On May 27, 2014, the Federal Trade Commission (“FTC”) released a report entitled Data Brokers: A Call for Transparency and Accountability (the “Report”).  The Report codified the FTC’s findings after a study initiated in December 2012, involving nine (9) data brokers.  In proposing legislation aimed at data brokers, the FTC segmented the industry into three (3) distinct product categories: marketing products, risk mitigation products and people search products.  The degree of oversight suggested by the FTC varies based on the category of services.  If Congress takes up the FTC’s call for more transparency in the data broker industry, data brokers will find themselves facing increased federal oversight involving their business practices.

Proposed Data Broker Legislation Targeting Marketing Services

The FTC study involved five (5) data brokers that sell “marketing products”- products where businesses can purchase customer email addresses and other personally identifiable information (“PII”) from data brokers so that they can send email solicitations or market specific products to them.  With respect to data brokers offering these services, the FTC recommended that data brokers be required to provide consumers with access to their data and the ability to opt out of having it shared for marketing purposes.  In making this recommendation, the FTC suggested that Congress create a centralized mechanism, such as an Internet portal, where data brokers would identify themselves, describe their information collection and use practices, and provide links that consumers could use to access information tools and opt-out functionality.  The FTC further advised Congress to require data brokers to provide enough detail that would allow consumers to see the breadth of categories that specific data brokers have about them, including sensitive data.

In its Report, the FTC has also proposed that Congress pass legislation requiring data brokers to clearly disclose on their respective websites that they collect raw data, such as address, age and income range of individuals, and that they use this data to derive certain inferences about consumers.  The proposed legislation would require that data brokers also clearly disclose the names and/or categories of their data sources so that consumers are better able to determine if they need to correct and/or delete certain publicly available information.

Finally, the FTC recommended that Congress require that consumer-facing sources provide prominent notice to consumers that they share consumer data with data brokers and give consumers choices, such as the ability to opt out of the sharing of their information with data brokers.  The FTC went on to recommend that Congress require consumer-facing sources to obtain “affirmative express consent” before collection and sharing of “sensitive information” (such as health information) with data brokers.

Proposed Data Broker Legislation Targeting Risk Mitigation Services

Four of the data brokers that were investigated by the FTC offer risk mitigation products, that is, products that businesses use to verify their customers’ identities to protect against fraud.  In the Report, the FTC acknowledged that the Fair Credit Reporting Act (“FCRA”) already broadly applies to data brokers offering risk mitigation services.  Nevertheless, the FTC has recommended that Congress pass legislation requiring that if a risk mitigation product adversely impacts a consumer’s ability to complete a transaction or obtain a benefit, the consumer-facing company should identify its data broker sources.  These data brokers, in turn, should give consumers the right to access the information that they have on file for them and correct any inaccurate information as appropriate.

Proposed Data Broker Legislation Targeting People Search Products

Data brokers that offer people search products typically provide websites or services where users can search for publically available information on individuals.  For data brokers that offer these services, the FTC recommends that Congress pass legislation requiring data brokers to provide individuals with access to their personnel information and provide the ability to opt out of the use of this information.  In addition, the FTC recommends that data brokers be required to clearly disclose the sources of their information and any limitations associated with consumer opt out requests, such as the fact that close matches of an individual’s name may continue to appear in search results.

Protect Yourself

The Report is a clear sign that the FTC is taking a hard look at the data broker industry.  Although the Report calls for new legislation, which Congress may take up, it is important to remember that there are existing federal laws, such as the FCRA, which the FTC can presently use to restrict the practices of data brokers.