- July 1, 2026
- Updated 1:35 am
Challenges in Regulating Data Brokers and Recent Legislative Efforts
- admin
- June 10, 2026
- Cybersecurity Technology
For many years, Congress has attempted unsuccessfully to provide Americans with control over their personal data, including the rights to access, amend, and delete it. This inaction has left the public with little defense against data misuse, while data brokers continue to collect and sell personal information in a largely unregulated market.
States like California, Virginia, and Texas have enacted laws requiring data brokers to register, fulfill deletion requests, and disclose collected data. However, enforcement is inconsistent, and states have struggled to gain full compliance from companies that operate across different jurisdictions. These companies often face minimal consequences for non-compliance.
The SECURE Data Act and the GUARD Financial Data Act are recent legislative attempts to bring data brokers under legal oversight. However, efforts to prevent such federal protections face opposition. In June, a hearing by the Commerce, Manufacturing, and Trade subcommittee of the House Energy and Commerce Committee highlighted some lawmakers’ reluctance to override existing state laws with a national standard. Without federal laws, consumers remain at a disadvantage, with protections differing based on their location.
A further complication arises from companies avoiding classification as data brokers to bypass regulations. These companies, known as massive data aggregators, collect data from various sources and create profiles such as risk scores and assessments of creditworthiness. These profiles influence real-world decisions, including loan approvals and marketing strategies.
The lack of regulation for massive data aggregators results from a gap in definitions. Current laws target companies that derive over half their revenue from selling raw personal data. Aggregators sell inferences and insights rather than raw data, using algorithms to transform the raw data into profiles.
The SECURE Data Act and the GUARD Financial Data Act represent progress in holding this industry accountable. The latter defines financial data aggregators in federal law, while the former establishes data minimization and opt-in requirements along with a Federal Trade Commission data broker registry. Despite these measures, both laws have notable omissions. The SECURE Data Act excludes aggregators whose revenue comes from inferred profiles, while the GUARD Financial Data Act mandates only disclosure, allowing aggregators to conceal terms within lengthy agreements.
Consumers have opt-out rights under the SECURE Data Act for certain decisions, but the law does not limit the secondary use or sale of derived data, such as risk scores and profiles. Additional measures are needed to enforce transparency and protect consumer data fully.