FPF’s Stacey Gray Testifies Before Senate Finance Committee Regarding Data Brokers, Urges Congress Pass a Comprehensive Federal Privacy Law

Today, Future of Privacy Forum Senior Counsel Stacey Gray testified before the U.S. Senate Finance Subcommittee on Fiscal Responsibility and Economic Growth regarding consumer privacy in the technology sector.

Stacey’s testimony explains that the term “data brokers” typically encompasses a wide variety of companies and business practices that use personal information for different purposes, some of which directly benefit consumers, and others that primarily benefit the purchasers or users of data. Recent laws and proposed bills define data brokers as entities without a direct relationship with consumers, and this third-party data processing is at the heart of concerns around privacy, fairness, and accountability; the third-party relationship also presents a challenge for crafting effective regulation. While a “first party” company that collects and uses personal data can exercise enormous influence and market power, there is still some degree of public accountability to users who are aware that the company exists and can delete accounts or raise alarms when practices go too far. In contrast, a business lacking a direct relationship with consumers – like a data broker – does not have the same reputational interests, business incentives, or in some cases legal requirements, to limit the collection of consumer data or protect it against misuse.

The lack of a consumer relationship also means that businesses engaged in legitimate data processing often cannot rely on the traditional privacy mechanisms of notice and choice. Meaningful affirmative consent, or “opt-in,” may be impossible or impractical for a business to obtain, while “opting out” after the fact tends to be both inadequate as a safeguard and impractical for consumers to navigate. Consumers can become overwhelmed with choices, and often lack the knowledge to assess future risks, complex technology, or future secondary uses.

What does this all mean? First and foremost, Congress should pass baseline comprehensive privacy legislation that establishes clear rules for both data brokers and first-party companies that process personal information. It should address the gaps in the current U.S. sectoral approach to consumer privacy; and it should incorporate but not rely solely on consumer choice: a privacy law should also codify clear limits on the collection of data; in accountability measures such as transparency; risk assessment and auditing; limitations on the use of sensitive data; and limits on retention.

In the absence of comprehensive legislation, there are a number of steps Congress can take to address risks related to consumer privacy and data brokers, including 1) empowering the Federal Trade Commission to continue using its authority to enforce against unfair and deceptive trade practices through funding; staff; the establishment of a Privacy Bureau; and civil fining authority; 2) limiting the ability of law enforcement agencies to purchase information from data brokers; 3) enacting sectoral legislation for uniquely high-risk technologies, such as facial recognition; or 4) updating existing laws, such as the Fair Credit Reporting Act, to more effectively cover emerging uses of data.

FPF will continue to provide expert testimony to governing bodies and organizations to shape privacy best practices and policies, both in the United States and globally.