The Federal Trade Commission (FTC) has dominated the news cycles as of late. Specifically, they withdrew a proposed rule on regulating data brokers, who collect and sell sensitive personal information about Americans. This decision came out in the dark early morning hours on a Tuesday and we believe made it officially into the Federal Register. That rule change was almost entirely overshadowed. It would have a far-reaching effect on a multibillion-dollar industry that is, as you all know, drawing increased scrutiny over its privacy and security practices.
Zack Whittaker, security editor at TechCrunch, was instrumental in calling attention to this withdrawal. It follows a series of disturbing breaches involving data brokers. In fact, in the past year alone two of these data brokers were hit by large hacks. Yet these breaches exposed the Social Security numbers of millions of healthcare consumers and reams of their users’ location information. These breaches have raised deep concerns about the security of our personal information. They monitored the movement of millions of people, without their knowledge and consent.
Data brokers are companies that mine, aggregate, and sell personal and financial information on almost all Americans. They make billions selling access to these vast troves of data. They are key players in an industry that has grown exponentially. Sometimes they do so under the cover of privacy laws’ perverse incentives. These complaints exposed a dark underbelly of the data broker ecosystem — some were illegally stalking people and pooling their information without consent. In 2024, the FTC followed through on these weighty allegations with a ban of multiple data brokers to penalize these unfair practices.
The Consumer Financial Protection Bureau (CFPB) was involved in discussions surrounding the rule change, emphasizing the need for more robust protections for consumer data. The rule, as originally proposed, would have prevented data brokers from collecting sensitive location data for the purposes of tracking people. We must pass this measure to protect individuals’ privacy rights.
Wired was the first to cover the proposed rule change. This would be a major second step by the FTC towards the imposition of stricter rules in the expanding data broker industry. Yet the sudden withdrawal of the rule shows that the line between good regulatory leave and bad industry regressive retreat is often blurred. The second major critique is that data brokers will continue to operate with minimal accountability. Absent strong and transparent oversight, they continue to threaten consumers’ privacy and security on an ongoing basis.
The implications of this withdrawal are far-reaching. These opaque data broker companies are amassing incredible amounts of sensitive personal data. The end result is that consumers are exposed to ever-greater privacy intrusions and the harmful misuse of their data. These hacks that exposed sensitive data to the world are a terrible reminder of the industry’s dangers. The absence of any regulation whatsoever has dangerous real-world implications.