Lawmakers and experts are expressing concerns that the draft American Privacy Rights Act does not do enough to rein in data brokers. 

The debate centers in large part on a provision in the draft bill that would require consumers to request that each data broker delete their data one by one instead of giving individuals the ability to make one delete request to all registered brokers with the push of a button, as is now the case in California.

“Under APRA’s current draft a consumer would have to individually visit 871 data brokers’ websites and affirmatively delete their personal data,” Rep. Lori Trahan (D-MA) said at a House Energy and Commerce Committee hearing on Wednesday. “That's how many have registered in the state of Vermont and that's just not feasible.”

California, Texas, Oregon and Vermont now require data brokers to register, but only California offers a one-stop shop for consumers to request their data to be deleted. 

Trahan, who is co-sponsoring a Delete Act similar to California’s law, noted that a previous version of comprehensive federal privacy legislation, the American Data Privacy and Protection Act (ADPPA), contained language creating a centralized opt-out tool for consumers seeking deletion of their data.

That bill passed out of committee with a 53-2 vote in 2022 but was never brought to a vote on the House floor. APRA is an attempt to revive that legislation, but some elements have been tweaked, including the data broker language.

Rep. Frank Pallone, Jr. (D-NJ), the minority leader of the Energy and Commerce Committee, echoed Trahan in his opening remarks at Wednesday’s hearing, saying the committee should “explore whether there are additional tools that we can give consumers to control the data in the possession of data brokers.”

Despite its flaws, APRA would take important steps to minimize the data brokers can collect, store and sell about consumers, testified Samir Jain, vice president of policy at the Center for Democracy and Technology.

Other experts have lamented that the draft legislation creates loopholes allowing many data brokers to dodge the law.

For example, the draft bill defines data brokers only as third party data collectors, or those trading in data for consumers they do not have any direct relationship with, which would exclude a large portion of the overall ecosystem.

The industry relies heavily on first-party collectors, such as mobile apps that sell customer information, data broker expert Justin Sherman said in an interview with Recorded Future News. He added that there would be almost no market for hundreds of millions of people's geolocation data if mobile apps — first party collectors — were not selling data belonging to their own users. 

The draft bill also fails to regulate many of the largest data brokers by including language that says only companies whose biggest source of revenue comes from selling data are covered by the legislation, said Sherman, who is CEO of Global Cyber Strategies and led a Duke University study showing how data brokers sell military service members’ financial, health and other data.

“This idea Congress has that data brokers are only third parties is misguided, but it's also silly to say that you need to make a majority of your revenue from brokering data,” Sherman said, citing the fact that some of the largest data brokers in existence, including Oracle, Thomson Reuters and LexisNexis, have separate and profitable lines of business which likely jointly account for a majority of their revenue.

The APRA committee hearing unfolded the same day as the House passed a tough anti-data broker bill known as the Fourth Amendment is Not for Sale Act, which would prohibit the government from buying citizens’ data from brokers without a warrant.