Beware the Tech Industry’s Latest Privacy Trojan Horse

Did you hear the story about the do-gooder tech company that is pushing new state “privacy” bills across the nation?

The pitch by that company — which is so effective its Oregon bill was introduced with more than 40 co-sponsors — is that patients’ health information is being sold for big money without their consent and without providing them any compensation. The solution these bills propose is to prohibit such information from being sold without patients’ permission and without giving them a cut of the profits when their information is sold. Sounds like a big win for privacy and consumers.

Only it’s not. Beware the tech industry’s latest privacy Trojan Horse.

If these bills were purely designed to prevent the sale of patients’ personal information without their express permission, the ACLU would wholeheartedly support such “opt-in” privacy measures. But that is far from these bills’ goal.’s real goal is to use state legislation to create a new way for data sellers to profit off of consumers’ personal information. The current bills being pursued are limited to medical patients, but future iterations are likely to cover a broader range of consumers.

Currently, profits on the sale of patient information are captured when the information is initially sold by a health care provider to a data broker, marketer, or other user and again if the information is resold. While the overall market for personal consumer information, which is predicted to hit $203 billion by 2020, is huge, it is also fairly saturated with existing data mining and selling companies.

Rather than compete with the high volume of companies in the existing market, is looking to create a new, less-populated niche from which to generate profits. And that is what is behind the company’s current multi-state legislative push.’s strategy is to use legislation to artificially generate a robust market for “customer information sales agents” who will facilitate — and profit from — the sale of patients’ medical information. That is why’s legislation, after it mandates patient consent before selling their information, undermines its own privacy provisions by requiring all consent forms notify patients they can “elect to receive a share of any remuneration received” from the sale of their information — an election’s business model is designed to effectuate.  And whereas in the past, health care providers could sell patient information directly to data brokers,’s legislation effectively requires that health care providers use companies like itself to complete the transaction.

Turns out the big “P” in these bills is for “profit-shifting” not “privacy”.

The problem for is “please help us get rich at the expense of consumers’ privacy” is not a great legislative pitch. So the company instead is casting itself as deeply committed to advancing consumer privacy. In a creative maneuver worthy of George Costanza, even the company’s “humanity” name, and its framing of their work as addressing a “human rights” issue, suggests the company is a nonprofit or some other type of public-good focused entity. It is not. is a for-profit company that promotes a data-as-property model — which even Forbes calls “discredited” and “a privacy nightmare rather than a privacy paradise” — in order to artificially generate market demand and substantial profits through government action. argues that, insofar as patient data is already being sold, its legislation is merely designed to give consumers “ownership” of their data and a cut of the profits. But savvy bill readers will note that the proposed laws contain no defined percentage of the profits patients are entitled to, so they could receive mere pennies of’s revenue in return for giving up their privacy.

This lack of transparency and equity is enough to throw these bills’ motives into doubt, but there is a much bigger problem. Namely, that they will adversely and disproportionately impact the privacy of the most vulnerable consumers.

It is well-documented that a wealth-based digital divide exists when it comes to privacy. Wealthier persons are able to afford encrypted iPhones and private email accounts, while poorer persons must buy less secure Android phones and use free email services like Gmail, whose contents are tracked. Under these proposed bills, wealthier persons will easily be able to say no to selling their private information, while poorer persons, who are struggling to pay their bills, will have a far more difficult time refusing the additional income, even if it is small. 

Simply put, these proposed bills do not empower consumers; they take advantage of the most powerless consumers.

All people should be entitled to robust privacy protections, not just the wealthy. The privacy bills the ACLU supports are the type that ensure privacy is protected for all by default; legislatures should certainly enact protections requiring consent before medical information is sold — but without counterproductive strings attached.’s Trojan Horse bills are designed to create a new market in which companies, like theirs, act as sales agents to underinformed or financially strapped consumers, who the law will enable them to coax into selling their information.

The disturbing fact here is’s misleading sales pitch has been working on lawmakers who have a genuine commitment to privacy and protecting consumers. For those well-meaning elected officials, the ACLU has a simple message: You are being duped.’s bills are being rolled out from coast to coast. By its own admission, the company is currently targeting Arizona, California, Georgia, Hawaii, Maryland, Massachusetts, Montana, New Jersey, Oregon, Pennsylvania, and Washington. Other states will likely follow. In each and every state they emerge, these bills must be rejected by legislators.



"Wealthier persons are able to afford encrypted iPhones and private email accounts, while poorer persons must buy less secure Android phones . . ." This is patently false. Some cheaper Android phones are less secure, but your wording makes it sound like all iPhones are superior to all Android phones when it comes to security. Samsung and Google branded phones are both at least as secure as current iPhones if not more so. Besides that, you provided no source for your information, instead relying on "common sense" or "common knowledge." Please update your article with a source or a correction.


I thought the same thing. That paragraph is ludicrous and had me wondering if there was some other hidden agenda here. I work in tech, ACLU, that piece of your argument is embarrassingly mythical.

Ms. Gloria Anasyrma

This is America, they are always going to find some new way to screw you.


The ubiquitous "they"?


Voters need to support the ACLU’s “Campaign Finance Reform” guidelines and change the pay-to-play system. As I understand it, the ACLU plan doesn’t ban corporate donations to Congress and state legislatures. The ACLU plan basically says that an organization with 1 million members paying $1 each to lobby should have more representation in Congress/state legislatures than 1 guy spending $1 million. If we had such a system, consumers would be driving this privacy issue instead of being forced upon us by big business.


" . . . is that patients’ health information is being sold for big money without their consent and without providing them any compensation."

And this is happening on so many levels. A website that I have no affiliation with, never authorized to compile a dossier on me, and which sells more information on me at the click of a mouse -- seems to me the authority on my life. In fact, the website name is And they would induce me to participate, by rating my life with their ratio of my quality(?), and seeking to get me to update their database on me. They offer all kinds of information on me, mostly general information on my age, race, net worth, religion, political affiliation, residence location and the like. They offer court filings, lawsuits, sex offender status, family and friends, neighbors, classmates, pictures, previous employers, and school history and perhaps grades.

I don't know how they could have so much information, except to say, some credit information company like EquifaxTransunion could have provided the info for use on subcontract, or was hacked of the details. But someone is selling information on me, and their process is to put as much on the Web as possible to get me to buy-into it, so that I'll even update it. I won't. But at some point, we'll see this website and others of a similar nature start adding historical medical conditions, drug purchases, DNA ancestry break-out of genetic origin, and who knows what else. I cannot opt out -- unless there is a back-channel way to pay them off to do so. Now, take this one step further, this is what can be found out on a person using the regular Internet, include the dark-web database information and there's so much out there.


This is an unusually slanted article from the ACLU. I looked at the company being attacked here, they are actually a very small company trying to clean up the mess from big tech. This piece seems like an attack. I can't find the bills, but it sounds like the devil is in the details. Chad, would you post the link to the bills please?


Chad, does the entire ACLU feel this way, or is this just your opinion?
