data brokers, data broker registries
Image: Recorded Future News

Delete-your-data laws have a perennial problem: Data brokers who fail to register

Laws requiring data brokers to register are catching on at the state government level, but so far they have not been adequately enforced, allowing large numbers of brokers to operate under the radar even in states maintaining registries, privacy experts say.

Four states have now passed laws requiring registration, and in the two states with operative registries, advocates say the number of listed companies does not reflect the size or reach of the industry.

The effect is that hard-fought privacy laws are not protecting the public the way they should, leaving individuals vulnerable to data brokers who collect, share and sell their most sensitive personal information. Privacy advocates say that even tough laws such as one in California could be undercut by the fact that many brokers fail to register.

In California, which began requiring registration in 2020, 528 data brokers are registered as of now, but another 144 are classified as “incomplete registrations pending 2023 payment,” according to the office of the state attorney general. Subsidiaries of major corporations such as TransUnion appear as incomplete registrants. (TransUnion did not respond to a request for comment.) The list does not capture those who never started the registration process at all.

After California passed its registration law in 2019, the state estimated 1,000 brokers would register, according to an economic impact statement prepared by the California Department of Justice at the time. The state indicated that it based its estimate in part on the digital marketing agency WebFX’s estimate of more than 4,000 data brokers operating worldwide.

Last week, California enacted landmark legislation allowing citizens to force brokers to erase their data with the push of a button. The Delete Act includes tougher fines for companies that don’t register, in a seeming acknowledgement of the problem, but many watchdog groups worry that some brokers will still hide. If brokers don’t register, there essentially will be no way to track them under the new law.

Vermont, the first state in the country to require brokers to register, has a law similar to California’s but just 257 registered brokers. When searching for Vermont data brokers of any status — including canceled, expired, or inactive — the number jumps to 707. Experts say that, as with California, the 257 number seems low.

The discrepancies in the states’ numbers are “suspicious,” according to Emory Roane, policy counsel at Privacy Rights Clearinghouse, which co-sponsored the Delete Act. The organization has done significant research on the industry’s business model.

Determining the reason for the wildly different totals seems like “low-hanging fruit for enforcement actions” by state regulators, Roane said in an interview.

But he added that he hasn’t seen any enforcement actions for non-registration in California, where Privacy Rights Clearinghouse is based.

A spokesperson for the California Department of Justice, which has been overseeing enforcement of its registry law, sent an email response saying the agency has “contacted businesses that have failed to complete their form or pay the $400 annual registration fee.” The email did not address how many enforcement actions have been taken.

The spokesperson said the state’s initial target of 1,000 registrations was a “rough estimate” and pointed out that many types of data brokers are exempt from the California law. For example, entities covered by the federal Fair Credit Reporting Act or the Health Insurance Portability and Accountability Act are not subject to enforcement actions.

The Vermont law also is enforced by the state attorney general’s office, which did not return several calls.

Despite the non-registration problem, more states are following California and Vermont’s lead. Oregon is the most recent to pass a data broker registry law, but it does not go into effect until January. Texas passed its law in May and the registry is not yet live. There is no federal registry for data brokers.

Sunlight on a secretive industry

Data broker expert Justin Sherman told Recorded Future News that despite the large number that have apparently failed to register in California, the state government has not been transparent about the problem and therefore has obscured the fact that there is a dire need for better enforcement.

“It's not clear what's happened with any of these companies,” Sherman said, referring to the non-registered brokers.

“There's no update on the state website to say we fined these companies who haven't complied,” said Sherman, who is the founder and CEO of Global Cyber Strategies, a research and advisory firm, as well as a senior fellow at Duke University’s Sanford School of Public Policy.

The Delete Act promises a one-stop shop where consumers can force brokers to erase their personal data with the push of a button.

Fines will be higher for non-registration under the new law — $200 instead of $100 for each day a data broker fails to register and an additional $200 “for each deletion request for each day the data broker fails to delete information” as required, according to the statute. But experts say many brokers may still hide in the shadows and, if they do, consumers’ delete requests will not be as far-reaching.

A few months after Vermont’s registry went live in 2019, state Attorney General TJ Donovan told privacy leaders that forcing data brokers to make themselves known could have a major impact on some of their more secretive practices.

“Simply shedding sunlight and transparency on this industry has the effect of changing troubling behaviors, such as trading in information like the home addresses of police officers,” Donovan told the International Association of Privacy Professionals at the time.

The stakes are only getting higher: The Wall Street Journal reported last week that an India-based broker had until recently shared data gleaned from a network of other brokers and advertising exchanges with the Defense Department and intelligence agencies.

The Vermont attorney general’s office estimated in 2018 that between 400 and 1,200 data brokers purchased and sold state residents' data, according to news reports at the time and the California AG’s economic impact statement (which named the Vermont AG as the source for the number). However, only 134 brokers were registered within a few months of the law going into effect in 2019, according to a report from the Vermont attorney general.

Soon after Vermont’s law went into effect, the deputy secretary of state at the time, Chris Winters, told the investigative news website the Vermont Digger that “given what we know about how our data is used out there, anecdotally, I think we all expected it to be higher than this.”

Roane said that both the California and Vermont registries were passed to “shine a light” on the industry, but many brokers don’t register because they are “just making the calculus that there hasn't been any enforcement actions for non-registration and so they can eat that cost.”

During a speech last month, a Federal Trade Commission official said that research shows the industry was valued at $240 billion in 2021, with that number expected to surge to $450 billion-plus in the next decade.

The difficulty of protecting data

Data deletion services are all too familiar with the problem of brokers operating in secret.

BlackCloak, which brands itself as providing an invitation-only “concierge” data deletion service primarily servicing Fortune 1,000 companies, dedicates significant resources to blocking brokers from tracking its clients, according to founder and CEO Chris Pierson.

Pierson says that before BlackCloak intervened, 99% of clients had personal information available on more than three dozen online data broker websites. A large percentage were listed on more than 100. Seventy percent had personal social media information and pictures posted. Forty percent of online broker sites revealed IP addresses for home networks, he said.

Pierson likened keeping up with the brokers’ activity to “mowing the lawn,” saying that every couple of months brokers relist the data of individuals he works for, requiring a new round of take down requests.

The California Delete Act will be a major step in the right direction, said Pierson, who served for over a decade on the Department of Homeland Security’s advisory committee on data privacy, including its cybersecurity subcommittee. But he conceded that he “would not be surprised” to see some data brokers, either intentionally or unintentionally, avoid registering.

The industry is growing so fast that it is hard to keep up with, even for a firm as well-resourced as BlackCloak, Pierson said in an interview.

“New data brokers pop up here and there each and every day so it really becomes quite insidious,” he said. “It’s fair to say that you can’t achieve 100% removal.”

A building block

Briana Gordley played a leading role in getting Texas’ new data broker registry law through the state legislature. She said the problem of non-registration was a consideration from the start and one that came up in her discussions with officials and advocates in Vermont and California.

But even if the registry is only partially successful, Gordley, who is a senior policy analyst at the nonprofit public interest organization Texas Appleseed, said she considers the state’s law a “very, very first step in a larger goal that we’re working toward,” referring to a Delete Act-like bill.

Gordley said it is clear to her that there has been widespread failure to register in Vermont and California and she worries about similar noncompliance in Texas.

“We haven't really seen any actions being brought against any data brokers for failing to register so I honestly don't expect that to happen in Texas, either,” Gordley said.

Part of the problem is how hard it is to track the brokers who hide in plain sight.

“You just don't know what you don't know,” she said.

In Texas, as in Vermont, fines for brokers who fail to register will cap at $10,000 annually — a tiny amount for companies operating in a very profitable industry.

“They don't want to be brought from the shadows,” Gordley said. “Enforcement, as of now, is weak so the goal to move forward is to put more teeth behind it.”

For now, Gordley said, Texas advocates were bent on getting something passed even if it is far from perfect.

John Davisson, director of litigation at the Electronic Privacy Information Center, said there is something to Gordley’s strategy. Noting the “meager penalties” for brokers who don’t comply, he said the registries alone are “not all that helpful.”

They are useful for giving policy makers and advocates an “initial look at the scale of the market,” but not its full scope or any real hint at what each broker is doing, he said.

“The registry is an important first step,” Davisson added, calling California’s Delete Act a good example of what can follow.

Tom Kemp, a California-based advocate who helped push the Delete Act through and worked with Gordley shaping the Texas law, said he thinks the Delete Act will lead many more brokers to register.

He said transferring enforcement power to the California Privacy Protection Agency and increasing fines will help address the problem.

“Data brokers that haven't previously registered will now be a little bit more motivated,” Kemp said in an interview. “There'll be a little bit more of a stick.”

It’s a stick that experts say is needed to protect everyday Americans who often don’t realize just how much of their personal data is up for sale.

Pierson underscored how thoroughly data brokers penetrate people’s lives, saying his firm has seen brokers list not only information about individuals, but also their parents, siblings and children, including cell phone numbers.

“All that information is there in a very, very easy to find manner and it is all aggregated right there,” he said. “It can be used by cybercriminals, by fraudsters, by others.”

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Suzanne Smalley

Suzanne Smalley

is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.