Democrats' sweeping data broker legislation could signal political sea change on privacy




14 September 2017. By Mike Swift

Within hours of news breaking of the Equifax data breach last week, it was clear that the exposure of Social Security numbers and other sensitive personal data of more than half of the adult US population would bring intense regulatory scrutiny on the consumer credit rating industry.

But the sweeping legislation proposed Thursday by a group of Democratic senators to regulate a much broader swath of companies that collect and sell the personal information of Americans suggests that the Equifax data breach might have changed the politics of privacy — or at least that many Democrats have concluded that privacy is an issue that will help them beat Republicans in the 2018 and 2020 elections.

The legislation introduced Thursday by Senators Edward J. Markey of Massachusetts, Richard Blumenthal of Connecticut, Sheldon Whitehouse of Rhode Island and Al Franken of Minnesota would empower the US Federal Trade Commission to set new rules for the entire data broker industry, not just consumer credit rating companies such as Equifax.

"We need to shed light on this 'shadow' industry of surreptitious data collection that has amassed covert dossiers on hundreds of millions of Americans," said Markey, a member of the Commerce, Science and Transportation Committee.

The proposed Data Broker Accountability and Transparency Act also would allow consumers to access and correct their personal information, and to block data brokers from using, sharing, or selling their personal information for marketing. The senators' rationale for using the Equifax breach to regulate a much broader cross-section of US companies than the big three credit reporting agencies — Experian and TransUnion are the other two — is that Equifax is also a data broker, selling data profiles on consumers.

In those powerful proposed changes, the US data broker bill would include restrictions similar to the EU's General Data Protection Regulation, which will have a significant impact on the data collection and processing practices of US companies when it becomes effective next year. 

The US data broker bill defines data brokers broadly, covering any "commercial entity that collects, assembles, or maintains personal information concerning an individual who is not a customer or an employee of that entity in order to sell the information or provide third party access to the information." 

In another sign of the impact of the Equifax breach, the FTC, which normally does not comment on or confirm active investigations, took the rare step Thursday of confirming that it has launched an investigation into the breach. The data broker bill would significantly expand the FTC's privacy regulatory powers, giving it a new enforcement tool in addition to prohibitions against deceptive or unfair conduct, as well as specific privacy rules for children and financial rating companies.

The FTC would be empowered to create specific regulatory rules for data brokers within one year, and also would set up a website portal that would list covered data brokers. Each individual data broker also would be required under the law to set up its own website where consumers could review what information the broker is holding about them and opt out of the collection of that data.

The bill would confer enforcement powers on state attorneys general as well as the FTC. And it comes with financial teeth, including a civil penalty of $16,000 for each separate violation, with provisions for an escalation of that penalty for inflation.

Whether the bill has much chance of passing a Republican-led House and Senate may be beside the point. In the wake of the decision by Congress this year to block the implementation of the Federal Communications Commission's privacy rules for Internet service providers, a decision that has sparked multiple states to consider their own ISP privacy rules, the Democrats may see the data broker bill as an opportunity to promote their party as better stewards of personal information.

With the Equifax breach, "this has finally boiled up, and part of this is that the Democrats have polled and seen that privacy is a really popular issue. They think the Trump administration and the Republicans are vulnerable because they overturned the FCC rules," said Jeff Chester, a privacy advocate in Washington who helped lead the effort to pass the Children's Online Privacy Protection Act in 1998.

"The fact that millions of Americans now have to put a freeze on their credit reports is a game changer. It's now giving millions of Americans a first-hand sense of what the big data broker industry is like," said Chester, executive director of the Center for Digital Democracy.

Whether privacy will help Democrats gain ground in Congress in 2018 and regain the White House in 2020 remains to be seen, of course. While polling data often show that Americans are worried about their privacy and data security, they appear to belie those worries by happily sharing the intimate details of their lives and families with search engines, social networks and other online services.

Another Equifax-related bill introduced Thursday by Senator Elizabeth Warren, a Massachusetts Democrat, would prohibit employers from requiring job applicants to disclose their credit history.

Democrats appear to be making the calculation that the Equifax breach may represent a sea change on privacy, in that Americans are increasingly enthusiastic about stricter data protection and privacy rules. 

"The unprecedented breach of Equifax's databases, which compromised the sensitive data of 143 million Americans, underscores the need for transparency and accountability from the companies that trade on our privacy," said Franken, the senior Democrat on the Judiciary Subcommittee on Privacy, Technology and the Law. "This bill will help ensure consumers regain control of their personal information."
