How Tim Cook’s Data Broker Registry Might Actually Work

China News Service/Getty Images

In an op-ed in TIME last week, Apple CEO Tim Cook called for a new federal privacy bill and a registry for data brokers that buy and sell data from third parties. Doing so would shed light on an insidious industry that many people may not even realize exists. It also wouldn't be easy.

For all of the talk over the last year about cracking down on companies like Facebook, Cook wrote that it’s this “shadow economy” of companies, most of whom the average consumer has never heard of, that deserves a closer look.

“You might have bought a product from an online retailer—something most of us have done. But what the retailer doesn’t tell you is that it then turned around and sold or transferred information about your purchase to a ‘data broker,’” Cook wrote . “We think every user should have the chance to say, ‘Wait a minute. That’s my information that you’re selling, and I didn’t consent.’”

Cook proposes that these brokers register with the Federal Trade Commission, allowing consumers to see which information is bought and sold, and enabling them to delete it if they want to. The pitch received resounding praise from senators Ed Markey (D-MA) and Ron Wyden (D-OR), as well as some skepticism from industry executives like Facebook’s vice president of ads, Rob Goldman.

But floating such a broad idea is far easier than implementing it. How would a data broker registry work? What companies would it include, and which would it leave out? And what would it really accomplish? As with all privacy legislation, answering those questions will likely require a messy battle between powerful interests in the data economy.

License and Registration

Requiring certain industry groups to register with the federal government is hardly a novel ideal. Lobbyists in the United States already have to register at the state and local level. Attorneys register in the state where they’re licensed. Anyone who wants to can probe public databases to find out more about the people doing this work.

"A good federal bill has to cover data brokers. But it has to cover the tech giants and brick and mortar stores, too."

Privacy Advocate Mary Ross

That those disclosures are commonplace in some industries doesn't mean data brokers would accept them without a fight. Just this month, Vermont's data broker law—the first of its kind in the United States—went into effect after a hard-fought battle in the state legislature the year before. That law stops short of Cook’s proposal, requiring only that companies that handle data from people who are not their direct customers register as data brokers with the state. As part of that registration, they must also disclose whether they allow people to opt out of having their data collected and sold, as well as the number of data breaches they’ve experienced in the prior year.

The law was narrowly focused by design, says Ryan Kriger, assistant attorney general of Vermont. "We wanted a registry of actual data brokers, not 100,000 companies," he says. "Creating a definition was very tricky."

They also needed a law that stood a chance of passing in a state as small as Vermont, says Mary Ross, who was part of the group that pushed for a far more expansive privacy bill that was signed into law in California last year. That bill doesn't create a formal registry, but it does allow consumers to ask businesses that sell their data about the categories of data they're sharing, and with whom they're sharing it. The California law also requires businesses to stop selling a person's data at their request. These far-reaching policies passed, despite staunch criticism from business groups and members of the tech community. "Companies aren't going to not do business with Californians," Ross says. "But in Vermont, they don't have that protection."

The Vermont bill's narrow scope means it doesn't require anything of businesses, like Facebook, that collect data directly from their customers. It doesn't require companies to let people opt out of data collection and sales, and it doesn't require that data brokers give people access to the information they’ve collected.

And yet even this limited proposal provoked fierce opposition from industry groups, including the Internet Association and TechNet, which both represent tech giants, and the Association of National Advertisers. In written testimony before the law was finalized, TechNet's northeast region executive director Matt Mincieli said that for Vermont to define "data broker" alone would be a "fool's errand." Mincieli warned state officials that the law could "make Vermont such a significant outlier as to negatively impact the state’s technology sector." Meanwhile, a letter signed by more than a dozen companies and industry groups, including the Internet Association, The Association of National Advertisers, and giant data brokers like Acxiom, Experian, and RELX Group, argued that Vermont residents wouldn't need a registry of data brokers, because, the letter said, "companies already include the type of information that would have to be reported to the Secretary of State in their privacy policies."

But consumers generally don't know that these companies exist, much less where to find their labyrinthine privacy policies. That's the whole point. "The problem is if you don't know who has your data, you don't know where to send your request," says Adam Schwartz, a senior staff attorney at the Electronic Frontier Foundation, which supported the bill.

Even with the passage of the Vermont law, determining which companies qualify remains a work in progress. For instance, Facebook spokesperson Andy Stone told WIRED the company is not required to register, pointing to a report written by Vermont's attorney general that specifically states that social media companies "fall outside of the scope" of the law. And yet, up until last year, Facebook did buy data from brokers like Acxiom and Experian, and the company does hold some data on non-Facebook users, which it uses for security and other purposes. Ross says this suggests that even the bright lines lawmakers draw can quickly blur.

Going National

Enacting a data broker law at a federal level without accounting for massive data collectors like Facebook and Google would constitute a missed opportunity, Ross says. Even the biggest data brokers are orders of magnitude smaller than Silicon Valley's largest companies. "I don't think data brokers are worse than the tech giants," she says. "I think that a good federal bill has to cover data brokers. But it has to cover the tech giants and brick and mortar stores, too."

Even some data brokers have come around to the idea of a federal privacy law, as long as it levels the playing field for all industries in all states. After Cook's op-ed published, Acxiom, which opposed the Vermont law, released a statement saying it too "supports a national privacy law," particularly if it supersedes individual state laws.

"We opposed the data broker registry in Vermont because we believe it is unnecessary to single out a specific industry (in this case, 'data brokers,') when first-party data controllers often have as much data as companies like Acxiom," the company's chief data ethics officer Jordan Abbott told WIRED by email.

Cook's call for a more tightly regulated data economy isn't selfless. The company's main competitors in tech—Google, Facebook, and Amazon among them—rely much more heavily on data than Apple's hardware-driven business does. Taking a firm stance in favor of privacy presents a natural way for Apple to stand out at a time when trust in tech is flagging. Companies like Facebook and Google, meanwhile, which at least have a direct relationship with consumers, eagerly point to third-party data brokers as the real source of the problem.

Each of these companies has spent millions of dollars on lobbying to ensure that lawmakers will represent their interests in the high-stakes privacy battle. Google, Amazon, Facebook, Microsoft, and Apple spent a combined $64.2 million on federal lobbying last year, representing a 10 percent increase from the year before.


The WIRED Guide to Data Breaches

According to Dan Jaffe, vice president of the Association for National Advertisers, there are sound economic reasons to defend these companies' business models, too. "There’s been a tremendous amount of value to the world, to society through the digital revolution," he says. "People talk about privacy as if it’s something that stands alone. Privacy is part of a system. It’s intertwined with everything else."

During an interview in Davos, Switzerland this week, Facebook's chief operating officer Sheryl Sandberg also defended her company's data-driven advertising model, saying it helps small businesses grow. "I think fundamentally disallowing this business model would hurt a lot of people all over the world," Sandberg said.

Ultimately, it's up to lawmakers to weigh the economic consequences of these laws, and industry lobbyists are working hard to ensure they're informed. Over the last two months alone, several proposals have been introduced in the Senate. There's senator Brian Schatz's (D-HI) Data Care Act, which would require companies to "reasonably secure" user data, and give the FTC new powers to fine companies that abuse that data. Senator Marco Rubio (R-FL), meanwhile, introduced a bill that would entrust the FTC with crafting new privacy guidelines to be approved by Congress. Following Cook's piece in TIME, senator Markey announced his intention to reintroduce the Data Broker Accountability and Transparency Act , which would enable people to request their data from data brokers, and either correct it or order brokers to stop using it. Of course, at a time when the government has been shut down for more than a month and bipartisan consensus seems harder than ever to come by, the fate of these bills is uncertain.

The fate of these bills is uncertain, in light of a prolonged shutdown and partisan bickering. And none of them is as comprehensive as advocates like Ross and Schwartz would like to see. But, says Ross, "It’s just the way Washington works. Everyone wants their voice out on the table." Including Tim Cook.

  • The millions Silicon Valley spends on security for execs
  • Trump, a Russian agent? The alternative is too awful
  • Speed up your kitchen routine: get a food processor
  • One couple’s tireless crusade to stop a genetic killer
  • As tech invades cycling, are bike activists selling out?
  • 👀 Looking for the latest gadgets? Check out our picks, gift guides, and best deals all year round
  • 📩 Get even more of our inside scoops with our weekly Backchannel newsletter