The same advancements that pulled swaths of humanity out of factories and fields and plopped them behind desks have left consumers outgunned and ill-prepared for life under constant surveillance. Shadowy data brokers constrained by few laws gather and supply mountains of information to companies and government agencies with enormous sway over everyday facets of life—from getting a job and purchasing a home, to reaping the benefits of taxpayer-funded safety nets.

While armed with a broad mandate to shield Americans from the negligent and dishonest behaviors of technology firms trading in personal data, US regulators facing murky and complex business practices augmented by artificial intelligence have all but surrendered the farm. Legal experts say it’s past time they reclaim the powers they already have.

“Data brokers’ practices are especially egregious because they circumvent the Fair Credit Report Act and value data without valuing the accuracy of that data,” says Lauren Harriman, a staff attorney at the Georgetown Law Communications and Technology Law Clinic and counsel for Just Futures Law, a legal nonprofit. Data brokers, she says, “pay handsome sums to your utility company for your name and address, turn around and package your name and address with other data, fail to conduct any type of accuracy analysis on the newly formed data set, and subsequently sell the new data set at a steep profit.”

In a letter sent today to Consumer Financial Protection Bureau chief Rohit Chopra, obtained exclusively by WIRED, Just Futures Law is joined by a slew of other nonprofits, including Demand Progress and the National Consumer Law Center, in demanding the nation’s top consumer watchdog take swift action to begin enforcing violations of the Fair Credit Report Act (FCRA) that have long escaped redress. The legal groups—a coalition focused on immigrant, consumer, and privacy rights—are targeting a wide range of practices disproportionately punishing society’s most vulnerable.

Urging Chopra to crack down on data brokers that have demonstrated violations of the FCRA, the nation’s first major privacy law, attorneys say that while the nonconsensual trafficking of Americans’ personal information has netted enormous profits for a few, an epidemic of impropriety throughout the industry has led a considerable number of people to be “denied jobs, government benefits, or even housing.”

“The law is supposed to protect us from this,” says Harriman, who adds that the lack of FCRA enforcement has given data cartels carte blanche to ignore inaccuracies in their data—including data that US law enforcement agencies have purchased—resulting in a widespread deprivation of civil rights. 

The attorneys point to an array of statements by data collectors in recent years, including Kochava, an analytical advertising platform the US Federal Trade Commission (FTC) sued last year for tracking the mobile devices of millions in and around reproductive health clinics, domestic violence shelters, and places of worship. The company’s data harvesting exposed, the FTC said, an unaware population to “threats of stigma, stalking, discrimination, job loss, and even physical violence.” In a legal complaint, the agency cited Kochava’s boasting of capabilities that allowed it to track the locations of roughly 125 million devices per month. 

The letter also points to databases maintained by the British multinational RELX and the Canadian conglomerate Thomson Reuters, which, according to CUNY law professor Sarah Lamdan, author of Data Cartels: The Companies That Control and Monopolize Our Information, contain dossiers on roughly two-thirds of the US population, tracing their whereabouts and mapping social and familial relationships. 

In 2020 alone, data brokers bled out some $29 million while vying to undermine legislative efforts to rein in their industry, according to lobbying disclosures unearthed by The Markup. 

While many major data collectors acknowledge falling under the jurisdiction of the FCRA, others have evaded regulatory scrutiny by relying on what the lawyers petitioning Chopra deem erroneous legal analysis. Other firms partition their products and the surveillant data they gather to exempt from compliance what the credit reporting industry calls “header information,” traditionally consisting of people’s names, birth dates, and Social Security numbers, in addition to phone and residential histories. This, even when that data is derived from sources clearly subject to the law. 

“Data brokers are packaging the same personal data points about us into different products for sale and then claiming that certain products are beyond the reach of key legal protections,” says Laura Rivera, an attorney with Just Futures Law. “It’s dishonest, exploitative, and leads to real harm to consumers of all backgrounds, but especially low-income communities of color, including immigrants.”

“In advocating for coverage of data brokers, we’re simply asking the CFPB to restore the scope of the Act as Congress originally intended,” adds Chi Chi Wu, a staff attorney at the National Consumer Law Center who identified a series of constricting court rulings over the years that watered the FCRA down. 

Historically disadvantaged communities face the brunt of the harm, Wu says, pointing to the sale of information on some of America’s poorest communities to predatory “payday” lenders. In fact, data brokers derive significant profit from businesses whose whole purpose is identifying consumers who face financial instability. A 2013 US Senate report noted, for example, that these purchases were often made by companies that “sell high-cost loans and other financially risky products”—unscrupulous businesses making bread and butter out of the economically vulnerable, including widows. 

Companies playing fast and loose with personal data have drawn the ire of consumer protectionists and Capitol Hill privacy hawks for years, leading to meager gains for consumers. In 2021, a slew of utility companies that had long pilfered cable, phone, and energy customers of sensitive data for their own profit agreed to end the practice of selling it to Thomas Reuters, which had, in turn, supplied it to government agencies and police, including US Immigration and Customs Enforcement. 

“Selling personal information that people provide to sign up for power, water, and other necessities of life, and giving them no choice in the matter, is an egregious abuse of consumers’ privacy,” said US Senator Ron Wyden, a Democrat of Oregon and leading government-surveillance critic, in a letter to Chopra at the time. 

The US Defense Intelligence Agency, Defense Counterintelligence and Security Agency, and Customs and Border Protection (CBP) are among a wide range of federal agencies known to purchase Americans' private data, including that which law enforcement agencies would normally require probable cause to obtain. The US Supreme Court ruled in 2018 that police and intelligence agencies had no right to compel businesses to turn over location data derived from cellphones and other devices without a legal warrant. 

The decision did little to stop the government from sidestepping the courts. The Justice Department, the Office of the Director of National Intelligence, the Pentagon, and hundreds if not thousands of state and local police agencies have interpreted the ruling as having placed no restrictions on their ability to simply buy location data instead.