For years, Congress has stalled on giving Americans control over their personal data—the ability to see, correct, or delete it. That inaction has allowed the data broker industry to operate in a largely unregulated gray market, collecting and selling personal information on millions of people with little accountability.
Several states, including California, Virginia, and Texas, have passed their own laws requiring data brokers to register, honor deletion requests, and disclose their data collection practices. But enforcement remains spotty, and companies operating across state lines face minimal consequences for noncompliance. This patchwork approach leaves protections dependent on where a person lives, creating a system that critics say is fundamentally unfair.
Two new federal bills—the SECURE Data Act and the GUARD Financial Data Act—represent the latest attempt to bring data brokers under federal law. However, both measures contain significant gaps that could leave consumers exposed, according to legal experts and consumer advocates.
The SECURE Data Act establishes data minimization requirements, opt-in rules, and a public Federal Trade Commission registry for data brokers. But it defines data brokers as companies that derive at least 50 percent of their revenue from selling raw personal data. That threshold excludes massive data aggregators that don't sell raw data but instead sell derived profiles—risk scores, behavioral assessments, and creditworthiness evaluations—gleaned from harvested information.
These aggregators operate quietly, assembling data from across the internet and selling conclusions about individuals rather than names and addresses. Their outputs increasingly influence real-world outcomes, such as mortgage approvals, auto loan interest rates, and targeted marketing. Yet they evade the few consumer protections that exist because the law targets companies that sell raw data, not those that sell inferences drawn from it.
The GUARD Financial Data Act takes a different approach, defining financial data aggregators for the first time in federal statute. But its credential provisions are disclosure-based only, meaning aggregators can still harvest, retain, and resell data as long as they bury the disclosure in fine print that consumers rarely read. Critics argue this does little to protect privacy in practice.
The legislative effort faces political headwinds. A June 3 hearing before the Commerce, Manufacturing and Trade subcommittee of the House Energy and Commerce Committee revealed that some lawmakers oppose preempting existing state data protection laws with a national standard. But without federal action, the current patchwork leaves consumers at a disadvantage, with protections varying by area code.
Gerard Scimeca, an attorney and chairman of the consumer nonprofit CASE, argues that the definitional loophole is deliberate. “Massive data aggregators don’t just sell your personal information—they sell conclusions about you,” he said. “The distinction is not a technicality but a deliberate architectural choice that has kept this industry in a regulatory no-man’s-land for decades.”
While the SECURE Data Act gives consumers the right to opt out of certain profiling decisions, it stops short of restricting the secondary use and sale of derived data outright. As the Canadian redistricting model shows, well-designed regulations can close loopholes, but U.S. lawmakers have yet to follow suit.
With the 2024 election cycle heating up, as seen in races like California’s 22nd district and Lindsey Graham’s Senate primary, the fate of data privacy legislation remains uncertain. Meanwhile, the data aggregator industry continues to operate beyond the reach of the law, leaving consumers with little recourse against the misuse of their personal information.
