The root problem here is that these databases exist in the first place. Even if the CDC were prohibited from buying them directly, they would just use commercial intermediaries to analyze and inform policy. The only way to start getting mass surveillance under control is for the US to get some privacy laws that have teeth, like the EU's GDPR. Surveillance companies like "Safegraph" and "Cuebiq" shouldn't even exist.