Consumers Need More Protection from Data Brokers’ Practices

Not surprisingly, a Federal Trade Commission (FTC) report finds that data brokers who gather massive amounts of data about consumers operate with a fundamental lack of transparency.

The report, Data Brokers: A Call for Transparency and Accountability, recommends federal legislation to make the practices more transparent and give consumers greater control over their personal information.

The FTC found that data brokers collect and store billions of data elements covering nearly every U.S. consumer.  For example, the report found, “[O]f the nine data brokers [studied], one data broker’s database has information on 1.4 billion consumer transactions and over 700 billion aggregated data elements; another data broker’s database covers one trillion dollars in consumer transactions; and yet another data broker adds three billion new records each month to its data base.  Most importantly, data brokers hold a vast array of information on individual customers.  For example, one of the nine data brokers has 3000 data segments for nearly every U.S. consumer.”

Not only do the data brokers collect the data, but they also infer consumer interests from the data they collect, which could cause harm to the consumer.  “For example, while a data broker could infer that a consumer belongs in a data segment for ‘Bike Enthusiasts,’ which would allow a motorcycle dealership to offer the consumer coupons, an insurance company using that same segment might infer that the consumer engages in risky behavior,” the report said.  “Similarly, while data brokers have a data category for ‘Diabetes Interest’ that a manufacturer of sugar-free products could use to offer product discounts, an insurance company could use that same category to classify a consumer as higher risk.”

The FTC found that most data brokers limit consumers’ “access to some, but not all, of the actual and derived data the brokers have about them.”  Only two of the nine brokers surveyed allowed consumers to correct their personal information, but the report found that, because there was no centralized portal for consumers to learn about data brokers, it is “not clear how consumers would learn about these rights.”

The brokers also use the information to “score” consumers.  “These scores are based on, for example, the consumers’ blogging practices, participation in social media sites such as Facebook and Twitter, the number of friends, follows, or readers the consumer has, the amount of content the consumer creates on the Internet, or the consumer’s prominence in the news.”  Other consumers who are classified as “underbanked” or “financially challenged” are sent “an advertisement for subprime loan or other services.”

The FTC found that, once a data broker locates a consumer online and places a cookie on the consumer’s browser, “the data broker’s client can advertise to that consumer across the Internet for as long as the cookie stays on the consumer’s browser. Consumers may not be aware that data brokers are providing companies with products to allow them to advertise to consumers online based on their offline activities.”

The report recommends that Congress:

• Enable consumers to identify easily which data brokers may have data about them and where they should go to access such information and exercise opt-out rights.
• Require data brokers to disclose clearly  to consumers (e.g., on their websites) that they not only use the raw data that they obtain from their sources, such as a person’s name, address, age, and income range, but that they also disclose what information they derive from the data.
• Require data brokers to disclose the names and/or categories of their sources of data so that consumers are better able to determine if, for example, they need to correct their data with an original public record source.
• Require consumer-facing entities to provide a prominent notice to consumers that they share consumer data with data brokers and provide consumers with choices about the use of their data, such as the ability to opt-out of sharing their information with data brokers.

For data brokers, the report suggests three “best practices” that they should implement:

• Privacy-by-design, which includes considering privacy issues at every state of product development.
• Better measures to refrain from collecting information from children and teens, particularly in marketing produces.
• Precautions to ensure that downstream users of their data do not use it for eligibility determinations or for unlawful discriminatory purposes.

The nine data brokers were Acxiom, Corelogic, Datalogix, eBureau, ID Analytics, Intelius, PeekYou, Rapleaf, and Recorded Future.