‍Introduction

Companies in the networked information economy collect personal data to provide their services. Businesses are also always keen to develop other ways to monetize this consumer information. A handful of the largest leverage their platforms to serve content or ads on behalf of paying advertisers. After all, many companies are willing to pay handsomely for targeted access to potential buyers across devices. Others sell the data to third parties who find further commercial uses for it.

Current legal doctrine allows this last category—data brokers—to sell or license personal data although they are not the ones to collect it from consumers.[1] Meanwhile, most people do not know or understand these background deals and practices, even when they consent to them. Most consumers feel that they have no choice but to click yes and accept the terms of service.

To put it starkly: the prevailing regulatory approach in the United States has effectively normalized data exposure.

This state of affairs is rife with risk and peril for consumers. Companies have claimed to collect information for one reason only to commercialize it for different ones, often to the detriment of the consumers they ostensibly serve. They employ subtly deceptive interface features to entice consumers into either purchasing things that they would not otherwise[2] and deepfakes that lull consumers into giving more information than they would otherwise volunteer.[3]

The market for consumer information is also a bonanza for individuals whose aim is to stalk, harass, and otherwise torment vulnerable individuals. To be sure, laws in the United States forbid stalking and online abuse.[4] But they nevertheless fail to block such harms from actually happening. In 2023, 16 percent of high school students reported being electronically bullied.[5] A 2021 Pew Research study revealed that about 41 percent of Americans have experienced online harassment.[6] About half of this group cited politics and ideological disagreement as the reason.[7] A growing number, however, are the victims of severe sexual harassment or stalking. According to a 2025 report, most among these are young women and people who identify as LGBTQ.[8] And this challenge is more harrowing in the context of the proliferation of deepfake abuse, where 1.2 million children from eleven countries reported that their images had been manipulated into sexually explicit deepfakes in the past year.[9]

Under current law, consumers generally bear the primary responsibility for ending their harassment. This is hard work. Among other things, victims must identify and then contact the myriad sites and services that make their personal information publicly available. On the internet, where data is notoriously impossible to erase completely, this effort often resembles a game of whack-a-mole. Some victims can afford to enlist third-party reputation management firms to help. Most, however, must shoulder the burden of protecting their reputation alone, whether or not they have the time, expertise, or inclination. None of this is inevitable. Federal policymakers have simply failed to adapt law to the current workings of the market for personal data. This is all the more glaring given that countries around the world and American states have updated their laws, even as some are more effective than others.

In Brokering Safety, Sharma, Kadri, and Adler urge federal policymakers to impose on data brokers the greater duty of policing and stemming online stalking, harassment, and related abuse; that burden should not fall to victims, they argue. The article makes this case by, first, carefully (and empathetically)[10] describing both the primary and secondary harms that consumers endure. The first level of harm is the one that immediately follows the exploitation of personal data. Victims generally feel a constant fear of discovery, forcing them to retreat from social life and professional engagements. Such events tend to have a lasting impact.

But it is the second level harm that matters most for Brokering Safety: the burden of navigating the obscure and unintuitive processes for removing their personal information from each broker database in possession of their information.[11] This is always bound to be a horrifying challenge because brokers require victims to complete idiosyncratic “opt-out” forms that ironically require disclosure of additional sensitive personal information.[12] This burden does not go away when the victim makes the request; they must remain vigilant for years.[13] Meanwhile, third-party services that offer to handle these opt-out requests on behalf of victims present other challenges, including costliness.[14] All of this causes “retraumatization.”[15]

The authors show that current laws only do so much. First, they mostly kick in after the harm has been done. Second, they require victims to prove that the brokers in question intended to harm the victim, which is an impossible feat given the scale at which they operate. This is to say nothing of the characteristic incredulity or unresponsiveness that victims encounter when they enlist the help of law enforcement. Meanwhile, laws that forbid nonconsensual data collection, like the California Consumer Privacy Act, could be useful if they were not “riddled with loopholes” for “publicly available information.”[16] (More on this below.) And laws that restrict the disclosure of certain sensitive information are important, but they, too, require victims to do the hard work of hunting down brokers after-the-fact.

In the end, Brokering Safety argues for federal rules that would require data brokers to administer “victim requests to opt-out of the dissemination of their personal information.” That is, victims would be able to report abuse through a sworn statement and not secondary documentation like a police report or a protective order. Pursuant to the authors’ proposal, victims would only have to do so once to a centralized, government-administered system that data brokers would have to regularly follow and abide.[17] This is a low barrier to access that does not impose undue nor disproportionate obligations on companies. The article also details considerations regarding the scope of covered entities and data, implementation (including broker registration), standards of care and government agency oversight, civil penalties for broker violators, and narrow immunities for inadvertent mistakes.

Among other things, this proposal would close the unevenness among state laws, “shift the burden of oversight away from victims,” and, importantly, “ensure[] accountability at a systemic level, addressing gaps in enforcement that allow brokers to evade meaningful consequences.”[18] The authors point to successful examples in the private and public sector to illustrate that centralized systems are possible. Through the STOP Non-Consensual Intimate Image Abuse (STOP NCII) initiative and, separately, the National Center for Missing and Exploited Children’s database, for example, a coalition of companies, developers, and consumer groups collaborate in the development of technologies for monitoring, marking or “hashing,” and reporting abusive or unlawful material for adults and kids, respectively.[19] The article also features the Federal Trade Commission’s Do Not Call Registry.[20] (The example of the European Union’s “right to be forgotten” under the General Data Protection Regulation is also an effective authority but is decentralized unlike the other examples.) All of these show that companies, including some data brokers, have come together to do the right thing while also saving victims the burden of protecting themselves for all time.

The article also recommends closing loopholes for publicly traded information in current law, including the California DELETE Act, as well as shorter intervals for data brokers to verify that they do not distribute information that victims or their advocates have flagged and an ongoing obligation to make sure that flagged data does not resurface. The authors propose, moreover, that data broker laws afford victims stronger foothold in the ways in which companies decide to takedown information. One such way to do this would be to provide for a private right of action and an appeals process.

I. Data Brokerage: Another Predictable Manifestation of the U.S.’s Outmoded User-Centered Regulatory Approach

Brokering Safety is timely and useful. Its proposal would align legal responsibility with economic power. The authors convincingly show that the Kafkaesque setup in the market for consumer data is the necessary consequence of the canonical presumption in United States law that individuals ought to be able to effectuate their preferences and manage their online experiences—that consumer choice and consent are paramount.[21] For perhaps a decade or more now, however, scholars have come to agree that such a regulatory approach is simply inapt given the ways in which the networked information economy actually works. Recent developments in Congress and state legislatures suggest that more structural changes can be advanced, even in the present moment.

Yet, the one-stop-shop solution that Brokering Safety proposes also accedes to the core neoliberal presumption all over again insofar as it individualizes harm. Consider that the authors are mostly in conversation with privacy and data protection scholarship on “practical obscurity.”[22] This is the idea that law should, where necessary, make personal information difficult to access if not altogether erase it. But this framing seems to just return us to the task of containing the availability of a given victim’s personal information, one consumer at a time. It does not dampen the incentives that drive companies to collect and monetize that data as a matter of course in the first instance; it does not directly redress the market-wide commercial surveillance incentives at the root of the problem. I do not doubt that Brokering Safety’s one-stop-shop is a good solution for abuse victims once the primary harm manifests. But the article never really considers structural constraints on upstream collectors and administrators of consumer data, like social media, financial institutions, and insurance companies.

To put this a little differently: online abuse, like dark patterns and surveillance pricing, for example, are just a couple of the many inevitable consequences of the laissez-faire regulatory approach to commercial surveillance in the United States.[23] Even if self-attestation is a good signal of consumer preference, it still requires individuals to assume responsibility in the first instance for an industry-wide problem. Given the authors’ stated concern about information asymmetries,[24] we might assume that they would turn to structural fixes like broad purpose limitations or data minimization rules that reduce the pecuniary incentive to traffic in personal data. Consider moreover that such measures have the added advantage of mostly avoiding the First Amendment hurdle to the extent they are neither content-based nor have incidental effects on the lawful distribution of truthful information.

Congress has at least twice come close to passing structural commercial surveillance reforms that would go well beyond the proposed federal DELETE Act, the main focus of Brokering Safety. These did not simply curtail data broker practices and, as in the TAKE IT DOWN Act, the distribution of nonconsensual sexual content.[25] For example, in 2022 and 2024, Congress was on the verge of enacting legislation that would forbid companies from collecting or using information for anything beyond the specific purposes for which they collect the information.[26] These proposals would have established consumer data protection rights, including the right to access, correct, delete, and export data, as well as consent or opt-in/out mechanisms for the transfer of sensitive data and the receipt of targeted advertising. Had those bills prevailed, Congress would have limited data brokers’ downstream access to personal data and, one can only assume, diminished stalking, harassment, and other abuses that depend on it. In the end, even with wide bipartisan support, however, these failed to become law. The main stumbling blocks were over state preemption, a private right of action, and civil rights protections.[27] The point here, however, is that these bills were close to passage; indeed, they were arguably as likely to pass as the narrowly tailored data broker law that the article recommends would.

States have also enacted laws that span commercial surveillance practices well beyond data brokerage. For example, they have enacted statutes that protect against harmful service design features and commercial surveillance practices. Illinois was an early leader, with its statutory protections against abuses of biometric data.[28] Vermont was among the first to pass comprehensive protections from the data broker industry.[29] Other strong state laws, like those of California, Colorado, Minnesota, and Oregon, establish individual rights to notice, access, correction, and deletion.[30] Most also impose limitations on how companies collect, retain, or sell their residents’ personal information, as well as some combination of disclosure requirements and impact assessment requirements.[31] These laws generally give consumers the ability to opt out of targeting and profiling, and in some cases also require impact assessments for activities conducted by data controllers that have a heightened risk of harm. Many states also impose restrictions on the companies’ use of automated decision-making systems.[32] California, again, stands out because its Consumer Privacy Act established an independent agency, the California Privacy Protection Agency (CPPA), with the responsibility of implementing the statute.

II. Policymakers Agree: Data Brokerage Has Gone Too Far. The One-Stop-Shop Model Would Be a Good Start.

Despite Brokering Safety’s modest proposal to create a one-stop-shop, recently passed federal laws and on-going Federal Trade Commission enforcement actions reflect an appetite for broader structural regulations of data brokers, even at the federal level, than Brokering Safety suggests.

Brokering Safety acknowledges that its proposal is modest. The authors offer two reasons for this tact. The first is doctrinal: First Amendment law today presents significant hurdles to government regulation of a wide range of information flows on the internet. Restrictions on access to information that is otherwise publicly available may be invalid if those rules are not limited to unlawful or deceptive content. The Constitution generally forbids people’s access to truthful information.[33]

Second, laws that single out data brokers run up against the doctrine’s strict scrutiny of status- or identity-based restrictions on the distribution of information. Why impose restrictions on data brokers when social media, for example, monetizes consumer data as well? Brokering Safety uses this state of affairs in the doctrine to set out an alternative framing for how courts ought to evaluate free speech doctrine. Drawing on Robert Post’s writing, they urge a less formalistic application of a “listener’s right” to facts and, instead, an approach that affords the most robust protection to speakers who “imbue[] facts with an expressive” element.[34] Data brokers under this scheme would not get the same protection as noncommercial speech or, perhaps, even some forms of commercial speech. They engage in a commercial practice that is wholly indifferent to expressiveness as such and, accordingly, should not prevail under any level of heightened scrutiny for protected speech.[35]

The second reason for Brokering Safety’s caution is short-term feasibility. The authors propose a solution that will provide immediate support for victims today. In this regard, the authors have every reason to be skeptical that meaningful structural reform is possible: Congress today is as ineffectual as it has been in generations. The current President has exploited deep divisions in the national polity to advance his own personal ambitions and overtly exact a capricious and intemperate campaign of retribution.[36] The Republican leadership of Congress has allowed the Administration to have its way on just about everything, with barely a hint of significant oversight.

But I would not so quickly concede that the current state of affairs will last.[37] We know that national-level reform is possible in the United States because federal policymakers have in the past couple of years enacted measures that move in the right direction.

In the Protecting Americans’ Data from Foreign Adversaries Act of 2024 (PADFAA), Congress actually enacted a statute that, along with aiming to block the national security threat that “foreign adversary controlled applications” pose to U.S. consumers and elections, forbids data brokers from “selling, transferring, or disclosing” “personally identifiable sensitive data” to any applications controlled by geopolitical rivals, including China, Russia, Iran, and North Korea.[38] And one year later, during the current legislative session, Congress enacted a law that criminalizes the creation or distribution of nonconsensual intimate images, including AI-generated deepfakes.[39] To be sure, these two interventions were narrow legislative reforms. The first only related to applications controlled by foreign adversaries. And the second concerned nonconsensual images. These veryrecent laws evince a mood for reform on the very practices and harms that animate Brokering Safety. They go even further, in some regards.

And then there are the states. Of course, as Brokering Safety explains, the California Delete Act set the bar high for the states by creating a one-stop-shop system called the Data Broker Request and Opt-out Platform (DROP) through which residents may request data brokers to delete their personal information.[40] Following that statute’s passage, the CPPA established a dedicated Data Broker Enforcement Strike Force that has brought cases against a variety of data brokerages from across the country. These include cases against data brokers that expose consumers’ sensitive personal information[41] or fail to register.[42] Importantly, the California Privacy Protection Agency enforces the state’s influential law. In 2025, the CPPA imposed its largest fine ever pursuant to the CCPA against America Honda for violations in the company’s manufacture of connected vehicles and related technologies, effectively forcing the company to change its business practices.[43]

Vermont, however, passed the nation’s first data broker legislation in 2018, requiring data brokers to register with the Secretary of State and provide certain information about their data collection activities.”[44] Meanwhile, Texas and Oregon recently passed laws that require data brokers to register with pertinent authorities in order to do business in the state.[45] In 2024, Texas sued Allstate and its data broker subsidiary, Arity, for allegedly violating the state’s Data Broker Law by failing to register and for deceptive practices regarding how they collected driving data.[46]

Federal agencies have also taken concrete steps to end some of the most dangerous data broker practices, even if the current administration has dismantled many of those efforts. In the last month of the Biden administration, for example, the Consumer Financial Protection Bureau proposed a rule that would have forbidden data brokers from selling sensitive personal data to scammers, stalkers, and foreign adversaries.[47] The Department of Health and Human Services, meanwhile, made clear in a major bulletin and subsequent enforcement actions that the Health Insurance Portability and Accountability Act forbids hospitals websites from transmitting sensitive patient data to third-party brokers through online tracking technologies (i.e., pixels).[48]

In spite of the Supreme Court’s anti-regulatory turn of the past couple of decades, federal agencies have mostly used their enforcement authority to go after risky or harmful data broker practices. The Justice Department, for example, has brought actions against companies that sell Americans’ information to fraudsters,[49] including those that predate on the elderly.[50] In 2025, it also issued a final rule pursuant to a Biden-era executive order that prohibits data brokers from engaging in transactions with China, Russia, and other “countries of concern” involving sensitive U.S. residents’ data.[51] The Securities and Exchange Commission, meanwhile, settled a securities fraud case against App Annie, a leading consumer data analytics provider for the mobile app industry.[52] The agency alleged that, among other things, the company was not forthcoming about how it monetized non-aggregated and non-anonymized personal data.[53] And the Federal Communications Commission has imposed multi-million dollar fines on companies that sell real-time location data to data brokers, who then resold it to third-party services.[54]

The Federal Trade Commission (FTC) has the longest track record of protecting consumers from the data broker industry. During the Obama administration, for example, it issued orders requiring such companies to provide the agency with information about how they collect and use data about consumers.[55] During the Biden administration, moreover, the FTC began a rulemaking proceeding that inquired into the prevalence of harmful commercial surveillance and data security practices that harm consumers, including those of data brokerage.[56] This led to a further inquiry into harmful surveillance pricing practices.[57]

More pertinently, the FTC has brought several enforcement actions against data brokers, many of which have ended in fines and behavioral constraints on the companies. Consider the series of consent decrees that the agency entered in 2024 with Avast,[58] X-Mode,[59] InMarket Media,[60] Gravy Analytics,[61] and Mobilewalla,[62] all data brokers that, as alleged, unfairly sold precise location data, including information about people’s visits to sensitive locations like medical and reproductive health clinics, places of religious worship, and domestic abuse shelters.[63] This was not a fanciful worry. In the wake of Dobbs, state law enforcement authorities threatened to prosecute women who travel to neighboring states for reproductive health services when their states of residence forbid it, as well as the establishments that provide those services lawfully.[64]

The ongoing case against Kochava, however, stands out. Among other things, the company collects and monetizes precise mobile device location, including timestamped latitude and longitude coordinates paired with the persistent identifier of each respective users.[65] Kochava uses this data to track consumers’ movements for up to a year and sells that non-anonymized information to its paying customers.[66] It also markets a “360-degree perspective” of consumers, that includes a catalog of sensitive data, including name, address, phone number, as well as gender, age, ethnicity, yearly income, marital status, and “interests and behaviors.”[67]

The FTC’s legal theory rested on its statutory authority to protect against “unfair” commercial practices—not just the latent deception in repurposing sensitive personal data for pecuniary self-regarding aims.[68] Specifically, it alleged that Kochava’s use and public disclosure of precise location information was likely to cause consumers substantial injury, that consumers could not avoid, and that this harm is far greater than any benefit.[69] Kochava eventually backed down and settled after the district court hearing the case rejected the company’s motion to dismiss.[70]

The FTC’s unfairness theory in Kochava is on all fours with Brokering Safety’s argument for protecting victims from secondary harms. And, in some ways, it goes further. Brokering Safety’s focus on historically marginalized people, especially cyberstalking and sexual assault victims is compelling, but as then-Bureau of Consumer Protection Director Levine explained, these practices endanger all consumers one way or another.[71] This observation feels especially salient given the ways in which federal immigration law enforcement authorities have obtained information about people on suspicion that they are in the United States unlawfully.[72]

Conclusion

Today’s regulatory approach to commercial surveillance in the United States effectively normalizes the traffic and exposure of personal data. Brokering Safety’s recommendations for firming up the one-stop-shop idea in the DELETE Act and the California version of the law would be an important step in the right direction. But, as I mean to show here, these should complement a far more sweeping regulatory focus on curbing commercial surveillance practices. While purpose limitations and data minimization rules, for example, would not wholly eradicate cyberbullying and other forms of online abuse, they would make consumers safer to the extent they impose the greater burden of administering consumer data on the companies best situated to do it. If well crafted, they also have the virtue of eluding First Amendment restrictions. All it takes is political will to put them in place, which may be more in the offing than ever before.

Copyright © 2026 Olivier Sylvain. I am grateful to Jack Froude and Rebecca Vangelos for their research assistance on this response for the California Law Review—and beyond.

[1]See generally In re DoubleClick Inc. Privacy Litigation, 154 F. Supp. 2d 497 (S.D.N.Y. 2001).

[2]See, e.g., Press Release, Federal Trade Comm’n, FTC Secures Historic $2.5 Billion Settlement Against Amazon(Sept. 25, 2025), https://www.ftc.gov/news-events/news/press-releases/2025/09/ftc-secures-historic-25-billion-settlement-against-amazon (last visited Mar. 2, 2026) [https://perma.cc/7NRG-E4QH].

[3]See, e.g., Claudia Koon Ghee Wee Artificial illusion: Global governance challenges of deepfake technology, Int’l Ass’n of Privacy Pros. (Apr. 23, 2025), https://iapp.org/news/a/artificial-illusion-global-governance-challenges-of-deepfake-technology [https://perma.cc/J2SL-8JBG].

[4]See, e.g., U.S. Att’y’s Off., D. Me., Federal Domestic Violence & Stalking Statutes: Elements for Federal Prosecution (2023), https://www.justice.gov/d9/2023-12/dv_stalking_oct_2023_0.pdf [https://perma.cc/H4L3-5MZE]. Last year, Congress passed the TAKE IT DOWN Act, which could very well change things. See generally TAKE IT DOWN Act, Pub. L. No. 119-12, 139 Stat. 55 (2025).

[5] U.S. Dep’t of Health & Hum. Servs., What is Cyberbullying?, StopBullying.gov, https://www.stopbullying.gov/cyberbullying/what-is-it (last visited Mar.3, 2025) [https://perma.cc/2PFP-PCDS].     

[6] Emily A. Vogels, The State of Online Harassment, Pew Rsch. Ctr. (Jan. 13, 2021), https://www.pewresearch.org/internet/2021/01/13/the-state-of-online-harassment/ [https://perma.cc/6EKN-BYHC].

[7]Id.

[8] Univ. of the Coll. of Lond., Cyberstalking growing at faster rate than other forms of stalking, UCL News, (July 31, 2025), https://www.ucl.ac.uk/news/2025/jul/cyberstalking-growing-faster-rate-other-forms-stalking [https://perma.cc/F4WM-2PCH]; Statista, Most common types of online abuse or harassment experienced by women worldwide as of July 2017, STAISTA (Nov. 2017), https://www.statista.com/statistics/784833/online-harassment-women-types/#statisticContainer (last visited Mar. 2, 2026) [https://perma.cc/PX4B-UNBC].

[9] Press Release, U.N. Child.’s Fund, Deepfake Abuse is Abuse, UNICEF (Feb. 4, 2026), https://www.unicef.org/press-releases/deepfake-abuse-is-abuse.

[10] Thomas Kadri, Networks of Empathy, 2020 Utah L. Rev. 1075 (2020), https://dc.law.utah.edu/cgi/viewcontent.cgi?article=1271&context=ulr.

[11]See Chinmayi Sharma, Thomas E. Kadri, & Sam Adler, Brokering Safety, 114 Calif. L. Rev. 481 (2025).

[12]Id.

[13]Id.

[14]Id.

[15]Id.

[16]Seeid. at 131, n.126, 158, n.183.

[17]Id. at 167.

[18]Id. at 138.

[19] StopNCII, https://stopncii.org/ [https://perma.cc/K7ZM-DN9U]; Nat’l Ctr. for Missing & Exploited Child., https://www.missingkids.org/ourwork/ncmecdata [https://perma.cc/P2KJ-UZH5].

[20]The Do Not Call Registry, Federal Trade Comm’n,https://www.ftc.gov/news-events/topics/do-not-call-registry [https://perma.cc/6K8V-63VT].

[21] I and so many others have critiqued this consumer sovereignty model. See, e.g., Ari Waldman, Privacy’s Rights Trap, 117 Nw. U. L. Rev. 88 (2022); Julie Cohen, 126 Harv. L. Rev. 1904, 1907 (2013); see also Olivier Sylvain, Middleware and the Illusory Promise of End-User Control, 715 Annals Am. Acad. Pol. & Soc. Sci. 80 (2025); Olivier Sylvain, Regulating for Asymmetric Market Power: Beyond the Consumer Sovereignty Model, 25 Scis. Po L. Rev. 37 (2024).

[22]SeeDep’t of Justice v. Reps. Comm. for Freedom of the Press, 489 U.S. 749 (1989); see also Woodrow Hartzog & Frederic Stutzman, The Case for Online Obscurity, 101 Calif. L. Rev. 1 (2013).

[23] Olivier Sylvain, Reclaiming the Internet: How Big Tech Took Control—and How We Can Take It Back (2026).

[24] The article makes passing references to such solutions in its discussion of the opt-out registry but does not really engage the point. See Sharma et al., supra note 12.

[25] Data Elimination and Limiting Extensive Tracking and Exchange Act, S. 1287, 119th Cong. (2025-2026) (“DELETE” Act); TAKE IT DOWN Act, Pub. L. No.: 119-12, 139 Stat. 55 (2025).

[26]See American Data Privacy and Protection Act, H.R. 8152, 117th Cong. (2021-2022) (“ADDPA”); see also American Privacy Rights Act, H.R. 8818, 118th Cong. (2023-2024) (“APRA”).

[27] Joseph Jerome, The Goal of a National Privacy Law in the United States, Tech Pol’y Press (June 27, 2024), https://www.techpolicy.press/the-goal-of-a-national-privacy-law-in-the-united-states/ [https://perma.cc/4KNV-W6AQ].

[28] Biometric Information Privacy Act, 740 Ill. Comp. Stat. 14/1 et seq. (2008).

[29]Privacy and Data Security, Off. of the Vt. Att’y Gen., https://ago.vermont.gov/privacy-data-security [https://perma.cc/T4AW-BABC].

[30] Müge Fazlioglu, US State Comprehensive Privacy Laws Report 2025, IAPP (Oct. 27, 2025), https://iapp.org/resources/article/us-state-privacy-laws-overview [https://perma.cc/C4SB-FVFT].

[31]Id.

[32]Id.

[33]See United States v. Alvarez, 567 U.S. 709 (2005).

[34] Sharma et al., supra note 12, at 190 (citing Robert Post¸ Encryption Source Code and the First Amendment, 14 Berkeley Tech. L.J. 713, 714 (2000)). But see Amy Kapcynski, The Lochernized First Amendment and the FDA: Toward a More Democratic Political Economy, 118 Colum. L. Rev. 7 (2018); Amanda Shanor, The New Lochner, 2016 Wis. L. Rev. 133 (2016); Mary Anne Franks, Fearless Speech: Breaking Free from the First Amendment (2024); Genevieve Lakier, The Anti-Authoritarian First Amendment and Its Limits, Reconstruing Free Expression Blog (Feb. 23. 2026), https://knightcolumbia.org/blog/the-anti-authoritarian-first-amendment-and-its-limits [https://perma.cc/26VS-65ES]. Moreover, consider rent opinions by the U.S. Supreme Court in Free Speech Coalition, Inc. v. Paxton, 606 U.S. 461 (2025) (discussing Texas state age verification law) and TikTok, Inc. v. Garland, 604 U.S. 56 (2025) (discussing federal law barring data collection by foreign adversary-controlled social media), as well as a handful of decisions from the U.S. Courts of Appeals that have rejected or been skeptical of the sweeping claims about the constitutionality of state regulations of commercial surveillance practices).

[35]See Sharma et al., supra note 12 at 96.

[36]See, e.g., Robin Levinson-King, Trump pushes justice department to prosecute his political opponents, BBC News (Sept. 21, 2025), https://www.bbc.com/news/articles/c1wgg4vgeedo [https://perma.cc/2H4G-MN4V]; Peter Eisler et al., Trump’s campaign of retribution: At least 470 targets and counting, Reuters (Nov. 26, 2025), https://www.reuters.com/investigates/special-report/usa-trump-retribution-tracker/; Tony Romm, In Trump’s Fraud Crackdown, Political Foes Face Harshest Scrutiny, N.Y. Times (Feb. 3, 2026) https://www.nytimes.com/2026/02/03/us/politics/trump-fraud-minnesota-snap-medicaid.html.

[37] I do not pretend here to be in the business of predictions about United States electoral politics. To be sure, in the next few years, federal policymakers will have much to do to repair the damage that the current administration has wrought, as well as a handful of recent decisions in the emergency docket and otherwise from the Supreme Court that have enabled well beyond tech policy. I am here thinking of federal agency enforcement capacity as well as the credibility of federal executive authority generally.

[38] In 2024, Congress passed a law that authorizes the President to ban “foreign adversary controlled” social networking services whose data collection practices pose a threat to U.S. national security. Protecting Americans’ Data from Foreign Adversaries Act of 2024, Pub. L. No. 118-50, 138 Stat. 955 (2024). The statute singled out ByteDance, the Chinese owner of TikTok, and, accordingly, required the company to divest from the popular social media service. Congress was concerned about the ways in which the company would effectively be a way by which the Chinese government could gain valuable information about Americans and manipulate voter opinion in the weeks before an election. The Supreme Court later upheld the statute as a non-content-based regulation since its focus was corporate governance and data protection. (The Court significantly downplayed the content-based reasons for the law.) Even after the Supreme Court decision, however, the President stalled enforcement against TikTok until, one year later, it helped to reconstitute the company’s ownership to comply with the statute’s divestment provisions; see also Sam Levin & Mark Sweney, TikTok announces it has finalized deal to establish US entity, sidestepping ban, The Guardian (Jan. 23, 2026), https://www.theguardian.com/us-news/2026/jan/22/tiktok-us-venture-oracle [https://perma.cc/JRN6-E5Q7].

[39] TAKE IT DOWN Act, Pub. L. No.: 119-12, 139 Stat. 55 (2025).

[40]Delete Request and Opt-Out Platform (DROP), Cal. Priv. Prot. Agency, https://privacy.ca.gov/drop/ (last visited Mar. 2, 2026) [https://perma.cc/289N-KAW7].

[41]CPPA Brings Enforcement Action Against Florida Data Broker, Cal. Priv. Prot. Agency (Feb. 20, 2025), https://cppa.ca.gov/announcements/2025/20250220.html [https://perma.cc/SLW2-SA2Y].

[42]CalPrivacy Brings New Round of Enforcement Actions Against Data Brokers, Cal. Priv. Prot. Agency (Jan. 8, 2026), https://cppa.ca.gov/announcements/2026/20260108.html [https://perma.cc/UDN5-VSYQ].

[43]Honda Settles With CPPA Over Privacy Violations, Cal. Priv. Prot. Agency (Mar. 12, 2025), https://cppa.ca.gov/announcements/2025/20250312.html [https://perma.cc/RCM3-QZM6].

[44] Matthew S. Borick & Jennifer Drake, Vermont: Overview of the Data Broker Act, Downs Rachlin Martin PLLC (Jan. 21, 2022), https://www.drm.com/resources/data-broker-act-vermont/ [https://perma.cc/PYJ8-6AKD].

[45]Data Brokers, Texas Sec. of State Jane Nelson, https://www.sos.state.tx.us/statdoc/data-brokers.shtml (last visited Mar. 2, 2026) [https://perma.cc/EUD8-Q6EY]; Daniel Levin & Kelsey Harclerode, Oregon Becomes Fourth State Requiring Data Broker Registration, ZwillGenBlog (Nov. 7, 2023), https://www.zwillgen.com/privacy/oregon-data-broker-registration/.

[46] Press Release, Ken Paxton, Attorney General of Texas, Attorney General Ken Paxton Sues Allstate and Arity for Unlawfully Collecting, Using, and Selling Over 45 Million Americans’ Driving Data to Insurance Companies (Jan. 13, 2025), https://www.texasattorneygeneral.gov/news/releases/attorney-general-ken-paxton-sues-allstate-and-arity-unlawfully-collecting-using-and-selling-over-45 [https://perma.cc/V7JW-3GL9].

[47] Press Release, CFPB Proposes Rule to Stop Data Brokers from Selling Sensitive Personal Data to Scammers, Stalkers, and Spies, CFPB (Dec. 3, 2024), https://www.consumerfinance.gov/about-us/newsroom/cfpb-proposes-rule-to-stop-data-brokers-from-selling-sensitive-personal-data-to-scammers-stalkers-and-spies/ [https://perma.cc/6XJT-WUJV]. The current administration promptly withdrew the proposal months after taking office. Protecting Americans From Harmful Data Broker Practices (Regulation V); Withdrawal of Proposed Rule, 90 Fed. Reg. 20568 (withdrawn May 15, 2025), https://www.federalregister.gov/documents/2025/05/15/2025-08644/protecting-americans-from-harmful-data-broker-practices-regulation-v-withdrawal-of-proposed-rule [https://perma.cc/37SG-PQKQ].

[48]Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates, U.S. Dep’t of Health & Hum. Servs. (June 26, 2024), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html [https://perma.cc/TM9L-646U]. Meanwhile, the current administration has stated that it will pursue enforcement actions to protect access to and exchange of patient data by “providers and certain health IT entities,” including health-related apps. Press Release, HHS Announces Crackdown on Health Data Blocking, U.S. Dep’t of Health & Hum. Servs. (Sept. 3, 2025), https://www.hhs.gov/press-room/hhs-crackdown-health-data-blocking.html [https://perma.cc/56U8-KHNH]. While not necessarily at odds with protecting against the distribution of information to data brokers, this effort means to open access to sensitive data to more companies in the name of innovation.

[49]See Information, United States v. Macromark, Inc., No. 3:20-cr-00171-AWT (D. Conn. Sept. 25, 2020); Joint Notice of Agreement and Motion for Deferral of Prosecution, United States v. KBM Group, LLC, No. 1:21-cr-00198-PAB (D. Colo. June 14, 2021).

[50] Press Release, U.S. Dep’t of Just., Marketing Company Agrees to Pay $150 Million for Facilitating Elder Fraud Schemes (Jan. 27, 2021), https://www.justice.gov/archives/opa/pr/marketing-company-agrees-pay-150-million-facilitating-elder-fraud-schemes [https://perma.cc/54Z9-CC4X].

[51] Provisions Pertaining to Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons, 90 Fed. Reg. 1706 (Jan. 8, 2025) (to be codified at 28 C.F.R. 202).

[52] Press Release, SEC, SEC Charges App Annie and its Founder with Securities Fraud (Sep. 14, 2021), https://www.sec.gov/newsroom/press-releases/2021-176 [https://perma.cc/6WRN-6WRZ].

[53]Id.

[54] Press Release, Fed. Commc’ns Comm’n, FCC Fines AT&T, Sprint, T-Mobile, and Verizon Nearly $200 Million for Illegally Sharing Access to Customers’ Location Data (Apr. 29, 2024), https://docs.fcc.gov/public/attachments/DOC-402213A1.pdf [https://perma.cc/LU2Q-Q8EF].

[55] Press Release, Fed. Trade Comm’n, FTC to Study Data Broker Industry's Collection and Use of Consumer Data (Dec. 18, 2012), https://www.ftc.gov/news-events/news/press-releases/2012/12/ftc-study-data-broker-industrys-collection-use-consumer-data [https://perma.cc/FYZ6-UKH9].

[56] Trade Regulation Rule on Commercial Surveillance and Data Security, 87 Fed. Reg. 51273 (proposed Aug. 22, 2022). A month before the current FTC Chair Andrew Ferguson took this leadership position, he expressed significant reservations about this rulemaking effort in a dissent from the FTC’s “Regulatory Plan and Agenda.” The agency’s role is to be the “cop on the beat,” not a rulemaker. Dissenting Statement of Commissioner Andrew N. Ferguson Fall 2024 Regulatory Plan and Regulatory Agenda Matter No. P072104, FTC (Dec. 13, 2024) https://www.ftc.gov/system/files/ftc_gov/pdf/ferguson-dissent-2024-annual-regulatory-plan-agenda.pdf [https://perma.cc/2GQZ-M98X].

[57] Press Release, Fed. Trade Comm’n, FTC Surveillance Pricing Study Indicates Wide Range of Personal Data Used to Set Individualized Consumer Prices (Jan. 17, 2025), https://www.ftc.gov/news-events/news/press-releases/2025/01/ftc-surveillance-pricing-study-indicates-wide-range-personal-data-used-set-individualized-consumer [https://perma.cc/4B98-A59R].

[58]See generally Decision, In re Avast Ltd., No. 2023033 (Fed. Trade Comm’n Feb. 22, 2024), https://www.ftc.gov/system/files/ftc_gov/pdf/D%26O-Avast.pdf [https://perma.cc/V2NY-TF5R]; Avast, FTC (Feb. 24, 2025), https://www.ftc.gov/legal-library/browse/cases-proceedings/2023033-avast.

[59]See generally In re X-Mode Social, Inc., Decision and Order, File No. 212-3038, Docket No. C-4802 (Fed. Trade Comm’n Apr. 11, 2024), https://www.ftc.gov/system/files/ftc_gov/pdf/X-ModeSocialDecisionandOrder.pdf [https://perma.cc/H98S-HYQ5]; Press Release, Fed. Trade Comm’n, FTC Finalizes Order with X-Mode and Successor Outlogic Prohibiting It from Sharing or Selling Sensitive Location Data (Apr. 12, 2024), https://www.ftc.gov/news-events/news/press-releases/2024/04/ftc-finalizes-order-x-mode-successor-outlogic-prohibiting-it-sharing-or-selling-sensitive-location [https://perma.cc/2YM8-Z9CA].

[60]See generally In re InMarket Media, LLC, File No. 202-3088, Docket No. C-4803, Decision and Order (Fed. Trade Comm’n May 1, 2024), https://www.ftc.gov/legal-library/browse/cases-proceedings/2023088-inmarket-media-llc [https://perma.cc/VX3S-5HXZ]; Press Release, Fed. Trade Comm’n, FTC Finalizes Order with InMarket Prohibiting It from Selling or Sharing Precise Location Data (May 1, 2024), https://www.ftc.gov/news-events/news/press-releases/2024/05/ftc-finalizes-order-inmarket-prohibiting-it-selling-or-sharing-precise-location-data [https://perma.cc/A8PC-2XVJ].

[61]See generally In re Gravy Analytics, Inc., File No. 212-3035, Docket No. C-4810, Final Consent Order (Fed. Trade Comm’n Jan. 14, 2025), https://www.ftc.gov/legal-library/browse/cases-proceedings/212-3035-gravy-analytics-inc-matter [https://perma.cc/T4U4-8SU6]; Press Release, Fed. Trade Comm’n, FTC Finalizes Order Prohibiting Gravy Analytics, Venntel from Selling Sensitive Location Data (Jan. 14, 2025), https://www.ftc.gov/legal-library/browse/cases-proceedings/212-3035-gravy-analytics-inc-matter [https://perma.cc/LQU7-WXSY].

[62]See generally In re Mobilewalla, Inc., File No. 202-3196, Docket No. C-4811, Decision and Order (Fed. Trade Comm’n Jan. 14, 2025), https://www.ftc.gov/legal-library/browse/cases-proceedings/202-3196-mobilewalla-inc-matter [https://perma.cc/26SM-NDG3]; Press Release, Fed. Trade Comm’n, FTC Finalizes Order Banning Mobilewalla from Selling Sensitive Data (Jan. 14, 2025), https://www.ftc.gov/news-events/news/press-releases/2025/01/ftc-finalizes-order-banning-mobilewalla-selling-sensitive-location-data [https://perma.cc/546H-38YX].

[63]See Fed. Trade Comm’n, supra note 41; Fed. Trade Comm’n, supra note 42.

[64]See Press Release, U.S. Dep’t of Just., Justice Department Files Statement of Interest in Case on Right to Travel to Access Legal Abortions (Nov. 9, 2023), https://www.justice.gov/archives/opa/pr/justice-department-files-statement-interest-case-right-travel-access-legal-abortions; Geoff Mulvihill & John Hanna, Next Abortion Battlefront Opens Between States with Clashing Laws, PBS (Apr. 10, 2023), https://www.pbs.org/newshour/politics/next-abortion-battlefront-opens-between-states-with-clashing-laws.

[65]SeeFTC v. Kochava, 671 F. Supp. 3d 1161, 1166-67 (D. Idaho 2023).

[66]Id.

[67] Second Amended Complaint for Permanent Injunction and Other Relief at 6, FTC v. Kochava Inc., No. 2:22-cv-00377-BLW (D. Idaho July 15, 2024).

[68]Id. at 39-40.

[69]Id. at 2-3.

[70]SeeFTC v. Kochava, 715 F. Supp. 3d 1319 (D. Idaho 2025); see also Ufonobong Umanah, Kochava Inc. Settles Location Data Trade Practice Suit With FTC, Bloomberg News (Feb. 27, 2026), https://news.bloomberglaw.com/litigation/kochava-inc-settles-location-data-trade-practice-suit-with-ftc.

[71] Samuel L. Levine, Dir. of the Bureau of Consumer Protection, Fed. Trade Comm’n, Remarks at the Fourth Annual Reidenberg Lecture at the Fordham School of Law (Apr. 17, 2024).

[72] Jude Joffe-Block, Your data is everywhere. The government is buying it without a warrant, NPR (Mar. 25, 2026), https://www.npr.org/2026/03/25/nx-s1-5752369/ice-surveillance-data-brokers-congress-anthropic [https://perma.cc/9KX7-ZN5Y]; Johana Bhuiyan, US immigration agency explores data loophole to obtain information on deportation targets, The Guardian (Apr. 20, 2022), https://www.theguardian.com/us-news/2022/apr/19/us-immigration-agency-data-loophole-information-deportation-targets [https://perma.cc/H3FS-GM37].