The 2024 NDAA, Data Brokers, and Members of Congress

Justin Sherman
Friday, August 11, 2023, 10:59 AM
Members of Congress want their information removed from data brokers’ databases—but not that of their constituents.

Published by The Lawfare Institute in Cooperation With Brookings

Editor’s Note: This article has been corrected to reflect the fact that the amendment being discussed failed to make it into either the House or Senate version of the National Defense Authorization Act for 2024.

As one of few bills that Congress can expect to pass every year, the National Defense Authorization Act (NDAA) is known for including a wide variety of provisions that, in some cases, have nothing to do with defense or the military. One amendment to this year’s NDAA, from Sens. Amy Klobuchar (D-Minn.) and Ted Cruz (R-Texas), sought to introduce some privacy protections for members of Congress, their families, and their staff from some data brokers and other businesses. It is clear that an intended target is people search data brokers, which are in the business of scraping websites and government records—such as property filings, voting registries, and marriage certificates—and then aggregating the data and posting it online for search and sale.

The amendment ultimately failed to make it into the NDAA. But it’s still significant because it arrived at a time when Congress has stalled in reintroducing a bipartisan, comprehensive consumer privacy package. It is also significant because it shows that legislators are attempting to introduce these privacy protections for themselves, their families, and their staff, but not their constituents.

This article unpacks the amendment—looking at its considerable gaps, such as in exempting many data brokers from coverage, as well as its potentially negative effects on press reporting and speech about members of Congress. Notwithstanding the many regulatory gaps and speech issues in the bill, it also takes a stab at a difficult, often untouched conversation around “publicly available information,” data brokers, and risks to individuals’ safety.

Data Brokers and Members of Congress

The amendment sought to limit the publication and sale of home addresses and other information about members of Congress, their families, and their staff. It would have attempted to do so by placing limits on what some third-party data brokers can sell and what some other businesses and associations can publish online. However, the amendment had considerable gaps, and potentially significant implications for journalism and speech about members of Congress.

The amendment afforded protections to “at-risk individuals.” It defined an “at-risk individual” as someone who is either a member of Congress; their spouse, parent, sibling, child, or anyone for whom a member stands in loco parentis (acts as a parent); anyone living with a member of Congress; and any employee of the House or Senate who is identified by the respective security head as “the target of an ongoing threat.”

One of the most obvious criticisms of the amendment stands out immediately: Members of Congress were attempting to protect themselves, their families, and their staff from data brokers and the public availability of their information. Notably not included in the list of “at-risk individuals” were the many women and other people who have been stalked, harassed, intimidated, assaulted, and even murdered over the past few decades because people search websites have sold their information to abusive individuals. The list also did not include other groups such as military service members or state judges that the U.S. government might deem important from a security perspective. (Federal judges can in some cases have their information removed from public websites and from some data brokers’ data sales under the Daniel Anderl Judicial Security and Privacy Act of 2022, which was passed in the 2023 NDAA after a misogynistic lawyer went to the home of New Jersey federal judge Esther Salas, shot her husband, and shot and killed her 20-year-old son. As discussed below, the protections implemented after this horrific attack have some considerable gaps.) These legislators’ constituents as a whole are not protected from the publication of their home address and other information online, and this amendment would not have changed that for those individuals.

The amendment then described several types of “covered information”:
(A) a home address, including a primary residence or secondary residences;

(B) a home or personal mobile telephone number;

(C) a personal email address;

(D) a social security number or driver's license number;

(E) a bank account or credit or debit card number;

(F) a license plate number or other unique identifier of a vehicle owned, leased, or regularly used by an at-risk individual;

(G) the identification of a child, who is under 18 years of age, of an at-risk individual;

(H) information regarding schedules of school or day care attendance or routes taken to or from the school or day care by an at-risk individual;

(I) information regarding routes taken to or from an employment location by an at-risk individual; or

(J) precise geolocation data that is not anonymized and can identify the location of a device of an at-risk individual.

This home address, contact information, geolocation, and other data is of the kind regularly gathered and sold by data brokers.

A “data broker” was defined by the amendment as

a commercial entity engaged in collecting, assembling, or maintaining personal information concerning an individual who is not a customer, client, or an employee of that entity in order to sell the information or otherwise profit from providing third-party access to the information.

It excluded from this definition consumer reporting agencies covered under the Fair Credit Reporting Act (FCRA) (15 U.S.C. § 1681 et seq.), financial institutions subject to the Gramm-Leach-Bliley Act (15 U.S.C. § 6801 et seq.), and entities covered by the Health Insurance Portability and Accountability Act (HIPAA) (Public Law 104-191). These are fairly standard exclusions in privacy bills, designed to avoid conflicts with existing laws and regulations. In a data broker context, however, these exclusions undermine the legislation’s intended goal. Some of the people search websites that members of Congress are seemingly worried about—data brokers that might scrape public records, aggregate them, and then post members’ addresses online for search and sale—are covered under the FCRA. For instance, the people search website Spokeo paid an $800,000 fine to the Federal Trade Commission (FTC) in 2012 for operating as a consumer reporting agency and violating FCRA’s protections for consumers. Among other things, the FTC noted that Spokeo sold data about people to human resources, background screening, and recruiting companies; then, when Spokeo changed its terms of service in 2010 to say that it was not a consumer reporting agency, it failed to ensure that existing users were not using its brokered data for FCRA-covered purposes. The FTC’s Tony Rodriguez and Jessica Lyon put it simply in January 2013 (referring to another FCRA case): “Just saying you’re not a consumer reporting agency isn’t enough.” While some FCRA-covered entities (like the consumer reporting agency TransUnion) are not in the business of publishing individuals’ home addresses online, people search websites and “background check” data brokers can be covered under the FCRA. If Sens. Klobuchar and Cruz want to comprehensively protect their information, such as home addresses, from publication and sale online, exempting FCRA-covered entities creates a considerable gap. (The aforementioned Daniel Anderl Judicial Security and Privacy Act also exempts consumer reporting agencies under FCRA from its provisions.)

The amendment also excluded from the “data broker” definition companies engaged in “reporting, news-gathering, speaking,” and other activities intended to inform the public on matters of concern; providing 411 directory services; using personal information internally, including by “selling or providing data for a transaction or service requested by or concerning the individual whose personal information is being transferred”; and “providing publicly available information via real-time or near-real-time alert services for health and safety purposes.” These last several exclusions raise more questions. For example, many data brokers sell individuals’ information for a transaction “concerning” that individual, but that does not mean the individual is fully informed about the existence and extent of that data-sharing. If a company buys data from a third-party data broker to verify the identity of someone creating an account, or if a prospective employer buys information about job applicants from a third-party data broker to inform a hiring decision, the data in both cases “concerns” an individual who may not necessarily be aware of what is happening. Again, the legislators are clearly concerned about cases in which data brokers publicly publish their information, but they created a number of potential gaps in the legislation.

The provision then imposed restrictions on government agencies and, separately, on data brokers and other businesses. First, on government agencies:

  • At-risk individuals could notify executive agencies (defined in 5 U.S.C. § 105) and “any agency in the judicial branch of legislative branch” of their “at-risk individual” status and have the agencies mark covered information about them as private. The agencies would then have been prohibited from publicly posting covered information about an at-risk individual.
  • After receiving notification that an individual is “at-risk,” covered agencies had to remove that person’s covered information from public posting within 72 hours.
  • The rules did not apply to agencies providing covered information to a third party when there was a court order, a signed release from the individual, or a confidentiality agreement with the third party, or when the Gramm-Leach-Bliley Act applied.
  • Members of Congress’s staff (“legislative officers”) could provide agencies, data brokers, persons, businesses, or associations with a list of members and their immediate family, and that list would have constituted notice under the amendment.

Second, the provision made it illegal for a “data broker” to “knowingly sell, license, trade for consideration, or purchase covered information of an at-risk individual.” Again, recalling the discussion above, this would not have included (among others) any first-party collector of data selling data about their own customers—to include mobile apps selling their own users’ geolocation data—or any data broker covered by the FCRA. Additionally, it stated that “no person, business, or association shall publicly post or publicly display on the internet the covered information of an at-risk individual” if they or their immediate family member had requested that said information not be disclosed.

This would have created implications for online speech and journalistic investigations of members of Congress, their families, and their staff. The definition of “data broker,” as mentioned, explicitly excluded commercial entities engaged in reporting, news-gathering, speaking, or informing the public on matters of concern. The restrictions on persons, businesses, and associations posting information explicitly did not apply if an at-risk individual voluntarily published the covered information online, if the covered information was provided by a federal government source, or “if the information [wa]s relevant to and displayed as part of a news story, commentary, editorial, or other speech as a matter of concern.” Redress provisions in the bill—allowing at-risk individuals to bring legal action if their covered information is made public in violation of the bill—stated that the legislation should not have been construed to prohibit, restrain, or limit (among others) the “lawful investigation or reporting by the press of any unlawful activity or misconduct alleged to have been committed by an at-risk individual” or “the reporting on an at-risk individual regarding matters of public concern.” Yet, simultaneously, the text stated that the bill “shall be broadly construed to favor the protection of the covered information of at-risk individuals.”

Fifty-four organizations—including the ACLU, National Newspaper Association, Freedom of the Press Foundation, and PEN America—raised concerns about these speech implications in an open letter. In particular, the organizations cited risks associated with the ambiguity around this language (including the “broadly construed” phrase) and the numerous ways the “matters of public concern” language could be interpreted. They argued that “the predictable result will be that virtually anybody who participates in congressional oversight or related public debates will face enormous incentives to sideline themselves,” adding that

For individuals, community newspapers, and non-profit organizations, even the threat of a lawsuit, let alone the penalties or sanctions potentially imposed during litigation and the attorneys’ fees, could be ruinous and enough for them to simply disengage.

It is certainly possible that elected officials could weaponize the ambiguity around the language in the bill to harm press reporting or other speech, if it were enacted into law.

What Next?

Despite its failure, this bipartisan amendment is significant for several reasons. While the amendment will not appear in this year’s NDAA, it may yet be revived in relation to future legislation. Notably, members of Congress have yet to reintroduce an updated version of the American Data Privacy and Protection Act, the comprehensive privacy bill from the last Congress, that could include these kinds of data broker-focused regulations rather than sticking them in the NDAA, as with this amendment.

Further, within the sphere of data brokers, state consumer privacy laws across the country have not limited the availability of government-records-derived information on people search websites. This is because the emerging state consumer privacy laws completely exempt government records from any kind of data broker regulation. For example, the oft-cited California Consumer Privacy Act (and its amendments) explicitly excludes “publicly available information”—including information from federal, state, or local government records—from inclusion under its “personal information” definition. Similar language is found in other state privacy bills. These exempted public records, in turn, are one major source of data for people search data brokers, which aggregate information from property filings, voter registries, marriage certificates, court documents, and many other government records to build and sell profiles on individuals. Given that many state-level bills have not touched this question of public records and risks to individuals’ safety, Congress’s attempt to take this on—even with the gaps in the amendment’s stated objective—is noteworthy.

All told, this legislation simultaneously attempted to tackle a small slice of an important, often untouched issue associated with data brokers and risks to individuals’ safety; sought to provide privacy protections to members of Congress but not to any of their constituents, including survivors of gendered violence; and, ultimately, failed to robustly control for the very risks about which members appear concerned. Broadly exempting FCRA-covered entities meant that many people search websites would not have been covered under the bill. Excluding first-party collectors that sell customers’ and users’ data meant that mobile apps could have continued selling the location data of “at-risk individuals” to data brokers, as long as they did not publicly publish the information on their websites. These gaps, especially with people search websites, undermined the stated objective of mitigating risks to members of Congress’s safety. (And in doing so, the bill would have created risks vis-a-vis reporting and speech about members.)

At the same time, people search data brokers have enabled stalking and gendered violence for over 30 years by scraping public records and websites and then selling the data to abusive individuals. There are risks to elected officials, too. Sen. Klobuchar stated in response to the criticism: “This is for, solely for, private information that allows deranged people to show up and basically hit the speaker of the House’s husband over the head with a hammer[.] … I would think that there’s a lot of reporting going on, that isn’t going to be affected by putting addresses [that] aren’t on the internet.” The notion that all information that is available in government records should be allowed to be aggregated, linked to individual profiles, and published online for search and sale incorrectly suggests that the process of digitization, aggregation, and publication does not introduce an enhanced risk to individuals. It does. Yet this perspective that people search websites make little or no difference persists; even in the aforementioned letter opposing this amendment, the numerous advocacy groups—alongside other, important points about investigative journalism and government oversight—wrote that:

These damaging outcomes must also be weighed against the fact that Members of Congress, like all Americans, are already protected by a variety of criminal statutes and civil remedies against conduct such as stalking and assault, which make much of the legislation superfluous.

Putting aside the groups’ relevant concerns about speech and holding elected officials accountable, the notion that the criminalization of stalking makes the publication of home addresses online “superfluous” is contradicted by decades’ worth of gendered violence associated with the aggregation and publication of that very information. Selling a person’s address and other data online for just a few dollars, on a website that anyone can publicly access and search, enhances risks to individuals’ safety.

This legislation had many problematic implications and considerable gaps. It would simultaneously be worthwhile for elected officials, privacy advocates, and others to have a more nuanced conversation about “publicly available information” carve-outs in state privacy laws, the importance of protecting press reporting and speech about elected officials, and how to better protect individuals’ safety from stalking and violence. That conversation could fit well into a debate about privacy protections for all Americans, especially vulnerable ones—not just for elected officials, their families, and their employees.


Justin Sherman is a contributing editor at Lawfare. He is also the founder and CEO of Global Cyber Strategies, a Washington, DC-based research and advisory firm; a senior fellow at Duke University’s Sanford School of Public Policy, where he runs its research project on data brokerage; and a nonresident fellow at the Atlantic Council.