In keeping with Congress’s heightened focus on privacy practices in the data broker industry, Senators Jay Rockefeller (D-W.Va.) and Ed Markey (D-Mass.) introduced a bill that would require increased transparency and accountability in the collection and sale of private consumer data.  Describing data brokers as operating a “shadow industry” with “very little scrutiny and oversight,” Senator Rockefeller lauded his proposed bill as an important step in his commitment to protect consumers and hold data brokers accountable.

The Data Broker Accountability and Transparency Act of 2014 (DATA Act) would restrict data brokers from using deceptive tactics to solicit consumer information and grant consumers the ability to:

1.  Access files a data broker compiles of their personal information;

2.  Correct inaccuracies in those files; and

3. Grant or prohibit the sale of their personal information to third parties.

The bill defines a data broker as a “commercial entity that collects, assembles, or maintains personal information concerning an individual who is not a customer or an employee of that entity in order to sell the information or provide third party access to the information.”  Of great concern to lawmakers and regulators is the possible use of consumer information to target particularly vulnerable groups, such as low income individuals and immigrants, with products that may have high interest rates or trap them into a long cycle of debt.

Increased Scrutiny: A Growing Trend

The DATA Act comes on the heels of a Senate Commerce Committee hearing held in December that focused on data brokers’ information collection practices, and a report on the industry released in advance of the hearing.  The Federal Trade Commission and the Consumer Financial Protection Bureau have similarly stepped up their scrutiny of the industry, and the DATA Act empowers the FTC to enforce the law and impose civil penalties on violators.

Industry Push-Back

The Direct Marketing Association (DMA), a trade association whose members use and support data-driven marketing practices and techniques, expressed its disappointment with the DATA Act, claiming that it would “stymie the responsible use of data…stifle innovation, and ultimately hurt consumers.” The DMA stressed the benefits of a self-regulatory framework for data brokers, citing to its own Guidelines for Ethical Business Practice as an example of “robust yet flexible standards that adapt quickly to technological changes, provide robust and meaningful choices to consumers, and are an effective means of enforcing ethical standards on the data-driven marketing community.”

Looking to the Future: Protecting Your Business

As government tries to catch up to industry, it is likely that the increased focus on data collection practices will only intensify, leading to increased legislation and regulation.  In these uncertain times, the best defense is a good offense in avoiding legislative and regulatory scrutiny of your business.  Here are some FTC recommendations data brokers should consider to prevent potential scrutiny by privacy regulators:

• Establish a secure procedure for consumers to have reasonable access to information held by data brokers, to improve the transparency of industry practices;
• Consumer access should be proportional to the sensitivity and intended use of the data at issue;
• Regarding data used solely for marketing purposes, companies should provide consumers with access to a list of the categories of consumer data they hold and give consumers the ability to suppress the use of the data for marketing purposes;
• Create a centralized website where data brokers who compile and sell data for marketing could identify themselves to consumers — and describe how they collect consumer data, disclosing the types of companies to which they sell data;
• Create a voluntary, industry-led strategy consistent with privacy regulator and lawmaker developments.

The DMA’s Guidelines for Ethical Business Practice also contain helpful best practices:

  • If your organization collects personally identifiable information from visitors and/or collects information from non-affiliate websites for online behavioral advertising purposes, your notice should include:

    • The nature of the information collected online for marketing purposes, and the types of uses you make of such information, including uses for online behavioral advertising purposes;
    • The use(s) of such information, including whether you transfer information to third parties for use by them for their own marketing or online behavioral advertising purposes and the mechanism by which consumers can exercise choice not to have such information transferred;
    • Whether personally identifiable information is collected by, used by, or transferred to agents (entities working on your behalf) as part of the business activities related to the visitor’s actions on the site, including to fulfill orders or to provide information or requested services;
    • Whether you use cookies or other passive means of information collection, and whether such information collected is for internal purposes or transferred to third parties for marketing purposes, including online behavioral advertising purposes;
    • What procedures your organization has put in place for accountability and enforcement purposes; and
    • That your organization maintains appropriate physical, electronic, and administrative safeguards to protect information collected online.

In the midst of increasing legislation and regulation, adopting a proactive policy of data collection that ensures the protection of consumer privacy will only benefit your company in the long run.

Thank you to Jenna Felz for her contribution to the preparation of this blog posting.