On November 15, 2013, the Government Accountability Office (GAO) released a report entitled Information Resellers: Consumer Privacy Framework Needs to Reflect Changes in Technology and the Marketplace. In the report, the GAO finds that the applicability of the primary federal privacy and data security laws — such as the Fair Credit Reporting Act (FCRA), Gramm-Leach-Bliley Act, and Health Insurance Portability and Accountability Act — to the collection and sale of personal consumer information by information resellers (commonly called “data brokers”) is limited and that, therefore, the current privacy framework “warrants reconsideration.” The GAO calls upon Congress to consider legislation to provide appropriate privacy protections to consumers’ personal information “while also ensuring that any limitations on data collection and sharing do not unduly inhibit the economic and other benefits to industry and consumers that data sharing can accord.” The report also notes that the Department of Commerce agrees that strengthening privacy protections could better protect consumers and support innovation.
The report canvasses the existing primary federal laws and regulations governing consumer privacy and identifies gaps with respect to consumer data used for marketing purposes. In particular, the GAO finds that the scope of current federal privacy laws is limited in addressing (1) individuals’ ability to access, control, and correct their personal data; (2) collection methods and sources and types of consumer information collected; and (3) new technologies, such as tracking of web activity and the use of mobile devices. As a result of these gaps, the report suggests that current privacy law does not always align with the Fair Information Practice Principles, which are a set of widely recognized principles for protecting the privacy and security of personal information that have served as the basis for “best practices” for many organizations and governments.