Delaware must regulate the shady data broker industry | Opinion

Justin Sherman
Special to the USA TODAY Network

Family “safety” app Life360 recently announced it would stop selling the raw GPS locations of parents and children to third parties — which, until a couple months ago, it was doing behind users’ backs. If this kind of privacy-invasive trickery sounds like an outlier case, think again.

Imagine there’s a company that knows virtually everything about you. It knows your race, religion, and sexual orientation; it can estimate your household income, list your favorite political candidates and organizations, and follow your smartphone as you walk to a marriage counselor or abortion clinic. You’ve never heard of this company in your life, yet it can sell this data on the open market, entirely legally, to basically anyone with an email address and a credit card.

These companies are real — and they’re called data brokers. They form a multibillion-dollar industry that goes almost entirely unregulated. But by strengthening a new privacy bill, Delaware has the opportunity to lead the country in regulating this shady, dangerous ecosystem.

I lead a research project at Duke University, where we study the data brokerage ecosystem and its impacts on civil rights, consumer privacy, and national security. When we examined 10 of the largest data brokers in the country, we found them advertising data on hundreds of millions of Americans: their sensitive demographic characteristics, their political preferences and beliefs, and their whereabouts and real-time locations, as well as data on first responders, healthcare workers, students, government employees, and current and former members of the U.S. military. There are hundreds of companies whose entire business model is data brokerage, and thousands more companies — from mobile apps to major internet service providers — sell their own users’ data as part of this ecosystem, usually without their knowledge and full consent.

Data brokers supply information for secret quesitons

The harms are clear. Health insurance companies buy up individuals’ data to predict healthcare costs, including data on your race, marital status, education level, and even what you purchase online. Law enforcement agencies buy data broker data, circumventing the Fourth Amendment and other controls, to surveil US citizens. Abusive individuals have bought whereabouts and location data from data brokers to hunt down and stalk, harass, intimidate, and even kill other people — predominantly women and members of the LGBTQ+ community. Criminals have bought data broker data before to scam people, including stealing from veterans, and they could easily do the same to target seniors or people with Alzheimer’s and dementia. Foreign states could even acquire this data to undermine U.S. national security.

American privacy regulation is already weak. Only a few states have passed comprehensive — albeit flawed — privacy laws, like California, and there is no comprehensive consumer privacy law at the federal level. Data brokers know this, and they exist, in many ways, to circumvent the few privacy laws on the books. The Health Insurance Portability and Accountability Act, for instance, narrowly regulates how covered health providers handle your medical information — yet data brokers, not covered by these laws, can — and do — legally sell citizens’ surgical histories, mental health conditions, and other medical data on the open market.

Delaware is considering a new bill to impose regulations on the data brokerage industry. It would require companies selling or licensing people’s information to register with the state — mirrors of laws in Vermont and California. Unlike the Vermont and California laws, however, which exempt many kinds of companies from classification as a “data broker,” Delaware’s bill encompasses a range of businesses selling or licensing individuals’ data.

Yet in current form, it’s not enough. Most people have never heard of data brokers, and notification and registry laws place the burden on consumers to go through, one by one, and email data brokers to stop selling their information. Even then, there is no legal guarantee the broker will comply without proper privacy rights. Instead, Delaware should impose strict controls on data brokers’ buying, licensing, selling, and sharing of data, and it should ban some categories of data sales, like individuals’ GPS locations, altogether.

Data brokers enable and exacerbate domestic violence, civil rights abuses, consumer exploitation and threats to national security. Other states that have attempted to regulate them — namely, California and Vermont — have done poor jobs. Data brokers also continue lobbying against privacy regulation across the country. Delaware has an opportunity to be a national privacy leader by putting its residents first — and regulating the companies that hoard and sell information on us all.

Justin Sherman

Justin Sherman, @jshermcyber, is a fellow at Duke University’s Sanford School of Public Policy, where he leads a research project on data brokerage.