For many years, Congress has struggled to give Americans control over their personal data. The aim was for people to see, correct, and delete their data at will. This lack of action leaves individuals with little protection against data misuse, while the data broker industry collects and sells millions of pieces of personal information without much oversight.
Some states, including California, Virginia, and Texas, have enacted laws requiring data brokers to register, honor deletion requests, and disclose data collection practices. However, enforcement remains inconsistent. Companies that operate across states often face minimal consequences for non-compliance.
Two new bills, the SECURE Data Act and the GUARD Financial Data Act, seek to regulate the data broker industry. The challenge is bringing data brokers under legal authority at the federal level. However, there are concerns about federal protections overshadowing existing state laws. A hearing on June 3 by the House Energy and Commerce Committee showed some in Congress prefer not to replace state-level protections with national standards.
The current patchwork of laws leaves consumers vulnerable. The laws vary by location, depending on where an individual resides. Some companies avoid classification as data brokers to sidestep regulations. Unlike traditional data brokers, large data aggregators gather online data to create risk scores and profiles. These profiles influence real-world matters like mortgage approval and interest rates without directly buying or selling personal data.
The loophole arises because existing laws target companies making at least 50% of revenue from raw data sales. Large data aggregators sell analyses and profiles, exploiting this gap to operate without regulation. This lack of oversight has persisted for years.
The SECURE Data Act and the GUARD Financial Data Act aim to address accountability. The GUARD Financial Data Act defines financial data aggregators in federal law for the first time. The SECURE Data Act introduces data minimization and opt-in requirements, alongside a Federal Trade Commission data broker registry.
Yet both bills have significant limitations. The SECURE Data Act’s revenue threshold excludes aggregators relying on profile sales, leaving advanced data extraction methods unregulated. The GUARD Financial Data Act’s disclosure requirements are weak, allowing aggregators to continue their data practices as long as those practices are buried in disclosures that go unread.
While the SECURE Data Act permits consumers to opt out of profiling decisions, it does not prevent the sale of inferred data. Gerard Scimeca, an attorney and chairman of Consumer Action for a Strong Economy, has highlighted these challenges. The regulatory landscape remains complex.
