The Federal Trade Commission recommended that that Congress consider enacting legislation to make data broker practices more visible to consumers and to give consumers greater control over the large amounts of personal information collected and shared by data brokers. The recommendation came as a result of the FTC’s report “Data Brokers: A Call for Transparency and Accountability” which studied nine data brokers, representing a cross-section of the industry. The report found just one of the data brokers studied holds information on more than 1.4 billion consumer transactions and 700 billion data elements; another adds more than 3 billion new data points to its database each month.
Among other things, the report finds that:
- Data brokers collect consumer data from extensive online and offline sources, largely without consumers’ knowledge. This includes consumer purchase data, social media activity, warranty registrations, magazine subscriptions, religious and political affiliations, and other details of consumers’ everyday lives.
- Consumer data often passes through multiple layers of data brokers sharing data with each other. In fact, seven of the nine data brokers in the study had shared information with another data broker in the study.
- Data brokers combine and analyze data about consumers to make inferences about them, including potentially sensitive inferences such as those related to ethnicity, income, religion, political leanings, age, and health conditions. Potentially sensitive categories from the study are “Urban Scramble” and “Mobile Mixers,” both of which include a high concentration of Latinos and African-Americans with low incomes. The category “Rural Everlasting” includes single men and women over age 66 with “low educational attainment and low net worths.” Other potentially sensitive categories include health-related topics or conditions, such as pregnancy, diabetes, and high cholesterol.
- Many of the purposes for which data brokers collect and use data pose risks to consumers, such as unanticipated uses of the data. For example, a category like “Biker Enthusiasts” could be used to offer discounts on motorcycles to a consumer, but could also be used by an insurance provider as a sign of risky behavior.
- Some data brokers unnecessarily store data about consumers indefinitely, which may create security risks.
- To the extent data brokers currently offer consumers choices about their data, the choices are largely invisible and incomplete.
To help rectify a lack of transparency about data broker industry practices, the FTC suggests that Congress consider enacting legislation that would: enable consumers to learn of the existence and activities of data brokers; and provide consumers with reasonable access to information about them held by data brokers. This could include a centralized mechanism, such as an Internet portal, where data brokers can identify themselves, describe their information collection and use practices, and provide links to access tools and opt-outs.
In addition, the report recommends adoption of a requirement that data brokers: (1) give consumers access to their data, including any sensitive data, at a reasonable level of detail; (2) offer a way for consumers to suppress the use of their data (opt-out); (3) tell consumers that they derive certain inferences from raw data; and (4) disclose the names and/or categories of their data sources, to enable consumers to correct wrong information with an original source.
The report also recommends that consumer-facing entities such as retailers be required to provide prominent notice to consumers when they share information with data brokers, along with the ability to opt-out of such sharing; and obtain affirmative express consent from consumers before such information is collected and shared with data brokers.
The report also includes separate recommendations for legislation affecting brokers that provide “risk mitigation” products and “people search” products.
For “risk mitigation” products, the FTC recommends that when a company uses a data broker’s risk mitigation product to limit a consumers’ ability to complete a transaction, it should be required to tell consumers which data broker’s information the company relied on. It also recommends requiring the data broker to allow consumer access to the information used and the ability to correct it, as appropriate. In connection with “people search” products, the FTC recommends that data brokers be required to allow consumers to access their own information, opt-out of having the information included in a people search product, disclose the original sources of the information so consumers can correct it, and disclose any limitations of an opt-out feature.