Earlier this week, the Federal Trade Commission released its long-awaited report on the data brokerage industry – Data Brokers: A Call for Transparency and Accountability. This report is the culmination of approximately two years of information collection, public workshops, and analysis by the FTC staff. Notably, the Report recommends that Congress enact legislation to address several areas of concern. The Report also discusses best practices that the data broker industry may adopt on its own. Following up on issues raised in previous FTC Staff Reports, such as Protecting Consumer Privacy in an Era of Rapid Change published in March 2012, the FTC expresses significant concern about the growing data broker industry and its impact on consumers. The Report acknowledges that the data broker industry provides substantial benefits to the U.S. economy as a whole and efficiencies that improve the lives of consumers. However, the FTC expresses concerns that the industry operates in a manner that is largely unseen and unrecognized by consumers, creating a potential for substantial harm.
While the report focuses on the practices of the companies that provide data broker services, it should be noted that the recommendations would impact all participants in the data broker marketplace. This would include the businesses that acquire information from data brokers for marketing, risk mitigation, people search, and other purposes. This also includes the organizations that share information about consumers with data brokers. It also bears notice that the Report defines data broker broadly – including “companies that collect consumers’ personal information and resell or share that information with others”. In practice, this definition could sweep in a wide array of businesses involved in Internet publishing and advertising. Accordingly, data broker customers, data sources, and service providers to all of these entities should proceed with caution as the regulatory and legislative landscape evolves, including the concerns and proposals presented by the Report discussed in detail below.
The FTC indicates that the services offered by data brokers often skirt the edges of the consumer reporting industry, governed by the Fair Credit Reporting Act. While data brokers generally avoid providing information for FCRA-covered purposes, such as creditworthiness and employment decision-making, the services they do provide can have similar impacts on consumers. The Commission presents the example of a data broker that provides identity verification services to a mobile telephone carrier. If the carrier uses a consumer profile to assess the creditworthiness of a potential customer, the carrier and the provider of the consumer profile would be required to comply with FCRA. On the other hand, if the carrier uses a consumer profile to determine the likelihood that the potential customer is committing identity fraud, then the carrier and profile provider would not be subject to FCRA. However, errors in a consumer profile (whichever purpose it is used for) could lead to the denial of service to customers. Thus, it should be noted that most of the FTC’s legislative recommendations appear to be attempts to apply controls similar to FCRA upon data brokers.
Furthermore, the FTC Report expresses unease about the potential use of data broker services to facilitate business practices that could adversely affect legally protected classes, such as racial, ethnic, and religious minorities. While current data broker practices appear to avoid categorizing or grouping consumers based directly on protected class status, the categories developed by data brokers could contain disproportionate numbers of minorities and allow indirect discrimination and redlining. Similarly, the FTC Report discusses the risk that consumer profile categories could be misused to infer health conditions and facilitate discrimination on that basis. It should be noted that these concerns align with several issues raised by the recent White House report on big data, Big Data: Seizing Opportunities, Preserving Values.
The FTC Report expresses apprehension about the opaque nature of the data broker business. Data brokers generally operate unseen by consumers. The relationships between data brokers, data sources, and brokerage customers can be quite complex. This is further exacerbated by the development of multiple layers of data brokers that acquire, analyze, recompile, package, and/or resell consumer information to other data brokers. In addition, some data brokers combine data collected online with data collected offline in ways that consumers may be unable to recognize. Finally, data brokerage practices advance rapidly because finding new ways to combine, interpret, and package information about consumers is a key area of competition among data brokers. Therefore, it may be quite difficult to provide meaningful prior notice to consumers.
Based on the FTC staff’s findings, the Report includes the following legislative recommendations.
- Establishment of a centralized mechanism to:
  - record which data brokers hold personal information;
  - specify the personal information maintained by each data broker; and
  - allow consumers to correct information and opt out of future uses of data.
- Require that data brokers make available to consumers the:
  - methods used to draw inferences from collected data;
  - actual inferences drawn from the collected information (e.g., the categories and groupings to which consumers are assigned); and
  - identity of their data sources.
- Require consumer-facing companies that provide information to data brokers to notify consumers that information is shared with data brokers.
The Report goes on to suggest legislative steps appropriate to risk-mitigation services (e.g., identity verification services). These recommendations include:
- requiring consumer-facing companies to disclose to consumers that data brokers are used; and
- permitting consumers to correct erroneous information while ensuring that dishonest individuals are not able to alter truthful information maintained by data brokers, which would undermine the benefits of the service.
Moreover, in a concurring opinion, Commissioner Julie Brill suggests that Congress pass legislation to:
- require procedures to ensure that data brokerage customers use data for lawful purposes; and
- require data sources to acquire affirmative consent from consumers before sharing information with data brokers.
The core objective of these recommendations is to give consumers a greater understanding of data broker practices and greater control over how their information is used within those practices, if it is used at all. The expectation is that a less opaque data broker industry will allow consumers to make more informed decisions about sharing their information and better protect themselves from errors in data profiles (both inadvertent and malicious). Requiring data brokers to allow consumers to view and correct information, as well as opt out of certain data sets, may find particular favor with regulators, legislators, and consumer advocates precisely because the industry is growing and evolving at a very quick pace. The more difficult it becomes to predict how data will be used in the future, the more important it may be to opt out of new uses as they arise.
In addition, the Report highlights several best practices for data brokers. For example, the Report suggests that data brokers practice privacy-by-design. Moreover, the Report recommends a policy of data minimization, collecting only the data that is necessary for legitimate business purposes and securely disposing of data when no longer needed. The Report also advises data brokers to maintain reasonable safeguards to protect consumer information from cybercriminals and identity thieves. Furthermore, the Report proposes that data brokers take reasonable steps to mitigate the risk that data brokerage customers misuse data for unlawful purposes. The FTC praises those data brokers that presently seed their databases with dummy data and/or conduct audits of customers to detect misuse.
The FTC Report also notes that data brokers should handle information about children and teens with great care. The Report indicates that information collected from children would be subject to COPPA and its implementing regulations. With regard to teens, the Report specifies that teens often lack the judgment that may be necessary to make reasonable decisions about contributing information to data brokers and the long-term implications thereof.
Many of the proposed legislative requirements and recommended best practices may call for significant innovation in business process design as well as the design, architecture, and engineering of information systems. For instance, providing a clear picture of the relationships between businesses in the data brokerage industry may present substantial challenges in user interface design. However, companies that overcome this challenge may find themselves with an advantage over their competitors. On the other hand, data brokers may benefit from adoption of applicable best practices that have already been established by consumer reporting agencies. Examples may include the development and maintenance of procedures that allow consumers to view and correct information about themselves while mitigating the risk that dishonest individuals attempt to alter accurate information.
Ultimately, it may serve businesses involved in the data broker industry well to assess their information practices and ensure that they, at a minimum:
- incorporate privacy concepts in their business processes at all stages, from design to operation to wind-down;
- implement safeguards to ensure that information is used for permissible purposes by properly authorized and vetted persons; and
- maintain means for consumers to access and correct information about them and better understand and make choices about their participation in the data brokerage economy.
Despite the Report’s calls for congressional action, industry members should be aware that the broad scope of the FTC Act may provide significant discretion for the FTC to incentivize adoption of privacy and security protections without the passage of new laws.