Report Outlines Best Practices for Data Broker Industry
The Federal Trade Commission (FTC) released its report, Data Brokers: A Call for Transparency and Accountability, based on an in-depth study of nine data brokers, which the FTC defines as companies that collect consumers’ personal information and resell or share that information with others.1 The report calls for increased regulation and new consumer protection legislation, to address the FTC’s concerns about consumer privacy. The FTC also called on the data broker industry to adopt the FTC’s best practice recommendations.
In December 2012, the FTC initiated a study of data broker practices and issued Orders, pursuant to section 6(b) of the Federal Trade Commission Act, to nine data brokers seeking information about their data collection and use practices. The nine data brokers that received the Orders are Acxiom, Corelogic, Datalogix, eBureau, ID Analytics, Intelius, PeekYou, Rapleaf, and Recorded Future. The Data Brokers report summarizes the detailed information provided by the nine data brokers, including the nature and sources of consumer data they collect; how they use, maintain and disseminate data; and the extent to which the data brokers allow consumers to access and correct data about them.
The FTC report criticizes data brokers for a “fundamental lack of transparency.”2 The FTC also emphasizes consumers’ lack of knowledge about the industry’s data collection practices and lack of access to the information maintained about them.3 In a press release about the Data Brokers report, FTC Chairwoman, Edith Ramirez, commented that “[t]he extent of consumer profiling today means that data brokers often know as much—or even more—about us than our family and friends, including our online and in-store purchases, our political and religious affiliations, our income and socioeconomic status, and more,” and noted that the FTC believes “[i]t’s time to bring transparency and accountability to bear on this industry on behalf of consumers, many of whom are unaware that data brokers even exist.”4
The FTC suggests that it may police unfair and deceptive data broker practices under Section 5 of the FTC Act, but it also calls for legislation to
regulate the data broker industry.5 The FTC recommends that new legislation should:
- Create a centralized Internet portal where data brokers can identify themselves, describe their information and collection and use practices, and provide links to access tools and opt outs;6
- Require data brokers to increase disclosure of their data collection practices;7
- Require consumer-facing sources to obtain affirmative consent prior to collecting sensitive information with the purpose of selling it to a data broker;8
- Require consumer-facing websites to notify consumers that they sell data to data brokers;9
- Require data brokers to provide consumers with access to information collected about them, including the option to modify or correct that information;10
- Require data brokers to clearly disclose their sources of information;11
- Require consumer-facing companies that rely upon a data broker’s risk mitigation product to identify the data broker upon whose data the company relied if that risk mitigation product adversely impacts a consumer’s ability to complete a transaction or obtain a benefit.12
The FTC also recommends that the data broker industry adopt certain best practices. First, the FTC suggests that data brokers take steps to comply with the 2012 Consumer Privacy report by adopting privacy by design principles.13 Those principles require a data broker to consider privacy issues at every stage of product development, assess collection practices, collect only the data needed, and properly dispose of data as it becomes less useful.14 Second, the FTC suggests that data brokers “implement better measures to refrain from collecting information from children and teens, particularly in marketing products.”15 Finally, the FTC recommends that data brokers take steps to ensure that a “downstream entity” does not use the consumer information for unlawful purposes, suggesting that data brokers contractually limit the purposes for which clients use their data or audit their clients to ensure proper use of the information.16
In response to the Data Brokers report, companies have announced efforts to increase transparency about data collection practices and improved consumer controls. Earlier this month, Facebook, Inc. announced that it will share users’ web browsing data with advertisers to enable targeted advertising, but the company will also allow users to change, add or delete the information that Facebook collects about their “likes” and interests.17
Some states are not waiting for Congress to act on the FTC’s call for legislation. The California State Senate recently approved a bill requiring online data brokers that sell or offer for sale the personal information of any California resident to permit the consumer to “review his or her personal information . . . by means of an electronic search through an online system” and “correct his or her personal information.” If signed into law, the California bill would also require those data brokers to “conspicuously post an opt-out notice on its Internet Web site, as specified, that would include specific instructions for permanently removing personal information from the online data broker’s database by making a written demand requesting to have the information permanently removed.”18
Clients should regularly revisit data collection and use practices in order to ensure the accuracy of current disclosures. Given the FTC report’s focus on the over-collection and over-retention of personal information, entities should revisit their personal information collection policy and consider limiting such collection where there is not a demonstrable business need. Clients that do collect and resell information about consumers should reassess what level of transparency they offer to consumers and consider whether or not they give consumers the ability to exercise control over the accuracy of the information and how that information is used.