The Privacy Paradox – Part 2

By Timothy Page

Continued from Part 1…

The Major Players in America’s Surveillance Economy

The data broker industry represents a massive and growing surveillance economy, valued at $270.40 billion in 2024 and expected to reach $473.35 billion by 2032. Recent analysis identified 750 unique data broker groups operating across the United States, dominated by several key players who collectively maintain detailed profiles on hundreds of millions of Americans—including detailed dossiers on everyday Vermonters.

The Big Three Credit Bureaus have expanded far beyond credit reporting into comprehensive consumer surveillance. Experian maintains detailed consumer profiles and marketing databases that extend well beyond credit information. Equifax collects financial data on over 800 million consumers globally, while TransUnion serves as another major credit and marketing data provider, leveraging credit histories to build broader consumer profiles. All three maintain extensive files on Vermont residents.

Marketing data giants specialize in consumer profiling for commercial purposes. Acxiom stands as one of the world’s largest data brokers, offering data across 62 countries and maintaining profiles on 2.5 billion consumers—representing about 68% of the world’s internet population. Their databases undoubtedly include detailed profiles on most Vermont adults. Epsilon specializes in marketing data and customer insights, while CoreLogic focuses on property and real estate data that enables detailed location-based profiling—particularly relevant in Vermont’s active real estate market spanning from lakefront properties in the Champlain Valley to ski chalets near Mount Snow.

Legacy data brokers with deep government connections represent perhaps the most concerning category. LexisNexis provides extensive data services to government agencies and corporations, maintaining vast databases of personal information. ChoicePoint, now part of LexisNexis, historically demonstrated the industry’s explosive growth, with sales jumping from $585 million in 2000 to over $1 billion by 2006—illustrating how profitable American surveillance has become.

These companies collectively maintain profiles on virtually every Vermont adult, often without their knowledge or explicit consent, creating a surveillance infrastructure that dwarfs what TikTok could have accomplished with a single app.

Vermont’s Registry: A Window into the Data Economy

Vermont’s unique data broker registry provides concrete evidence of the industry’s reach. Under Act 171, data brokers must register annually with the Vermont Secretary of State by January 31 of each year, beginning in 2019, revealing companies that most Vermonters have never heard of but that know intimate details about their lives.¹⁷ These range from household names like Experian and LexisNexis to obscure firms with innocuous names that belie their extensive surveillance operations.

The registry demonstrates both the value and limitations of Vermont’s approach. While registration creates transparency, it doesn’t restrict what data brokers can collect or how they can use Vermont residents’ information. Under the Vermont Data Broker Regulation, it is illegal for any person or business to acquire personal information through fraudulent means or for purposes of harassment, fraud, or discrimination, but the law does not prevent legitimate data collection and sales.¹⁸ A data broker registered in Vermont can legally compile detailed profiles of Green Mountain State residents—tracking their shopping habits at local stores, their online behavior, their property records, and their personal relationships—then sell this information to anyone willing to pay.

This gap between transparency and protection becomes more stark when compared to Vermont’s swift action on TikTok. The state moved quickly to ban TikTok from government devices over data collection concerns, yet it continues to allow data brokers to operate with minimal restrictions on their far more extensive surveillance of Vermont residents.

The Challenge of Incomplete Protection

Even with Vermont’s new Kids Code in place, the challenges remain significant. The bill would also require data brokers to set up a system to delete the personal information of any consumer who makes a request. However, this provision applies only to the stalled H.211 legislation, leaving current data broker operations largely unchanged despite the signing of the Kids Code.

Clark emphasized the urgency of comprehensive data protection: “We have been asking for a comprehensive data privacy law for a while now, and to me every year it becomes more urgent.” Her office’s Consumer Assistance Program receives thousands of scam reports per year, highlighting the real-world consequences of inadequate data protection.

Government Hypocrisy: Vermont’s Mixed Record

Perhaps most troubling is how government agencies themselves exploit the data broker loophole. The Brennan Center for Justice has documented how federal agencies routinely purchase data from brokers to circumvent Fourth Amendment protections that would otherwise require warrants for such surveillance.¹⁹ This practice allows law enforcement and intelligence agencies to buy their way around constitutional privacy protections—the very protections that lawmakers claimed to defend when banning TikTok.

Vermont’s own experience illustrates this contradiction. While the state pioneered data broker regulation and swiftly banned TikTok from government devices, there’s no evidence that Vermont agencies are prohibited from purchasing data from the brokers on their own registry. A Vermont state agency could theoretically ban TikTok from employee phones while simultaneously purchasing detailed surveillance data about those same employees from registered data brokers.

“Congress must pass legislation that prohibits government agencies from buying its way around the Fourth Amendment and other legal privacy protections,” argues the Brennan Center.²⁰ Yet no such comprehensive legislation exists, despite years of documented abuse, and even progressive states like Vermont haven’t fully closed this loophole at the state level.

Selective Privacy Protection: Vermont’s Partial Solutions

The contrast becomes even more stark when examining recent legislative efforts. While Congress moved swiftly to ban TikTok, comprehensive federal privacy legislation has languished for years. The only significant federal action on data brokers came in April 2024 with the Protecting Americans’ Data from Foreign Adversaries Act, which restricts data sales specifically to China, North Korea, Russia, and Iran.²¹ This law notably does nothing to prevent domestic data brokers from selling American data to domestic buyers, including private companies and government agencies.

Vermont’s experience shows both the promise and limitations of state action. The state’s Act 171 represented a significant first step, but it only protects Vermont’s 650,000 residents while the remaining 330 million Americans lack similar protection. Meanwhile, the Consumer Financial Protection Bureau proposed new rules in December 2024 to limit data broker sales of sensitive financial information, but these regulations remain in flux and face uncertain prospects under the current administration.²² As MIT Technology Review noted in January 2025, “The US still has no federal privacy law” despite growing concerns about data broker practices.²³

Industry Pushback and Implementation Challenges

Vermont’s recent legislative efforts have faced significant industry opposition. Adam Locklin, executive director of the Vermont Technology Alliance, argued that the Kids Code bill’s threshold is too broad: “A reservation app for a restaurant built in Vermont, or ones that operate in Vermont, do they hit 2% of under 18? Probably. They would be susceptible to this, even though making a reservation has nothing to do with the point of this bill.”

Five senators voted against S.69, with Senator Samuel Douglass, R-Orleans, expressing concerns about implementation: “I do not believe that this bill will accurately identify minors. We were told multiple times that age verification methods are very difficult, if not impossible, to implement.”

The Real Privacy Threat: A View from Vermont

Critics argue that this selective approach to privacy protection reveals the true motivations behind the TikTok ban. While lawmakers expressed grave concerns about Chinese access to American data, they’ve shown little urgency in addressing domestic data collection that may be even more extensive and invasive. This disconnect is particularly visible in Vermont, where residents can theoretically identify which data brokers are registered to collect their information, yet have limited recourse to stop them.

Vermont’s data broker registry reveals companies that don’t just collect user-generated content—they compile comprehensive dossiers on citizens’ financial status, health conditions, political affiliations, and personal relationships. A registered data broker in Vermont might know which Burlington residents are considering divorce (based on online searches), which Rutland families are struggling financially (based on credit and shopping patterns), or which Brattleboro voters are most likely to support particular candidates (based on demographic profiling and purchase history).

“For these companies, consumers are the product, not the customer,” explains the Electronic Privacy Information Center, highlighting how data brokers profit from surveillance while consumers bear the privacy costs.²⁴ Unlike TikTok users who at least chose to download the app, Vermonters have little choice in whether data brokers collect and sell their information. They can check the Secretary of State’s registry to see who’s registered to watch them, but they largely can’t stop the surveillance.

Clark has identified biometric data as a top priority for regulation: “Taking ownership of who owns our own data, especially data about us that is exclusive to us, is critical. I really feel like we need to enter an era where it is very clear that our data belongs to us.”

This concern takes on new urgency as Vermont continues to lead on privacy issues while federal action remains stalled.

A Double Standard Exposed: Lessons from the Green Mountain State

The TikTok ban reveals a fundamental inconsistency in American privacy policy, one that Vermont’s pioneering efforts help illuminate. If data collection and potential foreign surveillance justify restricting constitutional rights and banning popular platforms, then surely the extensive domestic surveillance economy warrants similar scrutiny. Yet while TikTok faced the ultimate penalty for its data practices, American data brokers continue to operate with minimal restrictions, even in privacy-conscious Vermont.

Vermont’s experience demonstrates both what’s possible and what’s insufficient. The state proved that data broker regulation is feasible, creating the first successful registry system that other states have begun to emulate. Vermont showed that swift action on platforms like TikTok is possible when policymakers prioritize it. The recent signing of the Kids Code proves that comprehensive digital protection can advance even in the face of industry opposition.

Yet Vermont’s partial solutions also reveal the limits of state-by-state privacy protection in a national digital economy. A data broker registered in Vermont can easily sell detailed profiles of Green Mountain State residents to buyers in other states with no privacy protections. A Vermont resident who successfully navigates the state’s transparency requirements might still find their information held by dozens of other brokers operating outside Vermont’s jurisdiction. TikTok was banned nationwide because privacy threats don’t respect state boundaries, yet data broker regulation remains a patchwork of inconsistent state laws.

The Path Forward: Lessons from Vermont’s Legislative Journey

Representative Priestley remains optimistic about Vermont’s comprehensive approach despite mixed results: “I think that they all have good chances of making it through the biennium. People are really starting to realize and think about the fact that everything they are, and everything they do, is in records online and can be used against them.”

Vermont’s three-pronged approach—targeting age-appropriate design, consumer data protection, and data broker regulation—provides a model for comprehensive privacy protection that addresses different aspects of the surveillance economy. The success of the Kids Code demonstrates that meaningful protection is achievable when legislators persist despite industry opposition.

This double standard suggests that the TikTok ban was less about protecting American privacy and more about geopolitical competition. True privacy protection would require comprehensive reform of data collection practices across all platforms and industries—foreign and domestic alike. Until lawmakers address the massive domestic surveillance apparatus that operates with their tacit approval, the TikTok ban appears more like selective enforcement than principled privacy protection.

Vermont’s example shows that meaningful privacy protection is possible, but it requires consistent application of privacy principles regardless of corporate nationality. The state’s data broker registry should be a model for national transparency requirements. Its registration mechanism should inspire federal oversight systems. Its swift action on TikTok shows that politicians can act quickly when they choose to prioritize privacy. And the new Kids Code demonstrates that comprehensive digital protection can become law even when facing significant industry resistance.

As Americans adjust to life without TikTok, Vermonters can check their state’s data broker registry to see which companies are legally buying and selling their most intimate data without their knowledge or consent. The answer to which poses the greater threat to privacy—a Chinese-owned app they chose to download, or the dozens of American companies registered with Vermont’s Secretary of State—reveals much about the true priorities of America’s privacy policy.

Until Congress follows Vermont’s lead in regulating domestic data collection with the same urgency it applied to TikTok, Americans will continue to live in a surveillance economy that profits from their privacy while claiming to protect it. Vermont’s recent legislative victories show the path forward, but they also underscore how much work remains to achieve comprehensive privacy protection in the digital age.

Footnotes

17. VeraSafe, “What is the Vermont Data Broker Regulation?” December 30, 2019, https://verasafe.com/blog/why-you-should-be-aware-of-the-vermont-data-broker-regulation/
18. Zwillgen, “Vermont Data Broker Regulations Now Effective,” October 5, 2020, https://www.zwillgen.com/general/vermont-data-broker-regulations-now-effective
19. Brennan Center for Justice, “Data Brokers Are Running Wild, and Only Congress Can Rein Them In,” https://www.brennancenter.org/our-work/analysis-opinion/data-brokers-are-running-wild-and-only-congress-can-rein-them
20. Brennan Center for Justice, “Closing the Data Broker Loophole,” https://www.brennancenter.org/our-work/research-reports/closing-data-broker-loophole
21. Wiley Law, “New Federal Data Broker Law Will Restrict Certain Foreign Data Sales Effective June 23,” April 24, 2024, https://www.wiley.law/alert-New-Federal-Data-Broker-Law-Will-Restrict-Certain-Foreign-Data-Sales-Effective-June-23
22. TechCrunch, “US agency proposes new rule blocking data brokers from selling Americans’ sensitive personal data,” December 3, 2024, https://techcrunch.com/2024/12/03/us-agency-proposes-new-rule-blocking-data-brokers-from-selling-americans-sensitive-personal-data/
23. MIT Technology Review, “What’s next for our privacy?” January 16, 2025, https://www.technologyreview.com/2025/01/07/1109301/privacy-protection-data-brokers-personal-information/
24. Electronic Privacy Information Center, “Data Brokers,” https://epic.org/issues/consumer-privacy/data-brokers/