Control Over Personal Data: A Federal Challenge
For many years, Congress has endeavored to enable Americans to manage their personal data effectively: granting the ability to access, correct, and delete it. This persistent challenge has left citizens vulnerable to the exploitation of their data, as the data broker industry persistently gathers and sells personal information within a largely unchecked market.
State Legislation: Filling the Federal Void
In response to congressional inertia, states like California, Virginia, and Texas have enacted laws that require data brokers to register with the state, honor requests for data deletion, and disclose the collected data. Despite these efforts, enforcement varies, and coverage remains inconsistent. Companies operating across multiple states often face minimal repercussions for failing to comply.
Introducing Federal Legislation
Two recent bills, the SECURE Data Act and the GUARD Financial Data Act, have emerged as potential solutions to regulate data brokers comprehensively. However, efforts to impede federal protections have come to light. A House subcommittee hearing on June 3 exposed opinions within Congress opposing federal preemption of existing state laws with a national standard. Without federal action, consumers face a fragmented protection system, which varies based on geographic location.
Massive Data Aggregators: A Regulatory Challenge
Adding complexity to consumer protection efforts is a category of companies that avoid being classified as data brokers. Massive data aggregators focus on harvesting data from various sources online, compiling risk scores, behavioral profiles, and credit assessments. Unlike traditional data brokers, they do not sell personal details directly but analyze data to impact real-world outcomes, such as mortgage approvals and loan interest rates. Their operations evade existing consumer protection laws due to definitional discrepancies.
Challenges in Legislation and Oversight
The SECURE Data Act and the GUARD Financial Data Act represent progress in legislating the industry. The GUARD Financial Act sets a definition for financial data aggregators, while the SECURE Data Act introduces requirements for data minimization, opt-in, and develops a Federal Trade Commission broker registry. Nonetheless, gaps remain, allowing mass data aggregators to continue largely unregulated. The revenue threshold in the SECURE Data Act excludes data aggregators generating income from profiling rather than direct data sales.
Massive data aggregators still manipulate and resell personal data legally due to GUARD Financial Data Act’s disclosure-focused credential provisions. Even though SECURE Data Act gives consumers opt-out rights, derived data usage remains unchecked, leaving risk scores and profiles vulnerable to exploitation.
Industry Context and Consumer Advocacy
Gerard Scimeca, an attorney and consumer advocate, serves as the general counsel at CASE, an organization advocating for consumer rights. While efforts to regulate the industry advance, significant challenges persist in adequately protecting consumer data against unauthorized use and sales.
Copyright 2026 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.