Concerns about privacy practices in the data broker industry, and the privacy implications about the lack of transparency “behind-the-scenes,” will remain a topic of intense regulatory and legislative focus in 2014. The Federal Trade Commission has defined “data brokers” as companies that collect personal information about consumers from a variety of public and non-public sources and resell the information to other companies. The reselling of consumer information may occur for purposes that include the marketing of products; verifying an individual’s identity; differentiating records; or preventing financial fraud. However, there is no statutory definition of data brokers, nor are there laws requiring data brokers to maintain the privacy of consumer data – unless the data is used for purposes under the Fair Credit Reporting Act (FCRA), such as credit, insurance, housing or employment. 2014 will bring renewed and expanded FTC and legislative scrutiny relating to three diverse categories of data brokers, identified in the FTC 2012 Privacy Report, reflecting different levels of data sensitivity:
1. Companies subject to the FCRA. In this category, which has seen the highest level of regulatory scrutiny, data brokerage companies may be considered consumer reporting agencies (CRAs) under the FCRA and thus subject to substantial civil – even criminal penalties. Recent examples of the FTC’s aggressive FCRA enforcement program include:
- Spokeo – In June 2012, the Commission alleged the company, which assembles consumer information from on and offline sources, marketed and sold its consumer profiles to third party employers and recruiters, without complying with the FCRA, resulting in an $800,000 civil penalty. This was the Agency’s first use of the FCRA to address the sale of data collected from an online source, such as social media, in the employment screening context.
- HireRight – In August 2012, the Commission settled, with the employment background screening company, for $2.6 million after allegations that the company violated the FCRA, by neglecting to reinvestigate consumer disputes and failing to provide consumers with copies of their reports.
- Filiquarian – The FTC settled with the mobile app developer, in May 2013, for compiling and selling criminal background screening reports in violation of the FCRA.
- Certegy — The Commission settled with the check authorization services company, in August 2013, for $3.5 million, for violation of the FCRA and Furnisher Rule, when the company allegedly failed to follow proper FCRA dispute procedures.
2. Entities that Maintain Data for Marketing Purposes. The FTC has identified this data broker business model as one end of the spectrum that expands beyond traditional credit reporting. The Commission has specified that it will continue to conduct research and issue reports examining the data broker practices in this category. In light of the recent report by the Senate Committee on Commerce, Science and Transportation (discussed below), 2014 may bring dual FTC and Congressional reports and future enforcement actions relating to data brokers who maintain data specifically for marketing purposes.
3. Non-FCRA covered Entities that Maintain Data for Non-Marketing Purposes: The Commission has indicated that this third category of data broker does not fall within the FCRA and would include, for example, companies that provide fraud detection or people-search services. In December 2013, the FTC announced a study of the data broker industry’s use and collection of consumer data, issuing compulsory process orders to a number of data brokerage companies. We can expect to see the Commission issue a final report and recommendations in the coming months, detailing how the data broker industry can improve the transparency of its privacy practices. Commission investigations likely will follow, as the Agency believes that data brokers in categories 2 and 3 operate without ample transparency and fall outside the reach of the FCRA.
Recent Congressional Data Broker Initiative
Meanwhile, the Senate Committee on Commerce, Science and Transportation ended 2013 by issuing a December 18th report, A Review of the Data Broker Industry: Collection, Use, and Sale of Consumer Data for Marketing Purposes, indicating that some companies are quietly maintaining databases to track, compile and sell consumer data for marketing purposes, without consumers’ knowledge. Though the Committee Majority staff report acknowledges that data brokers collect and sell information for many purposes — including credit risk assessment, fraud prevention and marketing – the report focuses on data broker collection and sale of consumer information specifically for marketing purposes. This is an area, the report states, where data broker activities are subject to far less legislative oversight and operate with nominal transparency. Highlighting its concern that consumer data (collected and sold in this manner) could end up in the possession of unscrupulous businesses to target vulnerable consumers, or used to engage in differential pricing, the Committee Majority staff report found that:
- Data brokers collect a huge volume of detailed information on hundreds of millions of consumers;
- Data brokers sell products that identify financially vulnerable consumers;
- Data broker products provide information about consumer offline behavior to tailor online outreach by marketers;
- Data brokers operate behind a veil of secrecy.
Despite these findings, the staff report did not make any legislative recommendations. It is likely, however, that the data broker industry can expect to see draft legislation, this year, by Senate Commerce Committee Chair Jay Rockefeller, based upon the conclusions of the report.
How to Avoid Being a Target of Regulatory/Legislative Scrutiny
The Commission has stated publically that it… “commend[s] Chairman Rockefeller’s leadership on the issue [of the collection, use and sale of consumer information, by data brokers, for marketing purposes] and stand[s] ready to work with this Committee and Congress on ways to improve transparency of data broker practices.” Thus, future enforcement actions regarding the lack of transparency surrounding data broker privacy practices are sure to follow. Here are some FTC recommendations the data broker industry, and companies who may be deemed de facto data brokers, should consider to prevent potential scrutiny by privacy regulators:
- Establish a secure procedure for consumers to have reasonable access to information held by data brokers, to improve the transparency of industry practices;
- Consumer access should be proportional to the sensitivity and intended use of the data at issue;
- Regarding data used solely for marketing purposes, companies should provide consumers with access to a list of the categories of consumer data they hold and give consumers the ability to suppress the use of the data for marketing purposes;
- Create a centralized website where data brokers who compile and sell data for marketing could identify themselves to consumers — and describe how they collect consumer data, disclosing the types of companies to which they sell data;
- Create a voluntary, industry-led strategy consistent with privacy regulator and lawmaker developments.
Industry ingenuity will continue to produce new technological advances that will enhance, rather than thwart, high-tech innovation. An effective market-based solution, by the data broker industry, for managing the collection and use of consumer data, would be preferable to the legislative and regulatory initiatives that 2014 is certain to stimulate.