In a report roughly 18 months in the making, the FTC has released “Data Brokers: A Call for Transparency and Accountability,” which both defines the data broker industry and includes strenuous recommendations for legislative action. Through 130 pages of report, appendices and exhibits, the FTC commissioners have unanimously raised a series of concerns over data brokerage while offering a series of pointed fixes.
The study accumulated information, via order to file special report, from nine data brokers starting in December, 2012: Acxiom, Corelogic, Datalogix, eBureau, ID Analytics, Intelius, PeekYou, Rapleaf and Recorded Future. The information gleaned, said FTC Chairwoman Edith Ramirez in a conference call accompanying the report’s release this morning, “has led us to conclude that the industry suffers from a fundamental lack of transparency … We want to lift the veil of secrecy that shrouds the data broker industry’s practices.”
To do that, the FTC calls for legislation that would accomplish four main goals. First, the report says there needs to be a “centralized mechanism” where consumers can identify which broker holds which data and provides an ability to both correct that information and an ability to opt out of it being used. Second, the brokers should be forced to provide the conclusions they draw about the consumer based on the data they hold. Third, brokers would be required to identify the source of any data they hold. Finally, any company that sells data to brokers would be required to notify consumers of that fact.
On the conference call, Maneesha Mithal, head of the FTC’s Division of Privacy and Identity Protection, which did much of the work in preparing the report, acknowledged that this last provision “will affect a lot of companies.” However, she said, “we’re trying to get at how the consumer will ever learn that a data broker even exists.” She said many companies already notify consumers that they are selling their data, “we’re just suggesting we legislate the practice.”
There is a further recommendation for data broker legislation: That lawmakers should “consider” some kind of express consent mechanism for the collection of any “sensitive” information, such as health data, regardless of potential future use.
While the FTC report acknowledges some consumer benefits derived from the industry, such as fraud prevention, it also identifies risks and concerns, which are given more attention, ranging from the risk that someone will be denied a service based on faulty information they have no way of knowing how to correct to the security risks inherent in any company possessing that much information on so much of the populace.
Further, the FTC found that choices for consumers about how their data is collected and used are “largely invisible and incomplete.” A person might be placed into a data broker-created category such as “Financially Challenged” or “Urban Scramble,” and not know why or how, or that they’ve been placed in such a category in the first place.
Commissioner Julie Brill, in a concurring public statement released alongside the report, noted that while being in a category might mean consumers get offers more germane to their lifestyle, “these profiles can also be used to determine whether and on what terms companies should do business with us as individual consumers, and could result in our being treated differently based on characteristics such as our race, income, or sexual orientation. If data broker profiles are based on inaccurate information or inappropriate classifications, or used for inappropriate purposes, the profiles have the ability to not only rob us of our good name, but also to lead to lost economic opportunities, higher costs, and other significant harm.”
It’s this potential for “significant harm” that has led the FTC to follow up on legislative recommendations made in 2012’s report, “Protecting Consumer Privacy in an Era of Rapid Change,” and as far back as the 1990s. In fact, the report notes, “despite the Commission’s call for greater transparency in the 1990s, the Individual References Services Group (“IRSG”) self-regulatory experiment to improve transparency of data broker practices was short-lived.”
In her public statement, Commissioner Brill goes so far as to call for two more legislative actions: First, she believes Congress should require data brokers “to employ reasonable procedures to ensure that their clients do not use their products for unlawful purposes” and, second, “require data brokers to take reasonable steps to ensure that their original sources of information obtained appropriate consent from consumers.”
When asked whether any legislators had yet been approached to sponsor bills that would accomplish these goals of the FTC and Commissioner Brill, Chairwoman Ramirez said it was still early days, and mentioned only Sen. Jay Rockefeller (D – WV) by name.
“The main message in today’s report for chief privacy officers and other privacy professionals is that they need to pay attention to where their companies’ data is going and how they are using profiles – even if they don’t work for or represent a data broker – because the different parts of the data broker ecosystem are all connected,” Commissioner Brill told The Privacy Advisor in an emailed comment. “All companies that are active in this space – data brokers themselves, their data sources, and their customers – need to provide more transparency and establish greater accountability.”
Editor’s note: Speakers will expand on the data broker industry and the meaning of the FTC Data Broker report at the IAPP Privacy Academy, in San Jose, CA, Sept. 17-19.