Data Privacy & Surveillance

The United States is the only major democracy without a comprehensive federal data privacy law, leaving Americans' personal information exposed to a $270 billion data broker industry and unchecked government surveillance.

Last updated: March 12, 2026

Domain

Technology & Civil Liberties → Digital Rights → Data Privacy & Government Surveillance

Position

Americans’ personal data is harvested, sold, and exploited on an industrial scale by corporations and accessed by government agencies — all without meaningful consent, transparency, or legal protection. The U.S. needs a comprehensive federal privacy law with strong enforcement, data minimization requirements, and limits on both corporate and government surveillance.

The global data broker market is valued at $270 billion and growing — built almost entirely on harvesting and selling Americans’ personal information without meaningful consent. Eighty-three percent of voters want Congress to pass national privacy legislation. Yet the U.S. remains the only major democracy without a comprehensive federal privacy law, while government agencies openly purchase personal data from brokers to bypass Fourth Amendment protections.

Key Terms

  • Data Brokers: Companies that collect, aggregate, and sell personal information — names, addresses, financial data, health information, location tracking, purchase history, and behavioral profiles — often without the knowledge or consent of the people whose data they sell. An estimated 5,000 data brokers operate globally, powering a $270 billion industry.

  • Data Minimization: The principle that companies should collect only the personal data necessary for a specific, disclosed purpose and delete it when that purpose is fulfilled. The opposite of current practice, where companies collect everything possible, retain it indefinitely, and find ways to monetize it later. Data minimization is a core requirement of the EU’s GDPR.

  • Fourth Amendment Loophole: The practice of government agencies purchasing personal data from commercial brokers rather than obtaining a warrant, effectively circumventing the Fourth Amendment’s protection against unreasonable searches. Agencies including DHS, ICE, the IRS, and the FBI have purchased location data, financial records, and other personal information that would otherwise require judicial authorization to obtain.

Scope

  • Focus: The case for comprehensive federal privacy legislation — data minimization, individual rights, data broker regulation, corporate accountability, and limiting government surveillance through commercial data purchases
  • Timeframe: Failed federal privacy bills through current legislative landscape (2022–2026)
  • What this is NOT about: Cybersecurity (network protection, hacking — a related but separate issue), encryption policy, or foreign intelligence surveillance (FISA) — though domestic surveillance intersects with all of these

The Case

1. Americans Have Virtually No Control Over Their Personal Data

The Point: Corporations collect vast amounts of personal data — location, health, financial, behavioral — without meaningful consent, and sell it through a massive data broker ecosystem that most Americans don’t know exists.

The Evidence:

  • The global data broker market was valued at $270 billion in 2024 and is projected to reach $473 billion by 2032. An estimated 5,000 data brokers collect and sell personal information including financial data, health records, location tracking, and behavioral profiles (Maximize Market Research, 2024).
  • Seventy-three percent of Americans believe they lack sufficient control over how companies use their data. Eighty percent express unease about how their personal data is used online, and only 21% feel confident that their data is being used for proper purposes (Pew Research Center, 2023).
  • Over the past year, 34% of Americans experienced some form of data breach or hacking incident. Only 29% of consumers find it easy to understand how well a company protects their personal data (Pew / CookieYes, 2024–2026).

The Logic: The current system is built on a fiction of “consent” — the idea that people freely agree to data collection by clicking through terms-of-service agreements that no one reads (and that are designed to be unreadable). In practice, there is no meaningful choice: either accept total data harvesting or don’t use the internet. Companies collect far more data than they need, retain it indefinitely, sell it to unknown third parties, and accept minimal liability when it’s stolen. This isn’t a market — it’s an extraction system that functions because there’s no law stopping it.

Why It Matters: Personal data isn’t just a privacy issue — it’s a power issue. When corporations know everything about you — your location, health conditions, financial vulnerabilities, political views, and behavioral patterns — they can manipulate pricing, target advertising to exploit psychological weaknesses, and sell that power to anyone willing to pay, including authoritarian governments and domestic surveillance agencies.

2. The Government Uses Data Brokers to Bypass the Fourth Amendment

The Point: Federal agencies purchase personal data — including location tracking, financial records, and communications metadata — from commercial data brokers, circumventing the warrant requirements that the Fourth Amendment was designed to enforce.

The Evidence:

  • Federal agencies including DHS, ICE, the IRS, the DEA, and the FBI have purchased personal data from commercial data brokers — including cell phone location data capable of tracking individuals’ movements with precision. The Brennan Center for Justice has documented this “data broker loophole” as a systematic end-run around constitutional protections.
  • Seventy-one percent of Americans are concerned about how the government uses data it collects about them — up from 64% in 2019. Seventy-one percent are specifically concerned that surveillance powers could be used to target political opponents or suppress dissent (YouGov, 2025).
  • Data brokers partner with the Social Security Administration and the Departments of Justice, Homeland Security, and State — providing personal information about Americans that these agencies would need a warrant to collect directly.

The Logic: The Fourth Amendment requires the government to obtain a warrant, based on probable cause, before searching your person, papers, or effects. But if the government can simply purchase the same information from a company that collected it without your meaningful consent, the constitutional protection is meaningless. The data broker loophole transforms the entire commercial data ecosystem into a surveillance infrastructure available to any government agency with a purchase order — no judge, no warrant, no probable cause required.

Why It Matters: This isn’t hypothetical — ICE has used purchased location data to track immigrants, and law enforcement agencies across the country use commercially acquired data for investigations that would otherwise require judicial oversight. The combination of corporate data harvesting and government purchasing creates a surveillance apparatus that the Founders could never have imagined and that the Fourth Amendment cannot address without legislative action.

3. Every Other Major Democracy Has Privacy Protections — America Does Not

The Point: The U.S. is the only major democracy without a comprehensive federal privacy law, leaving Americans with weaker protections than citizens of virtually every other wealthy nation and creating a patchwork of state laws that fails to provide consistent coverage.

The Evidence:

  • The EU’s General Data Protection Regulation (GDPR), enacted in 2018, provides EU citizens with rights to access their data, demand deletion, opt out of automated decision-making, and receive notification of breaches. It requires data minimization and imposes fines of up to 4% of global revenue. The U.S. has no federal equivalent.
  • The American Privacy Rights Act (APRA), introduced in April 2024 with bipartisan support from both the Senate Commerce and House Energy Committee chairs, aimed to establish the first comprehensive federal privacy standard — including the right to opt out of targeted advertising, data broker regulation, and requirements for “large data holders.” It failed to advance.
  • As of 2025, 19 states have enacted their own privacy laws — led by California’s CCPA/CPRA — but they vary dramatically in scope, enforcement, and individual rights. Workers, consumers, and businesses face a confusing patchwork that leaves most Americans in states with no privacy protection at all.

The Logic: The U.S. didn’t end up without privacy protections by accident — it’s the result of tech industry lobbying that has defeated every comprehensive privacy bill for over a decade. The ADPPA in 2022 and APRA in 2024 both had bipartisan support and both died. The pattern is consistent: industry mobilizes against any legislation with real enforcement teeth while supporting watered-down “self-regulatory” alternatives. Meanwhile, Americans have fewer data rights than citizens of Europe, Canada, Japan, Brazil, South Korea, and dozens of other countries.

Why It Matters: Without federal legislation, the state patchwork will continue expanding — creating compliance chaos for businesses and unequal protection for citizens. And the problems are accelerating: AI systems trained on personal data, deepfake technology, biometric surveillance, and algorithmic manipulation all require privacy protections that don’t exist. Every year of delay widens the gap between what technology can do and what the law prevents.

Counterpoints & Rebuttals

Counterpoint 1: “Privacy regulation would kill the internet economy — free services depend on data collection.”

Objection: The internet’s most popular services — search, social media, email, maps — are free because they’re funded by targeted advertising, which requires data collection. Strict privacy rules would destroy this business model, forcing companies to charge for services that are currently free, and harming consumers who can’t afford alternatives.

Response: The GDPR has been in effect since 2018 and hasn’t destroyed the internet economy in Europe. Google, Facebook, and Amazon all still operate there — profitably. What changed is that companies must be transparent about data collection, allow opt-outs, and minimize what they collect. The “free services” argument assumes that unlimited, unconsented data harvesting is the only possible business model — it’s not. Subscription options, contextual advertising (based on page content, not personal profiles), and data-minimal business models all exist and thrive. The real concern isn’t that free services would disappear — it’s that the companies built on surveillance capitalism would have to adapt.

Follow-up: “But European tech companies haven’t been able to compete with American ones — that proves regulation hurts innovation.”

Second Response: Europe’s tech gap predates GDPR by decades and has far more to do with venture capital ecosystems, market fragmentation, and talent pipelines than privacy regulation. And the argument proves too much: if “less regulation equals more innovation,” then America’s complete lack of privacy law should produce the best privacy protections in the world through market competition. It hasn’t. Instead, it’s produced a $270 billion data broker industry built on exploitation.

Counterpoint 2: “If you have nothing to hide, you have nothing to fear from data collection.”

Objection: Privacy concerns are overblown. Most data collection is harmless — used for advertising and service improvement. People who aren’t doing anything wrong shouldn’t worry about companies or the government knowing their browsing history.

Response: Everyone has something to “hide” — medical conditions, financial struggles, political views, religious beliefs, personal relationships. The question isn’t whether you’re doing something wrong; it’s whether you want corporations and government agencies to have comprehensive dossiers on your life that you didn’t consent to and can’t control. Seventy-one percent of Americans are concerned about government surveillance powers being used against political opponents — not because they’re criminals, but because they understand that surveillance is power, and power is abused.

Follow-up: “But I’d rather get relevant ads than random ones — personalization improves my experience.”

Second Response: You can have personalization with privacy — contextual advertising (based on what you’re reading, not who you are) is effective and doesn’t require a surveillance profile. And the “relevant ads” benefit is trivial compared to the risks: data breaches affecting 34% of Americans, discriminatory pricing based on personal profiles, political manipulation through micro-targeted misinformation, and government agencies purchasing your location data without a warrant. The trade-off isn’t “relevant ads vs. irrelevant ads” — it’s “marginally better advertising vs. total loss of informational autonomy.”

Counterpoint 3: “State laws are handling this — we don’t need a one-size-fits-all federal law.”

Objection: Nineteen states have enacted privacy laws tailored to their citizens’ values and needs. This federalist approach allows experimentation and prevents a single poorly designed federal law from preempting better state protections.

Response: The state patchwork is failing. Most Americans live in states with no privacy protection at all. Data crosses state lines instantly — a company in one state collects data from users in 50 states, making geographic regulation inherently inadequate. And businesses face compliance nightmares navigating 19+ different frameworks. The strongest state law (California’s CCPA) is better than nothing but far weaker than GDPR and doesn’t cover residents of the other 49 states. Federal legislation should set a floor, not a ceiling — protecting all Americans while allowing states to add stronger protections.

Follow-up: “But federal preemption would override California’s stronger law.”

Second Response: That’s a design question, not an argument against federal legislation. The APRA was specifically designed to allow states to maintain stronger protections in certain areas. A well-designed federal law establishes baseline rights for all Americans while preserving state authority to go further. The California preemption concern is legitimate but solvable — and it shouldn’t be used as an excuse to leave 300 million Americans without any federal protection.

Common Misconceptions

Misconception 1: “I agreed to this data collection when I accepted the terms of service.”

Reality: Terms of service agreements average 7,500–10,000 words and are written in legal language designed to be impenetrable. Studies show virtually no one reads them — and even those who do can’t meaningfully understand what they’re consenting to. “Consent” that requires a law degree to understand and offers no alternative except disconnecting from modern life isn’t meaningful consent.

Misconception 2: “My data is anonymized, so it can’t be traced back to me.”

Reality: Researchers have repeatedly demonstrated that “anonymized” datasets can be re-identified using a surprisingly small number of data points. Location data from a cell phone, combined with home and work addresses, can uniquely identify 95% of individuals in a dataset. True anonymization is extremely difficult and rarely achieved in practice.

Misconception 3: “The government needs a warrant to access my data.”

Reality: The Fourth Amendment protects against direct government searches — but doesn’t prevent the government from purchasing your data from commercial brokers who collected it. Federal agencies including DHS, ICE, and the IRS routinely buy personal data that they would otherwise need a warrant to obtain. The data broker loophole is the largest gap in Fourth Amendment protection.

Rhetorical Tips

Do Say

“Your personal data is being collected, sold, and used in ways you never agreed to — by companies you’ve never heard of, for purposes you’d never approve. You deserve the right to know who has your data and to say no.” Make it personal and concrete. Use the data broker industry’s size ($270 billion) as a shock number.

Don’t Say

Don’t say “regulate Big Tech” as a catchall — it triggers partisan reflexes. Don’t lead with government surveillance if your audience is conservative (they may support it); lead with corporate overreach. Don’t use the phrase “nothing to hide” — engage the argument directly when others raise it.

When the Conversation Goes Off the Rails

Come back to this: “The government buys your location data from data brokers instead of getting a warrant. That should concern everyone, regardless of party. A federal privacy law would close that loophole and give you control over your own information.”

Know Your Audience

For conservatives, emphasize government surveillance overreach, the Fourth Amendment loophole, and property rights in personal data. For moderates, lead with the $270 billion data broker industry, the 83% polling support for federal legislation, and the EU comparison. For progressives, emphasize corporate power, discriminatory profiling, and the intersection with racial justice (surveillance disproportionately affects communities of color).

Key Quotes & Soundbites

“The global data broker industry is worth $270 billion — built almost entirely on harvesting and selling your personal information without your meaningful consent. And the U.S. is the only major democracy without a law to stop it.”

“The government buys your cell phone location data from commercial brokers instead of getting a warrant. The Fourth Amendment means nothing if it can be bypassed with a purchase order.”

“83% of voters want Congress to pass a national privacy law. Congress has killed every comprehensive proposal for over a decade. The data broker lobby is winning.”

  • Facial Recognition & Policing — Facial recognition combines with mass data collection to create comprehensive surveillance infrastructure (see technology-civil-liberties/facial_recognition_policing)
  • AI Regulation & Worker Protections — AI systems trained on personal data amplify privacy harms (see technology-civil-liberties/ai_regulation_worker_protections)
  • Social Media & Section 230 Reform — Social media platforms are among the largest data collectors (see technology-civil-liberties/social_media_section_230)
  • Citizens United & Campaign Finance — Personal data enables micro-targeted political manipulation (see governance/citizens_united_campaign_finance)

Sources & Further Reading