrain the regulation even further—including the Delaware State Chamber of Commerce and the Consumer Data Industry Association, the trade association for consumer reporting agencies that includes some of the largest data brokers in the country, such as Equifax and Experian. The bills in Massachusetts and Oregon are still under consideration. California’s bill was under consideration until recently, when, as one of its principal advocates noted, it was marked as held in committee, which means it is stalled without any motion for it to exit committee (which the California Chamber of Commerce listed as an opposed bill that was stopped).

Delaware’s bill is particularly important in expanding the definitions of the California and Vermont definitions of data brokers. As I have detailed previously, the California and Vermont definitions (then echoed in some of these new proposals) are problematic for several reasons. First, they focus on the outright selling of data, excluding other kinds of data sharing—from licensing data to, literally, just sharing it—which are a core part of the data brokerage ecosystem as well. For example, many companies share their own users’ data with real-time bidding networks for online ads, an action that sends individuals’ sensitive information (from income level to GPS location) to third parties but that may not be captured under the strict definition of “selling” individuals’ information.

This leads to the second problem with the California and Vermont definitions: They exclude every company that sells data on its own customers from a data broker classification because those companies have direct business relationships with the individuals in question. Take the Markup’s December 2021 investigation: It found that “family safety” app Life360 was secretly selling the GPS locations of parents and children who used the app to about a dozen data brokers. Yet, because Life360 sold its customers’ information, it would not fall under the Vermont and California definitions of a data broker and would not be subject to their state registration requirements. These definitions likewise exclude every other company engaged in the practice of selling data concerning their customers—a widespread practice that encompasses virtually every major U.S. internet service provider and many other companies. While purporting to address the data broker industry, these definitions exclude many of the companies involved in the data brokerage ecosystem in practice.

These bills in Delaware, Massachusetts, Oregon and California matter at the federal level because Congress has yet to pass a strong consumer privacy law, there are currently many stumbling blocks to the implementation of such a law, and Congress has still failed to pass regulations to place controls on data brokers in particular. As such, many states are leading the U.S. in privacy regulation, and when international partners look to understand what privacy law momentum exists in the U.S., they increasingly look at the state level. There is also an open question as to how much federal inaction on data brokers is contributing to state-level regulation on data brokers that may domestically fragment U.S. privacy law—as already evidenced by Delaware not even using the term “data broker” in its most recent bill draft and instead using the term “data market participant.”

Beyond that, many congressional bills on data brokers reference or, even, copy-and-paste some of the definitions and language from the existing laws in California and Vermont. State privacy laws inherently matter because of the protections they do (or do not) offer citizens in those states from such practices as law enforcement buying data on citizens without warrants, or abusive individuals purchasing data on women to stalk and harm them. They also matter at the federal level, as weak or poorly scoped state laws may end up informing the scope of congressional legislation around the data brokerage ecosystem.

Problematically, the laws in California and Vermont do not put any meaningful controls on companies selling, licensing or otherwise sharing Americans’ sensitive data on the open market—and the new bills are no different. For example, the Delaware law broadens the scope of a data broker (data market participant) definition beyond the California and Vermont laws, but it still orients its regulation on setting up a state website that lists data brokers, instead of implementing controls on data selling. The same goes for California’s bill, which would have broadened the scope of the legal term “data brokers” but would not have stopped a data broker from selling a minor’s GPS location or licensing data on women’s health conditions to a business in another state. Given the documented harms of the data brokerage ecosystem—from enabling and exacerbating gender violence to advertising data on military personnel and exposing the U.S. to national security risks—these notification- and consent-oriented approaches are wholly insufficient to protect individuals and society from ongoing harm. These registry-focused laws also place the burden entirely on consumers, who may have to file opt-out requests with hundreds if not thousands of companies, and even if consumers file those requests, it is possible in some cases and under some of these proposals that data brokers will continue selling information on those individuals anyway—claiming, for example, that said information is not explicitly tied to a name.

Further, state laws may increasingly legitimize terms or narratives that obscure technical realities or ongoing harms. Oregon’s reference to “deidentified data,” for instance, focuses (generally speaking) on defining information that is collected on individuals in the aggregate or stored without explicit reference to a person. Yet data brokers continually push the narrative that data without names attached is unharmful—even though aggregate-level data can still cause great harm, such as by tracking crowds exercising their protest rights, identifying groups of individuals walking around military bases, and mass profiling a population’s political preferences. When the aforementioned “family safety” app Life360 announced, after the Markup’s story, that it would be changing its data selling practices, the app’s founder and CEO emphasized that it would still be selling data but only in aggregate form. When data broker Mobilewalla was criticized in 2020 for tracking and profiling Americans at Black Lives Matter protests across the U.S., its CEO claimed the data was “anonymized” and “aggregated” and did not include personally identifiable information, even though the company had secretly collected citizens’ race, age and gender information alongside their phone data—plenty to build a targeted profile. Laws that attempt to limit data brokerage data collection may have some benefits, but the reality is that there is also a great risk of legitimizing particular data broker narratives that obscure how data collection and sale enable a range of harms.

Looking forward, it is imperative to get these state laws right and to push for laws that move beyond narrowly scoped disclosure and transparency requirements toward substantive controls on data brokerage. Otherwise, the U.S. will end up with an increasingly fragmented domestic privacy landscape, absent federal regulation, as data threats to civil rights, consumer privacy and national security persist.


Justin Sherman is a contributing editor at Lawfare. He is also the founder and CEO of Global Cyber Strategies, a Washington, DC-based research and advisory firm; a senior fellow at Duke University’s Sanford School of Public Policy, where he runs its research project on data brokerage; and a nonresident fellow at the Atlantic Council.

Subscribe to Lawfare