Digital Privacy Crisis: Data Brokers' Impact

Published Date : 7/31/2025 

The recent tragic events in Minnesota have brought the dangers of unregulated data brokers to the forefront, sparking a national debate on digital privacy and public safety. 

During a solemn Senate Judiciary Subcommittee on Privacy, Technology, and the Law hearing, lawmakers heard testimony about how Americans are being systematically stripped of their digital privacy. The hearing highlighted the direct threat posed by online data brokers, who collect and sell personal information, leading to severe consequences, including the tragic deaths of former Minnesota House Speaker Melissa Hortman and her husband Mark, and the critical injuries of state Senator John Hoffman and his wife.

Hours before the attacks, the alleged assassin, Vance Luther Boelter, used commercial data-brokers and people-search websites to compile detailed dossiers on them and more than 70 other public figures. This incident has reignited the debate on regulating the data broker industry, which has been under increasing scrutiny in recent years.

Ranking subcommittee member Amy Klobuchar opened the hearing with a sweeping condemnation of the current digital data regulatory landscape. She emphasized how technology companies have amassed extraordinary volumes of personal data, tracking where Americans live, shop, work, and even how they feel. Klobuchar pointed out that Meta and Google generated $420 billion in advertising revenue in 2024, a sum largely made possible by unregulated data harvesting. She highlighted how data monetization has become a core business model for dominant tech platforms, noting that a U.S. Facebook user generated $68 in profit per quarter compared to just $23 for a European user protected under stronger privacy laws.

The tragic murder of Klobuchar’s friend, Melissa Hortman, and her husband has cast a spotlight on the ease with which individuals can weaponize the vast ecosystem of online data brokers. The scale and political nature of the Boelter case, coupled with the breadth of data he allegedly compiled, have escalated the stakes of the current policy debate. The chilling efficiency with which he was able to identify, locate, and target public figures has transformed abstract concerns about data privacy into matters of life and death.

The broader reckoning over how personal data is handled, who profits from it, who controls it, and how it can be used, has moved from academic privacy debates to the center of a national conversation about public safety. For the families of the victims, this conversation comes far too late. But for lawmakers, regulators, and the companies at the heart of the data-broker industry, it may finally be unavoidable.

According to law enforcement officials and court filings, Boelter utilized at least 11 different data-broker services, including well-known people-search sites like Spokeo, Intelius, and TruePeopleSearch. These platforms compile data such as home addresses, phone numbers, relatives, and voter registrations, often for just a few dollars. Federal prosecutors said Boelter used “interactive computer services” to stalk his victims and to build a digital roadmap for his attacks, suggesting premeditation and a clear reliance on data-broker platforms to locate targets.

This isn’t the first time public records have been implicated in violence. In 1989, Robert John Bardo murdered actress Rebecca Schaeffer outside her Los Angeles apartment. He obtained her home address by purchasing DMV records through a detective agency. The tragedy led to the enactment of the federal Driver’s Privacy Protection Act and California’s first anti-stalking statute. In October 1999, 20-year-old Amy Boyer was murdered outside her Chicago workplace by a man who had been stalking her using information he obtained from an online data broker.

Although people-search platforms typically disclaim responsibility for misuse, the digitization and centralization of personal data they enable stand in sharp contrast to traditional public records systems, which previously required considerable effort to access. What once involved visiting a county clerk’s office or navigating a patchwork of records in some obscure government office is now reduced to a few keystrokes and a small transaction fee.

In December 2024, the Biden administration’s Consumer Financial Protection Bureau (CFPB) under Director Rohit Chopra proposed a regulation to limit data brokers’ ability to sell highly sensitive personal information such as Social Security numbers, credit histories, income details, and precise location histories without a consumer’s explicit consent. The proposal, the Protecting Americans from Harmful Data Broker Practices (Regulation V), sought to classify data brokers as consumer reporting agencies under the Fair Credit Reporting Act (FCRA). This classification would have required these firms to comply with the same accuracy, consent, and access obligations already applied to credit bureaus and background-check firms, aiming to counter threats of fraud, stalking, espionage, identity theft, and surveillance.

CFPB leadership under Chopra emphasized that commercial surveillance fueled by data brokers represents a tangible threat to national security and personal safety. By bringing brokers under FCRA, the rule was intended to ensure transparency and protect consumers from misuse of their data in harmful schemes. More than 600 public comments were received on the regulation, many of which supported the proposed rule as a necessary update to outdated privacy laws.

Under President Donald Trump, however, there was a sweeping dismantling of the CFPB, leading to the agency’s functional collapse. On May 15, Trump’s hand-picked CFPB Acting Director, Russell Vought, formally withdrew the proposed rule, declaring it “no longer necessary or appropriate.” Vought said the proposed regulation did not align with the CFPB’s current interpretation of FCRA and that staff comments raised substantive legal and statutory authority concerns.

At the time of Vought’s withdrawal of the regulation, privacy advocates and consumer protection groups strongly condemned the move, calling it “deeply troubling.” They warned that it leaves Americans vulnerable to scams, surveillance, and targeted threats. Organizations like Demand Progress and the National Network to End Domestic Violence criticized the action as prioritizing profit over safety.

Writing in Lawfare in 2023, Global Cyber Strategies founder and CEO Justin Sherman said data brokers “offer would-be attackers a shortcut to their victims’ doorsteps” by transforming public records into weaponizable digital dossiers. What may appear to be benign aggregated public records become weaponized when packaged into searchable dossiers.

Vought said the matter would only be revisited if future analysis deemed it necessary. In the wake of Boelter’s alleged targeted killings using personal information he obtained from commercial data brokers, lawmakers and privacy rights advocates say that time is now, and the hearing this week reflected the urgency of these developments.

Alan Butler of the Electronic Privacy Information Center emphasized how companies’ data practices outpace legal protections. He called for a comprehensive federal privacy law that would give consumers meaningful control over their information and urged the Senate to grant enforcement power to the Federal Trade Commission (FTC).

Samuel Levine, a former senior official at the FTC and current UC Berkeley fellow, underscored the inadequacy of current enforcement mechanisms. He detailed how companies deploy dark patterns to manipulate users into surrendering their data and noted that without rulemaking authority and a clear statutory framework, the FTC remains ill-equipped to respond to evolving digital threats. He stated that data-driven pricing discrimination, biometric profiling, and unreviewable algorithmic decision-making are becoming normalized in both private and public sectors.

Kate Goodloe of the Business Software Alliance adopted a more industry-focused lens. While she acknowledged the need for strong data protections, she also warned against regulations that could impede innovation. Goodloe supported a national standard but urged lawmakers to avoid the pitfalls of overly burdensome or duplicative compliance mandates. She expressed concern that an overly broad federal law could impose complex reporting requirements on companies with limited consumer data risk profiles.

Speaking on behalf of brick-and-mortar businesses, Paul Martino of the Main Street Privacy Coalition described how smaller enterprises are overwhelmed by conflicting state laws and fear litigation over compliance ambiguities. Like others, he called for a uniform national law but stressed the need for reasonable thresholds that wouldn’t unfairly burden small businesses. He also highlighted how some small retailers lack the infrastructure to navigate privacy compliance on their own, which creates a market skew toward dominant e-commerce platforms.

Joel Thayer of the Digital Progress Institute provided a policy-centric critique, stressing the importance of centering any legislative solution around individual autonomy and clarity. He warned against ceding policymaking to the courts through continued inaction by Congress, arguing that only a clear federal framework could provide the stability required for both businesses and consumers. Thayer also described how the lack of federal action has allowed executive branch agencies and private actors to build parallel systems of identity verification, user tracking, and predictive surveillance with little accountability.

Complementing the hearing, the Consumer Technology Association (CTA) submitted a letter reiterating its long-standing position in favor of a comprehensive federal privacy law. The letter advocated for federal preemption, no private right of action, and tiered compliance obligations. It also criticized regulatory models modeled on Europe’s General Data Protection Regulation, warning they would stifle innovation and harm smaller firms. CTA recommended that enforcement authority be lodged with the FTC and supported public-private partnerships to maintain cybersecurity best practices. 

Frequently Asked Questions (FAQS): 

Q: What is the primary concern with data brokers?

A: The primary concern with data brokers is that they collect and sell personal information, which can be misused, leading to serious threats such as stalking, identity theft, and even targeted violence.

Q: What recent event has brought the issue of data brokers to the forefront?

A: The recent tragic events in Minnesota, where former Minnesota House Speaker Melissa Hortman and her husband were killed, and state Senator John Hoffman and his wife were critically injured, have brought the issue to the forefront.

Q: What is the proposed regulation to address data brokers?

A: The proposed regulation, the Protecting Americans from Harmful Data Broker Practices (Regulation V), seeks to limit data brokers' ability to sell highly sensitive personal information without explicit consumer consent.

Q: Why was the proposed regulation withdrawn?

A: The proposed regulation was withdrawn by the CFPB under President Trump’s administration, citing that it did not align with the CFPB’s current interpretation of the Fair Credit Reporting Act (FCRA) and raised legal and statutory authority concerns.

Q: What are the key recommendations for addressing data broker issues?

A: Key recommendations include a comprehensive federal privacy law, granting enforcement power to the FTC, and ensuring individual autonomy and clarity in data practices. 

More Related Topics :