On November 15, 2013, the Government Accountability Office (GAO) released a report entitled Information Resellers: Consumer Privacy Framework Needs to Reflect Changes in Technology and the Marketplace. In the report, the GAO finds that the applicability of the primary federal privacy and data security laws — such as the Fair Credit Reporting Act (FCRA), Gramm-Leach-Bliley Act, and Health Insurance Portability and Accountability Act — to the collection and sale of personal consumer information by information resellers (commonly called “data brokers”) is limited and that, therefore, the current privacy framework “warrants reconsideration.” The GAO calls upon Congress to consider legislation to provide appropriate privacy protections to consumers’ personal information “while also ensuring that any limitations on data collection and sharing do not unduly inhibit the economic and other benefits to industry and consumers that data sharing can accord.” The report also notes that the Department of Commerce agrees that strengthening privacy protections could better protect consumers and support innovation.
The report canvasses the existing primary federal laws and regulations governing consumer privacy and identifies gaps with respect to consumer data used for marketing purposes. In particular, the GAO finds that the scope of current federal privacy laws is limited in addressing (1) individuals’ ability to access, control, and correct their personal data; (2) collection methods and sources and types of consumer information collected; and (3) new technologies, such as tracking of web activity and the use of mobile devices. As a result of these gaps, the report suggests that current privacy law does not always align with the Fair Information Practice Principles, which are a set of widely recognized principles for protecting the privacy and security of personal information that have served as the basis for “best practices” for many organizations and governments.
The report acknowledges that stakeholder views diverge about the extent to which significant gaps in the current privacy legal framework exist and whether more legislation is needed, or whether self-regulation is sufficient. In addition, the report considers the debate around the appropriate approach for any such privacy legislation or regulation including: (1) whether such legislation or regulation should be comprehensive or sector-specific; (2) how to address consumers’ interests in accessing, controlling, and correcting their personal data held by information resellers; and (3) the potential impact of new regulation on consumers and commerce.
Upon consideration of the aforementioned differing viewpoints, the GAO recommends that Congress consider: (1) how well consumers can access, correct, and control their personal information in circumstances not covered by FCRA; (2) whether there should be additional controls on the types of information that can be collected or shared; (3) whether any changes are needed in the permitted sources and methods for data collection; and (4) privacy controls related to new technologies, such as web tracking and mobile devices. Although the report recommends a legislative approach to strengthening the current consumer privacy framework to reflect new technology and the growing market for consumer data, it does not recommend what kind of legislative approach, e.g., comprehensive or sector-specific, Congress should follow to best effect enhanced consumer privacy protections.