
Data Broker Registries in Bills: the ADPPA and the DELETE Act

Justin Sherman
Tuesday, June 6, 2023, 8:15 AM
Two bills from the previous Congress could make some data brokers register with the federal government. Here’s how they stack up.
The U.S. Capitol Building in Washington, D.C. (Marnie Webb, https://flic.kr/p/6wp9Cw; CC BY-NC-SA 2.0, https://creativecommons.org/licenses/by-nc-sa/2.0/)

Published by The Lawfare Institute
in Cooperation With
Brookings

Tennessee just enacted the United States’ eighth comprehensive state privacy law. Just days before that, Indiana’s governor signed a comprehensive privacy bill, which enters into effect on Jan. 1, 2026. As other privacy bills are in discussion at the state level as well, the congressional debate about a comprehensive privacy law continues.

On April 19, I testified at a hearing held by the House Energy and Commerce Committee’s Subcommittee on Oversight and Investigations entitled “Who is Selling Your Data: A Critical Examination of the Role of Data Brokers in the Digital Economy.” In my written testimony, I discussed the “data brokerage ecosystem,” or the multibillion-dollar industry of companies gathering and selling data on Americans, and the privacy, safety, and national security risks. The discussion was wide-ranging. It covered scams of elderly Americans and people with Alzheimer’s disease, stalking and gendered violence, the collection and sale of information about children and teenagers, and the sale of data on U.S. military service members. On the policy side, several of the members’ questions focused on the need for a comprehensive federal privacy law and the idea of creating a national, public registry of data brokers.

This article focuses on two bills from the previous Congress, each of which proposes creating a national, public registry of companies that could be engaged in data brokerage: the American Data Privacy and Protection Act (ADPPA) and the Data Elimination and Limiting Extensive Tracking and Exchange (DELETE) Act. While neither bill has yet been reintroduced in the current Congress, this could change at any moment. This is especially true for the ADPPA, which was by many estimates the closest the U.S. has come to passing a comprehensive federal privacy law. The bills also differ slightly in their proposals for a national data broker registry. Drawing out these differences and understanding their policy implications, along with identifying how they could be improved, is vital as legislators consider ways to address the harms caused by the data brokerage ecosystem.

In short, the ADPPA and the DELETE Act have many similar provisions for a registry of companies involved in brokering data. Both bills’ registries focus on third-party companies only (not the “first parties” that collect data directly from users), publish the registered information online in searchable form, and establish a centralized opt-out mechanism for consumers. At the same time, each can improve by incorporating aspects of the other. The ADPPA can learn from the DELETE Act by eliminating its low penalty ceiling for third-party data brokers that violate its provisions. It could also use the DELETE Act’s technical approach to opt-out requests—replacing the submitted opt-out information with a hash, a fixed-length string of letters and numbers—to reduce the amount of data about consumers provided to brokers when those people opt out of data collection. For the DELETE Act’s part, it can learn from the ADPPA by having the federal government notify covered data brokers immediately when a consumer files a data deletion request, rather than allowing those third-party brokers an additional, arbitrary 31 days to keep selling that individual’s data.

Neither bill is perfect. For instance, neither bill outright bans the brokerage of certain kinds of particularly sensitive data—such as mobile apps and websites selling individuals’ location and health data. But they would each improve on the status quo, and their proposals for a national data broker registry hold important lessons for regulating the data broker industry.

The ADPPA and a National Registry of “Third-Party Collecting Entities”

The American Data Privacy and Protection Act was a bipartisan bill introduced into the 117th Congress on June 21, 2022, sponsored by Reps. Frank Pallone (D-N.J.) and Cathy McMorris Rodgers (R-Wash.), and supported in the Senate by Sen. Roger Wicker (R-Miss.). They first released the bill in discussion draft form (not yet formally introduced) on June 3, 2022.

Members have marketed the ADPPA as a comprehensive federal privacy law for consumers that would introduce requirements for how companies store, process, and share data about individuals. The data covered under the bill is “information that identifies or is linked or reasonably linkable” to an individual or “a device that identifies or is linked or reasonably linkable to an individual.” There are exceptions for “de-identified data” (as discussed later), “employee data” (such as emergency contact information or information collected on a job application), “publicly available information,” and inferences drawn from publicly available information that do not reveal sensitive data about people.

Section 206 of the bill concerns “third-party collecting entities,” which is not a synonym for data brokers per se (which will be discussed below) but would encompass some data brokers. The term “third party” is defined as:

(A) … any person or entity, including a covered entity, that—

(i) collects, processes, or transfers covered data that the person or entity did not collect directly from the individual linked or linkable to such covered data; and

(ii) is not a service provider with respect to such data; and

(B) does not include a person or entity that collects covered data from another entity if the 2 entities are related by common ownership or corporate control, but only if a reasonable consumer’s reasonable expectation would be that such entities share information.

This is an intuitive and straightforward definition. If a company is not directly collecting data about individuals from those individuals, then it has a third-party relationship with that person. A first-party relationship, by contrast, would involve a company gathering data directly on consumers.

The ADPPA, meanwhile, defines a third-party collecting entity as:

(i) … a covered entity whose principal source of revenue is derived from processing or transferring covered data that the covered entity did not collect directly from the individuals linked or linkable to the covered data; and


(ii) does not include a covered entity insofar as such entity processes employee data collected by and received from a third party concerning any individual who is an employee of the third party for the sole purpose of such third party providing benefits to the employee.

This definition is not dissimilar from the definitions used in many other federal bills and state laws on data brokers. The ADPPA does not make specific reference in this definition, nor in its entire text, to the sale of data; thus, it does not explicitly make “third-party collecting entities” a synonym for data brokers per se. But the language is clearly designed to address the third-party players in the data broker industry. Such a definition omits, as discussed later, the first-party collectors that gather data directly from consumers and then subsequently sell it, such as a mobile app that gathers individuals’ phone geolocation data and then sells it to marketing companies. This definition also excludes third-party collectors who do not make their “principal source of revenue” from processing or transferring covered data.

Section 206 of the bill has three core components: notice, registry, and penalties. First, every third-party collecting entity with a website or mobile app would have to place a conspicuous notice on its website. The notice would have to include language from the Federal Trade Commission (FTC), to be developed through rulemaking, and a link to the FTC’s to-be-created registry of third-party collecting entities. Said notice must be “reasonably accessible to and usable by individuals with disabilities.” Second, by Jan. 31 of each year, any third-party collecting entity that in the prior year processed ADPPA-covered data about more than 5,000 individuals, or devices linked or reasonably linkable to individuals, would have to register with the FTC. The registration submission would include a $100 fee as well as the entity’s legal name, primary physical and email addresses, website, and contact information (such as contact person, phone number, email, and mailing address). FTC registration would also include a “description of the categories of covered data the third-party collecting entity processes and transfers.” This last inclusion is a beneficial one, because it would provide consumers and regulators with more insight into the types of data processed by third-party collecting entities, including data sold by third-party data brokers.

The FTC would then have to create and maintain a public, searchable, central registry of the companies and all of their submitted information. The website would also enable an individual to “easily” submit a “Do Not Collect” request to all listed entities that are not consumer reporting agencies under the Fair Credit Reporting Act (FCRA). This is quite interesting. FCRA-covered consumer reporting agencies would still have to register with the FTC as third-party collecting entities, but they would be exempted from the centralized opt-out process. The bill’s authors likely included this provision to deconflict the ADPPA with the FCRA, which has its own process for consumers to contact consumer reporting agencies. Yet this exemption prevents consumers from doing anything about the fact that all three major credit reporting agencies—Equifax, Experian, and TransUnion—are in the business of brokering other kinds of data besides FCRA-covered credit reporting information. As described in their annual filings, these credit reporting agencies collect and broker data spanning individuals’ health, identity, phone activity, insurance claims, digital devices, lifestyle and behaviors, and much more. Equifax, for example, has publicly stated that it brokers individuals’ biometric information, internet and online activity data, geolocation data, and sensory data, among others, including to advertisers, data analytics companies, other data brokers, insurance firms, retail merchants, social networks, and utility providers. While some of Equifax, Experian, and TransUnion’s activities are indeed already regulated under the FCRA, the companies are engaged in other data brokerage activities that are not regulated and would be exempted from the ADPPA’s registry opt-out provision. This is one weakness of the bill’s approach to third-party collecting entities.

Nonetheless, the ADPPA’s “Do Not Collect” registry mechanism would give consumers a one-stop shop to tell third-party collecting entities to delete all covered data about them that the companies did not collect directly “or when acting as a service provider.” (Under the bill, a “service provider” collects, processes, or transfers covered data on behalf of, and at the direction of, a covered entity or a federal, state, tribal, territorial, or local government entity, and receives that data from or on behalf of such an entity.) The registered entities must fulfill these data deletion requests within 30 days of receipt. They must then ensure they no longer collect covered data about those consumers without their “affirmative express consent,” except when “acting as a service provider.” There is one exception to this opt-out compliance. If a third-party collecting entity has “actual knowledge” that the person submitting the request “has been convicted of a crime related to the abduction or sexual exploitation of a child,” and the collected data in question “is necessary to effectuate the purposes of a national or State-run sex offender registry” or the congressionally authorized National Center for Missing and Exploited Children, the company can decline the deletion request.

The third and final registry provision would fine companies $100 each day for failing to register or provide notices on their websites, not to exceed $10,000 in a year. Entities would additionally be liable for the equivalent of a registration fee ($100) for each year they did not register. For all the ADPPA’s many improvements on the privacy status quo, this is a weak penalty. As pointed out in testimony by Georgetown Law professor Laura Moy, a fellow witness at the recent House data broker hearing, the fines for non-registration must be large enough for data brokers to care about breaking the law. Even the smallest data brokers can easily make a few hundred or few thousand dollars from selling one single data set. Many larger data brokers make hundreds of millions or even billions of dollars a year. Contrasted against a maximum of $10,000 a year for failing to register, the incentives are overwhelmingly skewed for third-party data brokers, especially the large ones, to avoid registration—and thereby conveniently evade the need to delete consumers’ data when asked.

An improved provision in the bill could, for example, greatly increase the non-registration and non-notice penalty for companies over a certain size. These fines exist alongside the ADPPA’s other enforcement provisions, which would require the FTC to establish a Bureau of Privacy and declare any violation of the ADPPA as an unfair or deceptive act or practice under Section 5 of the FTC Act (15 U.S.C. § 45).

Other provisions would indirectly impact data brokerage. For example, Section 203 of the ADPPA provides consumers with some data rights. Sections 203(2) and 203(3) require that individuals can request an ADPPA-covered entity to, respectively, correct covered data about them and delete covered data about them. In both cases, the covered entity would have to make “reasonable efforts to notify all third parties or service providers to which the entity transferred such covered data” of the correction or deletion request. This would ostensibly include third-party data brokers to whom a company may have sold (“transferred”) ADPPA-covered data. But it also seems this notification is just that—a notification. For a third-party collecting entity to stop transferring data about an individual, that individual would have to submit a deletion request through the FTC.

The bill also exempts “de-identified data” from “covered data.” De-identified data is defined as “information that does not identify and is not linked or reasonably linkable to a distinct individual or a device, regardless of whether the information is aggregated” and is contingent on three additional factors. Those are whether the covered entity or service provider (a) takes reasonable measures to ensure the data cannot be re-identified to an individual, (b) publicly commits to process and transfer the information in de-identified form and to not make any attempt to re-identify it, and (c) contractually obligates anyone receiving the data to comply with the previous two points and to put those requirements into their own contracts. In theory, this is a much better provision than most around “de-identified data.” Rather than completely exempt “de-identified data” from coverage, this provision has additional requirements, including that companies not link data back to individuals. In practice, though, it remains to be seen whether a legal interpretation of “reasonable” measures to “de-identify” will reflect the latest computer science techniques and statistical research on identifiability or fall back into the outdated notion of removing a name or Social Security number as sufficient to “de-identify” data.

The DELETE Act and a National Data Broker Registry

The DELETE Act was a bipartisan bill introduced on Feb. 9, 2022—by Sens. Bill Cassidy (R-La.) and Jon Ossoff (D-Ga.) in the Senate and by Rep. Lori Trahan (D-Mass.) in the House. Unlike the ADPPA, which is written as a comprehensive federal privacy law, the DELETE Act is focused on a single objective: establishing a “centralized system to allow individuals to request the simultaneous deletion of their personal information across all data brokers.”

It defines a data broker as “an entity that knowingly collects or obtains the personal information of an individual with whom the entity does not have a direct relationship and then”:

(i) uses the personal information to perform a service for a third party; or

(ii) sells, licenses, trades, provides for consideration, or is otherwise compensated for disclosing personal information to a third party.

This definition does not include first-party collectors that sell data about customers and users. Instead, it focuses just on third-party data brokers dealing in “personal information.” For the bill’s purposes, personal information is defined as “any information held by a data broker, regardless of how the information is collected, inferred, created, or obtained, that is linked or reasonably linkable by the data broker to a particular individual or consumer device.” This is a very strong definition. It does not hinge on how the data was gathered—or, critically, “inferred,” which is a main way in which brokers get information. (For example, a broker could use the knowledge that someone has a Christian news app or Muslim prayer app installed to predict religion or use the installation of an LGBTQ+ dating app to make inferences about sexual orientation.) The definition also recognizes that data need not be “linked” to an individual at present for it to be linked to that individual later. Decades of computer science research underscore that it is possible to combine supposedly “anonymized” or “de-identified” data sets to identify specific individuals.

Within a year of its passage, the bill would require the FTC to establish a process for third-party data brokers to register with the commission. To submit that registration, beginning no later than 18 months after the bill’s passage, each covered data broker would have to submit:

  • Its name, primary physical and email addresses, and website.
  • If it “permits an individual to opt out of the data broker’s collection or use of personal information, certain sales of such information, or its databases,” the method for opting out, any limits on opting out (such as on the “type of data collection, uses or sales”), and whether an individual can authorize a third party to opt out for them.
  • Information specified by the FTC about “the types of information the data broker collects or obtains and the sources from which the data broker obtains data.”
  • Whether the broker implements a “credentialing process” and, if so, a description.
  • “Any additional information or explanation the data broker chooses to provide concerning its data collection practices.”
  • Anything else the FTC deems appropriate.

This is a considerable improvement on the ADPPA’s registration provision. Covered third-party data brokers would have to submit the same kinds of basic information here—including, essentially, the types of data collected. The DELETE Act requirements, however, go much farther. Registry information would include “the sources from which the data broker obtains data,” which is information that most brokers closely hold or even outright hide from policymakers and the public. More insights into those sources would help to identify the ways that Americans’ data—such as health and location data—become available on the open market for sale in the first place. Additionally, many data brokers claim that they implement controls on their sale of data, but the little public information about data brokers’ sale processes often points to the opposite. Requiring disclosure of whether a broker has a “credentialing process” for prospective buyers (and if so, what it looks like) would help to address these questions and to better inform legislation and regulatory enforcement. On top of that, the DELETE Act would critically empower the FTC to require covered brokers to submit additional information that could provide further insights.

The FTC would establish a centralized system to store and display this information, except where displaying an entry “is not in the interest of public safety or welfare.” (If that were the case, the FTC would have to provide a justification for its assessment.) It would also state on the website that it cannot confirm the accuracy of registered brokers’ responses and that “individuals may contact such data brokers at their own risk.” Within a year of the bill’s passage, the FTC would promulgate regulations for how to pair this registry with a centralized opt-out system. It would have to maintain reasonable security procedures and allow any individual, through a single, free submission, to request that every registered data broker holding “any persistent identifiers” for that person delete all “personal information” related to that individual. That deletion would also apply to any legal entities affiliated with the data brokers. The submission would include the person’s name, email, phone number, address, and any other persistent identifier the FTC deemed necessary. Once submitted, the centralized system would hash the information on FTC systems—that is, run each entry through a one-way function that maps it to a fixed-length string of letters and numbers from which the system does not need to retain the original. Data brokers would then check for matches by hashing their own records the same way and querying the system with those hashes, rather than pulling consumers’ plaintext submissions. After an individual submits information in a request, the FTC would keep it for two years before automatically deleting it.

From there:

  • Covered third-party data brokers must access deletion requests at least once every 31 days and, within 31 days of access, delete individuals’ information as requested. After that deletion, the broker must send the FTC the number of individuals about whom it just deleted data.
  • Those brokers need not delete personal information retained as part of human subjects research, information necessary to comply with legal requirements (warrants, subpoenas, court orders, etc.), and information necessary for activity under (e)(3)(B).
  • The FTC has 18 months after the bill’s passage to promulgate regulations about a “suppression list.” This is a list of individuals who have submitted a deletion request and about whom a covered third-party broker could not collect information going forward without the individuals’ explicit consent. Brokers can retain information as part of the suppression list.
  • Covered brokers must submit an annual report on deletions and on suppression list effectiveness to the FTC. Within three years of the bill’s passage, and every three years after, each covered broker would have to undergo an independent, third-party audit on their compliance and submit an audit report to the FTC within six months.
  • Within three years of the law’s passage and every four years thereafter, the FTC would submit a report to the House Energy and Commerce Committee and the Senate Commerce, Science, and Transportation Committee on the legislation’s implementation and enforcement.

Failing to register or violating any other DELETE Act provision is explicitly defined under the bill as an unfair or deceptive act or practice, under Section 5 of the FTC Act. This would clearly place the FTC in charge of enforcing potential data broker violations of the bill.

How Do the Bills Stack Up?

Both the ADPPA and the DELETE Act would improve on the status quo with respect to data brokerage. Presently, there are some federal laws and regulations focused on some kinds of entities gathering and selling some kinds of data. The Health Insurance Portability and Accountability Act (HIPAA), for example, has strict requirements on hospitals, health care institutions, and other covered entities’ ability to share personal health information. However, many gaps remain. Numerous apps, websites, social media companies, data brokers, and other entities that are neither HIPAA-covered entities nor have business relationships with covered entities are legally free to collect and sell Americans’ health information. The proliferation of meditation, telehealth, and other apps and virtual services during the coronavirus pandemic has exacerbated this set of privacy risks. In other areas, there is virtually no regulation of data brokerage, such as with apps gathering and selling Americans’ geolocation data. Imposing more requirements on data brokerage than already exist would be an important step to reducing the harms to consumers.

At least one place where the DELETE Act could be improved by incorporating an ADPPA provision is the timeline for processing data deletion requests. Under the ADPPA, covered entities must comply with deletion requests within 30 days of receipt, and under the DELETE Act, covered brokers must comply within 31 days of accessing a request. These provisions are almost identical. However, the ADPPA seems to suggest that data brokers would receive deletion requests immediately. It is not stated explicitly but seems implied that once the FTC opt-out system receives a request, it forwards it right away to covered brokers. The DELETE Act, by contrast, says brokers must query the hashed delete-my-data requests only once every 31 days. This is a significant difference. A consumer could file a DELETE Act request with the FTC, and a broker could continue to sell that individual’s data for another 62 days—the first 31 without even accessing the deletion request filed with the FTC, and the next 31 taking the maximum permitted time to comply. It is realistic that companies need time to delete an individual’s data once a request comes in (that is, the second, 31-day half of that window). But if the FTC is going to build a centralized opt-out system for data brokers, it is unclear why it would not forward the request immediately to brokers or require brokers to query the system daily. The DELETE Act could improve by maximizing a consumer’s ability to opt out of the sale of their data as soon as possible.

Conversely, the ADPPA should adopt the DELETE Act’s approach to non-registration and non-notice penalties. The latest version of the ADPPA had small fines and a relatively low penalty limit ($10,000 maximum per year) for third-party collecting entities that fail to register with the FTC and provide required notice to consumers. In that scenario, data brokers making millions or billions of dollars each year will not be sufficiently incentivized to comply. One path forward could be increasing the non-registration and non-notice penalties for companies over a certain size. But that would leave in place the low ceiling on monetary penalties. The staff working on a possible reintroduction of the ADPPA could thus draw on the DELETE Act: Forgo an explicit monetary limit on penalties and leave it up to the FTC under its Section 5, unfair or deceptive acts or practices authority. This would provide the legislation with clear enforcement teeth.

The ADPPA could also consider the DELETE Act’s use of a hashing system, managed by the FTC, to process data deletion requests. The resulting system and process is more complex and would require more resources to configure and manage. But it could reduce the amount of consumers’ data provided to brokers in the process of those people opting out of data collection. One caveat: a hash of a short, structured identifier such as a phone number can be reversed simply by hashing every possible number and comparing, so the privacy benefit depends on implementation details the bill leaves to FTC rulemaking, such as whether the hash is keyed with a secret the brokers do not hold and whether brokers learn anything beyond which of their own records matched.
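The hashed opt-out flow described in the DELETE Act section above, together with the caveat just raised, as an added example. This is toy code written for this page; it is not from either bill, the FTC, or the article’s author. It assumes SHA-256 over normalized, type-prefixed identifiers, U.S. phone numbers, and a query interface that tells a broker only which of its own hashes matched; none of that is specified in the bill. The last function demonstrates the caveat: an unkeyed hash of a phone number is recovered by enumeration.

```python
"""Toy model of a hashed opt-out registry (illustration only, not the bill's design)."""
import hashlib
import re
from typing import Dict, Iterable, List, Optional, Set


def normalize_email(email: str) -> str:
    """Lower-case and trim so 'Alice@Example.com ' and 'alice@example.com' hash alike."""
    return email.strip().lower()


def normalize_phone(phone: str) -> str:
    """Keep digits only; a bare 10-digit number is assumed to be a U.S. number (toy assumption)."""
    digits = re.sub(r"\D", "", phone)
    return "1" + digits if len(digits) == 10 else digits


def hash_identifier(kind: str, value: str) -> str:
    """SHA-256 over a type-prefixed, normalized identifier (algorithm is an assumption;
    the bill leaves it to FTC rulemaking). The prefix keeps email and phone hashes apart."""
    norm = normalize_email(value) if kind == "email" else normalize_phone(value)
    return hashlib.sha256(f"{kind}:{norm}".encode()).hexdigest()


class FtcRegistry:
    """FTC side: retains only the hashes of the identifiers a consumer submits."""

    def __init__(self) -> None:
        self.hashes: Set[str] = set()

    def submit_deletion_request(self, email: str, phone: str) -> None:
        self.hashes.add(hash_identifier("email", email))
        self.hashes.add(hash_identifier("phone", phone))

    def query(self, hashed: Iterable[str]) -> Set[str]:
        """A broker submits hashes of its own records and learns only which ones match."""
        return {h for h in hashed if h in self.hashes}


class Broker:
    """Broker side: polls the registry, deletes matches, keeps matched hashes on a suppression list."""

    def __init__(self, records: List[Dict[str, str]]) -> None:
        self.records = records
        self.suppression: Set[str] = set()

    def poll_and_delete(self, registry: FtcRegistry) -> int:
        index: Dict[str, Set[int]] = {}
        for i, rec in enumerate(self.records):
            for kind in ("email", "phone"):
                index.setdefault(hash_identifier(kind, rec[kind]), set()).add(i)
        matched = registry.query(index)
        self.suppression |= matched
        doomed: Set[int] = set()
        for h in matched:
            doomed |= index[h]
        self.records = [r for i, r in enumerate(self.records) if i not in doomed]
        return len(doomed)  # the count the bill has brokers report back to the FTC

    def may_ingest(self, email: str, phone: str) -> bool:
        """Suppression-list check before collecting a new record about someone."""
        probes = {hash_identifier("email", email), hash_identifier("phone", phone)}
        return not (probes & self.suppression)


def recover_phone_by_enumeration(target_hash: str, area_code: str, exchange: str) -> Optional[str]:
    """Caveat: an unkeyed hash of a phone number is reversible by trying every input.
    Only the 10,000 line numbers of one area code and exchange are searched here."""
    for line in range(10_000):
        candidate = f"{area_code}{exchange}{line:04d}"
        if hash_identifier("phone", candidate) == target_hash:
            return candidate
    return None


def run_demo() -> Dict[str, object]:
    """Constructed sample data: one consumer opts out; a broker holds two records."""
    registry = FtcRegistry()
    registry.submit_deletion_request("Alice@Example.com ", "(202) 555-0143")
    broker = Broker([
        {"email": "alice@example.com", "phone": "+1 202-555-0143"},
        {"email": "bob@example.com", "phone": "+1 202-555-0199"},
    ])
    deleted = broker.poll_and_delete(registry)
    return {
        "deleted": deleted,
        "remaining_emails": [r["email"] for r in broker.records],
        "alice_blocked": not broker.may_ingest("ALICE@example.com", "202.555.0143"),
        "recovered_phone": recover_phone_by_enumeration(
            hash_identifier("phone", "(202) 555-0143"), "202", "555"),
    }


if __name__ == "__main__":
    print(run_demo())
```

Normalization is the part that actually decides whether a consumer’s request reaches a broker: if the FTC hashes “(202) 555-0143” and the broker hashes “+1 202-555-0143” under different rules, the hashes never match and nothing is deleted, so the rules would have to be fixed by the FTC and applied identically on both sides. The enumeration function shows why the hash alone is weak protection for a phone number; a keyed hash whose key stays with the FTC would close that gap, at the cost of brokers having to send their queries through the FTC rather than hashing locally.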

A weakness shared by both bills, in the scheme of the broader data brokerage ecosystem, is focusing data broker controls on third parties. As I have written repeatedly, the multibillion-dollar industry of companies gathering and selling data on Americans includes both first-party collectors and third-party collectors. There is indeed an important distinction between them. Consumers interacting directly with a company (the first-party category) at least know that the company exists; that is often not the case with companies, including data brokers, that do not directly interact with consumers (the third-party category). But both kinds of entities are involved in brokering access to consumers’ data, and regulation of data brokerage should target both. The FTC did not confine its focus to third-party data brokers in its landmark 2014 report, writing that data brokers are “companies that collect consumers’ personal information and resell or share that information with others.” Then-FTC Commissioner Julie Brill remarked in her supporting statement on the report: “Creating appropriate levels of accountability requires addressing data flows both ‘upstream’ (from data suppliers to data brokers) and ‘downstream’ (from data brokers to users of their products).”

The Consumer Financial Protection Bureau (CFPB) made a similar comment in its open Request for Information Regarding Data Brokers and Other Business Practices Involving the Collection and Sale of Consumer Information. It stated explicitly that “data brokers encompass actors such as first-party data brokers that interact with consumers directly, as well as third-party data brokers with whom the consumer does not have a direct relationship.” This broader definition matters, because many first-party collectors share or sell data about their own users and customers. Health and location data sold by brokers, for example, often come from first parties. The FTC’s 2021 finalized order with Flo Health, a period and ovulation tracking app that shared users’ health data, and its 2023 enforcement action against GoodRx, the prescription drug provider and telehealth company that also shared its customers’ health conditions, underscore this point. Legislation that would control some third-party data brokerage is an important step, but the issue of first-party collectors selling their own customers’ and users’ data deserves special attention. 

Nonetheless, the ADPPA’s comprehensive approach to consumer privacy is much needed and would take some important steps to reduce the harms caused by the data brokerage ecosystem. It still requires consumers to opt out of the collection of their data—rather than excluding consumers from the sale of their data by default—but the United States has a policy fixation on opt-out regimes in which consumers are enrolled unless they act. Such a disposition may be unlikely to change soon. The DELETE Act may have less of a chance of passage than something more comprehensive, but it remains to be seen. A more narrowly targeted bill could in general have a better chance of passage, although Congress has shied away from passing bills targeted at specific privacy issues in favor of continuing to deliberate a comprehensive framework. Regardless, the DELETE Act still holds important lessons for the ADPPA’s supporters, particularly as they work on a possible reintroduction of the larger bill.


Justin Sherman is a contributing editor at Lawfare. He is also the founder and CEO of Global Cyber Strategies, a Washington, DC-based research and advisory firm; a senior fellow at Duke University’s Sanford School of Public Policy, where he runs its research project on data brokerage; and a nonresident fellow at the Atlantic Council.
