Data brokers have been under increased scrutiny lately – from Congress, the press and joined again this week by the Federal Trade Commission, which released a 109-page study of nine data brokers entitled Data Brokers: A Call For Transparency and Accountability (the “Report”). which examined nine data brokers to determine the types and scope of personal information data collected. What did the FTC learn about the data broker industry? What could this mean going forward for data brokers and data users? And more importantly, could you be a “data broker” without realizing it?
For starters, the FTC recognizes that its now a big, big, big data world, and had in 2012 (in its influential report Protecting Consumer Privacy in an Era of Rapid Change) identified three categories of data brokers, namely: “(1) entities subject to the Fair Credit Reporting Act (“FCRA”); (2) entities that maintain data for marketing purposes; and (3) non-FCRA covered entities that maintain data for non-marketing purposes that fall outside of the FCRA, such as to detect fraud or locate people.”
The nine data brokers the FTC examined includes Acxiom, Corelogic, Datalogix, eBureau, ID Analytics, Intelius, PeekYou, Rapleaf, and Recorded Future. For many, most of the names will be unfamiliar, and that’s part and parcel of the FTC’s push for increased “transparency” as the majority of consumers will have no idea who these firms are or specifically what information they broker. As the FTC Report notes:
“In developing their products, the data brokers use not only the raw data they obtain from these sources, such as a person’s name, address, home ownership status, or age, but also certain derived data, which they infer about consumers. For example, a data broker might infer that an individual with a boating license has an interest in boating, that a consumer has a technology interest based on the purchase of a ‘Wired’ magazine subscription, or that a consumer who has bought two Ford cars has loyalty to that brand. The data brokers use this actual and derived data to create three main kinds of products for clients in a wide variety of industries: marketing products, risk mitigation products, and people search products.”
Within the context of these three main products the FTC reviewed which of the categories the nine brokers were involved in and how, if any, consumers interacted with them to learn about access rights and consent choices. After their review the FTC concluded that:
- Data brokers collect consumer data from numerous sources, largely without consumers’ knowledge. Some of the information data brokers collect, like bankruptcy information, voting history, consumer purchase data, web browsing activities and warranty registrations are not obtained directly from consumers, and as a result, consumers are largely unaware that data brokers are collecting and using this information.
- Data brokers collect and store billions of data elements, including some on nearly every U.S. consumer. Data brokers hold a vast array of information on individual consumers. For example, one of the nine data brokers has 3,000 data segments for nearly every U.S. consumer.
- The Data Broker Industry is Complex, with Multiple Layers of Data Brokers Providing Data to Each Other. Data brokers provide data not only to end-users, but also to other data brokers. The nine data brokers studied obtain most of their data from other data brokers rather than directly from an original source. Some of those data brokers may in turn have obtained the information from other data brokers. Seven of the nine data brokers in the
Commission’s study provide data to each other. Accordingly, it would be virtually impossible for a consumer to determine how a data broker obtained his or her data; the consumer would have to retrace the path of data through a series of data brokers.
- Data brokers combine and analyze data about consumers to make potentially sensitive inferences. Data brokers infer consumer interests from the data they collect. Then, they use those interests to make inferences about consumers and place them in categories. Potentially sensitive categories include those that primarily focus on ethnicity and income-levels, a consumer’s age, or health-related conditions like “Expectant Parent,” “Diabetes Interest,” and “Cholesterol Focus.”
- Data Brokers Combine Online and Offline Data to Market to Consumers Online. Data brokers rely on websites with registration features and cookies to find consumers online and target Internet advertisements to them based on their offline activities.
In our next post about the FTC Report we’ll review the benefits and risks to consumers the FTC identified, legislative recommendations and suggested best practices for data brokers – and determine who may be a “data broker” without realizing it. And, what that means for your data and information security practices.