Well let's see if Lina Khan's FTC actually has teeth and whether the federal government can start to fix some of the Privacy and Data Rights and Antitrust stuff.
Some folks in Congress are trying to get the FTC to create a "do not call"-style registry empowered to insert itself as a bottleneck in any data broker activity by creating a database of hashed PII attributes which these companies would be required to query before data processing activities, or risk being charged with "unfair or deceptive business practices".
It is a simple, elegant solution that "only" relies on the federal government being able to fund and operate a service at web scale and not fuck up storing hashed identifiers… i am … pessimistic, cautiously pessimistic? in general i am pessimistic on Lina Khan's FTC being able to act on the goals she's laid out (in e.g. Lina Khan's 2021 published memo to her staff) even if it is ideologically quite in line with the sort of governance i am interested in seeing.
The summary on govtrack is … not so clear on how it would work in practice, but the bill lays out a set of system requirements which let us envision how this centralized "do not track" registry would function. This bill is interesting in that it puts the FTC in the position of being the bottleneck for the entire Data Broker ecosystem by operating a service which is funded by an indirect tax on the data brokers, who would be required to "subscribe" to this system:
- Requiring all "data brokers" to register with the FTC and pay a fee to subscribe to
- A database of hashed personal identity attributes submitted by individuals
- A form for individuals to submit those attributes, to be included in the database for 2 years
- Data brokers would be required to consult this database for all data ingestion and processing. That is to say, when they get a piece of [meta]data which contains a PII identifier they would hash the identifier in the same way that the FTC has, and query the database to see if there is a match.
- The FTC would not be storing the PII itself, nor would they be providing a copy of un-hashed identifiers to these brokers
- Data brokers would be required to subscribe to this database, self-report on its use, and failure to do so would open them up to FTC "unfair or deceptive business practice" enforcement.
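The hash-and-query flow in the list above, sketched as an added example (not code from the bill or the FTC). The keyed hash (HMAC-SHA-256 with a key issued to subscribers), the normalisation rules and every name below are assumptions, since the bill summary discussed here does not specify them.

```python
import hashlib
import hmac
import re
from datetime import datetime, timedelta, timezone

REGISTRY_KEY = b"constructed-demo-key"  # assumption: key issued to subscribers
RETENTION = timedelta(days=730)         # entries are kept for 2 years

def normalize(kind, value):
    """Canonicalise so both sides hash identical bytes (rules are assumed)."""
    value = value.strip()
    if kind == "email":
        return value.lower()
    if kind == "phone":
        return re.sub(r"\D", "", value)[-10:]  # assumes 10-digit US numbers
    raise ValueError(f"unsupported attribute kind: {kind}")

def digest(kind, value):
    msg = f"{kind}:{normalize(kind, value)}".encode()
    return hmac.new(REGISTRY_KEY, msg, hashlib.sha256).hexdigest()

class Registry:
    """Registry side: maps digest -> expiry and never holds the raw value."""
    def __init__(self):
        self.entries = {}

    def submit(self, kind, value, now):
        self.entries[digest(kind, value)] = now + RETENTION

    def is_listed(self, attr_digest, now):
        expiry = self.entries.get(attr_digest)
        return expiry is not None and now < expiry

def broker_filter(records, registry, now):
    """Broker side: drop every record carrying a listed identifier."""
    return [r for r in records
            if not any(registry.is_listed(digest(k, v), now) for k, v in r["ids"])]

# Constructed sample data: one consumer opts out by phone number only.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
RECORDS = [
    {"name": "rec-1", "ids": [("email", " Alice@Example.org "),
                              ("phone", "+1 (555) 010-0001")]},
    {"name": "rec-2", "ids": [("email", "bob@example.org")]},
]

if __name__ == "__main__":
    reg = Registry()
    reg.submit("phone", "555-010-0001", NOW)
    print([r["name"] for r in broker_filter(RECORDS, reg, NOW)])
```

The normalisation step is where a scheme like this fails quietly: a broker that hashes `+1 (555) 010-0001` without canonicalising it never matches the consumer's entry, and the record is processed anyway.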
The questions I end up with are simple: Can the FTC operate a system like this at "web scale"? Is there appetite for enforcement action which would make this bill valuable? Will it get out of the gridlocked legislature? How will post-hoc deletion of already collected/processed/etc data be curtailed in this system? Can it be? It's easier to stop processing early than delete data which has already been processed…
California passed a DELETE Act
This bill would require the agency to establish, by January 1, 2026, an accessible deletion mechanism that, among other things, allows a consumer, through a single verifiable consumer request, to request that every data broker that maintains any personal information delete any personal information related to that consumer held by the data broker or associated service provider or contractor. The bill would specify requirements for this accessible deletion mechanism, and would, beginning August 1, 2026, require a data broker to access the mechanism at least once every 45 days and, among other things, process all deletion requests, except as specified. Beginning August 1, 2026, after a consumer has submitted a deletion request and a data broker has deleted the consumer’s data pursuant to the bill’s provisions, the bill would require the data broker to delete all personal information of the consumer at least once every 45 days, as specified, and would prohibit the data broker from selling or sharing new personal information of the consumer, as specified. The bill would, beginning January 1, 2028, and every 3 years thereafter, require a data broker to undergo an audit by an independent third party to determine compliance with these provisions and would require the data broker to submit an audit report to the agency upon the agency’s written request, as specified. The bill would authorize the agency to charge a fee to data brokers for accessing the accessible deletion mechanism, as specified.
This bill would provide that a data broker that fails to comply with the requirements pertaining to the accessible deletion mechanism described above is liable for civil penalties, administrative fines, fees, and costs, as specified, and would raise the amount of the existing civil penalty provisions described above. The bill would require that moneys collected or received by the agency and the Department of Justice under these provisions be deposited in the Data Brokers’ Registry Fund, which the bill would require to be administered by the agency, instead of the Consumer Privacy Fund and would expand the specified uses of moneys in the Data Brokers’ Registry Fund to include the costs incurred by the state courts and the agency in connection with enforcing these provisions and the costs of establishing, maintaining, and providing access to the accessible deletion mechanism described above.
California passed a version of the Federal DELETE Act, and that could be fun. Data Rights Protocol overlaps abound.