LexisNexis, a data brokerage firm, is being sued by Illinois activists for the collection and sale of immigrant data to U.S. Immigration and Customs Enforcement. What data is legal or illegal to sell? Who can access it? And what can they do with it?
LexisNexis, a data brokerage firm, is being sued by Illinois activists for the collection and sale of immigrant data to U.S. Immigration and Customs Enforcement. The $22.1 million contract with LexisNexis allows ICE to look up personal information on immigrants, including their address, license plates, and previous roommates and romantic partners, in order to conduct warrantless surveillance. While this issue is particularly dangerous for immigrants, personal information on anyone with a digital footprint is constantly being collected and sold, often without consent.
To better understand the lawsuit and how surveillance data is being used by law enforcement in Illinois, we spoke with Aziz Huq, a University of Chicago law professor who teaches courses on technology and law. He helped us answer some commonly asked questions on what’s legal regarding the collection and sale of data.
What types of data do data brokers like LexisNexis collect?
Data brokers aggregate and sell information about you that they’ve collected from loads of sources, including the websites you’ve visited, apps you’ve downloaded, memberships you’ve signed up for, and content you like, share and follow on social media. They also purchase data from other companies including phone and credit card companies. So they have access to plenty of data which includes, but is not limited to your:
- Phone number
- Email address
- Home and work addresses (past and present)
- Social Security number
- Family and marital status
- Education levels
- Web browsing history
- Political affiliation
And Lexis Nexis is not alone in collecting this type of data. “By and large, apart from [consent rules], there’s no limit on who can collect data,” said Huq. Generally speaking, there are no limits to who can buy your data, either, Huq says.
What information does LexisNexis in particular have access to?
LexisNexis markets to law enforcement agencies, which means they also have access to data that isn’t available to the general public. So while they have all of the information listed above, they also have access to driving records, real-time booking information, auto collision information and license plate reader data.
If this lawsuit is successful, what will it accomplish?
It’s difficult to say. Huq believes that a state’s ability to monitor and regulate data brokerage is unlikely. And there’s nothing that would stop another data company from taking over the contract with ICE, similar to LexisNexis taking over for Thomson Reuters in 2021.
“Could a state regulate the data brokerage market? I think it would be hard to do that because so much of it is just hard to see,” said Huq. “Data might be gathered in Illinois, but it’s almost certainly not kept in Illinois. Data has a physical storage place. And if you have data that’s produced initially in Illinois, but then is bought and sold somewhere else, I don’t know how the state will ever find out about it to enforce its rules. I have a hard time seeing how it would work in practice.”
What are the current state-by-state regulations?
Current state regulation is fragmented. “The law is very piecemeal when it comes to data privacy, and there are many different sources of limits on the use of data depending upon whether it’s public or private,” said Huq. “The availability of that kind of protection with respect to one or another kind of private data gathering varies tremendously between different states, so the result is a real patchwork of protections — or lack of protections.”
California, Colorado, Connecticut, Utah and Virginia are the only states that have comprehensive consumer data privacy laws. Other states provide fragmented protections to individuals.
Illinois has regulations in place around the collection of biometric information, or the physical characteristics of an individual that can be used to identify them. These include the Biometric Information Privacy Act (BIPA) and the Illinois Consumer Fraud and Deceptive Business Practices Act, which prohibits businesses from deceptive or fraudulent acts, and pertaining to data privacy, can mean the non-consensual collection and sale of consumer data.
Is there opportunity for federal legislation to affect how companies use our personal data?
But according to Huq, passing federal legislation that provides privacy protection is unlikely to occur.
“We’re not going to get a federal law, because we don’t have a functioning federal legislature,” said Huq.
Legislation called The Fourth Amendment Is Not For Sale Act was proposed in 2021 by several senators that, if passed, would ultimately close the legal loophole that allows brokers to sell personal information to law enforcement and other intelligence agencies without court oversight. Under this act, agencies like ICE would need to obtain a court order before purchasing data from brokers. As of February 2023, the bill has not been passed.
How do I know if LexisNexis has information about me?
Individuals can see what information LexisNexis has about them by requesting a Consumer Disclosure Report online, by mail or by phone. They require an address, date of birth, Social Security number, and driver’s license number in order to verify the requester.
Is there a way to opt out or scrub my information from LexisNexis?
LexisNexis provides an opt out form, but the form requires a reason for the removal, and depending on the response, an individual may be asked to submit additional documentation via email, fax or postal mail. Additionally, the requestor has to confirm their identity by providing either an address or a Social Security number, potentially further validating and growing the information collected on the individual.
Is there a way to protect my data?
“There are people who argue you should essentially go off the grid,” said Huq. “You should just switch off all of your technology that involves data acquisition — transition to cash, don’t carry a cell phone, stuff like that. But that’s not practical for most people.”
But some options to keep in mind are being scrupulous with what you share online, make your social media accounts private, and use a web browser that includes ad-blocking and tracker-blocking software like DuckDuckGo. Most sites also offer you a cookieless experience upon visiting, and opting out will keep the site from downloading advertiser cookies on your browser.
When it comes to in-person interactions and purchases, things can be a bit more difficult. Huq compared the daily activities of today to the 1980s. Credit cards are the predominant mode of payment now, which result in a data trail.
“When you go into shops, often when you sign a keypad, you’re effectively signing their terms of service, and those contracts have privacy provisions in them,” said Huq. And unless you want to only carry cash, or forgo purchasing a smartphone, vehicle or house, it’s nearly impossible to avoid this data transaction.
The information provided on this website does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available on this site are for general informational purposes only.