Edith Ramirez, the chair of the US Federal Trade Commission (FTC or the Commission), has often said that “with really big data, comes really big responsibility.” What she meant was not always clear.
In May 2014, however, the FTC issued its long-awaited report on data brokers, a significant segment of what the Commission calls “this Big Data economy.”1 The Report categorizes data brokers and gives recommendations, both for legislation and for best practices. Data brokers—and even companies that deal with data brokers—should make sure they are aware of the Commission’s recommendations. Until Congress acts—and perhaps thereafter—the FTC likely will continue to play an active role in policing perceived privacy violations by data brokers and their business partners. And plaintiffs’ class-action lawyers often follow the FTC’s lead.
The Report divides data brokers into three categories, depending on the types of products they furnish: (i) marketing products, including traditional and online advertising, as well as market analytics; (ii) risk-mitigation products, such as identity-verification and fraud-detection tools; and (iii) people-search products, which provide profiles and other available information about individuals.2 Pursuant to its authority to order reports under section 6(b) of the Federal Trade Commission Act (FTCA),3 the Commission surveyed nine such companies4 and found: that the data-broker industry is complex, characterized by sales of data not only to consumers but between various data brokers; and that brokers obtain information from numerous sources, including each other, public databases and online web-crawlers (which search Internet “cookies” for data).
According to the Report, data brokers collect and store “billions of data elements” representing “nearly every US consumer,” and they market to consumers based both on online activities (e.g., online shopping, social networking) and offline activities (e.g., filling out warranty cards reported to retailers and home purchases reported to local governments). This is all done, according to the FTC, largely without consumer knowledge, raising concerns over privacy, transparency and security. To the extent consumers are given choices regarding the collection and use of their data, the choices are largely invisible or incomplete, in the Commission’s view. Plus, the Commission concluded that it could be “virtually impossible” for consumers to retrace the path of data to its original source.
Nevertheless, the Commission expressly recognized the benefits of data brokers, including fraud prevention, improved products and targeted advertising.5 In proposing legislation, the Commission does not intend to “limit the ability of data brokers … to provide important products and services,” but to increase consumer information and choice.6 Transparency is key according to the Commission. More specifically, the Commission provided recommendations for each type of the data-broker products it identified:
- Marketing Products: The Commission recommends legislation requiring data brokers to give consumers access to their data and the opportunity to opt out of data-sharing for marketing purposes. The Commission further suggests that consumer-facing companies that share data with brokers: (i) notify consumers of the data sharing, including the entities involved; (ii) disclose that data may be used in its raw form and to form derivative inferences; and (iii) offer an opt-out. The Commission also suggests a centralized mechanism, such as an web portal, for data brokers to identify their practices.
- Risk-Mitigation Products: Where risk-mitigation products prevent or limit a customer’s ability to complete a transaction or obtain a benefit, the Commission recommends legislation giving consumers notice, access to the underlying data (or at least the resulting reports and a description of how results are developed) and an opportunity to cure flawed reports, similar to protocols established under the Fair Credit Reporting Act.
- People-Search Products: The Commission recommends legislation requiring data brokers offering people-search products to provide consumers (i) access to their information; (ii) disclosure of data sources (so that consumers may correct erroneous information); (iii) the opportunity to opt out; and (iv) disclosure of any limitations on the opt-out (e.g., that the consumer’s name may continue to appear in search results).
The Report recognizes that many data brokers already use these practices. Whether Congress enacts any or all of the Commission’s recommendations remains an open question, and the FTC—fully recognizing that fact—further recommends certain “best practices” to consider absent legislation. According to the Commission, all data brokers should implement: (i) sound data collection, retention and disposal practices to reinforce data security; (ii) appropriate measures to prevent collecting information from children and teenagers (recognizing that the Child Online Privacy Protection Act applies only to children under 13); and (iii) reasonable precautions to ensure that customers do not use data-broker products for impermissible purposes, such as eligibility determinations in hiring, leasing or lending. Data brokers should carefully consider the FTC’s recommended practices, as they may help avoid FTC scrutiny and private litigation. Indeed, the FTC takes a broad view of its authority under the “unfairness” prong of the FTCA7 and has been quite active in the data-privacy context. The Report confirms that data brokers remain firmly on the FTC’s radar.