The Digital ‘Me’ For Sale: On Clearance
The United States lacks any form of comprehensive federal policy to regulate data brokers, allowing these entities to collect, aggregate, and sell personal information across apps, platforms, and a variety of other services[1]. In the absence of regulation, the unchecked trade of personal data introduces critical cybersecurity vulnerabilities, facilitating surveillance, fueling disinformation campaigns, and leaving Americans susceptible to digital profiling and exploitation[2]. The unregulated trade of personal data in the U.S. is not merely a privacy concern; it is a growing cybersecurity and national security threat that demands comprehensive federal oversight. U.S. citizens’ location data, behavioral profiles, and metadata can be bought and sold without consent, but the risks are especially acute for military personnel, journalists, activists, and marginalized communities. These are the groups that have already been subjected to malicious surveillance and influence operations.
The Precedent: Half Measures
Data is now a strategic asset, and a liability. As technology accelerates, so does the ability to weaponize aggregated data at scale. Without proactive regulation, the U.S. risks falling behind in defending against commercial surveillance, foreign espionage, and the erosion of digital civil liberties. The Federal Trade Commission (FTC) has made it clear that commercial surveillance is out of control, warning of serious consequences: a rise in cyberattacks fueled by aggregated personal data, increased threats to civil liberties, and expanded opportunities for foreign espionage.
Recent enforcement actions by the FTC and the Biden administration underscore the seriousness of the current regulatory gap[1]. In late 2024, the FTC began targeting data brokers, such as Gravy Analytics and Mobilewalla, for unlawfully collecting and selling sensitive location data. These companies were found to have tracked individuals near military bases and religious institutions[2]. The FTC is not the only federal agency to intervene: the Consumer Financial Protection Bureau (CFPB) also attempted to mitigate risks associated with data brokerage by proposing an extension of the Fair Credit Reporting Act (FCRA) to require informed consent before personal information could be sold or shared. However, the CFPB later withdrew the proposed rule change, stating that such an amendment was unnecessary[3]. Data privacy has deepened into a national security issue, as investigative reports have revealed that the China-linked hacking group Salt Typhoon exploited weaknesses in U.S. telecommunications infrastructure to access user data, further stressing the urgent need for comprehensive regulatory oversight and stronger cybersecurity protections[4].
The U.S. Federal Government has made minimal efforts to address these problems credibly. Executive Order 14117 (effective April 8, 2025) seeks to prevent the transfer of U.S. sensitive personal and government-related data to “countries of concern”[5]. While this marks a significant step toward limiting foreign exploitation of American data, the order primarily targets cross-border data flows and does not address the domestic data broker ecosystem that enables such vulnerabilities in the first place. Without comprehensive federal legislation regulating how data is collected, aggregated, and sold within the U.S., cybersecurity risks will persist and continue to escalate. The proposed American Privacy Rights Act (APRA) offers a framework for addressing domestic concerns, yet it remains under debate and, as drafted, is lackluster.
While the FTC has initiated actions against certain data brokers, there is no overarching federal legislation that comprehensively regulates data brokerage practices, and measures remain reactive rather than proactive. The U.S. relies on a patchwork of state laws[6][7][8][9][10], executive orders[5], and sector-specific regulations[11][12][13][14], which are insufficient to address the broad scope of data brokerage activities. Enforcement actions occur after violations have taken place, and the lack of standardized regulations allows many data brokers to operate without meaningful oversight. The current fragmented approach fails to mitigate the systemic risks posed by unregulated data aggregation and sales. This leaves only one sustainable path forward: substantial federal regulation.
Recommendation
The European Union’s General Data Protection Regulation (GDPR)[15] has not only radically reshaped global norms around data privacy, but has also proven that comprehensive data protection laws can effectively safeguard personal information and enhance cybersecurity. Drawing from this example, the United States must pursue a unified federal approach, one that moves beyond fragmented sectoral laws and voluntary compliance, to meaningfully regulate the domestic data brokerage industry.
The American Privacy Rights Act (APRA), introduced in 2024[16], provides a critical starting point. It proposes mandatory data broker registration, limitations on the collection and sale of sensitive personal information, and baseline security standards for data storage and processing. I propose strengthening and building upon the APRA foundations by prioritizing cybersecurity enforcement, mandating national security-grade risk standards, and introducing third-party audits and public transparency tools. This broader approach addresses not only the privacy harms of data brokerage, but also the cyber-infrastructure vulnerabilities that data brokers increasingly represent.
However, while promising, the APRA has yet to be enacted and faces ongoing political negotiation, and it still falls short in addressing cybersecurity concerns. To address these systemic vulnerabilities, I propose two key policy enhancements to strengthen the APRA and move the U.S. toward a more secure digital infrastructure.
First, the APRA should mandate the integration of National Institute of Standards and Technology (NIST)-aligned standards for data storage and transfer. Primarily, this would establish clear, enforceable technical benchmarks across sectors. Unlike APRA’s general call for “reasonable”[16] security measures, NIST’s cybersecurity framework outlines specific protocols for identifying, mitigating, and responding to threats[17]. These standards are already trusted across critical infrastructure sectors and federal agencies but are not currently mandated for private data brokers or consumer platforms. Requiring compliance with NIST would ensure consistency, measurability, and auditability, shifting enforcement from vague interpretation to proactive prevention.
Second, the APRA should add third-party audits of data brokers, similar to the data protection impact assessments (DPIAs) required under the EU’s GDPR[15]. These audits would serve not only to evaluate technical safeguards such as encryption standards, access controls, and breach detection protocols, but also to ensure compliance with privacy requirements like data minimization and consent management. Unlike the APRA, which places enforcement responsibility largely on federal agencies after a violation has occurred, this proactive audit regime would embed accountability into the operational lifecycle of data brokerage itself.
Together, these policy additions represent a necessary evolution in U.S. data governance, one that not only protects individual privacy but also fortifies the nation’s cybersecurity posture. Data brokers do not just pose a commercial or consumer protection issue; they operate within a strategic blind spot in federal regulation that foreign adversaries and malign actors are already exploiting. By embedding technical standards and routine audits into law, this framework can move beyond the reactive enforcement model of today toward a proactive, risk-based approach. As data becomes a critical vector for both personal harm and national threat, the United States must act with the urgency this moment demands. Anything less invites continued exploitation of American data, systems, and citizens. In the absence of urgent federal action, data brokerage will remain a backdoor for surveillance, foreign influence, and digital harm. Harm that no firewall can fix.
Sources
[1] Umar Shakir, “Two Data Brokers Banned from Selling ‘sensitive’ Location Data by the FTC,” The Verge, December 3, 2024, https://www.theverge.com/2024/12/3/24312313/ftc-bans-sensitive-location-data-brokers-gravy-analytics-venntel-mobilewalla.
[2] Dell Cameron and Dhruv Mehrotra, “FTC Says Data Brokers Unlawfully Tracked Protesters and US Military Personnel,” Wired, December 3, 2024, https://www.wired.com/story/ftc-mobilewalla-gravy-analytics-orders/.
[3] Dell Cameron and Dhruv Mehrotra, “CFPB Quietly Kills Rule to Shield Americans from Data Brokers,” Wired, May 14, 2025, https://www.wired.com/story/cfpb-quietly-kills-rule-to-shield-americans-from-data-brokers/.
[4] John Sakellariadis and Maggie Miller, “China-Linked Hackers Stole Wiretap Data from Telcos, FBI and CISA Say,” Politico, November 13, 2024, https://www.politico.com/news/2024/11/13/china-hackers-wiretap-data-telcos-00189445.
[5] Department of Justice, “Executive Order 14117: Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons,” Federal Register, 2024, https://www.federalregister.gov/documents/2025/01/08/2024-31486/preventing-access-to-us-sensitive-personal-data-and-government-related-data-by-countries-of-concern.
[6] The CPRA, accessed May 6, 2025, https://thecpra.org/.
[7] “California Consumer Privacy Act (CCPA),” State of California – Department of Justice – Office of the Attorney General, January 28, 2025, https://oag.ca.gov/privacy/ccpa.
[8] “Virginia Law,” Code of Virginia, Title 59.1, Chapter 53: Consumer Data Protection Act, accessed May 6, 2025, https://law.lis.virginia.gov/vacodefull/title59.1/chapter53/.
[9] C Kibby et al., US State Privacy Legislation Tracker, accessed May 15, 2025, https://iapp.org/resources/article/us-state-privacy-legislation-tracker/.
[10] “Colorado Privacy Act (CPA),” Colorado Attorney General, accessed May 7, 2025, https://coag.gov/resources/colorado-privacy-act/.
[11] Peter F. Edemekong, “Health Insurance Portability and Accountability Act (HIPAA) Compliance,” StatPearls [Internet], November 24, 2024, https://www.ncbi.nlm.nih.gov/books/NBK500019/.
[12] Stephanie T. Nguyen, “Children’s Online Privacy Protection Rule (COPPA),” Federal Trade Commission, May 1, 2025, https://www.ftc.gov/legal-library/browse/rules/childrens-online-privacy-protection-rule-coppa.
[13] Stephanie T. Nguyen, “Gramm-Leach-Bliley Act,” Federal Trade Commission, February 6, 2025, https://www.ftc.gov/business-guidance/privacy-security/gramm-leach-bliley-act.
[14] “Electronic Communications Privacy Act of 1986 (ECPA),” Bureau of Justice Assistance, accessed May 6, 2025, https://bja.ojp.gov/program/it/privacy-civil-liberties/authorities/statutes/1285.
[15] “General Data Protection Regulation,” General Data Protection Regulation (GDPR), April 22, 2024, https://gdpr-info.eu/.
[16] “Text – H.R.8818 – 118th Congress (2023-2024): American Privacy Rights Act of 2024,” Congress.gov, Library of Congress, accessed May 7, 2025, https://www.congress.gov/bill/118th-congress/house-bill/8818/text.
[17] NIST, “Privacy Framework,” NIST, April 15, 2025, https://www.nist.gov/privacy-framework.