Many privacy regulations — such as the EU General Data Protection Regulation and the California Consumer Privacy Act — aim to protect consumers’ personally identifiable data from abuse, misuse and overuse. Yet personal data continues to be legally collected, aggregated, analyzed, packaged and resold. Information brokering has now become a revenue stream for many commercial organizations.
The information broker industry has emerged to profit from brokering consumer data. Industry trade groups, like the Association of Independent Information Professionals and the Data & Marketing Association, lead the way. It is important to examine just how private your personal data really is and what we can do to promote consumer data transparency.
Scoping the problem
In 2013, World Privacy Forum Executive Director Pam Dixon appeared before the U.S. Senate Committee on Commerce, Science and Transportation where she testified about problems with the information brokering industry.
The data broker industry includes about 4,000 companies, ranging from multinational corporations to small offshore operators. Their business models and data flows are complex, weaving through many affiliates of data brokers, resulting in an “affiliate storm” that makes it difficult for consumers to find the original compiler and seller of the data. To exacerbate this problem, the Center for Humane Technology has identified several growing trends:
- Enrichment of personal data coalesced from a wide range of unrelated sources.
- Exponential use of enriched data to push coercive advertising, social and political views.
Their 2020 documentary "The Social Dilemma" describes a case where frequently visited locations, garnered from GPS coordinates tracked on your mobile device, can associate one’s group of friends and relatives, and then apply those third-party preferences — buying habits and political views — back to the original target.
Even the use of so-called “privacy-centric” browsers and search engines are suspect to user tracking and data sharing. It was recently reported that DuckDuckGo — whose tagline is “The search engine that doesn't track you” — shares data exclusively with Microsoft.
While current privacy legislation attempts to reduce personal information sprawl by requiring minimal data collection, these same regulations provide no assurance mechanisms to enforce it until it is too late. In addition, laws and regulations meant to ensure that such data is managed securely only allow for shallow consumer control; much of the onus of implementation is on the data collector themselves.
A 2013 U.S. Government Accountability Office report “Consumer Privacy Framework Needs to Reflect Changes in Technology and the Marketplace” highlighted the lack of regulatory oversight of data brokers. It expressed concerns that existing regulations are being circumvented by unscrupulous affiliates collecting and selling personally identifiable information.
Recent legislation such as the California Consumer Privacy Act and the GDPR has focused on consumer choices to opt out, request what data has been collected about them, or update and remove specific elements of their collected data.
Although the CCPA applies to secondary data brokers as well as consumer-facing businesses, the onus has been on consumers to explicitly exercise their rights against the data usage defaults put forth by the company. Those defaults typically stipulate consumers follow the companies’ data collection practices as the first tollgate to access their products and services.
The GDPR’s “right to be forgotten” requirement is equally ineffective, as it applies to the organization that originally captured your information, not to all the downstream buyers who received that data in the space between information origination and the consumer exercising that right. According to the Irish Council for Civil Liberties report on Real-Time Bidding, “On average, a European user’s data is shared with advertising and adtech middlemen 376 times per day — and for Americans, it’s double that: 747 times daily … Every time you load up a webpage, there’s a span of about 200 milliseconds where the webpage shares data about you and your browser.”
The Data Broker Accountability and Transparency Act of 2020 proposed mandated optouts to be required by data brokers, in addition to the U.S. Federal Trade Commission creating a national list of data brokers. According to a recent study, in 2020 more than $29 million was spent for lobbying against data broker regulations and the big tech data firms that collect personal data spent more than $100 million dollars to protect their interests. To no surprise, the bill did not even receive a vote.
Organizations themselves can be perplexed by the sheer number of statutes around data collection and usage which leads to inadvertent complexities in managing data. In the U.S. alone, there are a myriad of data privacy requirements embedded in many regulations, including but not limited to: the Graham Leach Bliley Act; Fair Credit Reporting Act; Fair and Accurate Credit Transactions Act; Commodity Exchange Act: Dodd-Frank Wall Street Reform and Consumer Protection Act; Personal Information Protection and Electronic Documents Act.
Regardless of the regulatory landscape, data brokers are not consumer-facing and do not abide by the requirement for minimal data collection. Once a set of data has been sold, the control of that data no longer under control of the seller or the consumer.
Since June, two major pieces of U.S. legislation have been introduced to address personal data privacy control in this $200 billion industry:
The American Data Privacy and Protection Act attempts to establish consumer rights using the term duties of loyalty which includes “additional requirements for large data holders (defined as organizations having sensitive personal data on 100,000 or more individuals or non-sensitive data on 5 million or more individuals) and third-party service providers that process data.” As progressive as this sounds, the act has a laundry list of exceptions to areas of state preemption, private right of action, centralized opt-out, et al.
U.S. Sen. Elizabeth Warren, D-Mass., along with several other senators, introduced legislation to ban data brokers from selling Americans' location and health data. Given the vastly nested network of resale channels of user data, it remains to be seen how this regulation will be effective in attributing violations of data origin and enforcement.
Various privacy and cybersecurity experts have taken independent, different approaches to educate and support consumers.
The Center for Humane Technology focuses on educating the public about the overreach of technology and social media companies to “connect the dots” and build complex user profiles. Inrupt, co-founded by computer scientist and World Wide Web founder Tim Berners-Lee and Resilient Systems CEO John Bruce, allows consumers to build their own data repository where they can choose what elements to share with subscribed companies. The Electronic Frontier Foundation helps consumers control shared personal information through a number of tools. Author Michael Bazzell published "Extreme Privacy: What It Takes to Disappear," which helps a layperson recognize and minimize data collection techniques.
While useful for consumer education in promoting secure behaviors, these efforts do not affect the current dominion of data brokering.
Managing privacy through transparency
Dixon’s testimony supplies a concept that merits deeper consideration: A consumer at the receiving end of all the data reselling has difficulty finding the original compiler and seller of their own, otherwise private, data. The privacy gap lies in the need for transparency in the flow of personal information.
Hence, we must develop a new model for consumer data transparency: personal information privacy ontology.
To highlight a parallel effort, a 2021 presidential executive order now requires organizations doing business with the U.S. government to maintain a software bill of materials, disclosing all the programmatic ingredients — third-party software libraries — in their systems and software. This level of operational transparency ideally allows an organization to find and quickly remediate vulnerable or unsanctioned software components.
Like the visibility that SBOM affords software owners, a data privacy ontology is needed. Such an ontology may be sparse at first, but as more organizations are required to comply, a more complete picture of one’s collective data will be visible.
PIPO is a call for organizations to address two cascading issues of privacy: existing and future data sprawl.
- Status Quo: Where existing data has been sold and/or shared. If a consumer can see a trail of their existing data, they are enabled to act under any applicable legislation across the entire footprint of organizations holding their data.
- Data Flow: Where potential data will be sold and/or shared. When consumers can see a complete topology of where their personal data will be used, they can make more informed decisions about continuing to use a particular company or product.
Data Classification and Enrichment
The first step toward responsible data transparency needs to happen at the collection point, the consumer facing organizations. Each organization would need to employ either a chief data officer or data privacy officer to architect and oversee the classification and enrichment of personal data elements collected by that organization.
Each personal data element passing into an organization should be meta-tagged with four essential attributes:
- Purpose: What was the intended direct usage of collecting that data element?
- Upstream Collection: Where was the data collected from? (Identify all sources, if multiple.)
- Manipulation: What is being done with the data, how is it being enriched?
- Downstream Distribution: Where is this data being shared and/or resold?
This meta-tagging exercise can also help reduce data storage costs by providing deduplication and nonrepudiation of data elements.
To prevent the gaming of transparency requirements, it is imperative to apply PIPO to any element of personal information, not just the literal definition of PII. This nuance will prevent the loophole of sharing and distributing PII into nonidentifiable pieces only to be reassembled beyond the scope of any tracking/disclosure obligation.
The plethora of privacy laws discourages the desire to add more regulation. However, in the case of building a consistent implementation of transparency, there is no incentive for the data broker industry to self-monitor transparency and provide “data care” responsibility. The data broker industry which has been wildly profitable without regulatory oversight.
There needs to be a global standard for defining and managing the data transparency structure as well as inter-company processing. This standard then needs to be enforced through national regulations that are congruently supported by multi-national agreements.
One successful example of such enforcement is the Payment Card Industry Data Security Standard which started as a standard and eventually became a mandatory requirement in 2014 for all credit card transactions.
Call to action
As an organization, ensure the identification, use and storage of consumer information is sufficiently tracked, since this will bolster both the security and privacy of those data elements. The results of this effort will assist with auditing and cyber-insurance compliance and materially reduce the impact radius of any breach.
As an individual, write to your local federal representative, and implore the resurrection of the Data Broker Accountability and Transparency Act of 2020.
Where possible, exercise that “right to be forgotten” before the data is packaged/sold (which is usually transmitted to data brokers in milliseconds). This may mean that one must forego that “free” mobile application, that “discounted” deal or the patronage to a popular web store.
When patronizing in person, actively exercise your consumer rights at the outset of any transaction: right to be informed, the right of access, the right to restrict processing, the right to data portability and the right to be forgotten; and remind participating organizations these rights need to be applied to their downstream information brokers.
While PIPO will not thwart unscrupulous practices, it is a prescriptive call for organizations to be proactive with data privacy and compliance because without visibility, regulatory controls cannot be effective.
Finally, if you are still unsure about the impact of data brokers on your life, take some time to watch John Oliver’s episode of Last Week Tonight on the topic of data brokers.
If you want to comment on this post, you need to login.