State consumer privacy laws are leaving public servants exposed to data broker-enabled threats, according to a report from the Public Service Alliance's Security Project.
Researcher Justin Sherman analyzed 19 state privacy laws and found a critical gap: while all give consumers the right to opt out of private-source data sales, none prevent brokers from selling personal information, including home addresses, when sourced from public records like property filings or court documents. None of the laws include private rights of action allowing individuals to sue over violations.
The timing matters. Violent threats against U.S. public servants have increased sharply since 2015, with local officials (school board members, election workers) representing nearly a third of 1,600+ documented threats between 2015 and 2025. The report identifies a "data-to-violence pipeline" where easily accessible broker data enables escalation from online threats to physical attacks.
The Minnesota case illustrates the risk: A man charged with assassinating state representative Melissa Hortman allegedly used people-search engines to compile lists of officials' home addresses. Court records showed he had researched 11 different data broker sites.
The enterprise tech angle: Government agencies are buying this same broker data, bypassing Fourth Amendment protections. The CFPB's December 2024 notice of proposed rulemaking targets broker practices under FCRA, flagging risks to public servants. DOJ charged three brokers (Epsilon, Macromark, KBM) in 2020-2021 for selling data on vulnerable groups to scammers, enabling millions in fraud.
Reporters have demonstrated the loophole's breadth, purchasing geolocation data tracking SEC officials to their homes. Brokers also sell sensitive financial data on military personnel, creating foreign blackmail risks.
The report suggests regulating digital access to public records rather than limiting them entirely, balancing First Amendment concerns with safety. What changed: Pre-internet, accessing public records required knowing which courthouse to visit. Now brokers aggregate nationwide records into searchable databases sold via API.
The pattern is clear: voluntary industry "controls" haven't worked. One broker overrode its own scam protection to complete a sale. CTOs and CISOs in government tech need to account for this in threat models, especially as agencies increasingly rely on third-party data services.