Last Wednesday, Senators John D. Rockefeller IV (D-WV) and Ed Markey (D-MA) introduced the Data Broker Accountability and Transparency Act, which primarily would require greater transparency from data brokers about consumer information they collect and sell. At a Senate Commerce Committee hearing held on the data broker industry in December, Rockefeller expressed concern that data brokers operate “behind a veil of secrecy” and with “very little scrutiny and oversight” in a multibillion-dollar industry that handles large quantities of personal information. A majority staff report released in advance of the hearing found, for example, that some data brokers sell information to other companies that identifies financially vulnerable consumers or individuals with serious health disabilities. In most cases, however, there is no mechanism for consumers to control or correct this information. In its March 2012 report, the Federal Trade Commission called on Congress and businesses alike to increase the transparency of and control over the practices of data brokers, specifically recommending targeted access-rights legislation and industry self-regulation by data brokers and their first-party buyers.
The Act represents not only a response to the FTC, but also the culmination of Sen. Rockefeller’s efforts of the last two years to create accountability and access to what he calls a “booming shadow industry.” The bill defines “data broker” as any “commercial entity that collects, assembles, or maintains personal information concerning an individual . . . in order to sell the information or provide third party access to the information” and imposes the following requirements.
Data Collection Standards
The Act would require data brokers to establish procedures to ensure the accuracy of data collected. Additionally, the Act would require that consumers be a means to review and correct personally identifiable information, unless the information includes only name or address. Data brokers would also be required to maintain websites with instructions on how consumers may review their information. Further, for data brokers that maintain data used for marketing purposes, the Act would require an opt out for individuals who do not want their information to be used for such purposes.
Under the Act, the FTC would promulgate data-collection regulations to enforce the requirements described above, and would require data brokers establish measures to audit internal or external access to data and (2) the creation of a centralized website intended for consumer benefit that lists all businesses subject to the Act, and which provides additional information regarding consumer rights under the Act.
Enforcement and Penalties
Both the FTC and state attorneys general could enforce the requirements of the bill. Notably, because any data broker who violates the Act could be subject to the same penalties imposed by the FTC for violations of a trade-regulation rule, the FTC could fine an entity up to $16,000 per violation of the Act. Further, although state officials would be limited from instituting a civil action during the pendency of an FTC action, states could impose additional civil penalties of up to $16,000 per violation.
Earlier this month, continuing the investigation he launched in October 2012 and following up on concerns voiced at the December hearing, Sen. Rockefeller sent additional letters to six data brokers, requesting information about which companies are buying data to target vulnerable consumers.
The biggest criticism of Sen. Rockefeller’s efforts comes from industry leaders, whose primary position is that such regulation inhibits beneficial uses of data and undermines the value that responsible data use provides to consumers. In particular, advocates of a data-driven marketing economy suggest that industry self-regulation is the best way to safeguard consumer privacy, whereas legislation such as Sen. Rockefeller’s would curb the sensible exchange of data and ultimately would injure consumers by limiting choice and raising prices. Moreover, industry advocates argue that an access-and-correction regime would have the unintended effect of exposing consumer privacy to greater harm, because allowing access would make it even harder for businesses to keep data secure. Expressing opposition to the data-broker bill, the CEO and President of the Direct Marketing Association, Linda Woolley, stated, “It is unfortunate that after receiving all of that evidence, and despite the fact that no harm has been discovered, Chairman Rockefeller continues to hamstring an industry that is the brightest beacon of American innovation – creating products and services that consumers love and demand – and the engine of the U.S. economic and employment growth – for no good reason.” Meanwhile, consumer advocates continue to assert that the practices of data brokers promote price discrimination and allow companies to target vulnerable consumers who, for example, might be more likely to buy risky financial products.
Some businesses are responding positively, however, and are setting an industry standard that may pave the way for more consumer involvement. Acxiom, once termed “the quiet giant” of the data-broker industry, and which suffered a serious data breach in 2003, launched a site called “About the Data,” which allows consumers to view and correct personal information used for marketing. While the launch of the site last September received mixed reviews and criticism that the data was incomplete, it was nonetheless praised by FTC Commissioner Julie Brill as “a first step down this important road towards greater transparency.” Acxiom was also one of the first companies to be investigated by Sen. Rockefeller, suggesting that some industry leaders are willing to work with Congress to provide consumer protections, while helping regulators to understand the nature of their businesses and the benefits of the appropriate uses of data.