The Federal Trade Commission (FTC) has joined Sens. John D. Rockefeller (D-WV) and Ed Markey (D-MA) in claiming that something needs to be done about data brokers. In a 100-page report published on May 27, the FTC unanimously recommended that Congress consider legislation that would provide greater transparency about data brokers’ practices and give consumers reasonable access to the information that data brokers hold about them.
The report’s findings echo much of what Markey and Rockefeller said about data brokers prior to introducing the Data Broker Accountability and Transparency Act of 2014 (DATA Act)—a bill intended to provide greater transparency and access. Whatever one’s position may be on the need for greater oversight in the data broker industry, the current draft of the DATA Act illustrates the challenges of regulating the industry. As we discuss in more detail below, the draft version of the DATA Act would impact a broad range of entities—including those not typically considered data brokers—and could establish unclear obligations for entities falling under the scope of the legislation.
For some time now, the practices of data brokers—companies that collect personal information about consumers in order to sell or share that information with other organizations—have been under the microscope. Rockefeller and Markey were sharply critical of the industry during a December hearing before the Senate Committee on Commerce, Science, and Transportation, and they claim that the information reseller industry lacks transparency and accountability. The FTC in its 2012 privacy report urged Congress to pass legislation that would give consumers the right to access and correct their personal information held by data brokers. In the last quarter of 2013, the Government Accountability Office issued a report discussing whether the U.S. statutory framework for consumer privacy adequately addresses concerns about data brokers. The report concluded that the current framework has gaps and “that Congress should consider strengthening the consumer privacy framework.” And the recent FTC report on data brokers finds that the industry operates with “a fundamental lack of transparency.”
The DATA Act is intended to promote greater transparency and accountability in the data broker industry. Under the act, consumers would have the right to access and correct personal information relating to them that is stored by data brokers, and data brokers would be required to implement measures to maintain accurate information. Data brokers would also have to provide consumers with a mechanism to opt out of having their personal information used or shared for marketing purposes. The FTC would be tasked with promulgating the DATA Act’s implementing regulations. Along with state attorneys general, the FTC would be authorized to enforce those regulations by seeking fines of up to $16,000 per violation.
Although the DATA Act will almost certainly undergo refinements if it moves through the legislative process, the current draft version, if adopted, would have significant and perhaps unintended impacts:
The definition of “data broker” is quite broad. The DATA Act defines “data broker” as “a commercial entity that collects, assembles, or maintains personal information concerning an individual who is not a customer or an employee of that entity in order to sell the information or provide third party access to the information.” Data brokers would clearly fall within the scope of the definition, but so would many other organizations. Newspapers, biographers, and private investigators also collect personal information about individuals in order to provide third parties with access to that information.
“Personal information” is not defined. Although the DATA Act regulates how data brokers may process “personal information,” the bill does not define the term. This could lead to great uncertainty for organizations. If the DATA Act were adopted, the FTC would likely clarify the meaning of that term, as it has done for the Children’s Online Privacy Protection Act (COPPA). However, even COPPA provides a statutory definition of the term, which guides the FTC’s interpretation.
“Marketing purposes” is not defined. The DATA Act would require data brokers that use, share, or sell information for “marketing purposes” to offer consumers the ability to request that their information not be used for those purposes. However, the DATA Act does not define what “marketing purposes” are. Sending advertisements, offers or other materials promoting a good or service would likely be considered marketing purposes. But should the generation of aggregated reports about market segments or consumer behaviors be considered a marketing purpose?
The accuracy requirement is unclear. The DATA Act would require data brokers to “establish reasonable procedures to ensure the maximum possible accuracy of the personal information” they collect. Organizations governed by the legislation would likely struggle to determine whether they should implement reasonable procedures or strive to attain maximum possible accuracy. If the latter, data brokers could end up devoting undue resources for limited gain. For example, if an information reseller providing mailing lists recorded the birthdate for an individual that was off by just one or two days, that would likely have little impact on the mailings or consumers and would likely create a significant compliance burden.
As drafted, the DATA Act has the potential to apply to a broad range of organizations and data practices. The act does not provide for a private right of action. So, data brokers would not have to face a rash of class action suits focused on ambiguities in the law or its regulations. Through its rulemaking authority under the DATA Act, the FTC could clarify the scope of the law. However, the current version of the legislation offers little guidance to the commission about how to interpret the ambiguous provisions. Given the nature of the ambiguities and the differential impacts of conflicting clarifications, the rulemaking proceedings would likely be lengthy and involved.
If you want to comment on this post, you need to login.