End-Running Warrants: Purchasing Data Under the Fourth Amendment and the State Action Problem

Introduction

Weeks after the Supreme Court overturned Roe v. Wade, thirteen state legislatures banned and criminalized abortion.[1] Reproductive rights organizations decried the decision as a fundamental erosion of rights, while Republican lawmakers in red states declared the passage of these statutes a moral victory.[2] To third-party data broker SafeGraph, however, Dobbs presented a business opportunity.

SafeGraph, like other brokers, purchases users’ location data from ordinary apps and from other internet service providers (ISPs).[3] Such data is collected from virtually all applications—prayer apps, mobile games, the weather app, Google, rideshare apps, and more.[4] Brokers, in turn, repackage and sell geolocation data to willing buyers.[5] By aggregating cell service location information (CSLI) and other geolocation data across phone applications and other services, SafeGraph created a data package that traced users who visited any of Planned Parenthood’s 600 locations across the United States.[6] In the months leading up to the anticipated Dobbs decision, purchasers of SafeGraph’s “Planned Parenthood” data package could acquire a weeks’ worth of location data at a time, which, according to the company, answered questions like “how often people visit, how long they stay, where they came from, where else they go, and more.”[7] While SafeGraph “stopped selling information on visits to abortion clinics” in the wake of the leaked Dobbs decision,[8] as of August 2022, thirty-two other brokers continued to sell similar data.[9] Among the likely purchasers of these datasets are law enforcement agencies in states that recently banned abortion.[10]

The Fourth Amendment ordinarily requires law enforcement and intelligence agencies to obtain a warrant to conduct surveillance—for example, tracking people’s locations and searching their private records.[11] Katz v. United States explains that the Fourth Amendment “protects individual privacy against certain kinds of governmental intrusion.”[12] Under the Katz privacy test, a search occurs when “a person ha[s] exhibited an actual (subjective) expectation of privacy and . . . the expectation be one that society is prepared to recognize as ‘reasonable.’”[13] Thus, when the government invades a user’s reasonable expectation of privacy, it must obtain a warrant.[14]

Historically, this provision of the Bill of Rights has struggled to keep pace with the novel privacy issues that attend evolving surveillance methods.[15] In 2018, however, the Supreme Court ruled that users have a reasonable expectation of privacy in historic CSLI data.[16] Since cellphone use is “almost a ‘feature of human anatomy,’” historical location data presents a near infallible record of every location a user has frequented.[17] People do not relinquish their privacy expectations in these data merely because their phones transmit their real-time location to a third party (i.e., the internet service providers (ISPs)): phones are “‘such a pervasive and insistent part of daily life’ that carrying one is indispensable to participation in modern society.”[18] Compelling ISPs to hand over CSLI data, then, required the government to obtain a warrant. This denoted a landmark moment for privacy in the digital age: for the first time, users had Fourth Amendment rights in records they “likely [did] not even know exist[ed].”[19]

Rather than obtain a warrant to compel private actors to hand over this sensitive geolocation information, however, the government now simply purchases mass records from third-party brokers—without a warrant. The Department of Homeland Security (DHS) alone has spent millions of dollars buying CSLI data from two data brokers, Venntel and Babel Street, since 2017.[20] The Federal Bureau of Investigation (FBI)[21] and the Drug Enforcement Agency (DEA)[22] have purchased services and data from Venntel, a broker whose parent company claims to have access to location data on over 150 million devices.[23] The Defense Intelligence Agency (DIA) has also confirmed that it avails itself of third-party brokers’ data.[24] Even local police have purchased sensitive location data from brokers to support law enforcement investigations.[25]

Warrantless purchases do not violate existing statutory frameworks,[26] and courts have yet to pronounce on the constitutionality of the practice. While government agencies “do[] not construe the Carpenter decision to require a judicial warrant endorsing purchase or use of commercially available data for intelligence purposes,”[27] numerous op-eds suggest the agency “interpretation is certainly vulnerable to legal challenge.”[28] But these short commentaries forego in-depth doctrinal analysis, and “it could be years before the courts resolve the issue.”[29] Instead, a group of twenty senators have introduced the Fourth Amendment Is Not For Sale Act (FAINFSA) to preemptively close this potential loophole in Fourth Amendment doctrine.[30] This law would ban government agencies from obtaining location information, the contents of communications, and other kinds of sensitive data “in exchange for anything of value.”[31]

Over two years have elapsed since legislators first proposed the law.[32] As the House has voted to reintroduce FAINFSA, the time is ripe for a full examination of whether an agency purchase of sensitive data from third-party brokers requires a warrant under the Constitution and whether FAINFSA is the best way to fill any constitutional gaps. This Note hence examines whether the Fourth Amendment regulates law enforcement and intelligence agencies’ purchases of sensitive location data.[33]

To accomplish this, the Note employs a two-part inquiry. Axiomatically, the Fourth Amendment only protects against “unreasonable searches” of people’s private records by the government.[34] Therefore, it first asks (I) whether a government purchase of data is “state action.” Then, it determines (II) whether users have a reasonable expectation of privacy in commercially available data (i.e., the Katz privacy test). For the Fourth Amendment to apply, both (I) and (II) must be answered in the affirmative.

This Note—the first comprehensive examination of government purchases under the state action doctrine[35]—proceeds in three parts. Part I addresses the first prong of the inquiry: it demonstrates that an agency purchase of data is not “state action” in the constitutional sense, and thus, the Fourth Amendment does not apply to these purchases. This Part then establishes that an open-market government purchase of user data does not convert either a service provider or data broker into a “state actor.” As a result, the Fourth Amendment does not prohibit a warrantless purchase of sensitive records.

Part II concerns the second prong of the two-part inquiry: it shows that users have a reasonable expectation of privacy in the location records sold by data brokers. Agency lawyers have suggested that users cannot have privacy expectations in commercially available data.[36] Yet this Note—the first in-depth assessment of this intuitive argument—advances that users do retain privacy rights in commercially available geolocation data. The fact that users agree to data-sharing provisions in Terms of Service Agreements does not undermine this conclusion, nor could ISPs or data brokers consent to a search on users’ behalf. But-for the state action problem, then, users would be protected from warrantless purchases of data.

In Part III, I demonstrate that this awkward result is in tension with the underlying purpose of the Fourth Amendment. Though not forged as a bulwark for privacy, this cornerstone constitutional protection was (partially) intended to shield people’s private lives—their political beliefs, religious associations, and personal activities—from government scrutiny.[37] By keeping personal lives invisible to prying government eyes, the Fourth Amendment hides people’s unorthodoxy and private dissent—the very things that could subject them to unjust persecution. Yet geolocation data can reveal precisely these same intimate aspects of our private lives: our faith,[38] political associations and beliefs,[39] sexual orientation,[40] immigration status,[41] and much more. There ought to be some protections against purchases of these location data, even if this protection does not fit within the confines of the Fourth Amendment.

Blanketly preventing only U.S. government agencies from purchasing these data (for example, through FAINFSA), would be misguided, however. Under FAINFSA, data brokers may not sell sensitive information to the U.S. government without a warrant, but they would still be free to sell to hostile foreign actors and governments without constraint. This creates a serious foreign intelligence threat. Instead, Congress must step in and pass privacy legislation to address this issue at its source by regulating transactions of sensitive data in the first place.

I.      Short-Circuiting the Warrant Requirement: The State Action Problem

The Fourth Amendment only protects people against unreasonable searches by the government, not from those conducted by purely private parties.[42] Thus, for the Fourth Amendment to require a warrant to purchase commercial geolocation data, the act of purchasing data itself must be considered a “government search” or “state action.” Even if users have a reasonable expectation of privacy in their commercial geolocation records under Carpenter, the government need not obtain a warrant if a purchase is not “state action.”

Courts have never directly addressed the question of whether a purchase can constitute a search in itself, and indeed, existing commentary also fails to address the significance of the state action question. Dori Rahbar, Matthew Tokson, and Jillian Chambers claim that a purchase of data from brokers is a search because users have a reasonable expectation of privacy in these records, but they do not evaluate whether the purchase is a “state action.”[43] This reflects a view of the Fourth Amendment as agnostic to the form of acquisition. But even Orin Kerr, who defends the constitutionality of the practice, expresses that “it is unclear how the state action doctrine applies to sales of records.”[44]

This section therefore addresses the first prong of the two-part inquiry: the state action problem. Two crucial yet underexplored doctrines point to the regrettable but inescapable conclusion that a purchase of data packages cannot constitute a search. First, under the “recurrent access” doctrine, a government acquisition of private material is not a search if (i) the material was already the subject of a private search, (ii) the private actor who conducted the private search voluntarily transferred that material to the government, and (iii) the government’s acquisition and use of the material did not extend past the scope of the private search.[45] A government purchase of records satisfies these criteria required by the recurrent access doctrine. Second, under other provisions of the Constitution, the government does not undertake any “state action” when operating as a mere market participant. A purchase thus cannot qualify as a government search. Agency purchases of sensitive data from private third-party corporations do not qualify as state action under either of these tests.

After asserting that a purchase is not state action and therefore not a search, this Part contemplates whether an agency purchase transforms either the ISP or data broker into a state actor. This Note concludes it does not and establishes that the Constitution permits warrantless agency purchases of sensitive, invasive data, regardless of whether users have a reasonable expectation of privacy in the commercial records.

A.     Is a Government Purchase a Search? The “Recurrent Access” and “Market Participant” Doctrine

When a private actor searches another person (and so, violates their reasonable expectation of privacy), the government itself violates the Fourth Amendment insofar as it compels (without a warrant or subpoena) the private searcher to hand over the information obtained from the search.[46]

However, when a private party invades a person’s reasonable expectation of privacy and voluntarily hands over that information to the government, the government’s acquisition is not itself a search.[47] In United States v. Jacobsen, the Supreme Court held that “additional invasions of respondents’ privacy by the government agent must be tested by the degree to which they exceeded the scope of the [initial] private search.”[48] Only if the government’s subsequent actions reveal more than what the private search already revealed can there be a government search.

The opinions in Walter v. United States illuminate how the court arrived at this reasoning. In Walter, a private party opened a clearly mistakenly delivered package, revealing rolls of contraband motion picture material.[49] The initial opening of this package constituted a “limited private search” which violated the intended consignee’s reasonable expectation of privacy.[50] The private party then voluntarily turned the carton over to the FBI, which viewed the films.[51] Walter had no majority opinion, but four years later in Jacobsen, the Court characterized the separate Walter opinions. The Jacobsen Court noted that “a majority [of justices in Walter] agree[d] on the appropriate analysis of a governmental search that follows on the heels of a private one”: a government search only occurs insofar as the government’s actions reveal more than what the private search exposed.[52] Thus, even if the initial material carries a reasonable expectation of privacy, a government acquisition of information already obtained by a private party is not necessarily a search.

The Supreme Court’s decision in Jacobsen consolidated the disparate Walter opinions to clarify this principle. The Jacobsen Court explained that a government examination of private material on the heels of a private search must be “tested by the degree to which they exceeded the scope of the private search,”[53] the standard adopted by a majority of justices in Walter.[54] In Jacobsen, the Court therefore held:

The Fourth Amendment is implicated only if the authorities use information with respect to which the expectation of privacy has not already been frustrated. In such a case the authorities have not relied on what is in effect a private search, and therefore presumptively violate the Fourth Amendment if they act without a warrant.[55]

By contrast, when the government relies strictly on a private search, and the government did not force the private party to hand over the searched material, no warrant is needed. Government authorities, therefore, do not need to obtain a separate warrant where (i) the search is confined to the scope of the private search, and (ii) the material obtained from the private search is handed over voluntarily to the government.

Applying this framework, the Jacobsen Court concluded that a government agent did not need a warrant to search a package previously examined by a private Federal Express employee. After all, the government’s examination “enabled the agent to learn nothing that had not previously been learned during the private search.”[56] The “agent’s viewing of what a private party had freely made available for [the government’s] inspection did not violate the Fourth Amendment.”[57]

Lower court rulings on recurrent access to prior private searches are consistent with Jacobsen and Walter. For example, in United States v. Lichtenberger, a suspect’s girlfriend opened the suspect’s laptop, and “then showed [an] officer a sample of what she had found.”[58] The Sixth Circuit noted that “this fact pattern was analogous to the critical elements of Jacobsen—a private search followed closely by a governmental search.”[59] But unlike Walter, the officer’s subsequent search involved a complete review of the laptop’s files, even though the girlfriend had revealed only a “sample of what she had found.”[60] Had the officer’s search not “exceeded [the scope] of [the girlfriend’s] private search,” the court would have held no government search occurred—even though the original material was protected by a reasonable expectation of privacy.[61] Indeed, even when people have a reasonable expectation of privacy in documents or other materials within the scope of a private search, the government still need not obtain a warrant to search these materials provided the search meets the requirements of the recurrent access doctrine. The Ninth Circuit, Sixth Circuit, and Eighth Circuit have made this point clear.[62]

A government purchase of data is “analogous to the critical elements of Jacobsen—a private search followed closely by a governmental search.”[63] Thus, whether a government purchase is itself a “search” turns on (i) whether the government’s actions extend past the scope of the data broker’s private search, and (ii) whether the private party transferred the material to the government voluntarily.

Addressing the first factor, when the government purchases a dataset, it conforms to the scope of the private search. Private parties thoroughly examine and process their data packages before the records change hands. The government therefore does not extend past the boundaries of the original search.

Some may reasonably suggest that a government’s acquisition of these same records could reveal more than the private search alone, even if the agency processes and examines the dataset no more thoroughly than the data brokers. This reflects the “mosaic theory” of the Fourth Amendment: while a single datapoint might reveal little in isolation, when put in conversation with other data, they reveal much more invasive and intimate information about a person—and so, can constitute a search.[64] In this case, the government might have access to such additional datasets that, when paired with the new acquisition, reveal more about their targets of surveillance.

Although the Supreme Court has debatably adopted this approach in some contexts,[65] Jacobson rejects this argument as applied to the types of aggregate purchases of private data discussed here. Jacobsen specifically contemplated that the FBI might have information about a particular suspect that, when put together with the reexamination of a private search, unveils even more about the private party than the initial search.[66] Yet that was not enough to suggest there was an “additional search” creating a separate invasion of privacy. Purchases of data thus do not transgress the scope of the initial private search, because the recurrent access doctrine expressly set aside mosaic theory-based considerations.

The remaining question, then, is whether an open-market transaction with the government counts as a voluntary transfer of a private search to the government.

Longstanding Fourth Amendment doctrine suggests that open-market transactions are presumptively voluntary. In the defining case Maryland v. Macon, an undercover official purchased obscene material from a willing seller. Crucially, that meant the vendor was not aware he was selling to law enforcement, and thus, sold the material without bending to any government pressure. Even though the government official sought to purchase the material, the Court held that the seller transferred it voluntarily. Any Fourth Amendment rights thus went away with the voluntary sale.[67] Since then, the Court has routinely made clear that even where the government’s identity is known, open market sales are presumptively voluntary on the private party’s behalf.[68]

There is no reason to doubt that brokers sell data packages to the government voluntarily. The market is estimated to be worth several billions.[69] Individual data brokers stand to profit enormously from selling user records, whether to advertisers or to the government.[70] And as discussed later in this section, the mere fact that the private actors stand to profit enormously is not enough to render a purchase involuntary.[71] This distinguishes situations where a private corporation is compelled by law enforcement to hand over data from a voluntary sale.[72]

Furthermore, under other provisions of the Constitution, not all of the government’s actions are regulated equally. When the government acts as a mere market participant, but does not exercise “coercive power,” its actions do not count as “state action.”[73] For example, in San Francisco Arts and Athletics v. United States Olympic Committee, the U.S. Olympic Committee’s “choice of how to enforce its exclusive [trademark] right to use the word ‘Olympic’ simply [was] not a governmental decision.”[74] In Brentwood Academy v. Tennessee Secondary School Athletic Association, the Court similarly held that certain decisions taken by a school association as a market participant—such as the sale of advertising—did not constitute state action.[75] An agency buyer of data is definitionally a mere market participant, especially since advertisers buy data packages too. As a result, a government purchase is not state action, and so, cannot constitute a government search regulated by the Fourth Amendment.

However, just because the government’s purchase of the data itself does not constitute state action does not end the inquiry: it remains possible that the prospect of a government purchase transformed either the service provider or the data broker into arms of the government.

B.     Do Government Purchases Convert Service Providers or Data Brokers into State Actors?

Even if the Fourth Amendment does not ordinarily regulate private actors, it does prohibit warrantless searches by private parties acting as mere instruments or agents of the government.[76] Finding that the government purchase converted either the ISP or brokers into state actors requires serious contorting of the doctrine, however. As a result, this Note suggests a government purchase does not implicate state action at all.

The touchstone of state action analysis is in the government’s level of “entwinement” with a private party’s actions. Here, the government buyer is uninvolved in the ISP’s initial collection of records and is not party to the sale of those records to the data brokers. Nor can it even be said that a broker’s sale of user data created state action, for open-market transactions do not ordinarily convert sellers into arms of the government.

State action doctrine further recognizes private actors as subject to the Bill of Rights when the government has induced a private party to do what it is constitutionally forbidden to do itself.[77] But even if the government offers huge monetary reward for access to the data packages brokers sell, economic incentive, no matter how large the potential windfall, does not ordinarily count as inducement for state action purposes.

Finally, private actors can be held accountable under the Fourth Amendment if they fulfill a public function traditionally reserved to the state. This exception is narrow, however, and its numerous conditions would not apply to the case of a data purchase.

This Note thus argues that an agency purchase converts neither the ISP’s initial collection nor the subsequent sales of data into compelled state action. No state action is implicated by a government purchase of data, and so, these transactions fall outside the scope of constitutional scrutiny.

1.     Is the ISP’s Initial Collection of Data “State Action”? What About Its Sale of Data to the Brokers?

Matthew Tokson cites the recent District Court decision in Cooper v. Hutcheson to gesture at the idea that a government purchase converts service providers into state actors for Fourth Amendment purposes.[78] In that case, Securus, a private company, sold a product designed to track suspect locations in criminal investigations. Securus “argue[d] that it [could] not be liable under § 1983 because it is not a state actor.”[79]

The District Court recounted that the “Supreme Court has recognized several circumstances in which a private party may also be characterized as a state actor.”[80] These include “where a private actor is a ‘willful participant in joint activity with the State or its agents,’” or “where there is ‘pervasive entwinement’ between the private entity and the state.”[81] Tokson thus concludes that “[b]ecause Securus was a willful participant in joint surveillance activity with the government, it could be considered a state actor for Fourth Amendment purposes.”[82] Based on this case, Tokson advances that service providers could similarly be considered a “willful participant” in government surveillance.[83]

Tokson overstates Cooper’s applicability to the question at hand. Cooper resolved a Motion to Dismiss, in which the District Court needed not conclude there was willful participation in a public function, but instead, merely a plausible inference of such.[84] More importantly, in Cooper, the Sheriff contracted to use Securus’ location-tracking service to collect information himself.[85] The Sheriff did not purchase data collected independently by Securus.

When the government purchases a dataset from a broker, an ISP is neither a “willful participant in joint activity with the State or its agents” nor “pervasive[ly] entwine[d]” with the government.[86] Private actors are “willful participants in joint activity” with the government when they directly collaborate with law enforcement and take direction from the government. This occurs, for example, when private parties work with and take direction from state officials to seize property.[87] Meanwhile, courts only find “pervasive entwinement” when government actors are themselves integrated into the private party’s internal structure, or a statutory scheme compels private parties to work with the government.[88] Under the Fourth Amendment, this requires direct and heavy-handed involvement from the authorities during the initial search—even if the material ends up in government hands. In the common carrier context, government regulations require airlines to hand over seized illegal material to the Transportation Security Administration or FBI; yet, because the search that leads to the (government) seizure does not involve any government agents, the initial search is wholly private.[89] In short, under both doctrines, direct government involvement in the initial search is required to render a private search a government search.

Government purchasers of data are not at all involved in the initial collection of user data by ISPs. Agencies do not direct ISPs to collect people’s data nor compel them to sell data to the brokers. All circuits agree that more than “mere knowledge and passive acquiescence by the Government” is required to render the private actor an arm of the government.[90] But the government does not even have “mere knowledge” in this case. Government actors may know whose data was collected ex post, but at the time of collection, they do not specifically know who the ISPs were tracking. Similarly, the government is not involved in the transaction between ISPs and data brokers, nor does it specifically know whose geolocation data the ISP sells to which brokers. Thus, service providers are neither “pervasive[ly] entwine[d]” nor “willful participants in joint activity” with the government. The initial collection and sale of data by ISPs therefore do not constitute state action under these formulations.

Notably, however, state action can be found outside these two circumstances. Whether a private company was acting as an arm of the government is a case-by-case determination, viewed in the totality of the facts, and turns on the degree of government involvement in the private party’s activities.[91] Courts use three factors (the “Walter factors”) to determine if sufficient government involvement exists to convert a private search into government action: (i) the advice, direction, and level of participation given by the government; (ii) whether the motive of the private actor was to assist law enforcement; and (iii) compensation or other benefits the private actor receives from the government.[92] Ultimately, these questions are used to determine if the private actor, in collecting or transferring information, was bending to the will of the government.

Even under these factors, a government purchase alone cannot transform the ISP’s initial collection (or its decision to sell user data to brokers) into compelled government action. First, as already established, government purchasers do not furnish advice, give direction, or participate in the initial collection of data by the ISPs. They furthermore are uninvolved in the initial sale of data from ISPs to the brokers. Without contemporaneous knowledge of whose information the ISP collects and sells, the government logically cannot instruct the ISPs on who to surveil.

Second, the ISPs’ purpose in collecting and selling geolocation data to brokers is driven by their ability to profit from selling user data, regardless of the buyer. The motive of the ISP, then, is to further its own ends—profit—and not to assist law enforcement. This factor, too, militates against finding state action.[93] Third, the ISP does not receive compensation or other benefits from the government; they sell to the brokers or to advertisers directly.

The Walter factors, then, discourage a finding of state action. In no way does a government purchase of records from a data broker convert the initial collection into state action: the ISP does not bend to the will of the government because of the indirect possibility of a purchase from a data broker. Ultimately, the government does not direct initial collection nor influence ISPs to sell user data to brokers. Nor is the prospect of a government purchase enough to suggest that the ISP was coerced into collecting user data.

2.     Did the Government “Induce” the Data Brokers to Sell Data Packages?

As established above, Maryland v. Macon articulates that a government purchase does not render a seller’s actions involuntary. Thus, Macon established that voluntary post-hoc transactions do not ordinarily convert willing sellers into state actors.[94] There is good reason behind this doctrine: if the Fourth Amendment regulated every open-market transaction, then every time a private party contracts with the government, they would become a state actor. Furthermore, as established above, there is no reason to doubt that brokers sell data packages to the government voluntarily, given individual brokers stand to profit enormously.

However, it is “axiomatic that a state may not induce, encourage or promote private persons to accomplish what it is constitutionally forbidden to accomplish.”[95] Can the prospect of a huge windfall count as “inducement” for Fourth Amendment purposes? What happens if the government becomes a routine and systematic purchaser of such information, such that the service provider can reliably depend on government purchases to sustain their business? Under the inducement principle, the government can transform private parties into state actors not only “when it has exercised coercive power,” but also when it “has provided such significant encouragement . . . that the choice must in law be deemed to be that of the State.”[96] Could the prospect of consistent profits due to government purchases provide “significant encouragement” rising to the level of inducement?

Even if the government were a systematic, monopsonist buyer of data that exerted serious power over brokers, economic inducement does not amount to “coercion” or “significant encouragement” needed to trigger Fourth Amendment scrutiny.[97] Courts have declined to recognize that free market forces can ever create inducement sufficient to invoke constitutional protections—even if private actors are actually bending to government preferences and changing their behavior accordingly. For example, bounty systems have been upheld as valid (i.e., held not to be considered state action) in the Supreme Court and most circuits.[98] Yet these systems more directly involve economic inducement: the (legal) market exists solely because the government is a buyer, and yet the Fourth Amendment does not protect against searches and seizures by bounty hunters. Bounty systems have been upheld as legitimate largely because the relationship arises out of a bounded contract rather than “legislative fiat,” suggesting that for compulsion to occur, it must be akin to legislative fiat.[99] Economic inducement certainly does not qualify under this criterion. Similarly, “private corporations whose business depends primarily on [government] contracts to build roads, bridges, dams, ships, or submarines” do not qualify as state actors either; their actions “do not become acts of the government by reason of their significant or even total engagement in performing public contracts.”[100] Thus, a voluntary post-hoc transaction, like a broker’s sale of data to the government, cannot induce or otherwise create state action.

3.     Does the Service Provider Fulfill a “Public Function”?

This section has established that ISPs and data brokers do not qualify as state actors, because the government is not involved in the initial collection, and because the prospect of a government purchase does not “induce” private actors for state action purposes. However, courts have held that private actors can be subject to the Bill of Rights even when there is no government entanglement in the initial collection activity. Under the “public function doctrine,” private actors are subject to the Fourth Amendment when they perform public functions ordinarily reserved for government. For example, in Marsh v. Alabama, the Court reasoned a privately-owned municipality was sufficiently analogous to a public town and subjected it to constitutional restrictions on state action. Thus, the town could not prosecute a Jehovah’s Witness for distributing religious pamphlets without implicating the First Amendment.[101]

Similarly, service providers might be said to assume a public function: surveillance. Courts, however, have generally applied the public function doctrine in extremely narrow circumstances. A private party satisfies the doctrine only where it usurps a power “traditionally exclusively reserved to the State [or other government actor].”[102] The Supreme Court has stressed that what cases under “the public-function doctrine have in common [is] the feature of exclusivity.”[103] Yet “[w]hile many functions have been traditionally performed by governments, very few have been ‘exclusively reserved to the State.’”[104] Education, for example, is not “exclusively reserved to the State,” for private schools have also served this public function.[105] Indeed, “no functions other than conducting elections for public office and running an entire town have been deemed to qualify.”[106] While policing would appear to be a public function exclusively reserved to the state, “the history of public policing is virtually inseparable from the history of private policing.”[107] As a result, “no aspect of policing, neither patrol nor detection, has ever-been ‘exclusively’ performed by the government, and all have at one point or another, been left largely to private initiative.”[108] This includes surveillance. Private parties (for example, store owners) have historically hired private detectives “to spy on[] everyone from insurance claimants and litigation opponents to employees, business partners, and even prospective neighbors.”[109] Surveillance, though a public function, was arguably not “exclusively reserved to the State.”[110] Service providers, then, may not satisfy the public function test.

But even if surveillance was exclusively reserved to the State, courts decline to find government action unless there is complete usurpation of a public function by the private sector. Marsh, for example, involved a complete private usurpation of all municipal functions of a privately-owned town: “Gulf Shipbuilding Corp. performed all the necessary municipal functions in the town of Chickasaw, Ala., which it owned.”[111] The Supreme Court recounted that, in other public function cases, “the Texas Democratic Party in Smith and the Jaybird Democratic Association in Terry effectively performed the entire public function of selecting public officials.”[112] Marsh further suggests that a private actor is only to be treated as a state actor when it has “taken on all the attributes of a town [or other government actor].”[113]

By contrast, ISPs and data brokers have not completely usurped government surveillance by any stretch of the imagination. The government still seeks warrants for location-tracking.[114] For the public function doctrine to apply, there would have to be virtually no government-conducted surveillance, and geolocation surveillance would have to be conducted exclusively by acquisitions of data collected by ISPs.

If agencies merely purchase data from brokers on an ad-hoc basis, it can hardly be said that the private sector has usurped a public function. However, if the government begins to routinely and systematically purchase data from brokers, and dramatically decreases its own surveillance activities, it might then begin to resemble the public function doctrine. But until the providers completely usurp the government’s surveillance function, or until the government openly directs the ISPs to collect records on specific people, state action doctrine will not apply. A purchase of data therefore remains untouched by the Fourth Amendment.

* * *

Consequently, when the government purchases data packages from third-party brokers, no government search occurs. The purchase itself is not state action, nor does it convert the initial collection or sales of user data into state action cognizable by the Fourth Amendment. Nor can the ISP’s initial collection of data be said to fulfill a public function that the government has abdicated.

Even assuming users have a reasonable expectation of privacy in the records sold by brokers, then, government purchases of data fall outside the bounds of the Fourth Amendment—because, at most, a mere private search has occurred. Thus, the government need not obtain a warrant to purchase data regardless of whether users have a reasonable expectation of privacy in their commercially available data.

II.     Users’ Reasonable Expectation of Privacy

Part I establishes that agencies need not obtain a warrant to purchase sensitive geolocation data. This Note nevertheless proposes that users do have a reasonable expectation of privacy in the records being sold to government agents, suggesting a disconnect between the spirit of the Fourth Amendment and its protections under current precedent.

Though state action doctrine is dispositive on the constitutional question, it is important to proceed with an inquiry into users’ reasonable expectations of privacy—the second step of the Fourth Amendment test—for several reasons. First, this analysis of purchasing data under the Fourth Amendment would be incomplete without an account of users’ reasonable expectation of privacy. While all existing scholarship on purchases of data hinge solely on the Katz test, no piece has yet been fully or comprehensively accurate in its privacy analysis. Crucially, no scholarship has addressed, in depth, the argument of agency lawyers as to why these purchases do not invade people’s privacy rights: information that is commercially available cannot reasonably be believed to be private since it can be bought by anyone. This Note is the first piece to respond to this argument in detail. Additionally, the conclusion that users do have a reasonable expectation of privacy in their geolocation data demonstrates that, but-for the state action problem, this data would constitute exactly the type of private information that the courts have interpreted the Fourth Amendment to protect. This tension underscores the need to affirmatively protect users’ privacy rights.

This Part first demonstrates that under Carpenter v. United States and Kyllo v. United States, users have a reasonable expectation of privacy in their geolocation records even if these records are commercially available. Second, it advances that users do not consent to a search by signing data-sharing Terms of Service (ToS) agreements, nor can ISPs or data brokers consent to a search on users’ behalves. But for the state action problem, then, users would retain constitutional privacy rights in these records.

Establishing that users have a reasonable expectation of privacy in their records under the Constitution consequently establishes that there ought to be some data privacy protections even if they do not stem from the Fourth Amendment. This suggests that Congress (and, in the interim, agencies) ought to step in to fill the gap left by the Fourth Amendment due to the state action problem.

A.     Establishing a Reasonable Expectation of Privacy in Commercial Data: Carpenter and the Third-Party Doctrine

Carpenter, the Supreme Court’s latest pronouncement on the Fourth Amendment in the information age, firmly establishes that users have a reasonable expectation of privacy in the records created on them that are ultimately sold to the government. Petitioner Timothy Carpenter was suspected as an accomplice to a series of robberies, and under the Stored Communications Act (SCA), a prosecutor obtained two court orders to compel Carpenter’s cellphone records from his wireless carriers. The first of these orders compelled seven days of Carpenter’s CSLI data from Sprint, and the second turned up 127 days of CSLI data from MetroPCS.[115]

Importantly, court orders under the SCA require mere “reasonable grounds” that the records “are relevant and material to an ongoing criminal investigation”[116]—a “showing [that] falls well short of the probable cause required for a warrant.”[117] The core question in Carpenter, then, was whether the government needed a warrant to procure these records. The Supreme Court answered in the affirmative: both the seven-day and 127-day CSLI records were protected by a reasonable expectation of privacy.

Carpenter represents a departure from established Fourth Amendment doctrine. Long-standing precedent suggests that “a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.”[118] Under this “third-party doctrine,” people lose any reasonable expectation of privacy in incriminating information that is freely revealed to other people, whether they are strangers[119] or business associates[120]—even if they intended their conversations to be private.[121]

When users carry their phones to different places, ISPs contemporaneously trace and document their locations in extensive geolocation records.[122] In one sense, then, users like Timothy Carpenter voluntarily convey their location information to a third party when they use their phones. Under the third-party doctrine, they ought to lose their reasonable expectation of privacy. The Supreme Court held as much in the context of at least certain kinds of metadata. In Smith v. Maryland, for example, the authorities installed a pen register in a suspect’s phone to record all numbers dialed from that phone. Because phone companies create records on the numbers that any given telephone dials, users were conveying those metadata to the phone companies—a third party. As a result, the Court held the government’s use of a pen register was not a “search.”[123]

Four decades later, Carpenter declined to apply Smith’s third-party doctrine to historic CSLI data collected over the course of seven days.[124] The Court reasoned that even if people know their phones convey their locations to ISPs, using cellphones is inescapable. Phones are “‘such a pervasive and insistent part of daily life’ that carrying one is indispensable to participation in modern society.”[125] Therefore, people do not “voluntarily” “assume the risk” that their private information would be disclosed simply by using their phone.[126] Finding that there was a reasonable expectation of privacy, the Court held that a search occurred when the government compelled the ISP to hand over CSLI data.

Users bear an equally reasonable expectation of privacy over the records sold by data brokers. There is no reason to suspect that a user’s expectation of privacy changes depending on whether the government obtained those records via purchase or via Carpenter-style compulsion. Crucially, the fact that these data are commercially available does not obviate a user’s reasonable expectation of privacy, either.

1.     Applying Carpenter

Data brokers sell the same historic CSLI data contemplated in Carpenter to governments in large, anonymized data packages;[127] anonymized data packages, however, can easily be deanonymized.[128] These CSLI packages, like the historic data compelled in Carpenter, involve at least a week’s worth of data—and usually track much longer periods.[129] Whether the government purchases those data or compels ISPs to hand it over (as in Carpenter), users make their information equally available to a third party: the service provider. Thus, there is no reason to distinguish people’s reasonable expectation of privacy based on whether the government purchases or compels the ISP to obtain the same data.

While historic geolocation data represents virtually the entire market of (reported) law enforcement and intelligence agency purchases,[130] not all location data packages are of CSLI. Do users have a reasonable expectation of privacy over non-CSLI geolocation data? Formally speaking, Carpenter’s holding applies strictly to historic CSLI data collected over the course of at least seven days. The Court underscored that “[o]ur decision today is a narrow one. We do not express a view on matters not before us.”[131] That said, given that other geolocation data is just as invasive[132]—and is conveyed just as involuntarily—as CSLI data, Carpenter’s holding ought to extend. Indeed, Dori Rahbar’s Note in the Columbia Law Review ably chronicles how lower courts have uniformly extended Carpenter’s holding to acquisitions of non-CSLI geolocation data, chiefly location data collected by phone-based applications and ISPs.[133]

What if data brokers sell non-location information to law enforcement? While reported agency purchases of data involve geolocation information,[134] it bears mentioning that data brokers sell other kinds of data to private actors as well. Brokers sell credit card purchase histories, social media data, demographic information, and mental health data to advertisers and other private parties—and could eventually sell to the government.[135]

Given the narrowness of Carpenter’s holding, whether users have a reasonable expectation of privacy in those records turns on the nature of the specific kind of data being purchased. The Court expressly declined to overrule Smith v. Maryland,[136] which means that the third-party doctrine still applies to some metadata (e.g., pen registers) in a way it does not apply to CSLI data. Nevertheless, if brokers begin to sell certain categories of sensitive information to the government—like biomedical data, financial records, and the contents of communications—there is good reason to suspect such sales of mass data will soon be governed by Carpenter. Lower courts have routinely suggested the contents of communications and biomedical information are firmly protected by a reasonable expectation of privacy.[137] Additionally, most significant lower court cases that uphold Smith v. Maryland’s application of the third-party doctrine to sensitive data predate Carpenter.[138]

Carpenter’s potential embrace of the “mosaic theory” of the Fourth Amendment further suggests that even mass sales of other less-sensitive data (say, purchase histories) may be protected by a reasonable expectation of privacy.[139] At its core, the mosaic theory asks “whether a series of acts that are not searches in isolation amount to a search when considered as a group.”[140] Though the briefings for Carpenter hinged explicitly on the mosaic theory, the Court at no point grounds its opinion in the theory. That said, the Court stressed that the entire CSLI record, collected “over the course of 127 days,” created “an all-encompassing record of the holder’s whereabouts” and “near perfect surveillance.”[141] This is only possible if every CSLI datapoint is put in conversation with the others and viewed in the aggregate. This might suggest that “the Court . . . accept[ed] the mosaic theory by considering the data presented as a group.”[142]

A similar logic applies to all other kinds of data. When the Court decided Smith in 1979, the pen register in question was only able to reveal limited and discrete information: numbers dialed on a single landline.[143] Surveillance technology since then has evolved to near-omnipotence. While a single piece of data might not reveal much alone, when put together with other smaller, discrete collections, it can paint a comprehensive picture of a person’s habits and private activities.[144] As brokers venture to sell other kinds of mass data, if those data have the capacity to reveal information like people’s sexual orientation, political practices, religious affiliations, locations, and other details of their private lives, courts may be more likely to apply Carpenter to find a reasonable expectation of privacy.

As it stands, because the vast majority of (reported) sales of data packages to law enforcement and intelligence agencies involve large swaths of historic geolocation data, Carpenter applies, and users have a reasonable expectation of privacy.

2.     Do Users Have a Reasonable Expectation of Privacy in Commercially Available Data?

In internal memoranda authored by government attorneys, agencies have primarily contended that they should be able to purchase geolocation data packages without restriction because these packages are commercially available.[145] The Defense Intelligence Agency, for example, “does not construe the Carpenter decision to require a judicial warrant endorsing purchase or use of commercially available data for intelligence purposes.”[146] That private actors can purchase these data, it is reasoned, suggests that users cannot expect privacy in these records.[147]

This argument is grounded in serious functional considerations: if foreign governments and private institutions can access these data for debatably nefarious purposes, why should U.S. national security agencies be inhibited from accessing these data? As much as this might make sense, doctrinally, the Fourth Amendment suggests that the mere commercial availability of the data would not disrupt users’ reasonable expectation of privacy. (For an extended discussion of a better way to balance civil liberties concerns with foreign threat vulnerabilities, see Section III.C.)

The agency lawyers’ theory has roots in Kyllo v. United States.[148] Kyllo identifies when a piece of information may be considered “exposed to public view” in the context of commercially available surveillance methods.[149] In that case, police used a thermal detection device to determine if a person’s home exhibited unique heat signatures indicative of illegal marijuana growth. The Court held that this “constitute[d] a search” partly because the device used to obtain the information was “not in general public use.”[150] Importantly, Kyllo was an application of “[t]he Katz test—whether the individual has an expectation of privacy that society is prepared to recognize as reasonable.”[151] Thus, lower courts have consistently extrapolated that when a surveillance technique is in general public use, people have a diminished expectation of privacy in the information the technique reveals.[152]

Even though brokers make data packages commercially available, the relevant inquiry is whether sensitive data purchases are in “general public use.” Tokson argues that these sensitive data packages are “functionally private” because they are stored in big anonymized blocks when not in government hands.[153] “[V]endors who sell such data often do so either exclusively to law enforcement agencies or in large anonymized chunks to other marketing companies for use in automated advertising.”[154] Indeed, when selling to advertisers and other private institutions, brokers sell large, aggregated, and anonymized chunks of mass data.[155] Data sold to private parties are at the “census block level” to help advertisers ascertain trends rather than individual-level information.[156] But when data packages are sold to government buyers, these data are (reportedly) deanonymized (some of the time).[157] This fact is critical: the applications and privacy implications of deanonymized (or even anonymized) individual-level data differ dramatically from aggregated blocks of anonymized data.[158] As a result, the product sold to the government and advertisers might properly be characterized as different—meaning that deanonymized dataset purchases are not in general public use.

Law enforcement agencies, however, reportedly purchase anonymized datasets as well.[159] Are anonymized data packages in general public use? Even when individual user data is nominally anonymized, a New York Times report revealed that user location data can easily be deanonymized with just a few corroborating data points.[160]

Even setting aside the ease with which anonymized datasets can be deanonymized, purchases of anonymized packages would be difficult to characterize as in “general public use.” Admittedly, advertisers—private actors—are major buyers in the data broker market, routinely purchasing the packages also sold to government clients.[161] Brokers, however, do not sell to ordinary people: they sell to private institutions, not natural people. Thus, “[y]ou and I generally cannot purchase location tracking data on our fellow citizens from these vendors.”[162]

The critical question that Tokson overlooks is whether something that is commercially available (i.e., anonymized data) but only purchased and used by big companies can qualify as being in “general public use.” No circuit courts have directly opined on this issue. Nor does Kyllo provide much guidance: as the dissent complains, “how much use is general public use is not even hinted at by the Court’s opinion.”[163]

Nevertheless, there is good reason to doubt that anonymized dataset purchases are in general public use. Whether something is “expose[d] to the public” depends “not upon the theoretical possibility, but upon the actual likelihood, of discovery by a stranger.”[164] Only if a random stranger could realistically purchase those records, then, would data packages for sale qualify as being in “general public use.”[165] This suggests the “general public use” inquiry centers not on mere commercial availability to extremely wealthy institutional actors, but instead, the realistic likelihood that an ordinary person would happen upon such information. Because brokers sell to institutional buyers rather than individuals, and because data packages are prohibitively expensive for most,[166] there is only a theoretical possibility that these data are exposed to the public. As a result, the commercially available nature of data packages does not defeat users’ reasonable expectation of privacy.

This calculus may change if a single institutional buyer purchases a data package and sells individuals’ data at a more affordable rate to the general public. In the context of facial tracking technology, one company purchased ClearView AI and allowed individuals to conduct a single search of the database at a fixed, affordable rate—effectively turning ClearView AI, which normally targets institutional customers, into a retail product.[167] Even just a single seller in the market, then, might convert these functionally private data packages into a technique in “general public use,” thereby shattering the reasonable expectation of privacy.

B.     Privacy Persists: No Consent to Searches

Even though Carpenter establishes users’ reasonable expectation of privacy, it is possible for them to waive their privacy rights and consent to a search. First, when users use phone-based applications that track their location, they often accept Terms of Service (“ToS”) Agreements (via a pop-up button, or toggling location services) that expressly state that their data may be shared with “trusted third-parties.”[168] Scholars assert that circuits are split over whether signing ToSs with these terms constitutes consent to a search.[169] However, this Note suggests that existing case law is consistent and compels the same conclusion: for a ToS to constitute a waiver of privacy expectations, specific and detailed notice that user data may be sold to the government is required. Generic data-sharing provisions cannot reach this demanding standard.

Alternatively, could ISPs or data brokers consent to a search of these records on the user’s behalf? ISPs and data brokers hold equal and common authority over the records sold to the government. On this basis, Orin Kerr advances a novel theory premised on third-party consent: ISPs, brokers, and users have equal power to consent to a search of the records. Though creative, this theory is inaccurate. Brokers and ISPs do not share common authority over the users’ records, because third-party consent is premised on the users’ voluntary assumption of the risk that ISPs or brokers might authorize a search. As a consequence, these institutional actors cannot consent to a search on the users’ behalf.

1.     Do Users Consent to Searches via Terms of Service Agreements?

To use certain phone applications, users must accept ToS agreements that expressly provide that their data might be shared with and sold to “trusted third-parties.”[170] These ToSs manifest as a “single click-through” in response to which users must click “accept” or simply toggle a button.[171] For example, to use popular rideshare or navigation applications, users must toggle the location services button, which in turn gives permission to share data with third-parties.[172] For other, non-location-based phone applications, people reflexively click through ToSs that might contain data-sharing provisions.[173] Indeed, generic ToSs on phone-based applications provide that user information may be shared with “trusted third-parties,” with some specifying that user data may be shared in compliance with government requests.[174] But few, if any, specifically provide that user data may be sold to government bodies.[175]

The question is whether reflexively accepting these ToSs amounts to a waiver of privacy rights, and thus consent to a government search. While not raised in Carpenter, lower courts have begun to address this question in the context of sharing the contents of communications with law enforcement. Though the doctrine is emerging, the best reading of the law is that ToSs need to give users sufficient notice that the acceptance of the terms may trigger a buying-and-selling chain reaction. On this understanding, generic data-sharing provisions cannot amount to a waiver of privacy rights; at the bare minimum, ToSs must specify that user data may be shared with the government.

In cases where courts have ruled that ToSs did not waive privacy rights, the ToSs contemplated did not specify that user data may be shared with the government. The Sixth Circuit contemplated a ToS that provided that the ISP may access and share “individual Subscriber information . . . as necessary to protect the Service.”[176] This is similar to the ToSs users sign to access different applications on their phone.[177] The Court stressed that the agreement “[did] not diminish the reasonableness of [appellee’s] trust in the privacy of his emails.”[178] Thus, when the government compelled the company, NuVox, to turn over emails without a warrant, a search occurred.[179] Two district courts followed and expanded on the Sixth Circuit’s approach. First, in United States v. Irving, the District of Kansas found that a ToS granting Facebook the right to handle and share user data however it saw fit did not mean that Facebook could share the user’s communications with the government.[180] In United States v. DiTomasso, the Southern District of New York further suggested that “when employees constructively consent to searches by their supervisors, it does not automatically follow that they also consent to searches by law enforcement.”[181] Importantly, in none of these cases did the waivers sufficiently “put[] users on notice” that their data may be shared with the government.[182]

Thus, general information-sharing and handling provisions are not enough to create consent to a government search, for they do not put users on notice. Insofar as a ToS’s terms provide merely that information may be shared with a “trusted third party,” the waiver does not constitute consent to a search.

But even including in ToS provisions the mere fact that information may end up in government hands may not be enough to create consent to a search. Data-sharing provisions may require sufficient detail about the potential buying-and-selling chain reaction to put users sufficiently on notice. Otherwise, the chain of consent is too attenuated, suggesting users did not agree to what transpired.

This theory has roots in the recent Eastern District of Virginia opinion United States v. Chatrie. In Chatrie, a user signed a ToS that permitted Google to “save [] and use []” location data in “any Google service where [he was] signed in to give [him] more personalized experiences.”[183] Though this ToS expressly warned the user that his location data would be harvested, the Chatrie court ruled it could not waive his privacy rights. After all, Google did not sufficiently detail just how extensive the location tracking was to be:

[C]onsent flow did not detail, for example, how frequently Google would record Chatrie’s location (every two to six minutes); the amount of data Location History collects (essentially all location information); that even if he “stopped” location tracking it was only “paused,” meaning Google retained in its Sensorvault all his past movements; or, how precise Location History can be (i.e., down to twenty or so meters).[184]

This suggests that ToS agreements must be specific and extensively detailed to put people on notice. To waive a user’s privacy in the data brokering context, then, would require the ToS specify that a buying-and-selling chain reaction might occur upon acceptance of its terms. Under this high bar, a majority of phone-based app ToSs—which do not put users on notice of the potential for government purchase of data—could not qualify as consent to a search.[185]

This position is consistent with the decisions of courts that have upheld ToSs as creating consent to a search. These courts only ruled that ToSs waived privacy rights because their contractual terms specified the precise circumstances under which user data would be shared with law enforcement. First, in United States v. Adkinson, T-Mobile handed user records to the FBI in response to an investigation involving multiple robberies at its stores. The Seventh Circuit ruled that the suspect (a T-Mobile user) waived his privacy rights. That ToS expressly provided that T-Mobile may disclose private information about user accounts “to satisfy any applicable . . . governmental request” that helps “protect [T-Mobile’s] rights or interests, property or safety.”[186] T-Mobile thus satisfied the ToS’s articulated circumstances under which user data could be shared with the authorities, since the data were shared only in response to a criminal investigation. Following this decision, the Pennsylvania Supreme Court considered a ToS between a university’s network service and a student user of that network who was alleged to have committed a robbery. The ToS for use of that network provided that the “institution has the right to inspect information stored on its system at any time, for any reason, and users cannot and should not have any expectation of privacy with regard to any data, documents, electronic mail messages, or other computer files created or stored on computers within or connected to the institution’s network.”[187]

While these general terms alone were not dispositive, the ToS also established that information and communications using that service were “subject at any time to disclosure to institutional officials, law enforcement, or third parties” in connection with investigations.[188] The Court held that accepting this latter term constituted specific consent to sharing information. These ToSs, then, only diminished privacy expectations because they expressly provided that user data could be shared with the government under a certain set of circumstances, thereby putting users on notice.

Even if ToSs were written to specify that user data may trigger a chain of sales leading to government acquisition, however, the notice problem persists. Rahbar’s student note correctly explains that “[w]hen users consent to location data collection through user agreements (say, by ‘reflexively’ toggling their ‘location services’ on) they often have desperately insufficient notice that such consent might set in motion a buying-and-selling chain reaction” that ends with user data in law enforcement hands, because these terms are buried within location services policies.[189] The Southern District of New York case supports Rahbar’s assertion: the court held that ToSs can constitute consent to searches only if users are sufficiently and obviously put on notice.[190] And importantly, in Chatrie, Google was found to have not sufficiently put the user on notice of tracking activities not just because of the contractual terms of the ToS, but also because of the “limited and partially hidden warnings provided by Google.”[191] After all, the provision authorizing location-tracking appeared to Chatrie only in “a single pop-up screen.”[192]

Similar notice problems abound in the context of data-sharing provisions ToSs, where often a single pop-up can “set in motion a buying-and-selling chain reaction” that means their data “enters the open market, reaches the government, and is used by law enforcement.”[193] Indeed, swaths of empirical studies establish that users do not understand the implications of data-sharing provisions.[194] This suggests that ToSs, to actually constitute a consent to search, must clearly and obviously alert users to the possibility that accepting the ToS may trigger a series of sales resulting in government acquisition of user data. These consent-to-share terms, furthermore, must not be buried deep in the bowels of the ToS.

Even if some data are connected to valid ToSs that provide adequate notice to users, aggregation of data across apps virtually guarantees that validly shared data are intermingled with data collected under deficient, generic waivers. Attempting to distinguish said waivers within mass datasets, of course, poses massive administrability concerns. The data that remain, furthermore, may be infinitesimal in comparison to the original size of the data package, given that most ToSs in phone-based applications contain inadequate, vague data-sharing permissions.[195] For these practical reasons, the mere fact that some ToSs might adequately put users on notice is not enough to defeat users’ reasonable expectation of privacy in data packages.

Furthermore, even setting aside textually insufficient contractual provisions, Carpenter may even preclude the significance of ToS waivers to privacy expectations altogether. The functionality of many phone-based applications depends on consenting to location services ToSs; otherwise, Uber, Google Maps, and other applications simply cannot work.[196] Yet even other location-agnostic phone-based apps require users to consent to sharing permissions, but will draw location data from navigation applications.[197] Drawing on the logic of Carpenter, these ToSs cannot be said to have been accepted voluntarily, given the inescapable need to use one’s phone in the modern day. Indeed, the Chatrie court confirmed that “unlike in Carpenter, Chatrie apparently took some affirmative steps to enable location history”: enabling location tracking via a “single pop-up screen.”[198] Nevertheless, “those steps likely do not constitute a full assumption of the attendant risk of permanently disclosing one’s whereabouts during almost every minute of every hour of every day.”[199]

Controversially, one scholar even suggests that ToSs can never create consent to a government search, because “Terms of Service can define relationships between private parties, but private contracts cannot define Fourth Amendment rights.”[200] After all, “Fourth Amendment rights are rights against the government, not private parties,” which is allegedly true “across the range of Fourth Amendment doctrines, including the ‘reasonable expectation of privacy’ test, consent, abandonment, third-party consent, and the private search doctrine.”[201]

Even if one does not endorse this sweeping objection, there is nevertheless good reason to doubt that the signing of a ToS undermines the reasonable expectation of privacy or that it amounts to consent to a search, because of the notice issues. Under existing doctrine, a ToS cannot constitute consent to a search unless it specifies that users’ information might be shared with the government via a sale. Generic ToSs today do not satisfy this standard.[202]

2.     Can Service Providers or Brokers Consent to a Search of the User’s Records on Their Behalf?

Conceding that users have a reasonable expectation of privacy, Orin Kerr asserts that ISPs and brokers could nevertheless authorize a search on the user’s behalf. He dubs this the “Common Access Theory.” According to Kerr, when multiple parties have equal authority to the same shared information, any one of those parties can authorize access. So, either data brokers, service providers, or users who are the subject of data being sold can consent to a search. In his words, “[a] company can sell Carpenter-protected records without Fourth Amendment oversight because it has the common authority over the records.”[203]

The Common Access Theory derives from doctrine on third-party consent to searches of people’s homes. One roommate in a house can authorize the police to search the entire home, even if another roommate would not have consented to a search. As the Supreme Court stated in Matlock, “mutual use of . . . property by persons generally having joint access or control for most purposes” gives any one of those people “the right to permit the inspection [of the property] in his own right.”[204] Common access, then, empowers third parties to consent to a search on the other cotenant’s behalf.

Even if one roommate expressly objects to the police searching their home, if that person is not physically present, the authorities can obtain consent to search from the remaining roommate.[205] Georgia v. Randolph suggests that when there is a physically present objector, “widely shared social expectations” would militate against going inside the home.[206] The Court reasoned that when one roommate invites a person into their home but “a fellow tenant stood there saying, ‘stay out,’ no sensible person would go inside.”[207] But when the objecting tenant is not physically present, “social expectations” suggest that people can enter into the house.[208] In the context of data purchase, even if a user is not “present” for a sale of their data, the others that share common access and common authority over those records may authorize a government search.

Kerr marshals support for this point by gesturing at two cases where an employer turned over records of communications that an employee made over work devices—suggesting that if employers were allowed to turn over the information, so too may a data broker. Two circuits ruled that employers had common authority over the employee’s records, and could authorize government access.[209] In Walker v. Coffey, the Third Circuit held that a university had common access to a defendant’s emails sent on a work account and work laptop, and so had the authority to turn over the communications to the Pennsylvania Attorney General.[210] In U.S. v. Ziegler, the Ninth Circuit held that an employer could hand over documents evincing an employee’s crimes, which were saved on his work laptop. Though the employee had a Fourth Amendment privacy interest, the employer shared common access over the records saved on the laptop.[211] This extinguished the employee’s Fourth Amendment rights.

Though creative, Kerr’s theory does not apply to the purchase of data. The Supreme Court’s pronouncements on third-party consent (in the context of roommates) reflect “that it is reasonable to recognize that any of the co inhabitants has the right to permit the inspection in his own right.”[212] But this reasonableness is premised on the fact that the cotenants voluntarily “assumed the risk that one of their number might permit the common area to be searched.”[213] Thus, common authority exists between roommates over a space because they agreed to live with each other. Through this voluntary decision, they risked that one of their number might consent to a search.

Ordinary users, by contrast, do not voluntarily “assume[] the risk” that an ISP or broker might sell their records just because they use their phones. As Carpenter held, phone usage is so pervasive and necessary to function in the modern world that using one’s phone does not amount to a “voluntary” transmission of information to a third-party. Similarly, because phone usage is inescapable, it cannot be said that the users voluntarily “assumed the risk” that the ISP or broker might grant access to the records created on the users. They are forced to accept the risks to use their phone. Tenants of a home, by contrast, can choose other roommates.

The lower court decisions that Kerr references in the context of employers are distinguishable as well. In Randolph, the Supreme Court suggested that when one tenant of a house invites a person into their home but “a fellow tenant stood there saying, ‘stay out’ . . . no sensible person would go inside.”[214] However, the Court grounded its decision on the fact that the cotenants do not “fall within some recognized hierarchy, like a household of parent and child or barracks housing military personnel of different grades.”[215] There was no “superior and inferior” cotenant in Randolph.[216] In Ziegler, meanwhile, the Ninth Circuit ruled that an employer could authorize access to employee documents saved on a workplace computer containing evidence of criminal activity: there is a clearly “recognized hierarchy” in the workplace, and certainly, over control of work devices.[217] Similarly, in Walker, the university employee used the school’s email system that was “controlled and operated by Penn State.”[218] Thus, “for purposes of the Fourth Amendment, the emails [that the employers handed over to the authorities] were subject to the common authority of Walker’s employer. Walker did not enjoy any reasonable expectation of privacy vis-à-vis Penn State.”[219] Employees, then, do not enjoy a reasonable expectation of privacy when using devices or networks obviously owned and managed by their employers. Unlike equal cotenants of a house, employees are subordinate to their employers. Thus, employers may authorize access to employee communications and documents that were created on work devices and transported across work networks.

By contrast, there is no “recognized hierarchy” between a user and a service provider—certainly not one as clear as the employer-employee relationship. Neither party is superior nor inferior. As a result, a service provider cannot authorize access to a user’s records in the same way an employer can.

Some nevertheless may suggest that the property right data brokers have over the user’s records authorizes them to consent to a search. Ziegler, after all, mentioned that “Ziegler could not reasonably have expected that the computer was his personal property, free from any type of control by his employer.” [220] But Ziegler did not turn on the fact that the employer could access and create records on user activity. As the Sixth Circuit made clear in U.S. v. Warshak, providers of previous technology “retained similar [access and property] rights” without diminishing Fourth Amendment rights.[221] For example, the phone company in the seminal Katz case had a right to tap calls and create records on those calls, yet that did not interfere with Katz’s reasonable expectation of privacy.[222] Thus, the mere fact that an employer owns employee records on work devices is not enough to conclude common authority over the records: crucial to Ziegler and Walker is that the employer rests higher on the hierarchical ladder than the employee in the records stored on work devices.

* * *

A search occurs when “an expectation of privacy that society is prepared to consider reasonable is infringed.”[223] Carpenter establishes a reasonable expectation of privacy in commercially available records, and the decision in Kyllo, the signing of waivers, and the Common Access Theory do not suggest otherwise.

However, as established in Part I, this is not dispositive of the inquiry. For the warrant requirement to apply to a purchase of sensitive geolocation data, the government’s act of purchasing data itself must constitute a search. Therein lies the core issue for the Fourth Amendment’s applicability to this case: the state action problem. Because agency purchases of data do not constitute state action, the Fourth Amendment does not protect against warrantless purchases, even if users have privacy rights in these records.

This result underscores an awkward tension in Fourth Amendment law: even though users bear a reasonable expectation of privacy over their commercial records and the spirit of the Fourth Amendment points to the need for data privacy protections, the state action doctrine decisively cuts against the warrant requirement. While the government cannot obtain users’ sensitive geolocation data without a warrant, it could purchase those records without triggering Fourth Amendment protections. In light of this disconnect, Congress must step up and fill this privacy gap.

III.   Rewiring the Fourth Amendment: The Imperative of Congressional Action

This Note’s analysis has shown that Fourth Amendment doctrine does not protect against the warrantless purchase of users’ sensitive geolocation data. Part III will demonstrate that a core purpose of the Fourth Amendment was to make illegible to the government the very kinds of information that geolocation data reveals.[224] This suggests the need for some privacy protections for these data transactions.

Yet, as this Part establishes, attempts to colorfully stretch existing state action doctrine to cover these unfamiliar digital-age circumstances are misguided. A doctrinal shift of this magnitude is not only unlikely, but also affirmatively undesirable.

Relying on the Fourth Amendment as the primary data privacy bulwark or even passing legislation like FAINFSA leaves open a serious intelligence vulnerability. Neither FAINFSA nor the Fourth Amendment prohibit foreign governments from purchasing the very same sensitive geolocation data that U.S. agencies would be forbidden from obtaining without a warrant. Disabling U.S. agencies tasked with protecting national security in this way presents serious foreign threat risks.

Instead, the inapplicability of the Fourth Amendment presents a profound opportunity for Congress to reimagine the way we think about and protect privacy. As a result, this Note calls for Congress to enact privacy legislation that regulates sales of people’s private data, rather than government purchases. This legislation would address the dangers posed by data brokers at their source—dangers similar to those that initially inspired the Fourth Amendment.

A.     Purchases and the Fourth Amendment’s Anti-Persecution Purpose

The Fourth Amendment was designed to prevent persecution by keeping people’s private lives (political opinions, religious beliefs, and private activities which could supply the basis for persecution) invisible to the government. Because purchases of location data can reveal precisely these things, there ought to be some privacy protection against mass purchases of geolocation data by the government.

Above all, the Fourth Amendment was forged to prevent general warrants.[225] The Star Chamber—the tyrannical British judicial body presided over by the King—weaponized general warrants not only against known “criti[cs] of the Crown.”[226] General warrants allowed the government to rummage through people’s personal papers and correspondence to unveil their political beliefs and rebellious activities, and persecute them on that basis.[227] Crucially, then, this device enabled the monarchy to discover unknown critics, dissenters, and rebels.

In the foundational English case Entick v. Carrington, counsel for plaintiff described the general warrant as a “monster of oppression” and so underscored the need to “tear into rags this remnant of Star Chamber tyranny.”[228] The Entick Court ruled for the plaintiff, likening the general warrant to “so many Star Chamber decrees” that could not “be justified by the common law.”[229] This rejection of the general warrant, then, represented a repudiation of the Star Chamber’s method of uncovering unknown dissent, unorthodoxy, and private activity.

The Supreme Court pronounced Entick as a guide to understanding what the Framers meant in framing the Fourth Amendment[230] and characterized the decision as when “individual liberty and privacy . . . finally won.”[231] In Keith, the Supreme Court reiterated that “the fear of unauthorized official eavesdropping” must not “deter vigorous citizen dissent and discussion of Government action in private conversation. For private dissent, no less than open public discourse, is essential to our free society.”[232] Under these circumstances, the Court stressed, “Fourth Amendment protections become [all] the more necessary.”[233]

The Fourth Amendment was thus intended to make people’s private political activities and individual lives illegible to the government (absent probable cause of criminal activity). In doing so, it prevented the possibility of government persecution for people’s political beliefs, religious associations, and private activities.

Yet location data can reveal some of the most intimate details of people’s lives. Location data can reveal whether someone is visiting an abortion clinic;[234] what faith they practice and how frequently they attend religious gatherings;[235] what their political associations and beliefs are;[236] what their immigration status is;[237] and much more.

Data brokers could sell extensive location records of people who visited abortion clinics to state governments that criminalize abortion.[238] National security agencies have already purchased location data from Muslim prayer and Muslim dating applications, each of which have tens of millions of users.[239] Immigration and Customs Enforcement purchased location data on individuals in sanctuary cities, even though those cities passed ordinances rejecting federal immigration detention requests.[240] And agencies may soon get into the business of purchasing other kinds of sensitive information like transaction and credit card histories.

The Fourth Amendment was forged to keep these kinds of information private to shield people from government persecution. This suggests a pressing need for some reform to protect against warrantless purchases of data. Yet, as the next section demonstrates, Fourth Amendment doctrine cannot supply the appropriate privacy protection.

B.     Problems with Reinterpreting State Action

This Note established above that the key reason the Fourth Amendment does not regulate a government purchase of data is that purchases are not state action, nor does a purchase convert private actors into state actors. Because state action is the critical doctrinal pressure point, privacy proponents may believe that the best way to vindicate the purpose of the Fourth Amendment would be to creatively expand these stale concepts. Ultimately, though, the massive expansions in doctrine needed to regulate warrantless purchases are not only unlikely, but unattractive. This section will describe two potential expansions of Fourth Amendment doctrine that would expand state action to cover government purchases of data, and then describe the flaws and unintended consequences of both of these approaches.

First, the public function doctrine could be expanded to include service providers’ initial collection, at least when the information collected ends up in government hands. This would require lowering the bar from complete usurpation of a public function to partial fulfillment. Alternatively, inducement doctrine could be expanded to include economically induced sales of data packages. These broad doctrinal applications, however, risk creating enormous second-order effects.

Instead, Congress must step in to regulate sales of data. Congressional action presents several practical benefits that relying on the shifting sands of the Fourth Amendment preclude: mainly, that Congress can regulate more than just state actors. This Note thus underscores an urgent need for legislative action.

1.     Expanding Public Function Doctrine: Monumental Collateral Consequences

Current public function doctrine recognizes that a private party can become a government actor when they completely usurp a public function exclusively reserved for the state. Even though they purchase user location data from brokers, law enforcement and intelligence agencies still seek warrants to obtain location data. While exact figures are not known, government purchases represent only a fraction of intelligence activities.[241] Thus, to extend the reach of the Fourth Amendment the bar must be lowered from usurpation to at the very least “partial fulfillment” of a public function. (This sets aside even the concern that surveillance is not “exclusively reserved” to the state.)

The unintended ramifications of such a doctrinal expansion are massive. Social media platforms, for example, have displaced town halls and other public forums as venues that host speech.[242] Twitter, Facebook, and every other social media app, then, would become government actors subject to the First Amendment. Content moderation that blocks offensive and harmful content may therefore become unconstitutional.[243] Beyond the monumental consequences on social media platforms, virtually any time the government enters into a contract with a private party to outsource its functions, those private parties would become government actors. When the government hires Boeing to construct new weapons systems, or a municipality hires a trash-collecting company to clean the streets, they would become state actors for constitutional purposes. In short, the risks of extreme overinclusion counsel against applying the public function doctrine in this way. But less expansive adjustments to the public function doctrine would fail to capture service providers under the Fourth Amendment.

2.     Expanding Inducement Theory: Insufficient Reach

Expanding state action doctrine to cover a purchase of data, then, might be best accomplished through a creative application of inducement theory. However, suggesting that any open-market transaction with the government counts as economic inducement would similarly risk extreme overinclusion, as that would transform every actor that sells to the government into extensions of it (even if, for example, a contractor merely provides catering services to a military base). To limit second-order effects and remain faithful to the underlying rationale that animates the doctrine, economic inducement could be said to produce government action only where economic pressures render a transaction involuntary. Realistically, a transaction does not become involuntary solely as a result of market forces most of the time. But if there is any circumstance in which an open-market sale may not be voluntary due to purely economic factors, it is when the market is controlled by a single buyer.[244] If the government dominated the data market as a monopsonist or near-monopsonist buyer, brokers would depend on the existence of the government as a buyer. In that circumstance, there is good reason to believe that the prospect of a government purchase actually induces the brokers to sell user data and fully bend to the will of the government.[245]

This suggested amendment is doctrinally feasible. The idea that economic inducement cannot product inducement-as-state action derives largely from bounty hunting cases. Bounty systems have been upheld as legitimate largely because of the historic rule of Taylor: it is not state action because the relationship arises out of a bounded contract rather than legislative fiat.[246] Many commentators rightfully argue this doctrine is antiquated and that bounty hunters ought to be regarded as state actors precisely because of the inducement principle.[247] Such a proposal would also convert government contractors, such as builders of roads and defense contractors like Lockheed Martin and Northrop Grumman, into state actors; this, in turn, would require overturning Rendell-Baker v. Kohn.[248]

But problems exist with even this more limited proposal. Conceptually, if the new inducement principle is that “the government induces where it dominates the market,” then all data brokers need to do to render the practice constitutional is to find other major buyers. This is a strange result.[249]

Pragmatically, even if this proposed doctrinal change was adopted, the current state of the world is a far cry from the circumstances under which the new inducement principle would kick in. As detailed above, data brokers do not just sell to law enforcement and intelligence agencies; large buyers include advertisers and other private actors in media, retail, and healthcare.[250] Fourth Amendment protections would not follow until the government becomes a monopsonist or dominant buyer. Stretching inducement theory, therefore, either produces overbroad collateral effects but would subject data brokers to the Fourth Amendment, or limits second-order effects but would only apply in a hypothetical future scenario.

C.     Reprogramming the Fourth Amendment—via Legislation

Given the difficulty of applying existing state action doctrine to regulate the purchase of data, Congress is better suited to resolve this vexing privacy puzzle via legislation. To accomplish this, Congress ought to pass comprehensive privacy legislation that both regulates the sale of sensitive data and bans foreign governments from buying these datasets. Such a law would address the privacy problem at its source, while mitigating a potentially grave foreign intelligence threat. This would require mixing elements of the proposed American Data Protection and Privacy Act with tight restrictions on sales to foreign governments.

A comprehensive privacy law of this kind is preferable to a sweeping ban on all government purchases, like FAINFSA—which was Congress’s initial response to the privacy gap exposed by data brokers.[251] And, having passed the House Judiciary Committee,[252] it appears to be Congress’s preferred mode of addressing the data broker problem. But passing this law would be the wrong way to protect privacy.

Admittedly, passing FAINFSA or a similar law would vindicate the promises of the Fourth Amendment. The Bill provides that a “law enforcement agency of a governmental entity and an element of the intelligence community may not obtain from a third party in exchange for anything of value”[253] any “contents of communications” and “location information”[254] on any “covered persons.”[255] Covered persons include people located in the United States and U.S. persons as defined by the Foreign Intelligence Surveillance Act, including citizens, aliens lawfully admitted for personal residence, and certain associations and corporations.[256]

Passing such a law might even present other benefits as well. Pushing for passage of the law might be more feasible than relying on creative applications of state action doctrine. Furthermore, codifying such a principle via doctrine runs the risk of allowing new factual development to change the privacy analysis. For example, the contractual terms of ToSs may begin to specify that data may be shared with government and may start to properly put users on notice. If a vendor begins selling people’s data at a retail level, as one company did with ClearView AI, data purchases may suddenly become in “general public use,” and disrupt users’ reasonable expectation of privacy. Passing legislation presents the most promising way to plug this critical Fourth Amendment gap.

The principal problem with FAINFSA and similar legislation, then, is that it hobbles national security agencies relative to foreign threats. In the summer of 2023, the Office of the Director of National Intelligence confirmed in a declassified report that foreign governments already purchase Americans’ data from third-party brokers.[257] Thus, these laws would only prohibit warrantless purchases of data by the U.S. government, but under FAINFSA (or the Fourth Amendment), brokers would still be free to sell sensitive geolocation data to hostile foreign threats and governments without restraint. The Framers never could have envisioned a world where private actors would have better surveillance capabilities than the government, let alone be able to sell that information to hostile foreign threats.

In light of this problem, some may believe the appropriate solution is to shore-up the wall between intelligence and law enforcement agencies, imposing tighter collection rules on the latter but permitting laxer restrictions on the former; after all, it is law enforcement agencies that have the power to enact violence on individuals by sending them to prison and prosecuting them.

Rather than regulate a downstream effect, however, Congress should address the source of this problem: that these invasive kinds of data are transacted on the market in the first place. This key vulnerability thus counsels in favor of regulating data sales by private actors, whoever the buyer happens to be.

Indeed, appetite for this kind of solution has been aptly demonstrated on the Hill. A similar but less direct foreign intelligence threat vulnerability prompted a bipartisan coalition of Senators (Wyden, Whitehouse, Rubio, Lummis, and Hagerty) and Representatives (Eshoo and Davidson) to propose the Protecting Americans’ Data From Foreign Surveillance Act (PADFFSA) in summer 2022, largely in response to the surge in popularity of TikTok.[258] Senator Wyden alerted his fellow legislators to the fact that “[r]ight now it’s perfectly legal for a company in China to buy huge databases of sensitive information from data brokers about the movements or health records of millions of Americans, and then share that information with the Chinese government.”[259] Senator Lummis similarly offered that “[a]llowing foreign adversaries unrestricted access to Americans’ private, sensitive data . . . threatens our national security.”[260] Representative Eshoo, too, lamented that “there are no laws preventing foreign companies from purchasing and sharing large quantities of Americans’ personal data.”[261] Senators Rubio, Hagerty, and Whitehouse expressed similar sentiments. But this law sought to regulate purchases by foreign companies via reforms to export control laws as regulated by the Commerce Department. Even more direct than TikTok and foreign company purchases, foreign intelligence apparatuses are free to buy data directly from third-party brokers. Rather than create a patchwork of regulation by restricting categories of buyers, Congress ought to regulate this problem at the source: the seller. Indeed, several states have recently passed laws requiring data brokers to register and report on their activities concerning citizens (though have declined to adopt more extensive regulatory restrictions).[262]

This Note therefore advances a mix of two different proposed laws to tackle this privacy problem: PADFFSA and the American Data Protection and Privacy Act (ADPPA). The ADPPA element would address the fundamental privacy problem by regulating sales of sensitive data, regardless of buyer. ADPPA would create a “third party registry,” much like California’s data broker registry. In addition to meeting reporting requirements, these third parties would only be permitted to transfer people’s data if they first obtained the “affirmative express consent of the individual.”[263] This would require the data transferor (e.g., a broker) to make a “specific request” to the individual, make a “clear and conspicuous standalone disclosure,” and identify with particularity the data the third party seeks to transfer.[264] Absent this, data can only be transferred when “necessary to comply with a legal obligation imposed by . . . law,” to “prevent an individual from imminent injury,” or “at the direction of a government entity” insofar as it is authorized by law, or to “establish, exercise, or defend legal claims.”[265] Notably, these match the “legal bases” under which the data may permissibly be processed under the GDPR.[266] ADPPA, however, “does not permit . . . the transfer of covered data for payment or other valuable consideration to a government entity.”[267] And like the California Consumer Protection Act and the GDPR, users would have the right to delete personal information collected on them, the right to know about the records collected on them, and the right to opt out of data sales—rights that can be enforced on the Federal Trade Commission (FTC) website.[268] To foster compliance, the FTC would have the power to bring enforcement actions and levy hefty fines. Individuals and states would have the right to bring suit as well. The FTC, furthermore, would have rulemaking authority power to define new categories of sensitive data subject to these restrictions.

The provisions of the ADPPA present effective solutions to the privacy puzzle posed by data sales. By limiting most transactions to those which users have unambiguously consented and providing for rights to opt-out, users can finally feel secure that their information is private from not only the government, but from everyone. Granting an agency rulemaking authority to define new categories of sensitive data is sensible too, vindicating the mosaic theory of the Fourth Amendment: categories of data that once may not have been invasive can, when put in conversation with other data, become deeply revealing. It makes sense to allow an agency to update the kinds of data that qualify as sensitive. Finally, as the fines issued under the GDPR aptly demonstrate, granting the relevant agency the power to bring enforcement actions is an effective method of enforcing data privacy.

Regulating sales under the provisions of ADPPA alone, however, does not address the foreign intelligence threat discussed above. ADPPA permits transfers of sensitive data to government entities, but only insofar as it is legally authorized—and would not permit the government to purchase the data as an end-run around warrants. Theoretically, registered brokers could sell the data of consenting Americans to foreign corporations, governments, and instrumentalities.

That is why new comprehensive legislation should combine the ADPPA with elements of PADFFSA. This would manage the foreign intelligence threat by enacting even tighter restrictions on sales to foreign entities. PADFFSA, a proposed amendment to the Export Control Reform Act, would empower the Secretary of Commerce to control the export of personal data—i.e., data sales to foreign entities. The Secretary, in coordination with other elements of the U.S. government, would identify categories of sensitive data that could either (A) “be exploited by foreign governments or foreign adversaries,” and (B) “harm the national security of the United States” if sold in a large enough quantity (which is a threshold to be determined by the Secretary).[269] Through administrative rulemaking, the Secretary would identify data falling in each category, and would determine the threshold that would apply to data under category (B). These kinds of data would be subject to exports control procedures, and generally require a license or specific authorization to proceed with the data sale.[270]

Comprehensive data privacy legislation should stitch together these two laws. This would address the privacy gap posed by data sales at the foundation, while not putting U.S. intelligence agencies at a tactical disadvantage relative to foreign entities. Granted, this Frankenstein legislation would require consolidating the parallel procedures established in these two laws. Most notably, ADPPA would grant the FTC rulemaking power to define categories of sensitive data, while PADFFSA would give the Secretary of Commerce this authority. Comprehensive privacy legislation would streamline these parallel processes by empowering one data protection authority to define the categories of sensitive data, while allowing the FTC to bring enforcement actions against U.S.-based data brokers (and other sellers of sensitive data) and the Commerce Department to restrict data sales to foreign companies. This Note does not take a position on where this authority ought to be seated. But this cohesive approach to protecting privacy is superior to FAINFSA’s.

Congress, unhindered by the state action constraints inherent in the Fourth Amendment, is free to regulate not just government purchases of data, but the original sales of sensitive data. Indeed, the General Data Protection Regulation (GDPR)[271] and the American legislation it inspired[272] opt to regulate the private sector rather than the public sector. This presents Congress with a profound opportunity to restore the principles that animate the Fourth Amendment and keep people’s personal lives truly secure—not just against state and federal government, but against everyone.

Conclusion

The data brokering market denotes a serious loophole in privacy protections, but it is emblematic of a wider, systemic issue. Despite some strides in Carpenter, Fourth Amendment doctrine has repeatedly demonstrated itself unfit to keep pace with the novel privacy issues that attend evolving surveillance technology. Brokers are thus just one speck in a wider constellation of emerging privacy challenges raised by new surveillance methods. Short of doctrinal overhaul, contorting constitutional law is unlikely to transform the Fourth Amendment into the anti-persecution bulwark that it was meant to be. The Constitution’s inability to address these privacy issues alone underscores an urgent need for Congress to forge a regulatory scheme to keep up with emerging issues that attend novel surveillance practices. Otherwise, people may become victim to electronic general warrants.