The Federal Trade Commission (“FTC”) recently released a report on the data broker industry that summarizes the FTC’s findings from an investigation of nine data brokers. The report, Data Brokers: A Call for Transparency and Accountability, recommends that Congress consider enacting legislation that promotes transparency and consumer access to information held by data brokers, and calls upon data brokers to adopt certain best practices, such as privacy by design.
Who does the FTC consider a “data broker”?
For purposes of the FTC’s report, data brokers are “companies whose primary business is collecting personal information about consumers from a variety of sources and aggregating, analyzing, and sharing that information or information derived from it, for purposes such as marketing products, verifying an individual’s identity, or detecting fraud.” In the report, the FTC identified the following key characteristics of the data broker industry:
- Data Sources. Data brokers collect information from a variety of sources, such as commercial, government, and publicly available sources. Data brokers combine both online and offline data by, for example, importing offline data into cookies that can be used to track a user’s online behavior. In addition, because data brokers often receive information from other data brokers, it can be difficult to trace the origin of certain consumer data.
- Scale. Data brokers collect and maintain massive amounts of data “on almost every U.S. household and commercial transaction.” For example, data brokers may collect, combine, and analyze tax records, criminal records, driving records, voter registration information, social media information, information that is publicly available on the Internet, purchase histories (including healthcare purchases), and financial data. This data can provide the data broker and its customers with considerable insight into an individual’s life.
- Categories and Inferences. Data brokers analyze data in order to make potentially sensitive inferences about consumers and place them into categories that allow data brokers to predict consumer behavior. Some of the sensitive categories may be based on income level, ethnicity, or health information.
- Interactions with Consumers. According to the FTC, “data brokers are not consumer-facing” entities.
What types of products and services do data brokers offer their customers?
In the report, the FTC identifies three general products that data brokers provide to consumers:
- Marketing Products – These products offer information to companies so that they can more effectively tailor their marketing campaigns. For example, data brokers engaging in direct marketing might sell an email list of consumers who meet certain criteria. In other cases, the client might provide the data broker with a list of its consumers and ask the data broker to provide more detailed information that it maintains about those consumers. Data brokers also may assist with online marketing efforts by, for example, matching a website’s registered users who meet certain criteria with relevant advertisers, or by loading offline information about a consumer into a cookie so that these offline behaviors can inform online ad targeting. In some cases, these inferences may be based on an analytics product and data brokers may present their findings in the form of a “marketing score.”
- Risk Mitigation Products – These products are used to verify an individual’s identity or detect fraud. For example, lenders may use products for verification, whereas companies that have experienced a data breach may use these products to determine how much fraud has resulted from the breach.
- People Search Products – These products tend to be websites that aggregate “publicly available information about consumers,” and may account for a wide range of sources, from social media accounts to official government records.
As explained further below, the FTC’s legislative recommendations are tailored to the type of product at issue.
What types of risks to consumers did the FTC identify?
While the FTC acknowledges that data brokers can benefit consumers, it identifies several risks that these entities pose.
- Lack of Transparency and Consumer Access. Many of these risks stem from the lack of transparency surrounding data brokers and consumers’ inability to access much of the data that is maintained about them. For example, a consumer could be denied a benefit based on incorrect information maintained by a data broker, without even realizing that the denial had occurred.
- Adverse Inferences. The report raises concerns about how data brokers might use inferences to penalize consumers. For example, insurance companies might consider consumers who engage in certain activities to be higher risk and charge higher premiums as a result.
- Misuse of Data. If misused, the massive amounts of data held by data brokers could “facilitate harassment, or even stalking.”
- Indefinite Retention. The FTC’s investigation revealed that many data brokers maintain information about consumers indefinitely. The report suggests that this practice may increase consumers’ vulnerability to identity theft.
In addition, the report laments the lack of consumers’ choices about how their data is used and the ineffectiveness of the choices that do exist. The FTC found that many data brokers who provide risk mitigation products “do not provide consumers with access to their data or the ability to correct inaccurate data.” Some data brokers offer consumers choices, such as opting out of certain data uses, but, according to the FTC, “because data brokers are not consumer-facing,” many consumers are unaware of these choices. When data brokers do offer the choice to opt out of certain uses of information, the scope of the opt out is not always unclear.
What types of legislation does the FTC support?
The FTC called on Congress to consider enacting data broker “legislation that would enable consumers to learn of the existence and activities of data brokers and provide consumers with reasonable access to information about them held by these entities.” The FTC’s specific recommendations vary by the type of product at issue.
- Marketing Products. The FTC recommends that Congress consider legislation that would allow consumers to access their data in a reasonable level of detail and to opt out of sharing for marketing purposes. According to the FTC, it is particularly important that consumers be able to exercise choices with respect to sensitive data, such as health data. The report also recommends that Congress consider various means for informing consumers about data brokers. For example, the report raises the possibility of creating an online portal that would describe, among other things, the types of information that data brokers maintain and how consumers can opt out of certain uses or sharing. In addition, the report addresses potential disclosure requirements that would apply to data brokers and entities that share information with data brokers. The FTC also suggests that entities that share information with data brokers should grant consumer opt out rights and obtain affirmative express consent before collecting and sharing sensitive information, such as health data.
- Risk Mitigation Products. The FTC recommends that Congress consider requiring clients of data brokers to inform consumers when they have been adversely affected by a risk mitigation product in situations beyond those required by the Fair Credit Reporting Act. In these cases, the data broker client might be required to identify the data broker that provided the relevant information. The FTC also endorses consumer access and correction rights and suggests that Congress consider how data brokers could disclose data or recommendations to consumers in a manner that appropriately balances consumer access and data accuracy and security.
- People Search Products. The FTC also recommends that Congress consider legislation that would grant consumer access and opt out rights, and require data brokers to disclose both the scope of the opt out right and the sources of their information.
What other steps should the data broker industry adopt?
In addition to legislation, the FTC recommends that the data broker industry adopt certain best practices. First, the FTC suggests that data brokers should take steps to comply with the 2012 Consumer Privacy report by adopting privacy by design principles. Second, data brokers should “implement better measures to refrain from collecting information from children and teens, particularly in marketing products.” And finally, the FTC “recommends that data brokers take reasonable precautions to ensure that downstream users of their data do not use it for eligibility determinations or for unlawful discriminatory purposes.”
As the FTC states in its report, its “findings and recommendations…are intended to be part of an ongoing dialogue.” Whether Congress or state legislatures move to enact legislation or regulators bring new enforcement actions, we will continue to track these developments.