The Federal Trade Commission (FTC) is calling for legislation to shed some light on data brokers’ practices and give consumers some control over the use of their personal information. In its 110-page report, “Data Brokers: a Call for Transparency and Accountability”, published on May 27, 2014, the FTC outlines the content of legislation that it is recommending to enable consumers to learn of the existence and activities of data brokers and to have reasonable access to information about them held by data brokers.
This report is the result of an 18 month-study of the practices of nine data brokers – Acxiom, CoreLogic, Datalogix, eBureau, ID Analytics, Intelius, PeekYou, Rapleaf, and Recorded Future. This study started in December 2012, when the FTC served orders on these data brokers, requiring them to provide information about their collection and use of consumers personal data.
In its Data Broker Report, the FTC observes that data brokers collect and store billions of data elements covering nearly every U.S. consumer. The extent of consumer profiling is such that these data brokers know every minute details of consumers’ everyday lives, such as income, socioeconomic status, political and religious affiliations, online and in-store purchases, social media activity, magazine subscriptions. The ability to create such detailed and precise profiles creates significant privacy concerns. According to the FTC Data Broker Report, one of the data brokers studied holds 700 billion data elements, and another adds more than 3 billion new data points to its database each month.
In most cases, data is collected behind the scenes, without consumer knowledge. The FTC Data Broker Report notes that personal data often passes through multiple layers of data brokers who share data with each other. Data brokers combine online and offline data, which may result in potentially sensitive inferences such as those related to ethnicity, income, religion, political leanings, age, or health conditions, such as pregnancy, diabetes, or high cholesterol. Many of the purposes for which data is collected pose risks to consumers, such as the unanticipated secondary uses of the data. For instance, data collected to offer discounts to potential purchasers of motorcycles, could also be interpreted by an insurance provider as a sign of risky behavior, resulting in an increase in life insurance premium. Some data brokers unnecessarily store data about consumers indefinitely, which may create security risks, in addition to the privacy risks described above.
The FTC Data Broker Report recommends that Congress enact legislation to require the following:
For brokers that provide marketing products:
- The creation of a centralized mechanism, such as an Internet portal, where data brokers can identify themselves, describe their information collection and use practices, and provide links to access and opt-out tools;
- Data brokers to give consumers access to their data, including any sensitive data, at a reasonable level of detail;
- Data brokers to inform consumers that they derive certain inferences from raw data;
- Data brokers to disclose the names and/or categories of their data sources, to enable consumers to correct wrong information with the original source;
- Consumer-facing entities (e.g., retailers) to provide prominent notice to consumers when they share information with data brokers, along with the ability to opt-out of such sharing; and
- Consumer-facing entities to obtain consumers’ affirmative express consent before collecting and sharing sensitive information with data brokers.
For brokers that provide “risk mitigation” products:
- When a consumer-facing company uses a data broker’s risk mitigation product to assist in the decision making process, that company would have to identify the information on which it relied when it decided to limit a consumer’ ability to complete a transaction;
- Data brokers to allow consumer to access the information used and to correct it, as appropriate.
For brokers that provide “people search” products:
- Data brokers to allow consumers to access their own information;
- Data brokers to allow consumers to opt-out of having the information included in a people search product;
- Data brokers to disclose the original sources of the information so consumers can correct it;
- Data brokers to disclose any limitations of an opt-out feature.
What the FTC Data Broker Report means for data brokers and others
For the past few years, the Federal Trade Commission has monitored, and attempted to guide online behavioral advertising and behavioral targeting. However, while it has repeatedly requested the advertising industry to self regulate its practices, it has not suggested, or even less outlined, proposed legislation.
With its 18-month evaluation of the data broker industry, and the issuance of its Data Broker Report on May 27, 2014, the Federal Trade Commission increases the pressure. This time, without asking for self-regulation, the FTC calls directly for legislation requiring transparency and accountability from data brokers and the availability of access and correction rights for consumers. This is an important step, which may also provide guidance in related areas.
In its Data Broker Report, the Federal Trade Commission limited the scope of its initiative to the use of big data by data brokers, i.e. entities that collect and process data for resale or licensing purposes. It did not address the use of big data by non-brokers – entities that are using the new, sophisticated tools available from big data technologies to mine a wide range of data about their own customers that they have accumulated over the years. While limiting its focus to a segment of the big data users, the FTC made a powerful call for legislation, and provided very specific direction on the principles that should be addressed in that legislation.
The FTC Data Broker Report is a major milestone, compared with the recent White House Big Data Report (May 2014), which suggested legislation that would be based on the White House Consumer Privacy Bill of Rights (February 2012), but did not identify with specificity the elements that this legislation should address or contain, or pointed to the White House Consumer Privacy Bill of Rights without explaining in what way legislation that would be based on the White House Consumer Privacy Bill of Rights would address the specific and unique issues raised by the use of big data technologies and techniques by data brokers.
The FTC Data Broker Report, on the other hand, provides a blue print for legislation that focuses on the unique issues raised by the massive collection of personal data. The principles outlined by the FTC are more directly useable, more practicable, and more pragmatic. They are also better adapted to the idiosyncracies of the world of data brokers, where all uses of data are secondary uses, and were not anticipated – and probably not disclosed – in the privacy disclosures of the customer facing companies that collected the data in the first place. Thus, it would be much easier to act upon the call for action, and draft legislative text.
It should be further noted that, while the FTC Data Broker Report is limited to a specific market, the ideas that it submits to the U.S. legislator could easily be expanded or extrapolated to all users of big data, i.e. those entities other than data brokers who use big data techniques and massive computing powers for their internal purpose. Thus, entities other than data brokers that process large amounts of data with the intent of producing personal profiles or inferring personal interests, practices, or other characteristics of individuals should consider evaluating the guidance provided in both the FTC Data Broker Report – in addition to that provided in the White House Big Data Report – when trying to anticipate the direction that laws, regulations, and enforcement might take in the next few years with respect to the secondary uses of personal data.
The FTC Data Broker Report is published at: http://www.ftc.gov/news-events/press-releases/2014/05/ftc-recommends-congress-require-data-broker-industry-be-more