This article first appeared in The Hill.
As the world races to develop artificial intelligence models that will make it easier to extract and act on people’s sensitive information, the United States still lacks a comprehensive data privacy law. That has allowed commercial data brokers to collect vast amounts of Americans’ personal information, often without our knowledge or meaningful consent, and sell it to paying customers, including the U.S. government.
A pair of bipartisan bills — the American Privacy Rights Act, expected for subcommittee markup this week, and the Fourth Amendment Is Not For Sale Act, which passed out of the House in April — gives Congress an opportunity to put an end to these privacy invasions.
Instead of a robust federal statute, the U.S. makes do with a ragged patchwork of outdated privacy laws and “notice-and-consent” regimes — under which internet users are asked to read and “accept” lengthy legalistic policies before surrendering control over their data.
Companies have long exploited this regulatory void to collect and trade in massive amounts of personal data, including detailed location information, health information, purchase history and browsing history. Within this $200 billion industry, commercial data brokers gather information from mobile apps, cookies, cars and other sources that, alone or combined, can reveal the most intimate details of our lives: our movements, habits, associations, health conditions and ideologies.
These companies then sell this sensitive information not only to advertising companies but also to stalkers, scammers and foreign actors — and the U.S. government.
Over the past two decades, law enforcement and intelligence agencies have increasingly turned to data brokers to secretly purchase access to our geolocation information and other personal data. In many instances, this is the kind of information the government would need a warrant, court order, or subpoena to obtain.
But the U.S. government has exploited legal loopholes to bypass those protections using data brokers. The government can use this information to exercise its coercive powers, including the ability to arrest, imprison, deport, tax, fine and even use lethal force.
The list of agencies engaging in this practice is alarming.
In 2020 it was reported that the Defense Department purchased location information from popular prayer apps to track Muslim communities. Immigration and Customs Enforcement has acquired utility data and mobile phone geolocation data to surveil minority communities and deport immigrants. The FBI, National Security Agency, IRS, Drug Enforcement Agency and multiple components of the Department of Homeland Security have similarly bought access to Fourth Amendment-protected location data.
State and local police departments have followed suit, purchasing information to track racial justice protesters. In states where abortion is illegal, police can acquire location data to track people involved in providing or accessing reproductive health services.
Some parts of the government are beginning to acknowledge the threat this kind of surveillance poses to Americans’ privacy and other basic rights.
Earlier this month, the Office of the Director of National Intelligence released a set of principles for how intelligence agencies should collect and use information from data brokers. If implemented effectively and robustly, these standards could bring much-needed transparency into the government’s acquisition and use of data purchased from commercial entities.
But the framework contains too much wiggle room for intelligence agencies to undermine its principles, and it fails to prohibit purchasing information that would otherwise be subject to statutory or constitutional protections. Ultimately, it is no substitute for congressional action prohibiting government agencies from engaging in this practice.
Congress has started to crack down. The House recently passed the bipartisan Fourth Amendment Is Not For Sale Act. The bill prohibits law enforcement and intelligence agencies from purchasing certain sensitive information from data brokers, including location information, communications-related information and information obtained through illegitimate scraping practices. The Senate should take up the bill and pass it.
But Congress can and must do more. While the bill provides vital protections, it would not fully cover certain sensitive information like health, financial or biometric information. Nor would it address unrestricted data collection by data brokers and other companies, or the trafficking of personal information to private entities or foreign governments — practices that will intensify with the proliferation of AI models reliant on vast data sets.
The American Privacy Rights Act can help fill those gaps. Rather than rely on individuals to read and accept complicated privacy policies, the act restricts the collection and transfer of personal information to only what is necessary to provide a service requested by an individual or to achieve certain specified “permissible purposes.” It also provides individuals more control over their data, including the right to opt out of data collection and to delete data collected by data brokers. In practice, this model would reduce the amount of personal information flowing into and out of the hands of data brokers.
But when it comes to data purchases by government agencies, the bill falls short. It largely excludes from its coverage companies that collect, process or transfer data on behalf of a government entity. This carveout would exempt nearly all government purchases of data from data brokers. For companies not acting on the government’s behalf, the bill contains broad law enforcement-related exceptions that would permit them to collect, process or transfer data to the government without sufficient justification or legal process.
Congress should strengthen the American Privacy Rights Act by prohibiting data transfers to law enforcement or intelligence agencies unless there are clear indications of a threat to public safety, a security incident, fraud, harassment, or criminal activity, or the government has followed the legal process required for compelled disclosure.
As the Brennan Center explained in proposing similar modifications to an earlier comprehensive data privacy bill, these reasonable restrictions would strike an appropriate and workable balance between Americans’ privacy and the legitimate needs of law enforcement.
Taken together, the Fourth Amendment Is Not For Sale Act and a strengthened American Privacy Rights Act present an opportunity to bring U.S. privacy law in line with the modern threats to personal privacy and to end companies’ exploitation of our personal data. Congress must not squander it.
Emile Ayoub is counsel in the Liberty and National Security Program at the Brennan Center for Justice at NYU Law.