Urgent Need for US Data Broker Regulation

Published Date : 7/31/2025 

A recent Senate hearing highlights the dangers of unregulated data brokers, which have been linked to several violent incidents, including the murder of former Minnesota House Speaker Melissa Hortman and her husband. Lawmakers are now pushing for stricter regulations to protect personal data and public safety. 

During a solemn Senate Judiciary Subcommittee on Privacy, Technology, and the Law hearing, lawmakers heard testimony about how Americans are being systematically stripped of their digital privacy. Online data brokers pose a direct threat to the lives of individuals whose information they collect and sell.

The hearing came on the heels of a tragic attack that killed former Minnesota House Speaker Melissa Hortman and her husband Mark. Hours earlier, state Senator John Hoffman and his wife were critically wounded in a separate attack. The alleged assassin, Vance Luther Boelter, was found by investigators to have used commercial data-brokers and people-search websites to compile detailed dossiers on them and more than 70 other public figures.

Ranking subcommittee member Amy Klobuchar opened the hearing with a sweeping condemnation of the current digital data regulatory landscape. She said technology companies have amassed extraordinary volumes of personal data and are tracking where Americans live, shop, work, and even how they feel. “We are the product,” she said, referencing how Meta and Google generated $420 billion in advertising revenue in 2024, a sum made possible largely by unregulated data harvesting.

Klobuchar pointed to how data monetization has become a core business model for dominant tech platforms, explaining that a U.S. Facebook user generated $68 in profit per quarter compared to just $23 for a European user protected under stronger privacy laws. She then invoked the tragic murder of her friend, Melissa Hortman and her husband, whose deaths have cast a spotlight on the ease with which individuals can weaponize the vast ecosystem of online data brokers.

The scale and political nature of the Boelter case, coupled with the breadth of data he allegedly compiled, have escalated the stakes of the current policy debate. The chilling efficiency with which he was able to identify, locate, and target public figures has transformed abstract concerns about data privacy into matters of life and death that simply cannot be ignored any longer.

The broader reckoning over how personal data is handled, who profits from it, who controls it, and how it can be used, has moved from the realm of academic privacy debates to the very center of a national conversation about public safety. For the families of the victims, that conversation comes far too late. But for lawmakers, regulators, and the companies at the heart of the data-broker industry, it may finally be unavoidable.

According to law enforcement officials and court filings, Boelter utilized at least 11 different data-broker services, including well-known people-search sites like Spokeo, Intelius, and TruePeopleSearch. These platforms compile data such as home addresses, phone numbers, relatives, and voter registrations, often for just a few dollars. Federal prosecutors said Boelter used “interactive computer services” to stalk his victims and to build a digital roadmap for his attacks, suggesting premeditation and a clear reliance on data-broker platforms to locate targets.

But this isn’t the first time that public records have been implicated in violence. In 1989, Robert John Bardo murdered actress Rebecca Schaeffer outside her Los Angeles apartment. He’d obtained her home address by purchasing DMV records through a detective agency. The tragedy caused the federal Driver’s Privacy Protection Act and California’s first anti-stalking statute to be enacted.

In October 1999, 20-year-old Amy Boyer was murdered outside her Chicago workplace by a man who had been stalking her using information he obtained from an online data broker. Although people-search platforms typically disclaim responsibility for misuse, the digitization and centralization of the personal data that they enable stands in sharp contrast to traditional public records systems which previously required considerable effort to access.

In December 2024, the Biden administration’s Consumer Financial Protection Bureau (CFPB) under Director Rohit Chopra sought to address the matter by proposing a regulation that would have limited data brokers’ ability to sell highly sensitive personal information such as Social Security numbers, credit histories, income details, and precise location histories without a consumer’s explicit consent.

That proposal, the Protecting Americans from Harmful Data Broker Practices (Regulation V), sought to classify data brokers as consumer reporting agencies under the Fair Credit Reporting Act (FCRA). That classification would have required these firms to comply with the same accuracy, consent, and access obligations already applied to credit bureaus and background-check firms. The proposal was explicitly designed to counter threats of fraud, stalking, espionage, identity theft, and surveillance, including risks posed to public officials, military personnel, and survivors of domestic violence.

CFPB leadership under Chopra emphasized that commercial surveillance fueled by data brokers represents a tangible threat to national security and personal safety. By bringing brokers under FCRA, the rule was intended to ensure transparency and protect consumers from misuse of their data in harmful schemes. More than 600 public comments were received on the regulation, many of which supported the proposed rule as a necessary update to outdated privacy laws.

Under President Donald Trump, however, there has been a sweeping dismantling of CFPB that has led to the agency’s functional collapse. Then, on May 15, Trump’s hand-picked CFPB Acting Director, Russell Vought – who came from the Heritage Foundation – formally withdrew the proposed rule, declaring it was “no longer necessary or appropriate.” Vought said the proposed regulation did not align with CFPB’s current interpretation of FCRA, and that staff comments raised substantive legal and statutory authority concerns.

At the time of Vought’s withdrawal of the regulation, privacy advocates and consumer protection groups strongly condemned the move, calling it “deeply troubling.” They presciently warned that it leaves Americans vulnerable to scams, surveillance, and targeted threats. Organizations like Demand Progress and the National Network to End Domestic Violence criticized the action as prioritizing profit over safety.

Writing in Lawfare in 2023, Global Cyber Strategies founder and CEO Justin Sherman said data brokers “offer would-be attackers a shortcut to their victims’ doorsteps” by transforming public records into weaponizable digital dossiers. Indeed, what may appear to be benign aggregated public records become weaponized when packaged into searchable dossiers.

Vought said the matter would only be revisited if future analysis deemed it necessary. In the wake of Boelter’s alleged targeted killings using personal information he obtained from commercial data brokers, lawmakers and privacy rights advocates say that time is now, and the hearing this week reflected the urgency of these developments.

Alan Butler of the Electronic Privacy Information Center emphasized how companies’ data practices outpace legal protections. He called for a comprehensive federal privacy law that would give consumers meaningful control over their information and urged the Senate to grant enforcement power to the Federal Trade Commission (FTC).

Samuel Levine, a former senior official at the FTC and current UC Berkeley fellow, underscored the inadequacy of current enforcement mechanisms. He detailed how companies deploy dark patterns to manipulate users into surrendering their data and noted that without rulemaking authority and a clear statutory framework, the FTC remains ill-equipped to respond to evolving digital threats. He stated that data-driven pricing discrimination, biometric profiling, and unreviewable algorithmic decision-making are becoming normalized in both private and public sectors.

Kate Goodloe of the Business Software Alliance adopted a more industry-focused lens. While she acknowledged the need for strong data protections, she also warned against regulations that could impede innovation. Goodloe supported a national standard but urged lawmakers to avoid the pitfalls of overly burdensome or duplicative compliance mandates. She expressed concern that an overly broad federal law could impose complex reporting requirements on companies with limited consumer data risk profiles.

Speaking on behalf of brick-and-mortar businesses, Paul Martino of the Main Street Privacy Coalition described how smaller enterprises are overwhelmed by conflicting state laws and fear litigation over compliance ambiguities. Like others, he called for a uniform national law but stressed the need for reasonable thresholds that wouldn’t unfairly burden small businesses. He also highlighted how some small retailers lack the infrastructure to navigate privacy compliance on their own, which creates a market skew toward dominant e-commerce platforms.

Joel Thayer of the Digital Progress Institute provided a policy-centric critique, stressing the importance of centering any legislative solution around individual autonomy and clarity. He warned against ceding policymaking to the courts through continued inaction by Congress, arguing that only a clear federal framework could provide the stability required for both businesses and consumers. Thayer also described how the lack of federal action has allowed executive branch agencies and private actors to build parallel systems of identity verification, user tracking, and predictive surveillance with little accountability.

Complementing the hearing, the Consumer Technology Association (CTA) submitted a letter reiterating its long-standing position in favor of a comprehensive federal privacy law. The letter advocated for federal preemption, no private right of action, and tiered compliance obligations. It also criticized regulatory models modeled on Europe’s General Data Protection Regulation, warning they would stifle innovation and harm smaller firms. CTA recommended that enforcement authority be lodged with the FTC and supported public-private partnerships to maintain cybersecurity best practices. 

Frequently Asked Questions (FAQS): 

Q: What is a data broker?

A: A data broker is a company that collects and sells personal information about individuals. They gather data from various sources, including public records, social media, and other online activities, and sell it to third parties for marketing, advertising, and other purposes.

Q: Why are data brokers a concern for public safety?

A: Data brokers compile and sell personal information that can be used by malicious actors to target individuals. This information can include home addresses, phone numbers, and other sensitive details, making it easier for stalkers, identity thieves, and other criminals to locate and harm their victims.

Q: What is the proposed regulation to address data brokers?

A: The proposed regulation, known as the Protecting Americans from Harmful Data Broker Practices (Regulation V), would limit data brokers' ability to sell highly sensitive personal information such as Social Security numbers, credit histories, and precise location histories without a consumer’s explicit consent.

Q: What happened to the proposed regulation under the Trump administration?

A: Under President Donald Trump, the proposed regulation was withdrawn by Acting Director Russell Vought of the Consumer Financial Protection Bureau (CFPB). Vought declared the regulation was no longer necessary or appropriate, citing legal and statutory concerns.

Q: What are the key arguments for and against regulating data brokers?

A: Proponents argue that regulating data brokers is necessary to protect personal privacy and public safety, prevent identity theft, and reduce the risk of targeted attacks. Opponents argue that regulation could stifle innovation, impose burdens on small businesses, and create complex compliance requirements. 

More Related Topics :