Family ‘safety’ app Life360 recently announced that it would stop selling the raw GPS locations of parents and children to third parties – something it did until a few months ago behind users’ backs. If this kind of privacy-invasive deception sounds like an outlier, think again.
Imagine that there is a company that knows almost everything about you. He knows your race, your religion and your sexual orientation; it can estimate your household income, list your favorite political candidates and organizations, and track your smartphone as you head to a marriage counselor or abortion clinic. You’ve never heard of this company in your life, but it can sell this data on the open market, legally, to pretty much anyone with an email address and a credit card.
These companies are real and are called data brokers. They are a multi-billion dollar industry that is almost unregulated. But by bolstering a new privacy bill, Delaware has the opportunity to lead the country in regulating this shady and dangerous ecosystem.
I lead a research project at Duke University, where we study the data brokerage ecosystem and its impacts on civil rights, consumer privacy, and national security. When we looked at 10 of the nation’s largest data brokers, we found them advertising data on hundreds of millions of Americans: their sensitive demographics, political preferences and beliefs, whereabouts and whereabouts in time. real, as well as data on first responders, healthcare workers, students, government employees, and current and former members of the U.S. military. There are hundreds of companies whose entire business model is data brokerage, and thousands of other companies – from mobile apps to major internet service providers – sell their own users’ data as part of this ecosystem, usually without their knowledge and full consent.
The harms are clear. Health insurance companies buy people’s data to predict health care costs, including data on your race, marital status, education level, and even what you buy online. Law enforcement is buying data from data brokers, bypassing the Fourth Amendment and other controls, to surveil US citizens. Abusive individuals have purchased tracking and whereabouts data from data brokers to stalk and stalk, harass, intimidate, and even kill others – primarily women and members of the LGBTQ+ community. Criminals have bought data from data brokers before to defraud people, including stealing veterans, and they could easily do the same to target the elderly or people with Alzheimer’s and dementia. Foreign states could even acquire this data to harm the national security of the United States.
US privacy regulations are already weak. Only a few states have comprehensive – albeit imperfect – privacy laws, such as California, and there is no comprehensive consumer privacy law at the federal level. Data brokers know this, and they exist, in many ways, to circumvent the few privacy laws in place. The Health Insurance Portability and Accountability Act, for example, tightly regulates how covered healthcare providers handle your medical information — but data brokers, not covered by those laws, can — and sell – legally the surgical history, mental health and other problems of citizens. medical data on the open market.
Delaware is considering a new bill to impose regulations on the data brokerage industry. It would require companies selling or licensing people information to register with the state – mirrors of Vermont and California laws. Unlike the Vermont and California laws, however, which exempt many types of businesses from classification as a “data broker,” the Delaware bill encompasses a range of businesses selling or licensing individual data.
However, in its current form, it is not enough. Most people have never heard of data brokers, and notification and registry laws require consumers to go through a data broker one at a time and send an email to stop selling their information. . Even then, there is no legal guarantee that the broker will comply without appropriate privacy rights. Instead, Delaware should impose strict controls on the buying, licensing, selling and sharing of data by data brokers, and it should ban certain categories of data sales altogether, such as GPS positions of individuals.
Data brokers enable and exacerbate domestic violence, civil rights abuses, consumer exploitation, and national security threats. Other states that have attempted to regulate them, namely California and Vermont, have done a poor job. Data brokers also continue to lobby against privacy regulations across the country. Delaware has the opportunity to be a national privacy leader by putting its residents first and regulating the companies that collect and sell information about us all.
Justin Sherman, @jshermcyber, is a research fellow at the Sanford School of Public Policy at Duke University, where he leads a research project on data brokerage.