close

For more than four decades, Fenwick & West LLP has helped some of the world’s most recognized companies become, and remain, market leaders. From emerging enterprises to large public corporations, our clients are leaders in the technology, life sciences and cleantech sectors and are fundamentally changing the world through rapid innovation.  MORE >

Fenwick & West was founded in 1972 in the heart of Silicon Valley—before “Silicon Valley” existed—by four visionary lawyers who left a top-tier New York law firm to pursue their shared belief that technology would revolutionize the business world and to pioneer the legal work for those technological innovations. In order to be most effective, they decided they needed to move to a location close to primary research and technology development. These four attorneys opened their first office in downtown Palo Alto, and Fenwick became one of the first technology law firms in the world.  MORE >

From our founding in 1972, Fenwick has been committed to promoting diversity and inclusion both within our firm and throughout the legal profession. For almost four decades, the firm has actively promoted an open and inclusive work environment and committed significant resources towards improving our diversity efforts at every level.  MORE >

At Fenwick, we are proud of our commitment to the community and to our culture of making a difference in the lives of individuals and organizations in the communities where we live and work. We recognize that providing legal services is not only an essential part of our professional responsibility, but also an excellent opportunity for our attorneys to gain valuable practical experience, learn new areas of the law and contribute to the community.  MORE >

Year after year, Fenwick & West is honored for excellence in the legal profession. Many of our attorneys are recognized as leaders in their respective fields, and our Corporate, Tax, Litigation and Intellectual Property Practice Groups consistently receive top national and international rankings, including:

  • Named Technology Group of the Year by Law360
  • Ranked #1 in the Americas for number of technology deals in 2015 by Mergermarket
  • Nearly 20 percent of Fenwick partners are ranked by Chambers
  • Consistently ranked among the top 10 law firms in the U.S. for diversity
  • Recognized as having top mentoring and pro bono programs by Euromoney

MORE >

We take sustainability very seriously at Fenwick. Like many of our clients, we are adopting policies that reduce consumption and waste, and improve efficiency. By using technologies developed by a number of our cleantech clients, we are at the forefront of implementing sustainable policies and practices that minimize environmental impact. In fact, Fenwick has earned recognition in several areas as one of the top US law firms for implementing sustainable business practices.  MORE >

At Fenwick, we have a passion for excellence and innovation that mirrors our client base. Our firm is making revolutionary changes to the practice of law through substantial investments in proprietary technology tools and processes—allowing us to deliver best-in-class legal services more effectively.   MORE >

Mountain View Office
Silicon Valley Center
801 California Street
Mountain View, CA 94041
650.988.8500

San Francisco Office
555 California Street
13th Floor
San Francisco, CA 94104
415.875.2300

Seattle Office
1191 Second Avenue
10th Floor
Seattle, WA 98101
206.389.4510

New York Office
1211 Avenue of the Americas
32nd Floor
New York, NY 10036
212.921.2001

Shanghai Office
Unit 908, 9/F, Kerry Parkside Office
No. 1155 Fang Dian Road
Pudong New Area, Shanghai 201204
P.R. China
+86 21 8017 1200


Data Brokers in Regulatory Crosshairs

“Shadowy,” “invisible,” “secretive” and “unregulated” are all terms that have been used in recent years to describe the data broker industry, an industry with an estimated $150 billion in annual revenue. Whether those descriptors were accurate or not in the past, intense press, regulatory and legislative attention is now focused squarely on the industry that is not likely to remain in the shadows much longer. In the past two years, the industry has been subjected to a Federal Trade Commission investigation, a congressional inquiry, and most recently, legislation proposed by Sen. Jay Rockefeller that would regulate it more comprehensively. Regardless of whether this legislation passes in its current form, one thing is clear: Although data brokers play an important role in the U.S. economy, their possession of significant amounts of data about a large percentage of—perhaps all—Americans has raised concerns of regulators and privacy hawks that are unlikely to subside.

What Are Data Brokers?

In a 2012 report, the FTC defined data brokers as “companies that collect information, including personal information about consumers, from a wide variety of sources for the purpose of reselling such information to their customers for various purposes, including verifying an individual’s identity, differentiating records, marketing products, and preventing financial fraud.” As evidenced by the size of the market in which they operate, data brokers provide a highly sought after function in the data economy. More than just acquiring data about individuals, data brokers compile the data and sell “buckets” of consumer data—e.g., those who fit a particular demographic, such as urban, married, with $150,000-plus annual incomes—for marketing purposes. Some brokers also sell predictive scoring products—that is, predicting whether consumers who fit a set of criteria will purchase certain products.

Concerns

Perhaps because data brokers have maintained such a low public profile, they have been defined in recent years by mishaps that have shone a spotlight the vast quantities of individual data the industry possesses and the powerful predictive modeling about consumer behavior that brokers have developed. For instance, the revelation of Target’s marketing campaign in which it predicted which customers were pregnant based on their purchasing habits generated public concern after the company sent coupons for maternity products to the household of a teenage girl who had not yet told her father she was pregnant.

Data security and privacy are also frequently raised concerns. For example, the 2005 data breach of ChoicePoint, a large data broker, resulted in the sale of more than 163,000 consumer records to an identity theft ring. Similarly, in 2008, the FTC settled enforcement actions against data brokers Reed-Elsevier and Seisint for failing to implement adequate security measures, resulting in the compromise of more than 300,000 individuals’ personal data.

Existing Regulations

A frequent criticism of the data broker industry is that it is unregulated. Although this criticism is an overstatement, the Government Accountability Office concluded in a 2013 report that federal law does not currently provide individuals with a means of accessing the data that brokers collect about them. Nor do any laws provide individuals the ability to correct personal information or demand that brokers purge data.

Data brokers are strictly regulated by the Fair Credit Reporting Act when they act as consumer reporting agencies—providers of consumer data for use in making determinations relating to the credit, insurance, employment, etc. Congress enacted the FCRA more than four decades ago, and gave the FTC both rulemaking and enforcement authority. The act requires that consumer reporting agencies provide notice to individuals of adverse decisions made about them. In addition, consumer reporting agencies have an obligation to maintain the accuracy of information in a consumer’s file and provide individuals the ability to review and correct information.

Prior to 2013, the FTC was the principle enforcer of the FCRA. Since then, the Consumer Financial Protection Bureau has taken over as lead enforcer. Over the history of the FCRA, the FTC has brought over 100 enforcement actions, including one against Spokeo, a data broker that aggregates consumer data from information disclosed in social networks and other sources. In that action, which settled with an $800,000 penalty, the FTC alleged that the company had sold consumer reports without ensuring that individuals were given notice of adverse actions or the ability to correct information.

The FCRA does not, however, regulate the use of data for non-FCRA purposes, namely advertising and marketing. Indeed, the U.S. Senate’s Committee on Commerce, Science and Transportation found that many data brokers that provide consumer reports regulated by the FCRA have separate business units that compile and sell non- FCRA reports for marketing purposes.

Some data brokers do participate in industry self-regulation through the Direct Marketing Association. The DMA publishes guidelines, which, for example, require members to provide consumers with transparency about the data they collect, choice to opt out, and require companies to treat sensitive personal data with care and not resell it if there is a reasonable expectation that the data will not be transferred. Critics, however, maintain that the guidelines do not go far enough in allowing consumer to obtain, remove and correct data.

Recent Actions

Both the FTC and the Senate committee have conducted investigations into the data broker industry within the last 18 months. In December 2012, the FTC issued orders to nine data brokers requiring narrative responses and production of documents regarding the nature and sources of consumer data the companies collect, how they use, maintain and disseminate it, and the extent to which they allow consumers to access and correct their information or to opt out of having it sold. The FTC has not yet published a report on its findings, but the director of the FTC’s Bureau of Consumer Protection, Jessica Rich, has stated the report is forthcoming.

In October 2012, Rockefeller, as majority chair of the committee, sent letters to nine data brokers seeking similar information. The committee issued its report on its findings in December 2013, noting that while some provided complete responses, others were less forthcoming. The report found:

  • The industry collects a huge volume of detailed information on hundreds of millions of consumers, often with no consumer knowledge, consent or input;
  • Brokers package consumers into “buckets” of demographically similarly situated persons, and sell products that identify financially vulnerable consumers;
  • Brokers collect offline data about consumers that can be used to target online marketing; and
  • Brokers largely operate without direct interaction with consumers, and many contractually prohibit their customers from identifying the data broker as the source of consumer data.

These findings served as the basis for the Data Broker Accountability and Transparency Act of 2014 introduced earlier this month.

Pending Legislation

If enacted, the DATA Act would create the first federal statutory regulation of non- FCRA data brokers. It would increase transparency and give consumers broader rights to access and correct information.

The act would prohibit data brokers from obtaining data about consumers by “false, fictitious, or fraudulent statement[s] or representation[s].” Whether this would require affirmative representations about the purpose of collecting data through commonly used methods, such as online surveys, is not clear.

The act also would require data brokers to implement reasonable procedures to ensure the accuracy of information collected. In addition, it would give consumers the right to access information held about them, including any specifically identifying the individual, at least once per year at no cost. Consumers would also be afforded the opportunity to contest as inaccurate information, and brokers would be required to (a) correct public record information if provided proof that an inaccuracy has been corrected; and (b) for nonpublic information, note that the information is disputed by the consumer and attempt to verify it through a verifiable process. If the broker determines the information is incorrect, it would be required to correct the information.

Finally, the act would vest the FTC with both rulemaking and enforcement authority. If passed into law, the FTC would be required to conduct rulemaking within one year. In addition, the FTC could enforce violations as unfair and deceptive business practices, which would carry civil penalties of up to $16,000 per violation. State attorneys general would also be given civil enforcement authority for affected individuals in their respective states, unless the FTC intervened.

 

 

Originally published in the Daily Journal on February 26, 2014.
©2014 Fenwick & West LLP. All Rights Reserved.​