In this Part Two covering the Federal Trade Commission’s Report on Data Brokers (Part One is here), we focus on the Report’s detail of benefits and risks to consumers of data brokers’ services, the FTC’s legislative recommendations, and best practices data brokers should consider to address growing concerns surrounding data mining. Lastly, we’ll review considerations in determining whether a company is a “data broker” and what this means to your governance, risk management and legal compliance efforts.
The Benefits and Risks to Consumers
In examining a group of nine data brokers, the FTC notes that data brokers’ services often offer overlooked benefits. As previously discussed in Part One, data brokers rely on the gathering of data from millions of users. The collected data is sold by the data brokers, which often enables small businesses to respond quickly to market changes as well as successfully compete with larger entities that utilize their own big data analytics as a matter of course. The sale of such data allows small to medium-sized companies to embrace and serve niches in the market and effectively target advertisements tailored to this market.
Unfortunately, large-scale data collection today also holds certain inherent risks. Errors related to the aggregation of user data can compound without a proper method of recourse for the user in question. Currently, there are very few easy and effective ways for aggrieved users to determine what data about them and their activities is collected, where it’s held, and who it’s provided to downstream, and then, if necessary, to correct errors in the data.
Similarly, data collection practices may agitate and frustrate targeted users as they are presented with advertisements touching on sensitive topics, like physical ailments (such as diabetes), sexual orientation or ethnicity. Taken to the extreme, risk mitigation products employed by merchants could prevent users from completing an otherwise legal transaction if they deem a specific user has certain unwanted tendencies based on previously collected data.
Finally, the FTC observed that “storing data about consumers indefinitely may create security risks,” which those involved in data incident responses know as a very real concern that complicates the quick determination of the scope of a potential breach.
However, when one looks at the sheer dollar figures of the data broker industry, it’s easy to understand why it has become such a lucrative practice. For example, the nine data brokers the FTC reviewed accumulated $426 million in revenue for three different categories of services – roughly $196 million for marketing data services, almost $178 million for risk mitigation products, and almost $53 million for “people search” data sales.
Additionally, a litany of factors combine to create user profiles that are subsequently used in the three different data broker service categories. For instance, information such as bank accounts being opened, changing addresses, and even the notice of fraudulent transactions may be collected by data brokers. Other information such as court records and real estate purchases can be stored and maintained by data brokers. And often, once these records are obsolete, the retained data is generally not purged from storage in a timely manner.
In response to these issues, the FTC backs legislative actions to ameliorate or rectify matters by improving transparency and consumer choice within the data broker industry. The FTC’s recommendations also “borrow from the Commission’s best practice and legislative recommendations regarding data brokers in its 2012 Privacy Report; self-regulatory developments among industry members; and the Commission’s extensive enforcement experience with data broker practices.” Among the recommendations are:
- Access and Opt Outs – Legislation requiring data brokers to give consumers (1) access to their data and (2) the ability to opt out of having it shared for marketing purposes by, for example, creating a central Internet portal where data brokers self-identify, describe data collection and use, and provide tools and mechanisms for consumers to conduct opt outs, particularly when sensitive information is involved.
- Comment: This proposal is effectively a long-standing FTC call, which it has urged Congress to act upon for years. Query whether such a central portal would become a “high value” target for cyber attacks and cyber criminals. The FTC’s response is that, to make such a portal manageable, Congress could limit its mandate to include only, for example, the 50 or so largest data brokers, and that such requirements mirror approaches taken by the Federal Credit Reporting Act. How data brokers are ranked in size and how often the rankings are updated would also be issues of contention.
- Transparency – To enhance transparency, the FTC urges Congress to enact legislation requiring disclosure of data collection specifics, such as what raw data points are acquired and what inferences are thereafter made using such data in conjunction with onboarded data sources, as well as disclosing the names and/or categories of data sources to enable consumers to determine where errors need to be corrected and through whom.
- Comment: Given how frequently sources and uses of data change, how data brokers would provide timely and accurate transparency would no doubt be a non-trivial matter.
- Increased Visibility – The FTC Report rhetorically asks “[g]iven the current invisibility of data brokers, the question remains: If these access and opt-out tools were to exist and be available to consumers through a centralized mechanism, how would a consumer learn about them?” In answering, the FTC details several methods legislation should require, including requiring:
- Consumer-facing data sources to provide “prominent notice” to consumers that they share consumer data with data brokers and then give consumers various choices, such as opting out of sharing their information with data brokers.
- Consumer-facing sources to provide the names of data brokers they provide data to, along with information or links to the centralized mechanism with a description of the access and opt-out rights offered by these data brokers.
- Additional protections for “sensitive information” and obtaining a consumer’s affirmative express consent before consumer-facing sources collect and share such information with data brokers.
- Comment: As always, the devil is in the details. While notice and choice methods are common solutions today, notice fatigue is a very real concern. Markedly, additional required “prominent” notices are likely to engender further counter-productive notice overloading.
- Risk Mitigation – Continuing its drive for increased transparency, the FTC urges legislation that would mandate notifying consumers in the course of a company’s use of a risk mitigation product if such products could limit consumers’ capacity to complete a transaction, as “such legislation could address scenarios that the FCRA may not cover.”
- Comment: Despite this recommendation, Footnote 95 of the Report notes that “the Commission does not have any information on the prevalence of errors in the consumer data that underlie data brokers’ risk mitigation products.” So this recommendation seems to be far forward-looking rather than any proposal designed to remedy a currently well-understood dilemma. Additionally, the FTC at least takes note of the oft unintended consequences of such measures, stating “at the same time, one would not want an unscrupulous individual to be able to ‘correct’ his or her own truthful data. For this reason, Congress should consider how to enable consumer access while preserving the accuracy and security of such data.” Unfortunately, this is often easier said than done in practice.
Notably, according to the FTC, a plethora of best practices should be instituted to further address these matters of contention. The FTC’s preferred techniques are important to our clients for a multitude of reasons. The Commission emphasizes the necessity of employing “Privacy by Design”, which would subsequently be enforced at every phase of product development. These include limitations on the use and collection of data from minors, which could be used in an inimical manner that may not be suitable for specific age groups, and is currently regulated in the U.S. on the federal level by COPPA, the Children’s Online Privacy Protection Act, and by states, such as through California’s CalOPPA.
As such, it is worthwhile to start implementing controls and filters that restrict such information from being collected and sold to prospective buyers, effectively staying one step ahead of the FTC and Congress. Another recommended practice is to include controls prohibiting the use of data in ways that are or could be perceived as unlawfully discriminatory.
And it almost goes without saying that it’s certainly beneficial to limit the practices that could result in a disgruntled customer or the marketplace of opinions.
Are You a Data Broker?
Finally, who qualifies as a “data broker” may be surprising to some. Companies that retain data records for marketing purposes may in certain circumstances be viewed as a data broker under the FTC’s purview. Moreover, firms in the fraud detection and prevention industry may also inadvertently meet the definition of a data broker, according to the FTC.
A bill that was recently passed at the state level in California but has yet to be enacted into law, SB 1348 – Online Data Brokers, defines what entities can be classified as Data Brokers for purposes of California law. Under SB 1348, an Online Data Broker is defined as “a commercial entity that collects, assembles, or maintains personal information concerning individuals residing in California who are not customers or employees of that entity, for the purposes of selling or offering for sale the personal information over the Internet to a third party.”
Whether SB 1348 or similar such bills make headway in State capitals remains to be seen, but the issue of data broker regulation and data broker practices is not one that will go away anytime soon. Stay tuned.