E&C Leaders Continue Bipartisan Investigation into Data Brokers' Potential Exploitation of Americans' Privacy
Members press companies to answer what information is collected and where it is sold Washington, D.C. — House Energy and Commerce Committee Republicans, led by Chair Cathy McMorris Rodgers (R-WA) and Committee Democrats, led by Ranking Member Frank Pallone, Jr. (D-NJ), today wrote to the heads of data broker companies, requesting information to help the Committee protect Americans’ data from misuse. They were joined by Subcommittee on Oversight and Investigations Chair Morgan Griffith (R-VA) and Ranking Member Kathy Castor (D-FL), Subcommittee on Innovation, Data and Commerce Chair Gus Bilirakis (R-FL) and Ranking Member Jan Schakowsky (D-IL), Subcommittee on Health Chair Brett Guthrie (R-KY) and Ranking Member Anna G. Eshoo (D-CA), and Subcommittee on Communications and Technology Chair Bob Latta (R-OH) and Ranking Member Doris Matsui (D-CA). BACKGROUND: The Subcommittee on Oversight and Investigations launched a bipartisan investigation at a hearing on April 19, 2023, titled “Who is Selling Your Data: A Critical Examination of the Role of Data Brokers in the Digital Economy.” Data brokers purchase, collect, aggregate, license, sell, or otherwise share a wide range of information from Americans, including but not limited to demographic, location, and health data. These companies profit from trading in Americans’ personal information, including sensitive information, often with little government oversight and in some cases, without any concern for how buyers use the consumer data that they purchase from brokers. A recent study from Duke University found, for example, that “some data brokers are marketing highly sensitive data on individuals’ mental health conditions on the open market, with seemingly minimal vetting of customers and seemingly few controls on the use of purchased data.” KEY EXCERPT: “American privacy concerns in the data broker industry are not new, and existing laws do not sufficiently protect Americans’ data from misuse. In 2014, the FTC issued a report recommending that Congress require data brokers to increase transparency and give Americans more control of their data. However, data brokers can easily circumvent existing rules and laws regarding the collection and sharing of certain types of data, such as HIPAA. “Enacting a comprehensive federal privacy law is a top priority for the Committee on Energy and Commerce. Currently, Americans do not have control over whether and where their personal data is sold and shared; they have no guaranteed way to access, delete, or correct their data; and, they have no ability to stop the unchecked collection of their sensitive personal information. According to the Electronic Privacy Information Center, the overcollection and secondary uses of personal data, including the sale to and use by data brokers, are inconsistent with the reasonable expectations of online consumers and may lead to discriminatory targeting that violates the privacy and autonomy of consumers.” The leaders asked the companies for information pertinent to helping the Committee understand how data brokers purchase, collect, use, license, and sell Americans’ data, including: What data elements do you possess on Americans and market to your clients? In particular, do you possess any of the following: Americans’ health data? If yes, what kind of health data? Americans’ location data? If yes, what data elements? Americans’ phone data, such as data on any apps downloaded on their mobile devices? If yes, what data elements? Information revealing Americans’ purchase history? If yes, what data elements? Information about children under the age of 13? Information about children between the ages of 13 and 18? Are there any categories of Americans’ personal information that you will not purchase, collect, aggregate, license, or sell and, if so, what categories are those? When you license, sell, or otherwise share Americans’ personal information with your clients, do you require your clients to disclose the purpose(s) for which they will use the data? If so, what do you do, if anything, to confirm they are using the data for the stated purpose(s)? How much money did you spend in each of the past five years on purchasing or licensing Americans’ personal information? What percentage of your annual revenue for each of the past five years was derived from selling or licensing Americans’ personal information? How many clients did you sell or license Americans’ personal information to? Does your company use the personal information of Americans that you purchase, collect, or aggregate to categorize people based on income, sex, age, race, or other categories? What steps, if any, does your company take to protect data of users under eighteen? When you become aware that you or your clients have transferred Americans’ personal information to a foreign adversary or a company beholden to a foreign adversary—currently defined by the Secretary of Commerce to include China, Russia, North Korea, Cuba, the Maduro regime in Venezuela, and Iran—do you notify the individual(s) whose personal information has been transferred or any U.S. government entity? If not, why not? You can view the letters below: Acxiom LLC AtData Babel Street CoreLogic Solutions, LLC Epsilon Data Management, LLC Equifax Experian Gravy Analytics, Inc. Intelius, LLC Kochava Inc. LiveRamp, Inc. Mylife Oracle America, Inc. PeopleConnect, Inc. Placer.ai RELX Safegraph Inc. Spokeo, Inc. Thomson Reuters TransUnion Verisk Analytics Whitepages, Inc.