The Data Broker Loophole: How Governments Buy Around Privacy Laws

Buying Around the Constitution: How Governments Use Data Brokers to Sidestep Privacy Protections Without Breaking the Law

Federal and state agencies are increasingly obtaining Americans’ personal data not by passing new surveillance laws or obtaining warrants, but by purchasing it on the open market. Because the information is bought as a commercial product rather than seized, the practice operates within existing statutes while bypassing the legal process those statutes were designed to require. Civil liberties groups call the gap the “data broker loophole.”

The mechanism is straightforward. Private companies collect location, browsing, and demographic data from apps and websites, package it, and sell it. Data brokers aggregate that information and offer it to buyers — including law enforcement and intelligence agencies. No statute is violated, yet the result is that the government acquires data it would otherwise need a court order to obtain.

Background

The Fourth Amendment protects against unreasonable searches and generally requires the government to obtain a warrant before accessing information in which a person has a reasonable expectation of privacy. In simple terms: if police want certain private information about you, they usually have to convince a judge there is good reason first.

A long-standing legal principle known as the third-party doctrine complicates that protection. Under it, information a person voluntarily shares with a third party — historically a bank or phone company — receives less constitutional protection. In the modern era, smartphones and apps continuously generate data shared with countless third parties, and brokers compile it into detailed profiles spanning geolocation, health indicators, and online activity.

The U.S. Supreme Court narrowed that doctrine in Carpenter v. United States (2018), ruling that the government generally needs a warrant to obtain extended cell-site location records that track a person’s movements. Critics argue the commercial-data market effectively routes around that ruling: rather than compelling a company to hand over records, an agency simply buys equivalent data from a broker.

How the Loophole Works

The relevant statutes were written for a different technological era. The Electronic Communications Privacy Act (ECPA) governs how the government compels disclosure of communications data, but it does not squarely address voluntary commercial sales of that data by brokers. According to the Brennan Center for Justice, agencies have used this and other statutory gaps to access personal information without the legal process the law would otherwise require.

The Electronic Frontier Foundation and the Electronic Privacy Information Center (EPIC) describe the practice as government evasion of the Fourth Amendment through commercial purchase. The Project On Government Oversight frames the core question simply: the government should not be able to buy data it would otherwise need a warrant, subpoena, or court order to obtain.

Documented Examples

Reporting and government records have identified several federal agencies that purchased commercial data. The Department of Homeland Security, FBI, IRS, and Secret Service have all acquired location data, and U.S. Immigration and Customs Enforcement (ICE) reportedly paid more than $1 million for access to cellphone geolocation databases in 2017 and 2018, according to reporting cited by Criminal Legal News.

Federal Trade Commission enforcement filings illustrate the scale of the underlying market. In its action against the data broker Mobilewalla, the FTC alleged the company collected more than 500 million unique consumer advertising identifiers paired with precise location data between January 2018 and June 2020. The FTC said such tracking can expose where service members are stationed or which medical treatments a person is seeking.

In December 2024, the FTC announced proposed settlements with Mobilewalla and with Gravy Analytics and its subsidiary Venntel — a broker repeatedly linked to government customers. Final orders issued in January 2025 restrict the sale of sensitive location data tied to places such as medical facilities, military installations, and houses of worship, and for the first time bar a company from collecting consumer data from real-time advertising auctions for unrelated purposes.

The Policy Response

Efforts to close the loophole have advanced furthest in Congress through the bipartisan Fourth Amendment Is Not For Sale Act, which would bar law enforcement and intelligence agencies from purchasing data they would otherwise need legal process to obtain. The House passed the measure 219–199 in April 2024, but it was not adopted by the Senate during the reauthorization of Section 702 of the Foreign Intelligence Surveillance Act.

The issue has resurfaced as Section 702 again approaches a sunset deadline in 2026, with privacy advocates pressing to attach data broker restrictions to any reauthorization and some lawmakers favoring a “clean” extension. Public sentiment appears broadly supportive of reform: a 2023 YouGov poll cited by the Project On Government Oversight found that 80% of Americans believe agencies should obtain warrants before purchasing location and other sensitive data from brokers.

Action at the federal regulatory level has moved in the opposite direction. The Consumer Financial Protection Bureau withdrew a proposed rule on May 15, 2025, that would have treated certain data brokers as consumer reporting agencies under the Fair Credit Reporting Act, stating that the rulemaking was “not necessary or appropriate at this time.”

The State-Level Picture

States have become the most active arena for data broker regulation. By 2026, roughly 19 to 20 states had comprehensive consumer privacy laws in effect, collectively covering more than half of the U.S. population, according to trackers including MultiState and Bloomberg Law.

California has gone furthest. Its Delete Act (SB 362) created the Delete Request and Opt-out Platform (DROP), which launched January 1, 2026, allowing residents to submit a single request to delete their information from all registered brokers; brokers must begin processing those requests within 45 days starting August 1, 2026. A companion measure, SB 361, now requires brokers to disclose whether they sell data to specific categories of buyers — including foreign actors, federal or state governments, and developers of generative AI systems.

Montana has gone directly at the loophole itself, becoming, by some accounts, the first state to restrict law enforcement purchases of certain broker data without legal process — a state-level version of what the Fourth Amendment Is Not For Sale Act would do nationally.

Analysis

The data broker debate sits at the intersection of constitutional law, commercial regulation, and national security, which helps explain why it has produced incremental rather than sweeping change. Supporters of restrictions argue that constitutional protections lose meaning if agencies can purchase what they cannot lawfully seize. Defenders of current practice contend that commercially available information is already public-facing, that purchases can aid legitimate investigations and public-safety work, and that broad prohibitions could hamper national security.

Notably, the loophole persists not because privacy laws have been repealed, but because they were never written to anticipate a mature commercial data market. The legal protections remain on the books; the transaction simply occurs in a channel those protections do not reach. That structural feature is why reform proposals focus less on creating new prohibitions than on extending existing warrant requirements to cover purchased data.

Conclusion

For now, the patchwork holds: an active state-level regime expanding broker transparency and deletion rights, a federal legislative fix that has passed the House but stalled in the Senate, and a federal regulatory posture that has stepped back from new rules. The result is a system in which the legality of government data purchases turns less on what information is obtained than on how it is acquired — a distinction that, for the moment, keeps the practice on the lawful side of a contested line.

Key Takeaways

  • Governments can lawfully obtain personal data by buying it from brokers, bypassing warrant requirements without violating any statute — the “data broker loophole.”
  • The practice exploits the third-party doctrine and gaps in the Electronic Communications Privacy Act that predate the modern commercial data market.
  • FTC enforcement actions against Mobilewalla and Gravy Analytics/Venntel (finalized January 2025) restrict sensitive location data sales but do not close the government-purchase loophole.
  • The Fourth Amendment Is Not For Sale Act passed the House 219–199 in 2024 but has not become law; the debate has reopened around the 2026 FISA Section 702 sunset.
  • States lead on regulation: roughly 19–20 have comprehensive privacy laws, and California’s Delete Act and SB 361 now require brokers to disclose government and AI buyers.

Sources

  1. Brennan Center for Justice, “Closing the Data Broker Loophole” — https://www.brennancenter.org/our-work/research-reports/closing-data-broker-loophole
  2. Federal Trade Commission, action against Mobilewalla (Dec. 3, 2024) — https://www.ftc.gov/news-events/news/press-releases/2024/12/ftc-takes-action-against-mobilewalla-collecting-selling-sensitive-location-data
  3. EPIC, “FTC Takes Action Against Data Brokers for Selling Sensitive Location Data” — https://epic.org/ftc-takes-action-against-data-brokers-for-selling-sensitive-location-data/
  4. Criminal Legal News, “Federal Government Circumventing Fourth Amendment by Buying Data” — https://www.criminallegalnews.org/news/2025/apr/15/federal-government-circumventing-fourth-amendment-buying-data-data-brokers/
  5. Project On Government Oversight, “Fact Sheet: Closing the Data Broker Loophole” — https://www.pogo.org/fact-sheets/fact-sheet-closing-the-data-broker-loophole
  6. Federal Register, CFPB withdrawal of Regulation V data broker rule (May 15, 2025) — https://www.federalregister.gov/documents/2025/05/15/2025-08644/protecting-americans-from-harmful-data-broker-practices-regulation-v-withdrawal-of-proposed-rule
  7. MultiState, “20 State Privacy Laws in Effect in 2026” — https://www.multistate.us/insider/2026/2/4/all-of-the-comprehensive-privacy-laws-that-take-effect-in-2026
  8. EPIC, “FISA Section 702: Reform or Sunset” — https://epic.org/campaigns/fisa-section-702-reform-or-sunset/