The Federal Trade Commission (FTC) has issued its long-awaited report on data brokers, concluding that they operate with a “fundamental lack of transparency,” urging Congress to enact legislation to further regulate data brokers so that consumers have more control over their own personal information, and calling on the industry itself to adopt several best practices.
In December 2012, the FTC initiated a study of the data broker industry, issuing identical orders to nine data brokers seeking detailed information regarding their practices, including:
- The nature and sources of consumer data they collect;
- How they use, maintain,and disseminate the data; and
- The extent to which they allow consumers to access and correct data about them or to opt out of having their personal information sold or shared.
The data brokers examined by the FTC, among other things, sell marketing products, sell risk mitigation products that clients use to verify their customers’ identities or detect fraud, and provide “people search” websites through which users can search for publicly available information about consumers.
The FTC report summarizes the information provided in response to the FTC’s orders as well as information gathered through follow-up questions and meetings and publicly available sources to highlight the breadth of data collection in the industry, and contains the FTC’s recommendations to Congress and to the industry.
In its report, the FTC found that data brokers collect “billions of data elements” from numerous sources covering nearly every U.S. consumer, and that consumers are “largely unaware that data brokers are collecting and using this information.” The FTC also indicated that because data brokers provide data not only to end-users, but also to other data brokers, it is “virtually impossible” for a consumer to determine how a data broker obtained his or her data or determine the myriad of companies involved in generating the consumer profiles.
The FTC also observed that data brokers “infer consumer interests from the data that they collect” and “use those interests,” along with other information, to place consumers in categories such as “Dog Owner,” “Winter Activity Enthusiast,” or “Mail Order Responder” as well as in “[p]otentially sensitive categories” that primarily focus on ethnicity and income levels or in categories that could be used by an insurance provider as a sign of risky behavior.
Then, the FTC pointed out, data brokers rely on websites with registration features and cookies to find consumers online and target Internet advertisements to them based on their offline activities.
The FTC acknowledged that consumers benefit from many of the purposes for which data brokers collect and use data, but it declared that, at the same time, there are “a number of potential risks to consumers from data brokers’ collection and use of consumer data.” As an example, the FTC explained that if a consumer was denied the ability to conclude a transaction based on an error in a risk mitigation product, the consumer could be harmed “without knowing why.” The FTC also pointed out that storing consumer data can create security risks.
Although data brokers may offer consumers “opt outs” and other choices about how their data is handled, the FTC determined that the choices were “[i]nvisible” and “[i]ncomplete,” noting a “fundamental lack of transparency about data broker industry practices.”
Given its findings, the FTC urged Congress to act. With respect to data brokers that sell marketing products, the FTC recommended that Congress consider including the following four requirements in any legislation:
- Enabling consumers to easily identify the data that brokers may have about them and where they should go to access this information and exercise an opt-out right.
- Requiring that data brokers clearly disclose to consumers (for example, on their websites) that they not only use the raw data that they obtain from their sources, such as a person’s name, address, age, and income range, but that they also derive from the data certain data elements.
- Requiring that data brokers disclose the names and/or categories of their sources of data, so that consumers are better able to determine if, for example, they need to correct their data with an original public record source.
- Requiring “consumer-facing” entities to provide a prominent notice to consumers that they share consumer data with data brokers and provide consumers with choices about the use of their data.
Significantly, in connection with this fourth recommendation, the FTC suggested that Congress consider requiring retailers and other consumer- facing sources to obtain consumers’ affirmative express consent before they collect sensitive information, including health information.
With respect to data brokers that sell risk mitigation products, the FTC recommended that Congress consider legislation that provides consumers with transparency when a company uses a risk mitigation product to limit consumers’ ability to complete a transaction. In particular, the FTC is suggesting that legislation be adopted to provide that when a risk mitigation product adversely impacts a consumer’s ability to obtain certain benefits, the consumer- facing company should identify the data brokers whose data the company relied upon; these data brokers, the FTC said, could, in turn, give consumers the right to access the information used and, where appropriate, correct any erroneous information.
Then, with respect to data brokers offering people search products, the FTC recommended that Congress adopt legislation to:
- Allow consumers to access their own information;
- Allow consumers to suppress the use of this information;
- Disclose to consumers the data brokers’ sources of information; and
- Disclose any limitations of this opt-out option.
BEST PRACTICE RECOMMENDATIONS
Finally, the FTC called on the data broker industry to adopt several best practices:
- Implement privacy-by-design by considering privacy issues at every stage of product development.
- Implement better measures to refrain from collecting information from children and teens, particularly in marketing products.
- Take “reasonable precautions” to ensure that downstream data users do not use data for inappropriate eligibility determinations or for unlawful discriminatory purposes.
The FTC’s issuance of its report on data brokers is, of course, not the first time that it has focused its energy on this industry. The FTC enforces the federal Fair Credit Reporting Act (FCRA) and, over the years, has brought 100 FCRA enforcement actions, yielding more than $30 million in penalties. In 2009, it called for Congress to enact legislation that would have regulated data brokers, among other entities. The FTC also issued a report in 2012 that discussed its concerns about consumer privacy resulting from data brokers’ activities – and in which it renewed its earlier call for federal legislation. Nevertheless, even given last September’s U.S. Government Accountability Officereport on the data broker industry, it is certainly far from clear that Congress is prepared to act now.
THE BOTTOM LINE
The extent to which the FTC seeks to independently focus its attention on data brokers remains to be seen. However, it is important to emphasize that, given the report’s broad characterization of data brokers as “companies that collect consumers’ personal information and resell or share that information with others,” businesses in addition to those traditionally viewed as “data brokers” should take careful note of this report.