Violence Against Minnesota Lawmakers Could Prompt State Regulation, Registry of Data Brokers
Some state lawmakers are looking to pass legislation regulating the data broker industry in the wake of the shooting deaths last month of former Minnesota House Speaker Melissa Hortman (D) and her husband and the attempted killing of John Hoffman (D), a Minnesota senator, and his wife.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
The legislators are looking to New Jersey’s Daniel’s Law, whose goal is to protect the privacy of certain public officials, principally those who work in and around courts, as an example to follow. Last month's violence in the homes of Minnesota lawmakers is prompting legislators to consider expanding coverage of Daniel's Law-type measures.
Daniel’s Law was established after a litigant targeted a federal judge, obtaining the judge's personal information from data-broker sources. Intending to assassinate the justice at her residence, the litigant instead killed the judge's son, Daniel, and wounded her husband.
Even before the tragedy in Minnesota, Vermont state Rep. Monique Priestley (D) was considering a measure similar to Daniel's Law (see 2503110077). The legislation, H-342, was ultimately held back and is expected to be raised during next year’s session (see 2505010013).
“Rather than risk having weak bills passed, we paused to take the summer to further … do on-the-ground education with constituents, but also in-the-building education,” Priestly said in an interview with Privacy Daily.
Especially after Minnesota, “I've gotten not only my colleagues asking about us adjusting [or] amending what's currently on the wall, but also people from all across the country asking for … more or less a model to copy what I've got right now, so that they can do their own versions,” she said.
To facilitate this, Priestley plans on hosting information sessions about data brokers where legislators can learn about the industry, its issues and potential regulation. “Only four [states] have passed data-broker registry legislation, so some states have to start there,” she said.
For example, Maryland, one of the more aggressive states on privacy, lacks a data-broker registry. Maryland Sen. Katie Fry Hester (D) told us she recognized that her state must start small and eventually build a sophisticated privacy framework. “I don't see why every single person shouldn't have some level of protection,” she said. “What I've seen work well in Maryland is you pass [legislation] for one thing, and then you expand it” later.
Priestley's hope is that information sessions can help educate lawmakers from other states and inspire them to introduce legislation similar to H-342, the bill she introduced this past session based on Daniel's Law (see 2503110077).
Fry Hester liked Priestley’s proposed legislation because “it's one of the boldest ones we've seen, and it doesn't just acknowledge the harm that data brokers can cause, it offers real tools for people to protect themselves."
For example, the Maryland senator said she liked that the Vermont bill would establish a one-stop deletion website where an individual can make a single request to have their personal information deleted from all data brokers. And it would require brokers to disclose if they have highly sensitive information, such as geolocation or reproductive data, she said.
Don Marti, vice president of ecosystem innovation at media company Raptive, thinks that type of statute is a necessary change from a typical privacy law. “What's really encouraging about the Daniel's Law approach is that instead of starting from kind of a vague idea of privacy, you start with a specific kind of threat and work backward to try to address some of the practices that enable it,” he said.
Expanding the Scope of Coverage
At the end of June, Wisconsin passed a bill amending a law protecting judges' privacy, and a New Jersey legislator floated legislation that would expand Daniel’s Law to prohibit disclosure of state legislators’ personal information (see 2506250019).
Even before the shootings in Minnesota, Priestley received questions about why legislators' information wasn’t covered in her bill. “I said we could,” with the caveat that “in other states that stopped bills from moving forward,” she said.
“The hard part about including legislators in [the bill, written] by the legislature is obviously the pushback from the public. ‘Why are you protecting yourselves without protecting other people and … not prioritizing the general public?’”
But Priestley said she introduced the bill in part “because I figured it would push the conversation about who deserves privacy. And that's what happened.”
Marti added that expanding the scope of a Daniel’s Law-type statute could help advance security discussions. “A lot of the state privacy laws are a little bit retro in how they focus on data brokers and not so much [on] social media platforms,” he said. “We had a peak data broker era that is now kind of winding up as a lot of that information sort of disappears behind the firewall of big social media and platform companies.”
The scope of Priestley's bill broadened quite a bit from when she introduced it, the Vermont legislator said. In addition to the persons covered under New Jersey’s statute -- active and retired judges, law enforcement and prosecutors -- Vermont’s version also includes victims’ advocates, mental health crisis workers and employees of the Vermont Human Rights commission, to name a few.
Letting Individuals Sue
“A private right of action is really important” to have in a Daniel's Law-type of measure, Fry Hester said. “If people get harmed, you can't always wait for the state to open up a lawsuit,” so “sometimes it's better to have that private right of action.”
Though some privacy lawyers say the 2023 amendment to Daniel's Law that allowed third parties to bring suits on behalf of covered persons has led to an abuse of the statute (see 2503120025), Priestley said “the frivolous lawsuits [argument] is a red herring in a lot of ways.”
“In general, private right of action is the only way to make industry change what they're doing,” she said.
Aside from the controversy of including a private right of action in this type of statute (see 2504160040), opponents of the law are finding other alleged issues with Daniel's Law. In New Jersey, a case in front of the 3rd U.S. Circuit Court of Appeals is considering the constitutionality of the statute (see 2504040031). Separately, on June 17, the New Jersey Supreme Court upheld Daniel’s Law, rejecting a journalist’s First Amendment challenge against it protecting certain public officials' personal information (see 2506180038).
The 3rd Circuit held a hearing Tuesday in a separate Daniel's Law case brought by a consolidated group of data brokers, real estate firms, marketing businesses and other companies. Two of the data brokers in that case, We Inform and People Searchers, didn't respond to a request for comment.
Another issue lawmakers are grappling with includes mixing regulation with revenue. For instance, Fry Hester is interested in a potential tax on data brokers. “Two things for me kind of converge,” the senator said. “The fact that these data-broker companies are making a ton of money off of harvesting and reselling people's data, [where] we're not really getting any value from it,” and “at the same time, we have to enforce the laws around data privacy and around … kids’ online safety, and we don't have a funding source.”
She also said “it would be really interesting to have a third-party audit of data-broker practices so that we have an independent assessment of what they are doing and what they are selling.”
If you boil it down, “it's the transparency” that we need, Fry Hester said. “There has to be that registry with the state, and there has to be [a] private right of action, and there should be penalties for people to break it, and then we need that enforcement piece.”
Fry Hester believes the average citizen cares "about their data, and they don't want to be profiled,” she said. “They don't want their data to be used in decisions where humans aren't involved, and they certainly don't want to be on a hit list.” She noted that privacy is at the intersection of other crucial issues as well. “When I think about the data privacy space, it's not just a tech issue,” she said. “It's about public safety, it's about democracy, it's about consumer protection.”
Marti agreed. “We're starting to see more of a constructive approach to state privacy laws, where legislators are taking a look at real concerns -- like the national security concerns around user tracking -- and trying to make laws that better address those real harms,” instead of “the ‘Well let's dump a bunch of compliance paperwork on small legit companies’ era of privacy.'”
The demise of a 10-year moratorium on state AI regulation enforcement in the U.S. Congress' reconciliation bill (see 2507010070) shows how privacy is a major area of agreement, Fry Hester argued. “What's interesting is that when you look at who opposed it, it was across party lines, across state lines, and across sectors,” she said. “Everybody cares about this stuff.”
However, “until we have comprehensive federal privacy legislation," the Maryland senator added, "it's up to the states to do this."
Priestley is similarly eager to continue to push for protective legislation. “The data-broker industry is out of control and profiting off of people's data in ways that puts everyone at risk,” she said. “I look forward to regulating them.”