“Shadowy,” “invisible,” “secretive” and “unregulated” are all terms that have been used in recent years to describe the data broker industry, an industry with an estimated $150 billion in annual revenue. Whether those descriptors were accurate or not in the past, intense press, regulatory and legislative attention is now focused squarely on the industry that is not likely to remain in the shadows much longer. In the past two years, the industry has been subjected to a Federal Trade Commission investigation, a congressional inquiry, and most recently, legislation proposed by Sen. Jay Rockefeller that would regulate it more comprehensively. Regardless of whether this legislation passes in its current form, one thing is clear: Although data brokers play an important role in the U.S. economy, their possession of significant amounts of data about a large percentage of—perhaps all—Americans has raised concerns of regulators and privacy hawks that are unlikely to subside.
What Are Data Brokers?
In a 2012 report, the FTC defined data brokers as “companies that collect information, including personal information about consumers, from a wide variety of sources for the purpose of reselling such information to their customers for various purposes, including verifying an individual’s identity, differentiating records, marketing products, and preventing financial fraud.” As evidenced by the size of the market in which they operate, data brokers provide a highly sought after function in the data economy. More than just acquiring data about individuals, data brokers compile the data and sell “buckets” of consumer data—e.g., those who fit a particular demographic, such as urban, married, with $150,000-plus annual incomes—for marketing purposes. Some brokers also sell predictive scoring products—that is, predicting whether consumers who fit a set of criteria will purchase certain products.
Perhaps because data brokers have maintained such a low public profile, they have been defined in recent years by mishaps that have shone a spotlight the vast quantities of individual data the industry possesses and the powerful predictive modeling about consumer behavior that brokers have developed. For instance, the revelation of Target’s marketing campaign in which it predicted which customers were pregnant based on their purchasing habits generated public concern after the company sent coupons for maternity products to the household of a teenage girl who had not yet told her father she was pregnant.
Data security and privacy are also frequently raised concerns. For example, the 2005 data breach of ChoicePoint, a large data broker, resulted in the sale of more than 163,000 consumer records to an identity theft ring. Similarly, in 2008, the FTC settled enforcement actions against data brokers Reed-Elsevier and Seisint for failing to implement adequate security measures, resulting in the compromise of more than 300,000 individuals’ personal data.
A frequent criticism of the data broker industry is that it is unregulated. Although this criticism is an overstatement, the Government Accountability Office concluded in a 2013 report that federal law does not currently provide individuals with a means of accessing the data that brokers collect about them. Nor do any laws provide individuals the ability to correct personal information or demand that brokers purge data.
Data brokers are strictly regulated by the Fair Credit Reporting Act when they act as consumer reporting agencies—providers of consumer data for use in making determinations relating to the credit, insurance, employment, etc. Congress enacted the FCRA more than four decades ago, and gave the FTC both rulemaking and enforcement authority. The act requires that consumer reporting agencies provide notice to individuals of adverse decisions made about them. In addition, consumer reporting agencies have an obligation to maintain the accuracy of information in a consumer’s file and provide individuals the ability to review and correct information.
Prior to 2013, the FTC was the principle enforcer of the FCRA. Since then, the Consumer Financial Protection Bureau has taken over as lead enforcer. Over the history of the FCRA, the FTC has brought over 100 enforcement actions, including one against Spokeo, a data broker that aggregates consumer data from information disclosed in social networks and other sources. In that action, which settled with an $800,000 penalty, the FTC alleged that the company had sold consumer reports without ensuring that individuals were given notice of adverse actions or the ability to correct information.
The FCRA does not, however, regulate the use of data for non-FCRA purposes, namely advertising and marketing. Indeed, the U.S. Senate’s Committee on Commerce, Science and Transportation found that many data brokers that provide consumer reports regulated by the FCRA have separate business units that compile and sell non- FCRA reports for marketing purposes.
Some data brokers do participate in industry self-regulation through the Direct Marketing Association. The DMA publishes guidelines, which, for example, require members to provide consumers with transparency about the data they collect, choice to opt out, and require companies to treat sensitive personal data with care and not resell it if there is a reasonable expectation that the data will not be transferred. Critics, however, maintain that the guidelines do not go far enough in allowing consumer to obtain, remove and correct data.
Both the FTC and the Senate committee have conducted investigations into the data broker industry within the last 18 months. In December 2012, the FTC issued orders to nine data brokers requiring narrative responses and production of documents regarding the nature and sources of consumer data the companies collect, how they use, maintain and disseminate it, and the extent to which they allow consumers to access and correct their information or to opt out of having it sold. The FTC has not yet published a report on its findings, but the director of the FTC’s Bureau of Consumer Protection, Jessica Rich, has stated the report is forthcoming.
In October 2012, Rockefeller, as majority chair of the committee, sent letters to nine data brokers seeking similar information. The committee issued its report on its findings in December 2013, noting that while some provided complete responses, others were less forthcoming. The report found:
These findings served as the basis for the Data Broker Accountability and Transparency Act of 2014 introduced earlier this month.
If enacted, the DATA Act would create the first federal statutory regulation of non- FCRA data brokers. It would increase transparency and give consumers broader rights to access and correct information.
The act would prohibit data brokers from obtaining data about consumers by “false, fictitious, or fraudulent statement[s] or representation[s].” Whether this would require affirmative representations about the purpose of collecting data through commonly used methods, such as online surveys, is not clear.
The act also would require data brokers to implement reasonable procedures to ensure the accuracy of information collected. In addition, it would give consumers the right to access information held about them, including any specifically identifying the individual, at least once per year at no cost. Consumers would also be afforded the opportunity to contest as inaccurate information, and brokers would be required to (a) correct public record information if provided proof that an inaccuracy has been corrected; and (b) for nonpublic information, note that the information is disputed by the consumer and attempt to verify it through a verifiable process. If the broker determines the information is incorrect, it would be required to correct the information.
Finally, the act would vest the FTC with both rulemaking and enforcement authority. If passed into law, the FTC would be required to conduct rulemaking within one year. In addition, the FTC could enforce violations as unfair and deceptive business practices, which would carry civil penalties of up to $16,000 per violation. State attorneys general would also be given civil enforcement authority for affected individuals in their respective states, unless the FTC intervened.
Originally published in the Daily Journal on February 26, 2014.
©2014 Fenwick & West LLP. All Rights Reserved.