Amid persistent concerns about how agencies use data brokers, a new congressionally chartered report recommends setting up an authorization framework to govern the federal government’s use of commercially available information.
Rep. Lori Trahan (D-Mass.) this week released a new report on modernizing the Privacy Act of 1974. The 68-page document includes a range of proposals to update the 52-year-old law.
Trahan’s report has garnered attention for addressing Privacy Act vulnerabilities allegedly exploited in high-profile cases by Department of Government Efficiency (DOGE) personnel over the past 12 months.
But the report’s recommendations go beyond DOGE’s actions and address several longstanding issues, including how federal agencies use data about Americans that can be purchased through private brokers.
“The Privacy Act’s authors could not have foreseen the proliferation of commercially available information (CAI) in the decades following the Act’s passage – especially CAI containing personally identifiable information (PII) sold by data brokers – nor federal agencies’ voracious appetite for such data,” the report states.
It recommends setting up a process to authorize federal use of commercially available information modeled on the Federal Risk and Authorization Management Program. Known as FedRAMP, the program assesses the security of cloud offerings used by federal agencies.
“By modeling this process on or incorporating it into the Federal Risk and Authorization Management Program … Congress could standardize evaluations of commercially available datasets and mitigate privacy risk,” the report states. “Moreover, Congress could stipulate that such authorizations be made publicly available via a centralized portal, facilitating its own oversight while simultaneously improving accountability.”
‘Messy’ state of affairs
The Privacy Act’s protections “generally” cover CAI that contains personally identifiable information, the report acknowledges. But CAI “presents emergent privacy risks that demand additional quality and transparency controls which Congress is uniquely positioned to mandate.”
Trahan’s report points to how civilian agencies rely on data brokers to verify identity and prevent fraud, rather than using data from other federal agencies. The Privacy Act “engenders a dynamic in which civilian agencies under pressure from Congress to meet statutory deadlines routinely look to commercial data brokers rather than other agencies or individuals for requisite data,” Trahan’s report states.
Meanwhile, law enforcement and intelligence agencies rely on “copious exceptions” in law to buy and share commercially available information.
“This state of affairs is messy, inefficient, and indefensible,” Trahan’s report states.
Civil liberties groups have also argued that agencies use data brokers to bypass the Fourth Amendment and evade privacy protections. In response to a 2024 request for information from the Office of Management and Budget, privacy advocates pointed to the kinds of information the data broker industry collects and sells on individuals.
“This data includes, but is not limited to, detailed location histories; demographic information, including membership in legally protected groups, interests, affinities, and associations; and information about finances and wealth, property, healthcare, and internet search and browsing history,” a group of civil liberties nonprofits told OMB.
In a separate response, the Federation of American Scientists argued agencies like Immigration and Customs Enforcement have used broker-purchased data to track individuals without warrants.
Like Trahan’s proposal, the FAS has recommended using FedRAMP to authorize third-party data sources. “An authorization framework for CAI containing PII would ensure a standardized approach for data collection, management, and contracting, mitigating risks, and ensuring ethical data use,” FAS wrote.
The Democratic congresswoman’s report said a standardized authorization framework for CAI should be one that “meaningfully mitigates privacy risk for individuals, improves quality control, and eliminates redundant procurements.”
Much like how FedRAMP uses third-party assessors to evaluate whether cloud services meet security controls, a “FedRAMP-for-CAI” solution would “identify appropriate CAI products and services, and evaluate those products and services against a common baseline of privacy controls,” Trahan’s report states.
“Agency authorizing officials use this information to make informed, risk-based, and efficient decisions concerning the use of those CAI products and services,” it adds.
Copyright © 2026 Federal News Network. All rights reserved.



