I feel like the definition of what counts as a data broker and also the idea of information “directly collected” will be abused.

Regardless, it’s a good step. I would also like to see long term liability for security breaches, including lifelong compensation for identity theft and stuff. And for it to be applied retroactively.