In a report roughly 18 months in the making, the FTC has released “Data Brokers: A Call for Transparency and Accountability,” which both defines the data broker industry and includes strenuous recommendations for legislative action. Through 130 pages of report, appendices and exhibits, the FTC commissioners have unanimously raised a series of concerns over data brokerage while offering a series of pointed fixes.

The study accumulated information, via order to file special report, from nine data brokers starting in December, 2012: Acxiom, Corelogic, Datalogix, eBureau, ID Analytics, Intelius, PeekYou, Rapleaf and Recorded Future. The information gleaned, said FTC Chairwoman Edith Ramirez in a conference call accompanying the report’s release this morning, “has led us to conclude that the industry suffers from a fundamental lack of transparency … We want to lift the veil of secrecy that shrouds the data broker industry’s practices.”

To do that, the FTC calls for legislation that would accomplish four main goals. First, the report says there needs to be a “centralized mechanism” where consumers can identify which broker holds which data and provides an ability to both correct that information and an ability to opt out of it being used. Second, the brokers should be forced to provide the conclusions they draw about the consumer based on the data they hold. Third, brokers would be required to identify the source of any data they hold. Finally, any company that sells data to brokers would be required to notify consumers of that fact.

On the conference call, Maneesha Mithal, head of the FTC’s Division of Privacy and Identity Protection, which did much of the work in preparing the report, acknowledged that this last provision “will affect a lot of companies.” However, she said, “we’re trying to get at how the consumer will ever learn that a data broker even exists.” She said many companies already notify consumers that they are selling their data, “we’re just suggesting we legislate the practice.”

There is a further recommendation for data broker legislation: That lawmakers should “consider” some kind of express consent mechanism for the collection of any “sensitive” information, such as health data, regardless of potential future use.

While the FTC report acknowledges some consumer benefits derived from the industry, such as fraud prevention, it also identifies risks and concerns, which are given more attention, ranging from the risk that someone will be denied a service based on faulty information they have no way of knowing how to correct to the security risks inherent in any company possessing that much information on so much of the populace.

The FTC report's visualization of how data brokerage works.

Further, the FTC found that choices for consumers about how their data is collected and used are “largely invisible and incomplete.” A person might be placed into a data broker-created category such as “Financially Challenged” or “Urban Scramble,” and not know why or how, or that they’ve been placed in such a category in the first place.

Commissioner Julie Brill, in a concurring public statement released alongside the report, noted that while being in a category might mean consumers get offers more germane to their lifestyle, “these profiles can also be used to determine whether and on what terms companies should do business with us as individual consumers, and could result in our being treated differently based on characteristics such as our race, income, or sexual orientation. If data broker profiles are based on inaccurate information or inappropriate classifications, or used for inappropriate purposes, the profiles have the ability to not only rob us of our good name, but also to lead to lost economic opportunities, higher costs, and other significant harm.”

It’s this potential for “significant harm” that has led the FTC to follow up on legislative recommendations made in 2012’s report, “Protecting Consumer Privacy in an Era of Rapid Change,” and as far back as the 1990s. In fact, the report notes, “despite the Commission’s call for greater transparency in the 1990s, the Individual References Services Group (“IRSG”) self-regulatory experiment to improve transparency of data broker practices was short-lived.”

In her public statement, Commissioner Brill goes so far as to call for two more legislative actions: First, she believes Congress should require data brokers “to employ reasonable procedures to ensure that their clients do not use their products for unlawful purposes” and, second, “require data brokers to take reasonable steps to ensure that their original sources of information obtained appropriate consent from consumers.”

When asked whether any legislators had yet been approached to sponsor bills that would accomplish these goals of the FTC and Commissioner Brill, Chairwoman Ramirez said it was still early days, and mentioned only Sen. Jay Rockefeller (D – WV) by name.

“The main message in today’s report for chief privacy officers and other privacy professionals is that they need to pay attention to where their companies’ data is going and how they are using profiles – even if they don’t work for or represent a data broker – because the different parts of the data broker ecosystem are all connected,” Commissioner Brill told The Privacy Advisor in an emailed comment. “All companies that are active in this space – data brokers themselves, their data sources, and their customers – need to provide more transparency and establish greater accountability.”

Editor’s note: Speakers will expand on the data broker industry and the meaning of the FTC Data Broker report at the IAPP Privacy Academy, in San Jose, CA, Sept. 17-19.

Written By

Sam Pfeifle


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Advertise in IAPP Publications

Find out how to get your message in front the people you want to reach. Download a media kit now.

Get more News »

Find a KnowledgeNet Chapter Near You

Network and talk privacy at IAPP KnowledgeNet meetings, taking place worldwide.

Women Leading Privacy

Events, volunteer opportunities and more designed to help you give and get career support and expand your network.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

The Training Post—Can’t-Miss Training Updates

Subscribe now to get the latest alerts on training opportunities around the world.

New Web Conferences Added!

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Staff

Get your team up to speed on privacy by bringing IAPP training to your organization.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.

Learn more about IAPP certification »

Get Close-up

Looking for tools and info on a hot topic? Our close-up pages organize it for you in one easy-to-find place.

Where's Your DPA?

Our interactive DPA locator helps you find data protection authorities and summary of law by country.

IAPP Westin Research Center

See the latest original research from the IAPP Westin fellows.

Looking for Certification Study Resources?

Find out what you need to prepare for your exams

More Resources »

GDPR Comprehensive: Registration Open

New! Intensive two-day GDPR training led by the sharpest minds in the field. It's a can't-miss event.

The Congress Is Cancelled

The IAPP Europe Data Protection Congress 2015 is cancelled. Click through to learn more.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

Exhibit at an Event

Put your brand in front of the largest gatherings of privacy pros in the world. Learn more.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»