Thus far, Tim Cook’s proposal for a data broker clearinghouse has generated a lot of support from privacy advocates. And it has even generated support from prominent data broker Acxiom, which has supported Cook’s call for GDPR-like regulation. According to Acxiom, a data broker clearinghouse would be a great way to root out the “nefarious players” in the ecosystem and force everyone to play by the same rules.
The big picture view, of course, is that the data broker clearinghouse would eventually become part and parcel of a national privacy law, which Tim Cook also supports. It would restore power to consumers, and would place data brokers under the regulatory purview of the federal government. The FTC, for example, is charged with the task of protecting consumers from fraud and deceptive business practices, so it’s only natural to extend their scope and reach into what has thus far been a very unregulated data broker ecosystem.
Vermont embraces the data broker clearinghouse concept
Importantly, one U.S. state – Vermont – has already put into place legislation that creates a statewide data broker clearinghouse. According to a new state law that went on the books on January 1, all data brokers collecting data on Vermont citizens must register with the state by the end of January 2019 and provide transparency information, including information about any security breaches, information about how customers can opt out of data collection and data sharing, and information about any data collected on minors. In addition, Vermont lawmakers suggested that any national data broker should assume that it has collected information about Vermont citizens and register with the state. This is essentially the data broker clearinghouse concept envisioned by Tim Cook, applied at the state level.
In many ways, this Vermont data broker clearinghouse is going to be an important test case. The data broker law that went into effect at the start of the year is the first of its kind in the country, and the probability is high that other states will soon follow with data broker laws of their own.
What is also notable about the new Vermont law is how detailed all of the requirements are for data brokers. In addition to providing all necessary transparency information to consumers, they must also create a comprehensive security program, train employees on security, and encrypt all records that they are transmitting to third parties. Moreover, Vermont is also very detailed in how it defines “data broker” and how it defines the type of data (including “biometric data”) that is included as part of the law. The idea is clear: it’s time to hold data brokers to a much higher standard, especially from a consumer reporting perspective.
The first step towards comprehensive privacy legislation
For privacy advocates, the Vermont law and the public support of tech companies like Apple is a positive sign that momentum is starting to build for national privacy legislation in the U.S. that would be at least as stringent as the European General Data Protection Regulation (GDPR), which went into effect in May 2018.
This legislative momentum is important because, even after the FTC created a 110-page report on the data broker industry back in May 2014, little has been done to regulate the industry. Even after the massive Equifax data breach in 2017, which impacted nearly 140 million people, nothing was done in terms of comprehensive legislation. 2019 might finally be the year that momentum for a data broker clearinghouse leads to legislation at the national level in order to protect consumers from unscrupulous data brokers.