Those trading in your personal information face regulation in Oregon – and it needs to be strong

Experience in other states shows that the data brokerage industry isn’t as forthcoming as state officials anticipated.

February 9, 2022 11:25 am
Oregon Capitol State Seal

Oregon would regulate data information brokers under pending legislation in the 2022 Legislature. (Amanda Loman/Oregon Capital Chronicle)

Thousands of companies you do no business with and that you hardly ever heard of possess astonishing amounts of information about you, your residence, your family, your work, your religion, your credit score and more.

They are called data brokers, and you have no way to find out from them what they have and do with all of your personal information, much less control how they use it.

Few social problems leave so many of us with such a feeling of helplessness.

Any solution would seem to be federal or even international. In June 2019, 40 state attorneys general proposed a federal clearinghouse of data broker information to combat the “loss of privacy that occurs when consumers are subject to increasingly extensive monitoring without increased public awareness or oversight.”

It hasn’t happened. Since then, some states have more directly tried taking a crack at it.

Oregon is the latest.

Attorney General Ellen Rosenblum has proposed House Bill 4017 for a state data broker registry. That idea is that any company trading in data about Oregonians has to register with and pay a fee to the Oregon Department of Consumer and Business Services. Then, according to Rosenblum’s press release, “The data broker must provide contact and other business information that will be posted on a public website hosted by DCBS. Consumers can use the registry to contact data brokers directly to ask questions, or to request that the broker no longer sell their personal information.”

She told legislators in early February, “It’s one thing for a consumer to willingly turn over data for a specific purpose. But the widespread sale of data, often done without our knowledge or our consent, gives data brokers broad latitude to do whatever they want with it. The data broker industry includes some reputable companies that are crucial to the modern economy, but I think all of us would agree that when companies use our personal information for profit, it should be incumbent upon them to operate with transparency and responsibility.”

Is this an answer to our data control quandary, or a grain of sand tossed at a steel wall?

The answer is in the details, especially ensuring the legislation grows fangs to ensure compliance and offers enough useful information and pushback for consumers.

Quite a few states have developed legislation in this area, but two have had significant recent specific experience with data broker regulation.

California in 2019 set up an online data broker registry. Its legislative measure required “data brokers to register with, and provide certain information to, the attorney general. The bill would define a data broker as a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship, subject to specified exceptions,” according to a legislative digest.

The legislation required the state attorney general to make publicly available information about the brokers and provided enforcement tools if data brokers didn’t register with California authorities.

How well has it done?

One Silicon Valley analyst said, “This law needs more teeth to get more data brokers to register. The Cal AG determined per this document that the number of data brokers worldwide was 4,000 and projected that 1,000 would register with California.  Yet nearly a year into the law only 414 data brokers have registered.”

Beyond that, much of the information that companies provided in California was inadequate, not nearly enough to give consumers the intended information about what the companies had on them, how they used it or how to stop it.

Vermont, the other state with such a registry, has had a similar experience. Vermont does require more of brokerage than California, including what information they have on minors and whether their data has been breached.

Still, one news report said of the Vermont effort that, “Dozens of firms registered, but few offered clear answers about what they do with data and whether users may remove themselves from databases.”

That doesn’t mean any of these efforts are without value. (The California state database is a great trove of information for a deep dive.) But it does mean careful thought should be given to the Oregon law, to make sure it is not merely a gesture but actually consumer-useful.

To do that, evidently, it will have to incorporate some longer, sharper fangs than the industry has seen before.

Our stories may be republished online or in print under Creative Commons license CC BY-NC-ND 4.0. We ask that you edit only for style or to shorten, provide proper attribution and link to our web site.

Randy Stapilus

Randy Stapilus has researched and written about Northwest politics and issues since 1976 for a long list of newspapers and other publications. A former newspaper reporter and editor, and more recently an author and book publisher, he lives in Carlton.