The idea that consumers should control their own personal data has been circulating in technology policy circles for years. When Reputation.com announced plans to launch a data vault product—software that would allow consumers to grant or withhold permission for third-party advertisers to access their personal information—it represented one of the more ambitious attempts to build a market-based solution to the data privacy problem. That proposal still raises questions that shape today’s privacy law debates.
A data vault, as Reputation.com envisioned it, would act as a gatekeeper for personal information. Consumers could store their information in the vault and grant temporary, limited access to advertisers in exchange for something of value—coupons, discounts, or other benefits. Consumers could also pay to have their information removed from existing third-party data broker databases.
The concept flips the traditional data economy on its head. Rather than businesses collecting user data by default, users would affirmatively control who gets access and on what terms. The premise reflects a growing consensus in privacy law: personal data is a form of property, and individuals should have meaningful rights over it.
At the time Reputation.com proposed its data vault, U.S. privacy law was fragmented. There was no comprehensive federal privacy statute. The FTC regulated deceptive data practices under Section 5 of the FTC Act, and sector-specific laws like HIPAA and COPPA imposed requirements in narrow domains. State law was equally patchwork.
The absence of robust federal legislation created the environment in which private solutions like data vaults emerged. But the tech industry’s self-regulatory efforts ultimately proved insufficient, and legislators began filling the gap. California enacted the CCPA in 2018, granting consumers rights to know, delete, and opt out of the sale of their personal information. The CPRA, which amended and expanded the CCPA in 2020, created the California Privacy Protection Agency as a dedicated enforcement body.
The Reputation.com proposal specifically addressed data brokers—companies that compile and sell personal information about individuals, often without those individuals’ knowledge or consent. Data brokers aggregate information from public records, social media, purchase histories, and hundreds of other sources to build detailed consumer profiles.
Several states have now enacted laws specifically targeting data brokers. California’s Delete Act (SB 362), effective in 2024, requires data brokers to register with the California Privacy Protection Agency and honor deletion requests made through a centralized deletion mechanism. Vermont and Texas have enacted similar registration requirements.
For individuals whose personal information has been widely distributed by data brokers, reputation management involves both technical and legal strategies. On the legal side, available remedies depend on the nature of the harm:
The question Reputation.com’s proposal raised—whether private, market-based solutions can adequately protect consumer privacy—remains contested. The data economy has grown dramatically more sophisticated since the data vault concept emerged. Targeted advertising, AI-driven profiling, and real-time data trading have made the technical challenges of consumer data control far more complex.
The weight of legislative activity in the last decade suggests that private solutions alone have not been enough. Comprehensive state privacy laws in California, Virginia, Colorado, Connecticut, and more than a dozen other states now impose baseline obligations on businesses and grant consumers enforceable rights.
If you are a business navigating data privacy compliance or an individual seeking to understand or enforce your privacy rights, Revision Legal’s attorneys can help. Contact us today to discuss your situation.
Data brokers—companies that collect, aggregate, and sell personal information—operate largely outside the public consciousness but have significant impact on how individuals are perceived by employers, creditors, insurers, and advertisers. Major data brokers like Acxiom, LexisNexis, Experian, and hundreds of smaller competitors compile detailed profiles of Americans from public records, social media, purchase data, and hundreds of other sources.
The information these brokers hold can affect employment decisions, credit determinations, insurance underwriting, and even political targeting. Inaccurate data broker information can cost people jobs, credit opportunities, and housing. Until recently, individuals had no effective mechanism for knowing what data brokers hold about them or for correcting it.
California’s Delete Act (SB 362), effective January 2024, represented the most significant step toward direct consumer control of data broker information. The law requires data brokers to register with the California Privacy Protection Agency and to honor deletion requests submitted through a centralized deletion mechanism that the Agency is building. A California consumer who submits a deletion request through this mechanism will be able to require all registered data brokers to delete their information in a single action rather than contacting each broker separately.
Vermont enacted the first comprehensive data broker registration law in 2018. Texas enacted a data broker law in 2023. Additional states are expected to follow. For individuals concerned about their data broker profiles, state law is becoming an increasingly practical tool.
When data broker information is used for employment screening, credit decisions, or insurance underwriting, the Fair Credit Reporting Act (FCRA) provides additional protections. Consumer reporting agencies—a category that includes many data brokers when their information is used for covered purposes—must follow reasonable procedures to ensure accuracy, provide consumers with free annual reports, and investigate and correct inaccurate information upon dispute.
If inaccurate information in a data broker’s file has been used to deny you employment, housing, or credit, you may have an FCRA claim for actual damages, statutory damages of $100 to $1,000 per violation, and attorney’s fees. The FCRA’s private right of action makes these claims economically viable even for individuals with relatively modest damages.
Where a data broker’s profile contains factually false information—not merely private true information—defamation or false light invasion of privacy claims may be available. If the false information has been published to third parties and has caused reputational or economic harm, the elements of defamation may be satisfied. Courts have allowed defamation claims to proceed against data brokers that published false criminal history information, false bankruptcy records, or false arrest data.
The strategic challenge is that many data brokers are very large, legally sophisticated entities that have experience defending these claims. Successfully pursuing a data broker requires thorough preparation, including detailed documentation of the specific false information, proof of its publication to third parties, and evidence of concrete harm.
Revision Legal’s privacy attorneys advise individuals and businesses on navigating data broker regulation, enforcing state privacy rights, and pursuing legal action against data brokers who publish false or improperly obtained information. Contact us today to discuss your situation.
Facebook agreed to pay $550 million to settle a class action lawsuit under Illinois’ Biometric Information Privacy Act. Here’s what the case means for biometric data law.
Read more about Facebook’s $550M Illinois Biometric Settlement
Seizing an infringer’s domain name is one of the most effective ways to stop IP theft online. Here’s how courts order domain transfers and what rights holders need to show.
Read more about Seizing an Infringer’s Domain to Stop Infringement
Recent court decisions on what counts as an ‘autodialer’ under the TCPA suggest restrictions may be loosening. Here’s what businesses using automated texts need to know.
Read more about TCPA Autodialer Decisions: Are Restrictions Easing?