data broker

On January 16, 2024, the Belgian Supervisory Authority sanctioned a data broker for violating several provisions of the GDPR.  In particular, the data broker processed personal data without an appropriate legal basis and in violation of its transparency obligation.

The more than 100-page decision explains that until July 2021 the data broker collected personal data from different sources and sold the data to interested third parties (“data delivery services”).  The company also provided “data quality services” aimed at improving the quality and relevance of the personal data held by its clients.  The relevant data were mainly used for advertising by postal mail.Continue Reading Belgian Supervisory Authority Sanctions Data Broker

On October 10, 2023, California Governor Gavin Newsom signed S.B. 362, the Delete Act (the “Act”), into law.  The new law represents a substantive overhaul of California’s existing data broker statute, which requires data brokers to register with the California Attorney General annually.  The passage of the Act follows a renewed interest in data broker activity nationwide, including a request for comments from the Consumer Financial Protection Bureau and the introduction of similar legislation at the federal level.   Below, we outline a number of key provisions:Continue Reading California Amends Data Broker Law

By Meena Harris and Caleb Skeath

  1. Data Breaches
  • Studies show increase.  Amidst a flurry of high-profile breaches during 2014, several studies confirmed that data breaches as a whole have risen significantly over the past few years.  The California Attorney General released a study showing a 28% increase in breaches in 2013 as compared to 2012.  Another study, which examined the volume of data breaches during the first quarter of 2014, found an increase of 233% compared to the same time period in 2013.
  • State laws.  In April, Kentucky became the 47th state to enact a data breach notification law.  Florida and Iowa each amended their data breach notification laws in 2014 to, among other changes, enhance regulator notification requirements.  California amended its data breach notice law to expand the types of information covered and to require certain companies to provide one year of free credit monitoring to affected individuals (although the statutory language on the latter point is subject to multiple interpretations).
  • Federal legislation.  Numerous data breach bills, including the Data Security Breach Notification Act of 2014 and the Personal Data Protection and Breach Accountability Act, were introduced in Congress, although none passed during 2014.  The Senate Judiciary Committee, the Senate Commerce Committee, and the House Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade, among others, held hearings during 2014 to discuss the need to address data breaches and the possibility of enacting federal legislation.
  • Federal enforcement.  In the enforcement arena, the Federal Trade Commission (“FTC”), the Department of Health and Human Services (“HHS”), and state attorneys general pursued enforcement action during 2014 against companies that had suffered data breaches.  The Securities and Exchange Commission also announced in April that it would conduct over 50 cybersecurity examinations of publicly traded companies.  The Federal Communications Commission (“FCC”), for its part, levied a $10 million fine in October against two telecommunications carriers for exposing customer data, which represented the FCC’s first enforcement action in the wake of a data breach.
  • Continued attention in 2015.  Legislative interest in data breach issues has only increased in early 2015.  Since President Obama proposed national data breach legislation, additional data breach notification bills have been introduced in the House and Senate.  The House Subcommittee on Commerce, Manufacturing, and Trade also held a hearing on crafting a national data breach bill, debating the harm that should trigger notification obligations and the appropriate window for providing notifications.

Continue Reading Top 10 U.S. Privacy Developments of 2014

Yesterday the White House released a report discussing how companies are using big data to charge different prices to different customers, a practice known as price discrimination or differential pricing.  The report describes the benefits of big data for sellers and buyers alike, and concludes that many concerns raised by big data and differential pricing can be addressed by existing antidiscrimination and consumer protection laws.

Big Data and Personalized Pricing 

“Big data” refers to the ability to gather large volumes of data, often from multiple sources, and use it to produce new kinds of observations, measurements, and predictions about individual consumers.  Thus, big data has made it easier for sellers to target different populations with customized marketing and pricing plans.

The White House report identifies two trends driving the increased application of big data to marketing and consumer analytics.  The first trend is the widespread adoption of new information technology platforms, most importantly the Internet and the smartphone.  These platforms give businesses access to a wide variety of applications like search engines, maps, blogs, and music or video streaming services.  In turn, these applications create new ways for businesses to interact with consumers, which produce new sources and types of data, including (1) a user’s location via mapping software; (2) their browser and search history; (3) the songs and videos they have streamed; (4) their retail purchase history; and (5) the contents of their online reviews and blog posts.  Sellers can use these new types of information to make educated guesses about consumer characteristics like location, gender, and income.  The second trend is the growth of the ad-supported business model, and the creation of a secondary market in consumer information.  The ability to place ads that are targeted to a specific audience based on their personal characteristics makes information about consumers’ characteristics particularly valuable to businesses.  This, in turn, has fostered a growing industry of data brokers and information intermediaries who buy and sell customer lists and other data used by marketers to assemble digital profiles of individual consumers.
Continue Reading White House Issues Report on Big Data and Differential Pricing

The International Association of Privacy Professionals hosted its annual Privacy Academy, at which one panel, “Data Brokers Demystified,” specifically focused on regulation of the data-broker industry.  The panelists included Janis Kestenbaum from the Federal Trade Commission, Jennifer Glasgow from Acxiom, and Pam Dixon from the World Privacy Forum.  Emilio Cividanes from Venable also participated.

Major Conclusions of the FTC Report (Janis Kestenbaum)

  • Data brokers operate with a fundamental lack of transparency.  They engage in extensive collection of information about nearly every US consumer, profiles of which are composed of billions of data elements.
  • Much data collection occurs without consumer awareness and uses a wide variety of online and offline sources, such as social networks, blogs, individual purchases and transactions with retailers, state and federal governments, events requiring registration, and magazine subscriptions.
  • The practice of “onboarding”–where offline data is onboarded onto an online cookie and is used to market to consumers online–is increasingly common.
  • Some data collected is sensitive, but even non-sensitive data is sometimes used to make “sensitive inferences” about (for example) health status, income, education, ethnicity, religion, and political ideology.  Consumers are often segmented into “clusters” based on these inferred characteristics.
  • For regulators, some of these clusters are concerning.  For example, one cluster is entitled “Urban Scramble” and contains high concentrations of low-income ethnic minorities.
  • Congress should create a centralized portal where consumers can go online and access individual data brokers’ websites to opt out and access and correct their information.  For consumer-facing entities, like retailers, consumers must be given some kind of choice before data is sold to a data broker, and when that data is sensitive, the choice should be in the form of an opt in.
    Continue Reading IAPP Privacy Academy: “Data Brokers Demystified”

The Federal Trade Commission (“FTC”) recently released a report on the data broker industry that summarizes the FTC’s findings from an investigation of nine data brokers.  The report, Data Brokers: A Call for Transparency and Accountability, recommends that Congress consider enacting legislation that promotes transparency and consumer access to information held by data brokers, and calls upon data brokers to adopt certain best practices, such as privacy by design. 

Who does the FTC consider a “data broker”?

For purposes of the FTC’s report, data brokers are “companies whose primary business is collecting personal information about consumers from a variety of sources and aggregating, analyzing, and sharing that information or information derived from it, for purposes such as marketing products, verifying an individual’s identity, or detecting fraud.”  In the report, the FTC identified the following key characteristics of the data broker industry:

  • Data Sources.  Data brokers collect information from a variety of sources, such as commercial, government, and publicly available sources.  Data brokers combine both online and offline data by, for example, importing offline data into cookies that can be used to track a user’s online behavior.  In addition, because data brokers often receive information from other data brokers, it can be difficult to trace the origin of certain consumer data.

Continue Reading FTC Data Broker Report Calls for More Transparency and Consumer Control

In conjunction with the White House’s comprehensive review of big-data and privacy issues that resulted in a 79-page report, last week the President’s Council of Advisors on Science and Technology (“PCAST”) released a parallel big-data report.  The White House report is more general and contains six major policy recommendations, whereas the PCAST report, authored by an outside panel of counselors, was designed to provide a technical evaluation by examining the practical specifics of how big data and related technologies are actually used.  Many observations and recommendations in the PCAST report are consistent with those presented in the White House report.  The PCAST report, however, has been praised for its candor and for appearing to be more clear, even bold, in advocating particular positions on key issues.  For example, in recommending a transition away from “notice and consent” — described in the White House report as a “central pillar” of the U.S. privacy legal system — and towards a “use” framework, the PCAST report states:  “Only in some fantasy world do users actually read these notices and understand their implications before clicking to indicate their consent.”Continue Reading Another Big Data Report, From the President’s Council of Advisors on Science & Technology (“PCAST”)

Last Wednesday, Senators John D. Rockefeller IV (D-WV) and Ed Markey (D-MA) introduced the Data Broker Accountability and Transparency Act, which primarily would require greater transparency from data brokers about consumer information they collect and sell.  At a Senate Commerce Committee hearing held on the data broker industry in December, Rockefeller expressed concern that data brokers operate “behind a veil of secrecy” and with “very little scrutiny and oversight” in a multibillion-dollar industry that handles large quantities of personal information.  A majority staff report released in advance of the hearing found, for example, that some data brokers sell information to other companies that identifies financially vulnerable consumers or individuals with serious health disabilities.  In most cases, however, there is no mechanism for consumers to control or correct this information.  In its March 2012 report, the Federal Trade Commission called on Congress and businesses alike to increase the transparency of and control over the practices of data brokers, specifically recommending targeted access-rights legislation and industry self-regulation by data brokers and their first-party buyers.

The Act represents not only a response to the FTC, but also the culmination of Sen. Rockefeller’s efforts of the last two years to create accountability and access to what he calls a “booming shadow industry.”  The bill defines “data broker” as any “commercial entity that collects, assembles, or maintains personal information concerning an individual . . . in order to sell the information or provide third party access to the information” and imposes the following requirements.Continue Reading Data Broker Accountability and Transparency Act Introduced By Senate Democrats

Yesterday, the U.S. Senate Committee on Commerce, Science, and Transportation held a hearing entitled, “What Information Do Data Brokers Have on Consumers, and How Do They Use It?”   Committee members expressed interest in bringing about greater transparency to what information is collected by data brokers and how it is used at the hearing, which consisted of a single panel of witnesses from the FTC’s Bureau of Consumer Protection, the World Privacy Forum, Experian, and the Direct Marketing Association.

In advance of the hearing, Chairman John D. Rockefeller IV (D-WV) released a majority staff report summarizing the Commerce Committee’s investigation into how data brokers collect, compile, and sell consumer information.  The staff report notes that data brokers serve a beneficial function in enabling companies to provide customers with products and services specific to their interests and needs, but that certain data brokers “operate with minimal transparency” and that consumer profiling can raise “unintended privacy issues.”  For this proposition, the staff report cited media reports that a major retailer had developed a pregnancy prediction model to enable the company to target marketing towards expectant mothers. 

According to the Committee’s staff report, a perceived lack of transparency may present further concerns when data broker information “end[s] up in the hands of predatory businesses seeking to identify vulnerable consumers, or when marketers use consumers’ data to engage in differential pricing.”

Senate Commerce Committee members generally echoed these concerns at yesterday’s hearing.  For example:Continue Reading Senate Panel Examines Data Broker Industry; Releases Staff Report

Tomorrow the U.S. Senate Committee on Commerce, Science, and Transportation will hold a hearing entitled, “What Information Do Data Brokers Have on Consumers, and How Do They Use It?”  According to Chairman John D. Rockefeller IV (D-WV), the Committee will “examine the data broker industry and how industry practices may impact consumers.”  The following witnesses are scheduled to testify:

  • Jessica Rich, Director of the FTC’s Bureau of Consumer Protection
  • Pam Dixon, Executive Director of the World Privacy Forum
  • Dr. Joseph Turow, Professor at the Annenberg School for Communication
  • Tony Hadley, Senior Vice President of Government Affairs and Public Policy at Experian
  • Jerry Cerasale, Senior Vice President of Government Affairs and Public Policy for the Direct Marketing Association

The hearing is part of a more than year-long effort by Chairman Rockefeller to investigate the data broker industry.   In October 2012, Chairman Rockefeller launched an investigation into the business practices of data brokers in order to examine how data brokers collect, compile, and sell consumer information for marketing purposes.  Since September, Chairman Rockefeller has expanded his investigation by sending additional inquiries to various websites and other companies that collect personal information from both online and offline sources and then sell the data to other businesses.Continue Reading Senate Commerce Committee To Examine Data Broker Industry