The data brokers who’ve made fortunes from collecting and sharing millions of people’s personal information tend to fly under the radar. Names like LiveRamp or RELX might not be familiar to most Americans, but they’re making themselves known on Capitol Hill. Collectively, data broker spending on lobbying in 2020 rivaled the spending of individual Big Tech firms like Facebook and Google.
The Markup searched lobbying disclosures in the U.S. Senate’s Lobbying Disclosure Act database and the watchdog Center for Responsive Politics’ tool OpenSecrets for the names of companies that registered as data brokers in Vermont or California. Those states are the only two that require companies to annually disclose that they collect, sell, or share people’s personal information without having a direct relationship to them.
All in all, we found 25 companies whose combined spending on federal lobbying totaled $29 million in 2020.
Many of the top spenders were not pure data brokers but companies that nonetheless have massive data operations. Oracle, which has spent the past decade acquiring companies that collect data, spent the most by far, with disclosure documents showing $9,570,000 spent on federal lobbying.
Oracle has its own data collection arm but has also built its portfolio by buying up companies like DataRaker, Compendium, and Crosswise. The companies, which were acquired in 2012, 2013, and 2016, respectively, take data from a variety of sources. DataRaker gets data from millions of smart meters and sensors for utilities companies, while Compendium delivers targeted ads. Crosswise allows Oracle to track people across devices, claiming to process data from billions of devices every month. Oracle also acquired Datalogix, in 2014, which connected offline purchases to online profiles.
Additionally, Oracle combines datasets from more than 75 other data brokers, which it calls “the world’s largest collection of third-party data.”
Our report comes as the data broker industry is not only growing but also facing scrutiny for the first time. California recently passed a statewide privacy law that establishes an agency focused on regulating data privacy issues. Virginia and Maine have also passed regulations to protect people’s online information.
California’s and Virginia’s privacy laws hit at the core of what data brokers do by requiring companies to delete data collected about people upon request and allowing people to prevent their personal information from being used for targeted advertising. Maine’s privacy law prevents internet service providers from sharing personal information with data brokers until people give “express, affirmative consent.”
And the past year also saw concerns raised about how well these brokers protect their massive troves of data—Oracle, for instance, suffered a data breach after security researchers found billions of records from its BlueKai data collection were left exposed on a server.
The Markup contacted all 25 companies for comment on their lobbying activities. Several companies, like Inmar Intelligence and LiveRamp, denied being data brokers, though they had self-identified as such to California and/or Vermont regulators.
“Inmar Intelligence does not generally consider itself a data broker though one of our entities, Inmar-OIQ, LLC, is registered as such in a couple of states,” Holly Pavlika, a corporate marketing senior vice president for Inmar Intelligence, said.
The industry itself is hard to define—many companies, including tech giants, make money off of personal data, though the technical details of how they use that data vary. So The Markup relied on companies that self-reported to Vermont and California as members of the industry.
The list, 480 companies long, shows just how pervasive it has become for companies to traffic in personal information.
The list includes businesses that are primarily data brokers, like CoreLogic, which claims to have collected data on 99 percent of property and homeowners in the U.S. and spent $215,000 on lobbying in 2020; and Acxiom, which spent $360,000 on lobbying in 2020 for issues related to data security and privacy. Acxiom’s InfoBase boasts of datasets on more than 250 million people and collects information including location data, purchases, interests, life events, and behaviors, according to its marketing material.
Our list also includes credit monitoring services like TransUnion, Equifax, and Experian, which each spent about $1.4 million lobbying in 2020 on issues related to credit score reform, like the Protecting Your Credit Score Act of 2020, the Credit Access and Inclusion Act of 2019, and the Clarity in Credit Score Formation Act of 2019. TransUnion also owns subsidiaries like Callcredit, Iovation, and Signal, which has been used for collecting and profiling users for gambling apps, according to The New York Times.
Some registered data brokers also didn’t lobby specifically on privacy issues. Refinitiv, which collects data on people for its risk assessment tool, spent $120,000 lobbying on banking issues, the National Defense Authorization Act for Fiscal Year 2021, and cybersecurity legislation.
Notably, our tally also does not include lobbying by trade associations that data brokers are a part of, such as the Interactive Advertising Bureau and the Digital Advertising Alliance.
Oracle, the biggest spender, used lobbyists to advocate on issues like annual defense and intelligence budgets and “competition and antitrust in the mobile telecommunications and digital advertising industries,” according to public records. The company didn’t respond to requests for comment.
The second largest spender was Accenture—a technology and consulting company that boasts a marketing and analytics branch called Accenture Interactive. According to its marketing materials, the company can combine datasets from sources including people’s purchase history and location to help its clients build customer profiles for advertising. In 2020, the company spent $3,250,000 lobbying on issues like artificial intelligence, the Digital Dollar, and COVID-19 contact tracing, according to public records.
When The Markup reached out to Accenture, the company pointed us to two statements CEO Julie Sweet made on data privacy legislation in 2018. The statements called for a federal privacy law that would preempt state laws.
PricewaterhouseCoopers, a major accounting firm, spent $2,820,000 lobbying the federal government in 2020, third most among registered data brokers. PWC collects data from advertising networks and data analytics partners including personal information like names and addresses, which it uses to help clients personalize advertising campaigns, according to the company’s privacy statement. Spending went to monitoring privacy legislation and accounting and auditing issues. PWC didn’t respond to a request for comment.
Other big spenders included Deloitte, which was awarded a $106 million Department of Defense contract to build a development environment for the Joint Artificial Intelligence Center this summer. The company spent $2,400,000 on federal lobbying in 2020, including on bills like the Artificial Intelligence in Government Act and the Artificial Intelligence Initiative Act. Deloitte is an auditing and advisory company but provides services like PredictRisk, which uses information including people’s hobbies, interests, and financial data provided by data brokers to generate a health risk prediction score and help life insurance companies figure out how likely people are to buy their products.
And RELX, which spent $2,375,000 on federal lobbying in 2020, including on data privacy bills like the Data Accountability and Trust Act, the Information Transparency & Personal Data Control Act, and the Data Broker Accountability and Transparency Act; and on bills related to data privacy and COVID-19, including the Covid-19 Consumer Data Protection Act and the Exposure Notification Privacy Act. RELX is a major data broker that owns companies like LexisNexis and ThreatMetrix, which has customers in law enforcement, insurance, and financial services. ThreatMetrix alone boasts tracking on 4.5 billion devices, according to a statement from RELX in 2018. Deloitte and RELX didn’t respond to a request for comment.
An industry increasingly under fire
Some of the bills targeted by lobbyists would have regulated the data broker industry, though disclosures do not specify whether they lobbied for or against the bills.
The Data Accountability and Trust Act looked to establish security standards and require postbreach audits for data brokers and also prohibit collecting information under false pretenses. The Information Transparency & Personal Data Control Act would have required data brokers to get consent to collect sensitive data and go through an annual privacy audit. The Data Broker Accountability and Transparency Act of 2020 wanted to mandate opt-outs from data brokers and for the FTC to create a national list of data brokers.
While lobbying records don’t always list specific bills, filings show that RELX paid lobbyists to address all three bills. Deloitte records show that some of its lobbying efforts went toward addressing the Data Accountability and Trust Act.
Both COVID-19 data privacy bills looked to provide stronger controls over data related to contact tracing. None of the bills named in this story passed Congress, except for the National Defense Authorization Act, which was enacted.
Some of the companies that showed up in lobbying records faced other sorts of pressure during 2020. For instance, Apple and Google banned X-Mode’s trackers from their app stores last December following a series of reports from Motherboard on how the location data broker was providing information to contractors who passed that information to the U.S. military.
X-Mode spent $30,000 on lobbying in the last quarter of 2020, during the height of the public pressure. Both X-Mode and Venntel, another location data broker, which spent $160,000 on lobbying, are facing scrutiny from Congress over their location data sales.
Sen. Ron Wyden, a Democrat from Oregon who signed on to a letter calling for an investigation on Venntel, called the data broker industry “out of control,” in a statement to The Markup.
“Americans are learning more every day about the secretive and shady data broker industry and they’re demanding new laws to protect our privacy,” Wyden said in the email to The Markup. “It’s no surprise data brokers are trying every avenue they can think of to ward off the common sense protections Americans desperately need.”
X-Mode and Venntel didn’t respond to a request for comment.
Some companies said they were lobbying to have a voice on legislation, including potential federal laws on privacy.
“With increased momentum, attention and legislative activity in multiple states, we support a federal data privacy law that can rebalance the system and set standards that rebuild trust with the people providing the data—consumers,” Christine Travis, a senior communications director for LiveRamp, said in an email. “A federal approach to data privacy and security is better than a patchwork of state laws for all stakeholders.”
LiveRamp was the top lobbying spender among companies whose primary focus is collecting data for advertising purposes. The company, which connects people’s activity across the web and from offline purchases for advertisers, spent $630,000 on lobbying in 2020 on issues such as the Augmenting Compatibility and Competition by Enabling Service Switching (ACCESS) Act and Privacy Shield. Privacy Shield was a framework for transferring data between the European Union and the U.S. but was declared invalid last July for failing to meet the EU’s privacy regulations.
LiveRamp collects its datasets from a multitude of sources, including credit card transactions and location data, and connects it to people’s online profiles for advertisers. The company claims to have data on more than 250 million Americans.
Travis denied that LiveRamp is a data broker despite being listed on California’s data broker registry, insisting instead that the company is a “data connectivity platform.”
Experts said scrutiny and oversight are fairly new to the data broker industry.
“When somebody shows up on the lobbying records, or in meetings or in trade associations, it just tells me they’ve probably recently woken up to this issue and they see a real threat to their business model by privacy regulations,” Hayley Tsukayama, a legislative activist for the Electronic Frontier Foundation, said.
Others, however, said Congress is not doing nearly enough to regulate the unwieldy industry.
“What is widely understood now in Congress and among independent agencies like the FTC are the ways in which large tech companies like Facebook and Google are extracting data from consumers and using that to monopolize markets like the advertising industry,” Jane Chung, a Big Tech accountability advocate at the consumer advocacy group Public Citizen, said. “What a lot of people don’t understand is how data brokers fit into that ecosystem.”
This article by Alfred Ng and Maddy Varner was originally published on The Markup and was republished under the Creative Commons Attribution-NonCommercial-NoDerivatives license.