Privacy advocates say these requested changes would entrench practices in the data broker industry that have raised years of concerns about information collected en masse and shared without proper consent.
Hundreds of companies have reported lobbying on the American Data Privacy and Protection Act, H.R. 8152 (117), including drugmakers, nonprofits and tech giants such as Microsoft and Amazon. But no industry is potentially more affected by the bill than the data brokers, which rely largely on third-party data — information collected by companies that users have no direct relationship with.
For example, location data brokers can collect information on people’s whereabouts through apps, and can gain access to data that websites collect on people’s demographics and online shopping activities.
This unregulated flow of data fuels an estimated $240 billion market, and lawmakers have raised concerns that the collections are being used to surveil protesters and influence specific groups with targeted ads.
The bill, sponsored by House Energy and Commerce chair Frank Pallone (D-N.J.), would give people the right to demand the deletion of data that companies collect about them, while imposing restrictions on data being collected and shared with third parties. It would also put special protections on sensitive data like geolocation.
In total, the five data brokers reported spending about $1.73 million on lobbying during the quarter ending June 30, compared with $1.55 million during the same quarter of 2021. While that’s just a small fraction of what largest tech companies collectively paid for lobbying during the same period, it is comparable to the $1.9 million that Apple reported spending on similar issues during the second quarter of this year. (Apple, Microsoft, Facebook and Amazon combined spent nearly $15 million on lobbying during the same period.) In addition to lobbying on the House bill, the five brokers also indicated in their filings that they are lobbying on issues such as data security, children’s privacy, algorithmic bias and artificial intelligence.
Privacy advocates are already criticizing the House bill for offering loopholes for data brokers, such as an exemption for “de-identified” data and carve-outs for brokers working on behalf of law enforcement agencies.
Brokers often say they only offer data that has been stripped of information that could be used to identify specific individuals, but privacy researchers have found that this data can easily be linked to people when combined with other sources. Law enforcement agencies have also bought data from brokers as a way to circumvent Fourth Amendment restrictions on government searches.
But data brokers don’t think these exceptions go far enough. Three brokers that lobbied on the bill told POLITICO that they are seeking more exemptions for third-party data and are pushing to block states from passing privacy protections stronger than those Congress enacts.
“ADPPA has moved farther through Congress than any privacy bill has in many years,” said Caitriona Fitzgerald, deputy director of the Electronic Privacy Information Center, one of D.C.’s best-known privacy advocacy groups. “Data brokers are likely responding to the fact that Congress seems serious about passing privacy regulations.”
She said the data brokers’ requests would mean no changes to a problematic status quo, while the bill in its current form would limit the industry in significant ways.
All five data brokers that lobbied on the privacy bill spent at least as much during the second quarter as they did during the same period in 2021. RELX, the parent company of digital identity services such as ThreatMetrix and LexisNexis, spent 26 percent more — making up the bulk of the industry’s lobbying bump.
The company said it has been in touch with lawmakers about the bill, and raised concerns about how the legislation would restrict the use of third-party data for public safety purposes.
RELX chief privacy officer Michael Lamb said the company collects and shares data with law enforcement agencies for crime prevention in areas like money laundering, fraud and human trafficking. And a federal privacy law allowing people to opt out would open the door for criminals to do the same, he said.
While law enforcement agencies must get warrants to gather digital evidence on people, they can get around that requirement by buying the same kind of data from brokers. Lawmakers have proposed legislation to prevent government agencies from doing this.
Lamb said the bill’s deletion rules also shouldn’t cover data that is primarily used for investigating illegal activities.
“We obtain our data indirectly, and we would be subject to a blanket opt-out rule where any criminal or anyone else planning a crime is free to opt-out of these services that are really vital for law enforcement and for fraud prevention,” Lamb said.
Larry Cosme, the president of the Federal Law Enforcement Officers Association, agreed with RELX that the bill would have a severe impact on criminal investigations. Cosme, a retired agent for the Department of Homeland Security, said information from data broker services had aided him in solving and preventing child exploitation cases, a tool the legislation would remove.
“It helps provide this data to connect the dots,” he said. Cosme said investigators often need data immediately, and getting a warrant for the information can take too long.
RELX collects data from a plethora of sources, including public records — which the House bill would exempt — as well as apps and third parties such as other data brokers. It told investors in April that “hundreds of millions of records” are added to its holdings every day. Its data includes information from 5 billion devices and 2 billion digital identities, according to its presentation for investors.
RELX says it does not use its third-party data for advertising purposes.
Privacy researchers say RELX’s massive data collection needs more oversight, not more exemptions, even if the data is being used for public safety purposes.
“Law enforcement and fraud prevention shouldn’t be a free pass to collect and sell disproportionately excessive data on the whole population,” said Wolfie Christl, a researcher who investigates the data industry.
He pointed to how closely RELX and its subsidiaries work with law enforcement agencies, and said the fact that its database contains “extensive personal information about almost every American citizen” puts an entire population under surveillance.
Immigration advocates filed a lawsuit last week against the company’s subsidiary LexisNexis Risk Solutions over its $22 million contract with U.S. Immigrations and Customs Enforcement, alleging the company violated Illinois law by collecting and selling state residents’ data without consent.
Similar objections to the House bill come from TransUnion, the quarter’s second-largest spender among the five data brokers, which boasts insights on about 98 percent of U.S. adults. TransUnion also owns the data broker Neustar, which says it receives third-party data from more than 200 providers. Neustar uses its data collection for both marketing and fraud prevention purposes.
Eli Peterson, TransUnion’s deputy general counsel, said in an emailed statement that its lobbying was to help “ensure that fraud prevention products can continue providing meaningful consumer protections.”
TransUnion uses the data it collects for digital marketing as well.
EPIC’s Fitzgerald said the House bill already makes exceptions for fraud prevention, and that the bill is focused on regulating commercial data brokers, not government agencies.
A section in the bill says government agencies can work with brokers, though the legislation wouldn’t allow for selling data to government entities.
“ADPPA doesn’t upend the ability of law enforcement to conduct investigations or obtain information through appropriate, legal processes,” Fitzgerald said. “What it does do is drive a stake through the shady practices of data brokers.”
Other data brokers are open about pushing for exemptions for marketing purposes.
Those include Acxiom, a data broker that says it has a collection of data from more than 2.5 billion people. It takes issue with how the bill would restrict third-party data.
“The current draft does not adequately protect businesses not categorized as ‘first parties,’ and we encourage legislators to amend to include an express recognition of the responsible use of third-party data for advertising as a permissible purpose,” Acxiom’s chief privacy officer, Jordan Abbott, said in an email.
The other two data brokers that reported lobbying on the House bill, LiveRamp and Experian, didn’t respond to requests for comment.
While each data broker may differ in what it’s seeking, each of them has made one request for the House bill: Keep its provisions that would preempt state privacy laws.
The proposed legislation is facing opposition from California Democrats who want to preserve the state’s privacy law. Privacy groups and attorneys generals have argued that if Congress blocks states from passing laws on data privacy, the tech industry will find new ways to collect data that the federal bill doesn’t address.
But lawmakers see preemption as an important compromise for the bill to receive bipartisan support. Republican lawmakers who support the House bill have said any attempts to provide states like California with exemptions for their privacy laws could mean losing their vote.
All three data brokers who responded to POLITICO said they support preempting state laws, while LiveRamp has also called for a national standard that overwrites state regulations. The brokers argue that state laws put a significant burden on businesses that must comply with multiple standards instead of a unified set of rules.
“It’d be very problematic if we don’t preempt state laws trying to do the same things but in different ways,” RELX’s Lamb said.
The House bill would preempt state laws, a compromise that is drawing ire from California lawmakers as well as privacy advocates. While it’s an obstacle for the bill’s passage, the legislation’s bigger roadblock comes from Senate Commerce Chair Maria Cantwell (D-Wash.).
She has criticized the bill as too weak on privacy protections — and if the data brokers get their wishes, it’s even more unlikely that she’ll back the legislation.
A person familiar with the House Energy and Commerce committee said the data brokers’ lobbying has not affected the bill, saying that universal distrust of the industry exists among the committee’s members. The person spoke on condition of anonymity to discuss the behind-the-scenes deliberations.
Skeptics of the data brokers’ attempts to latch themselves onto public safety have noted that criminals have sometimes made use of the same data. In 2020 and 2021, the Justice Department charged three other data brokers with selling elderly Americans’ data to known scammers, and in 2002 a murderer found his victim’s workplace through information he bought from a data broker.
RELX said it carefully vets potential customers, including through in-person visits, before allowing them to access its services.
In a statement, TransUnion said it “employs a range of practices, from customer credentialing to contract obligations, to ensure that data is used appropriately.”
Even if the bill doesn’t pass, it could still be chalked up as a win for the data broker industry, by maintaining a status quo that privacy advocates say should cease to exist.
“Just because data brokers have spent the last 20 years making millions of dollars off of our personal data because Congress hasn’t passed a privacy law doesn’t mean it should continue to be legal,” EPIC’s Fitzgerald said. “The bipartisan consensus behind ADPPA is that we need to rein in these abusive data practices, not codify them into law.”