Last month a bill was introduced in the US Senate that would require increased transparency and accountability in the collection and sale of private consumer data. The main purpose of the bill is to oversee data brokers and to protect consumers. The bill, called “the Data Broker Accountability and Transparency Act of 2014” (“the DATA Act”), would restrict data brokers from using deceptive tactics to solicit consumer information and grant consumers the ability to: (1) access files a data broker compiles of their personal information; (2) correct inaccuracies in those files; and (3) grant or prohibit the sale of their personal information to third parties.
The bill defines a data broker as a "commercial entity that collects, assembles, or maintains personal information concerning an individual who is not a customer or an employee of that entity in order to sell the information or provide third party access to the information."
The DATA Act was introduced after a Senate Commerce Committee Hearing held in December that focused on data brokers' information collection practices, and a report on the industry, released in advance of the hearing (see our report regarding this hearing in one of our previous newsletters). In that hearing the Federal Trade Commission (“FTC”) expressed its intention to step up its scrutiny of the data brokerage industry, and the DATA Act will give the FTC more powers to act against violations of privacy laws and of the DATA Act.
The increased focus by legislators and the FTC on data collection practices is expected to lead to increased legislation and regulation. It would therefore be advisable to address the regulatory concerns by implementing more compliant and transparent privacy policies and practices, which should include the following elements:
- A procedure for consumers to have reasonable access to information held by data brokers should be implemented;
- Consumer access should be proportional to the sensitivity and intended use of the data at issue;
- Regarding data used solely for marketing purposes, companies should provide consumers with access to a list of the categories of consumer data they hold and give consumers the ability to suppress the use of the data for marketing purposes;
- In case of data collection for online behavioral advertising purposes, privacy notices should include:
  - The nature of the information collected online for marketing purposes, and the types of uses of such information, including uses for online behavioral advertising purposes;
  - The use(s) of such information, including whether information is being transferred to third parties for use by them for their own marketing or online behavioral advertising purposes and the mechanism by which consumers can exercise choice not to have such information transferred;
  - Information regarding cookies or other passive means of information collection being used, and whether such information collected is for internal purposes or transferred to third parties for marketing purposes, including online behavioral advertising purposes;
  - Information regarding the procedures in place for accountability and enforcement purposes; and
  - Information regarding the appropriate physical, electronic, and administrative safeguards to protect information collected online.