De-Identified and Unregulated: How Data Brokers Outpace State Privacy Laws
Hannah Moore | 27 Vand. J. Ent. & Tech. L. 863 (2025)
State consumer privacy laws, though increasingly important in the absence of a comprehensive federal privacy framework, fail to effectively regulate the practices of data brokers who exploit de-identified data. Laws like the Tennessee Information Protection Act (TIPA) exempt de-identified data from key protections, leaving significant gaps in oversight.
While the Health Insurance Portability and Accountability Act (HIPAA) establishes standards for de-identification, advanced analytics and linkage techniques employed by data brokers render this data increasingly susceptible to re-identification. The Federal Trade Commission (FTC) has taken steps to address these risks, but its limited authority highlights the need for comprehensive solutions.
This Note proposes two key approaches to addressing the privacy risks posed by data brokers and the re-identification of de-identified data: enacting federal privacy legislation and adopting synthetic data generation, in order to mitigate re-identification risks and close regulatory loopholes. Together, these measures aim to address the shortcomings of state and federal privacy frameworks, ensuring stronger protections for de-identified data in an evolving data ecosystem.