The Electronic Frontier Foundation (EFF) and a nonprofit privacy rights group have called on several states to investigate why “hundreds” of data brokers haven’t registered with state consumer protection agencies in accordance with local laws.
An analysis done in collaboration with Privacy Rights Clearinghouse (PRC) found that many data brokers have failed to register in all of the four states with laws that require it, preventing consumers in some states from learning what kinds of information these brokers collect and how to opt out. These findings could be explained by variations in the definition of a data broker, but they may indicate some brokers are breaking the law.
Data brokers are companies that collect and sell troves of personal information about people, including their names, addresses, phone numbers, financial information, and more. Consumers have little control over this information, which poses serious privacy concerns, and attempts to address these concerns at a federal level have mostly failed. Last month, LexisNexis Risk Solutions disclosed a data breach that may have revealed the names, Social Security numbers, driver’s license numbers, and contact information of over 364,000 people.
Four states — California, Texas, Oregon, and Vermont — do attempt to regulate these companies by requiring them to register with consumer protection agencies and share details about what kind of data they collect. Consumers in California, for example, can use the online database to search for different data brokers registered in the state, see contact information, and find steps on how to opt out of data collection. Meanwhile, in Texas, data brokers must follow certain security measures designed to protect consumers’ information.
In letters to the states’ attorneys general, the EFF and PRC say they “uncovered a troubling pattern” after scraping data broker registries in California, Texas, Oregon, and Vermont. They found that many data brokers didn’t consistently register their businesses across all four states. The counts of data brokers that appeared on one registry but not another include 524 in Texas, 475 in Oregon, 309 in Vermont, and 291 in California.
As noted by the EFF, differences in how each state defines a data broker could explain some of these discrepancies. It’s also possible some brokers don’t collect data from people in all these states — although the industry typically casts a wide net.
Conversely, the EFF also says this analysis wouldn’t include the data brokers that “disregard state laws by failing to register in any state.”
The EFF and PRC suggest that California, Texas, Oregon, and Vermont look into the companies that failed to register across other states, writing that their findings “could indicate a systematic failure of compliance” in each state. They add that an investigation and enforcement actions could “send a powerful signal” regarding a state’s commitment to privacy.