In recent years, data-driven marketing has spread across numerous sectors of the economy. While the industry provides many benefits and conveniences for consumers by lowering the cost of products and services and helping businesses better capture customer preferences, privacy advocates and legislators are pushing for increased government regulation over companies known broadly as “data brokers.”
As a result of the increased interest in additional regulation, in November 2013, the U.S. Government Accountability Office (GAO) released a detailed report about the data broker industry at the request of Senator Jay D. Rockefeller (D-WV), chairman of the Senate Committee on Commerce, Science, and Transportation (the Commerce Committee). The Commerce Committee released its own report about one month later. These reports, both the product of long-running investigations into the policies and practices of companies involved in online and offline marketing and data collection, provide important insights into the potential challenges facing the industry.
Government Accountability Office Study
On November 15, 2013, the GAO released a study following a year-long investigation of existing federal laws and regulations and several state laws applicable to “data brokers” (also known as “information resellers”),1 which were broadly defined as “companies that collect and resell information on individuals.”2 The GAO also interviewed representatives of federal agencies, trade associations, consumer and privacy groups, and industry businesses, and reviewed the many approaches advocated to improve consumer data privacy, which range from new legislation to greater self-regulation.3
The GAO report identified what it perceived as gaps in the current statutory privacy framework that, in the office’s opinion, did not fully address changing technology and marketplace practices, including online tracking, mobile applications, location tracking, and mobile payments. The report also maintained that current law is not aligned with “fair information practice principles” (FIPPs),4 the principles commonly advocated as a baseline for handling consumer data.
The GAO called for Congress to strengthen the current consumer privacy framework, and recommended focusing on the following issues:
- the adequacy of consumers’ ability to access, correct, and control their personal information in circumstances beyond those currently accorded under the Fair Credit Reporting Act (FCRA);
- whether there should be additional controls on the types of personal or sensitive information that may be collected and shared;
- whether changes should be made to the permitted sources and methods for data collection; and
- what privacy controls should be imposed related to new technologies, such as web tracking and mobile devices.5
Notably, the report took no position on how this new legislation should look. It merely presented the pros and cons of enacting a comprehensive, federal-based privacy-law regime to replace the current sector-specific regulations,6 and noted the challenge of allowing consumer privacy protections without inhibiting commerce.7
Senate Commerce Committee Report
About one month later, on December 18, 2013, the Senate Commerce Committee issued its own report on data brokers.8 This report was released just hours before a Commerce Committee hearing on the same issue.9
The Commerce Committee sought answers to the following four questions:
- What data about consumers does the data broker industry collect?
- How specific is the data?
- How does the data broker industry obtain consumer data?
- Who buys the data, and how is it used?10
The Commerce Committee report adopted a broad definition of “data broker” developed by the Federal Trade Commission (FTC): “[c]ompanies that collect information, including personal information about consumers, from a wide variety of sources for the purpose of reselling such information to their customers for various purposes, including verifying an individual’s identity, differentiating records, marketing products, and preventing financial fraud.”11 This description, however, leaves significant room for interpretation.12
Like the GAO, the Commerce Committee concluded that “[c]urrent federal law does not fully address the use of new technologies”13 or the incredible increase in the sale and availability of consumer information in the digital age. The report opined that although the FCRA, Health Insurance Portability and Accountability Act (HIPAA), and several other laws protect consumers in certain sector-specific contexts, the tremendous changes in the digital age have left a large gray area unregulated. Furthermore, the committee was highly critical of data brokers, drawing the following broad conclusions about their practices: “(1) Data brokers collect a huge volume of detailed information on hundreds of millions of consumers; (2) Data broker products provide information about consumer offline behavior to tailor online outreach by marketers; and (3) Data brokers operate behind a veil of secrecy.”14
This disapproving tone echoed throughout the December 18, 2013, Commerce Committee hearing. Senator Rockefeller had many harsh words for common industry practices, and other committee members gave examples of what they deemed “predatory” marketing activities conducted by financial firms or other companies targeting vulnerable groups such as the impoverished or immigrant populations. They also raised concerns about the practice of scoring individuals based on algorithmic data analysis and serving them with tailored offers based on prior web behavior or demographic data, emphasizing their fears of dynamic pricing.
In response, industry representatives highlighted that data brokers’ efforts lower the costs of products and services for consumers, while helping businesses focus on tailoring their offerings to consumer needs—not to mention contributing $156 billion to the American economy. In fact, in recent years, database “profiling” and targeted marketing have become fundamental to the success of almost any business or organization—including the U.S. government itself. These techniques provide crucial tools to ensure the provision of government assistance to those in need, and give important insights into the requests and opinions of constituents. Regardless, rather than being extracted from consumers against their will, the majority of the data being discussed was derived from public records or other publicly available information; in most other cases, customers chose to provide the information directly to businesses by opting into incentive or loyalty-card programs, entering contests, or completing questionnaires.
Importantly, although both the Commerce Committee report and the hearing confirmed the growing divide between the two sides of the debate, neither revealed concrete plans for specific legislation, suggesting only that there must be further fact-finding.
The perceived gaps in federal and state laws called out in both the GAO report and the Commerce Committee report, as well as the derisive remarks of Senator Rockefeller and others during the recent hearing, suggest that the tension between the data broker industry and its critics will likely grow in the coming months. Moreover, one crucial issue has yet to be resolved—the definition of a “data broker.” The vague and conclusory descriptions adopted by both the GAO and the Commerce Committee could arguably apply to thousands of different companies since “[e]veryone shares data within the Internet ecosystem.”15 Given the lack of clarity, any company that either collects data or relies upon such collection efforts by others may be impacted by the government’s heightened scrutiny in this area.
In December 2012, the FTC opened its own inquiry into the privacy implications of the industry’s collection and use of consumer data, the findings of which are expected to be released in early 2014 and may only further muddy the waters.16 In the past, FTC Commissioner Julie Brill has promoted a “one-stop shop” for consumers to access their information in an effort she has dubbed “Reclaim Your Name”;17 the forthcoming report will probably continue to stress the commissioner’s view that heightened industry regulation is needed.18 It is also possible that the FTC could propose a legislative recommendation to give itself broader authority over data brokers or call for more self-regulatory efforts.
Whether through comprehensive federal and state legislation or more restrictive self-regulation, one thing is clear—privacy advocates and lawmakers seem intent on imposing a greater degree of regulation on this industry. But until a definitive definition of what constitutes a “data broker” exists, any company involved in the collection and use of consumer data (particularly data obtained from, or provided to, third parties) could feel the effects and should track this issue closely.
1 U.S. Government Accountability Office, “Report to the Chairman, Committee on Commerce, Science, and Transportation, U.S. Senate: Information Resellers—Consumer Privacy Framework Needs to Reflect Changes in Technology and the Marketplace” (September 25, 2013) (hereinafter “GAO report”), available at http://www.gao.gov/assets/660/659769.pdf (last visited December 20, 2013).
2 GAO report, supra note 1 at 1.
3 See id. at 2; see id., Appendix I at 48-51.
4 See id. at 46. Rooted in a 1973 report by the United States Department of Health, Education and Welfare, FIPPs are at the core of the Privacy Act of 1974 and are regularly incorporated into government and business privacy policies. FIPPs include the following core principles: transparency, individual participation, purpose specification, data minimization, use limitation, data quality and integrity, security, and accountability and auditing. See National Strategy for Trusted Identities in Cyberspace, “Fair Information Practice Principles (FIPPs),” available at http://www.nist.gov/nstic/NSTIC-FIPPs.pdf (last visited December 20, 2013).
5 GAO report, supra note 1 at 19, 46-47.
6 See generally id. at 31-34.
7 Id. at 46.
8 Committee on Commerce, Science, and Transportation—Office of Oversight & Investigations Majority Staff, “A Review of the Data Broker Industry: Collection, Use, and Sale of Consumer Data for Marketing Purposes” (Dec. 18, 2013) (hereinafter “Commerce Committee report”), available at http://www.scribd.com/doc/192589947/12-18-13-Senate-Commerce-Committee-Report-on-Data-Broker-Industry (last visited December 19, 2013).
9 Senate Commerce Committee Hearing, “What Information Do Data Brokers Have on Consumers, and How Do They Use It?” (Dec. 18, 2013), video archive available at http://www.commerce.senate.gov/public/index.cfm?p=Hearings&ContentRecord_id=a5c3a62c-68a6-4735-9d18-916bdbbadf01&ContentType_id=14f995b9-dfa5-407a-9d35-56cc7152a7ed&Group_id=b06c39af-e033-4cba-9221-de668ca1978a (last visited Dec. 19, 2013). The hearing panel consisted of the following individuals: Jessica Rich, Director of the FTC’s Bureau of Consumer Protection; Pam Dixon, Executive Director of the World Privacy Forum; Dr. Joseph Turow, Professor at the Annenberg School for Communication; Tony Hadley, Senior Vice President of Government Affairs and Public Policy at Experian; and Jerry Cerasale, Senior Vice President of Government Affairs and Public Policy for the Direct Marketing Association.
10 Commerce Committee report, supra note 8 at ii.
11 Id. at 1 (citing Federal Trade Commission, Protecting Consumer Privacy in an Era of Rapid Change, at 68 (Mar. 2012), available at http://www.ftc.gov/sites/default/files/documents/reports/federal-trade-commission-report-protecting-consumer-privacy-era-rapid-change-recommendations/120326privacyreport.pdf (last visited December 19, 2013)).
12 See id. at 13-21 (describing types of consumer data that brokers collect, maintain, and share); id. at 21-28 (describing types of data broker products); id. at 28-31 (describing data broker customers).
13 Id. at 10.
14 Id. at ii-iii.
15 See Testimony of Thomas Hadley, Senior Vice President of Government Affairs and Public Policy at Experian, Committee Hearing, supra note 9.
16 See Press Release, supra note 10.
17 Julie Brill, FTC chairman, “Reclaim Your Name—Keynote Address at the 23rd Computers Freedom and Privacy Conference,” at 10-11 (June 26, 2013), transcript available at http://www.ftc.gov/sites/default/files/documents/public_statements/reclaim-your-name/130626computersfreedom.pdf (last visited December 20, 2013).
18 In 2012, the FTC published a report calling for greater transparency among data brokers, and asking Congress to give consumers the right to access information these firms hold about them. See FTC report, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers, at 30 (Mar. 2012), available at http://www.ftc.gov/sites/default/files/documents/reports/federal-trade-commission-report-protecting-consumer-privacy-era-rapid-change-recommendations/120326privacyreport.pdf (last visited Dec. 20, 2013). Although the report covered many different issues, the FTC specifically called on data brokers to increase transparency for consumers by creating a centralized website where they could identify themselves and disclose how they collect and use data, as well as details about the choices that data brokers provide consumers about their own information.