Editing Data broker (section)

==Privacy issues and regulation==
[[Information privacy law]]s are not as strict [[Privacy laws of the United States|in the United States]] as in the [[European Union]], where data brokers work hard to get around the [[General Data Protection Regulation]] (GDPR) regulations, brought into operation in 2018. Under GDPR, data can only be collected for re-use on one of six legal bases. The rather vague term "legitimate interest" is often abused or misinterpreted.<ref name=clearcode/> Explicit consent from users is required for information storage. In addition, data processing related with political opinion and religious belief is prohibited unless the consent of data subject is granted.<ref>{{Cite web|title=Answer to Question No E-000054/19|url=https://www.europarl.europa.eu/doceo/document/E-8-2019-000054-ASW_EN.html|access-date=1 December 2020|website=www.europarl.europa.eu}}</ref>

In the US, individuals generally cannot find out what data a broker holds on them, how a broker got it, or how it is used.<ref>{{Cite web | url=https://www.privacyrights.org/online-info-broker-faq | title=Online Information Broker FAQ | work=Privacy Rights Clearinghouse | publisher=privacyrights.org | date=4 October 2010 | access-date=6 May 2014 | archive-date=19 August 2016 | archive-url=https://web.archive.org/web/20160819202252/https://www.privacyrights.org/online-info-broker-faq | url-status=dead }}</ref> There is no [[federal law (United States)|federal law]] that permits or enables consumers to see, make corrections to, or [[opt out]] of data compiled by brokers.<ref name=ste/>

Files on individuals are generally sold in lists; examples cited in testimony to the [[U.S. Congress]] include lists of [[rape]] survivors, seniors with [[dementia]], financially vulnerable people, people with [[HIV]], police officers (by home address),<ref name="worldprivacyforum.org" /><ref name="commerce.senate.gov" /> alcoholics, and people with [[erectile dysfunction]].<ref name=clearcode/><ref>{{cite web | last=Hill | first=Kashmir | title=Data broker was selling lists of rape victims, alcoholics, and 'erectile dysfunction sufferers' | website=Forbes | date=19 December 2013 | url=https://www.forbes.com/sites/kashmirhill/2013/12/19/data-broker-was-selling-lists-of-rape-alcoholism-and-erectile-dysfunction-sufferers/ | access-date=12 March 2021}}</ref>

=== Calls for regulation in the US ===
A 2007 [[University of California, Berkeley|University of California]] study, after requesting and analyzing information-sharing practices at 86 companies, found many operating under an [[opt-out]] model that it described as inconsistent with consumer expectations, and recommended that the [[California State Legislature|California state legislature]] require companies to disclose their information-sharing policies using clear, unambiguous language, and consider creating a centralized, user-friendly method for consumers to opt out of information-sharing.<ref>{{Cite journal | ssrn=1137990 | title=Consumer Information Sharing: Where the Sun Still Don't Shine | last=Hoofnagle, and Jennifer King | first=Chris Jay | date=17 December 2007 | journal=(working Paper) }}</ref>

The proposed US Data Accountability and Trust Act (introduced in 2009)<ref>{{cite web | title=Data Accountability and Trust Act: Federal Breach Notification, Data Security Policies and File Access Addressed | website=Privacy Compliance & Data Security | date=7 May 2009 | url=https://dataprivacy.foxrothschild.com/2009/05/articles/proposed-law/data-accountability-and-trust-act-federal-breach-notification-data-security-policies-and-file-access-addressed/ | access-date=12 March 2021}}</ref> contained a number of requirements for auditing and verification of accuracy of data held by information brokers, and additional measures in the case of a security breach. The bill also gave identified individuals the means and opportunity to review and correct the data held that related to them. It passed through the [[United States House of Representatives]] in the [[111th United States Congress]], but failed to pass the [[United States Senate]]. It was revived by the [[112th United States Congress]] in 2011 as H.R. 1707.,<ref>[http://www.govtrack.us/congress/bills/112/hr1707 Data Accountability and Trust Act (2011; 112th Congress H.R. 1707)]. GovTrack.us. Retrieved on 12 November 2013.</ref> but died after being referred to committee. The bill was first introduced by Rep. [[Bobby Rush]] [D-IL1] on 30 April 2009, H.R. 2221.<ref>{{Cite web | url=http://www.govtrack.us/congress/bills/111/hr2221 | title=Data Accountability and Trust Act (2009; 111th Congress H.R. 2221) | publisher=govtrack.us | access-date=12 November 2013}}</ref>

In 2009, the [[Federal Trade Commission|U.S. Federal Trade Commission]] had recommended the United States Congress develop legislation enabling consumers to see the information that data brokers hold about them, a recommendation it renewed in subsequent reports in 2012 and 2014. In 2013, the [[Government Accountability Office|U.S. Government Accountability Office]] also called for Congress to consider legislation.<ref name="Government of the United States" /><ref name="FTC">{{Cite web | title=TC Recommends Congress Require the Data Broker Industry to be More Transparent and Give Consumers Greater Control Over Their Personal Information | date=27 May 2014 | url=http://www.ftc.gov/news-events/press-releases/2014/05/ftc-recommends-congress-require-data-broker-industry-be-more | publisher=Federal Trade Commission | access-date=31 May 2014}}</ref>

In October 2019, California Governor Gavin Newsom signed into action statute AB 1202. This bill "would require data brokers to register with, and provide certain information to, the Attorney General. The bill would define a data broker as a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship, subject to specified exceptions".<ref>{{Cite web|url=https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201920200AB1202|title=Assembly Bill No. 1202|date=2019}}</ref> This law was created to safeguard against the "cloak of invisibility" (unregistered, unregulated, untracked information broker) that previous data brokers roamed in.  It was also meant to regulate the purchasing of data in commercial third party buyers, and tracks the data brokers information trades.{{Clarify|date=September 2024}}<ref>{{Cite web|url=https://www.latimes.com/business/story/2019-11-05/column-data-brokers|title=Column: Shadowy data brokers make the most of their invisibility cloak|last=Lazarus|first=David|website=[[Los Angeles Times]]|date=5 November 2019}}</ref> 

Due to the interest in federal regulation, data broker firms have [[Lobbying|lobbied]] and spent $29 million in the year 2020.<ref name=":1" />

In 2025, Zhou Shuai and Yin Kecheng, two China based data brokers wanted by the FBI<ref>{{cite web | url=https://www.fbi.gov/wanted/cyber/zhou-shuai | title=Zhou Shuai }}</ref><ref>{{cite web | url=https://www.fbi.gov/wanted/cyber/yin-kecheng | title=Yin Kecheng }}</ref> were accused by the [[United States Department of State]] of selling sensitive American data to [[Ministry of Public Security (China)|China’s Ministry of Public Security (MPS)]].<ref>{{cite web | url=https://www.state.gov/sanctions-on-china-based-hacker-and-data-broker/ | title=Sanctions on China-Based Hacker and Data Broker }}</ref>

=== Criticisms, consumer rights and breaches===
A United States Senate Committee in 2013 published ''A Review of the Data Broker Industry: Collection, Use, and Sale of Consumer Data for Marketing Purposes''.<ref name="commerce.senate.gov" /> It states that "Today, a wide range of companies known as 'data brokers' collect and maintain data on hundreds of millions of consumers, which they analyze, package, and sell generally without consumer permission or input." Their main findings were that:
*Data brokers collect a huge volume of detailed information on hundreds of millions of consumers.
*Data brokers sell products that identify financially vulnerable consumers.
*Data broker products provide information about consumer offline behavior to tailor online outreach by marketers.
*Data brokers operate behind a veil of secrecy.

The information produced by data brokers has been criticized for enabling discrimination in pricing, services and opportunities. For example, a May 2014 White House report found that web searches that included black-seeming first names such as Jermaine were more likely to result in ads being displayed that include the word "arrest," compared with web searches including white-seeming first names such as Geoffrey.<ref name=":0" />

An Online Information Broker FAQ<ref>{{Cite web | url=https://www.privacyrights.org/online-info-broker-faq | title=Online Information Broker FAQ | access-date=20 April 2012 | archive-date=19 August 2016 | archive-url=https://web.archive.org/web/20160819202252/https://www.privacyrights.org/online-info-broker-faq | url-status=dead }}</ref> is published by [[Privacy Rights Clearinghouse]] (PRC), a nonprofit [[consumer organization]] in the United States. PRC also maintains a list of information brokers, with links to their privacy policies, terms of service, and opt-out provisions.<ref>{{Cite web | url=https://www.privacyrights.org/online-information-brokers-list | title=Privacy Rights Clearinghouse | access-date=20 April 2012 | archive-date=11 September 2016 | archive-url=https://web.archive.org/web/20160911213818/https://www.privacyrights.org/online-information-brokers-list | url-status=dead }}</ref>

Data brokers have also faced legal charges for security breaches due to poor data security practices.<ref>{{Cite web | url=http://www.ftc.gov/news-events/press-releases/2008/03/agency-announces-settlement-separate-actions-against-retailer-tjx | title=Agency Announces Settlement of Separate Actions Against Retailer TJX, and Data Brokers Reed Elsevier and Seisint for Failing to Provide Adequate Security for Consumers Data | date=27 March 2008 }}</ref>