American data privacy law was already weak before the explosion of data caused by smartphones and high-speed internet service. Data broker companies have been taking advantage — and so has law enforcement. Congress must act to bring them all into line with legislation that gives Americans’ privacy protections a badly needed update. Today, the Brennan Center has published a resource that explains how Congress can do just that.
The lack of a comprehensive data privacy protection law in the United States and a reliance on illusory “notice-and-consent” regimes have spawned a market for data brokers to trade in people’s personal data. This $200 billion industry assembles, analyzes, and sells data from mobile apps, cookies, and other sources to create detailed dossiers on millions of Americans. Data brokers traffic in all types of personal information, including detailed location information, health information, purchase history, and browsing history. Alone or combined, that information can reveal the most intimate details of our lives: our movements, habits, associations, health conditions, and ideologies.
The Federal Trade Commission’s recent complaint against data broker InMarket highlighted how the company collected users’ location data from mobile apps that were downloaded to over 390 million devices. InMarket analyzed that information to group users into audiences like “Christian church goers,” “wealthy and not healthy,” and “parents of preschoolers.” Data brokers sell this type of personal information, not only to advertisers, but also to predatory loan companies, stalkers, scammers, and foreign actors. They can also exploit legal loopholes to sell such information to government agencies, allowing these agencies to bypass privacy safeguards — including, in some cases, the requirements of the Fourth Amendment. The government’s unfettered access to personal data without judicial or legislative oversight can exacerbate existing biases in law enforcement and intelligence practices, permitting speculative investigations on the basis of constitutionally protected categories and the targeting of marginalized communities. We’ve seen alarming examples of this over the past few years.
For example, a Vice investigation in 2020 revealed that the Defense Department purchased location data collected by data broker Outlogic (formerly X-mode) from popular prayer apps to monitor Muslim communities. Police departments similarly purchased information to track racial justice protesters. In states where abortion is illegal, location data can be used by police to track people involved in providing and accessing reproductive health services.
These risks to Americans’ privacy and freedoms of speech and association will be amplified with the integration of new artificial intelligence tools that, as President Biden’s recent executive order on AI acknowledges, make it easier to “extract, re-identify, link, infer, and act on sensitive information about people’s identities, locations, habits, and desires.”
Government agencies can do this because they are exploiting outdated court interpretations of the Fourth Amendment and gaps in the country’s patchwork of privacy-protecting statutes. The Electronic Communications Privacy Act, for instance, was enacted in 1986, and it hasn’t been updated to cover the modern world of mobile apps and commercial data brokers. As a result, even though the law prohibits telephone and email service providers from providing certain sensitive customer information to government agencies without a court order, it places no restrictions on those companies selling the information to data brokers. The data brokers can then sell the same information to the agencies, creating an end run around the court-order requirement.
Over the past few years, lawmakers have sought to address the data broker problem, proposing bills that would limit the collection of location and health data and regulate the government’s purchases of data from third parties. Our resource highlights two legislative proposals that would constrain the government’s ability to acquire large swaths of personal information without legal process.
The first, the Fourth Amendment Is Not For Sale Act, takes an important step toward closing the data broker loophole and updating the Electronic Communications Privacy Act. The bill would bar law enforcement and intelligence agencies from purchasing certain communications-related information and location data.
But it could be stronger. The bill is still tied to outdated categories of communications service providers from the 1980s, and it would not cover similar information collected and sold by other companies, such as health and fitness apps. It also would not cover other categories of sensitive personal information like health, financial, or biometric information. Nor would it address the overcollection of data, or the trafficking of personal information to private entities or even foreign governments, practices that will likely intensify with the proliferation of AI models reliant on vast data sets.
The American Data Privacy and Protection Act takes a different approach. It is a comprehensive federal consumer privacy bill that promises to reduce the amount of personal information flowing into and out of the hands of data brokers. It would do this by restricting the collection of such information to only what is necessary to provide a service or achieve certain purposes specified in the bill and by placing additional limits on data transfers. This legislation is a promising template, but it, too, should be strengthened.
The bill has multiple exceptions that would allow government agencies to obtain a significant amount of personal data. These exceptions should be narrowed to prohibit transfers of data to law enforcement or intelligence agencies absent clear indications of a threat to public safety, a security incident, fraud, harassment, or illegal activity, or unless the government has followed the legal process required for compelled disclosure.
These bills, with the modifications we suggest, point the way forward. The data broker loophole is growing wider by the day, and it threatens to swallow the privacy protections provided in statutes and even in the Constitution. Congress must intervene to bring the law in line with the modern world and end the government’s all-too-common practice of buying its way around our privacy rights.
