FTC Recommends Legislation to Regulate Data Brokers
May 27, 2014. The Federal Trade Commission (FTC) released a document [110 pages in PDF] titled "Data Brokers: A Call for Transparency and Accountability". It recommends legislation to regulate data brokers and others. See also, FTC release.
Outline of this Article:
• Summary.
• Congressional Reaction.
• FTC's Findings.
• FTC's Legislative Recommendations.
• FTC's Best Practices Recommendations.
• Recent Developments.
• Commissioner Brill's Concurrence.
• Iago the Privacy Advocate.
Summary. This document recommends that the Congress consider legislation to regulate the business practices of data brokers and others. It recommends one set of requirements for data brokers that sell marketing products, another for data brokers that sell risk mitigation products, and another for data brokers offering people search products. It also "calls on the data broker industry to adopt several best practices".
These recommendations pertain to disclosures by data brokers and consumer facing companies that supply data to data brokers about their data related practices, and consumer access to data about them held by data brokers.
For example, data brokers that sell marketing products would have "to provide consumers access to their data, including sensitive data held about them, at a reasonable level of detail, and the ability to opt out of having it shared for marketing purposes".
This document does not contain legislative recommendations regarding data breaches, data retention, or data security.
This document also contains numerous findings, such as that lengthy data retention increases security risks to consumers, that are not followed with legislative recommendations.
This document does not supply any draft legislative text.
This document does not adopt or propose any changes to FTC rules promulgated under the Section 5 of the FTC Act, or any other section. It does not provide guidance as to how the FTC might apply Section 5, or any other section, to data brokers, data suppliers, or purchasers of data products, in future enforcement actions.
The FTC studied nine data brokers in preparing this document: Acxiom, CoreLogic, Datalogix, eBureau, ID Analytics, Intelius, PeekYou, Rapleaf, and Recorded Future.
This document, and its recommendations, pertain only to "companies". It does not address government aggregation of data.
The five member Commission voted 4-0 to approve this document. Commissioner Terrell McSweeney did not participate. Commissioner Julie Brill wrote a concurring statement in which she urged additional legislative mandates. Commissioner Joshua Wright voted for this item, and did not write a separate statement. However, footnotes disclose that he does not support all of the recommendations in this document.
Congressional Reaction. Sen. John Rockefeller (D-WV), the outgoing Chairman of the Senate Commerce Committee (SCC), stated in a release that "The new FTC review of data broker practices reflects growing consensus that this industry sorely lacks transparency and accountability."
Sen. Rockefeller added that "big data practices pose risks of consumer harm including discrimination based on financial, health, and other personal information. Congress can no longer put off action on this important issue. We owe it to consumers to provide them with greater control over how data brokers are obtaining and using their personal data."
Sen. Rockefeller introduced S 2025 [LOC | WW], the "Data Broker Accountability and Transparency Act" on February 12, 2014. Sen. Ed Markey (D-MA) is the only cosponsor.
The bill would give consumers a right to review information about them held by data brokers. It states that "A data broker shall provide an individual a means to review any personal information or other information that specifically identifies that individual".
This bill would also give consumers a right to contest information. It states that "An individual whose personal information is maintained by a data broker may dispute the accuracy of any information ... by requesting, in writing, that the data broker correct the information."
This bill would also give consumers a right preclude data brokers from using, selling or sharing information about them for marketing purposes.
Rep. Joe Barton (R-TX) stated in a release that "The data broker industry is one that is largely unregulated and currently collects large sums of data on consumers." Rep. Bobby Rush (D-IL) stated in the same release that "Consumers should and do want to know more about which companies have access to their personal information, what those entities may know about them, and how they go about sharing and acquiring so much personal data about people."
Rep. Rush (at right) introduced HR 4400 [LOC | WW], the "Data Accountability and Trust Act", on April 11, 2013. Rep. Barton is the lead cosponsor. There are four other cosponsors -- all Democrats. This is a huge and broad bill. It is not directed at data broker practices. It would regulate data security practices and mandate and regulate data breach notifications.
Other versions of this bill were introduced in previous Congresses. For the 111th Congress, see HR 2221 [LOC | WW]. For the 112th Congress, see HR 2577 [LOC | WW].
FTC's Findings. There is an argument, that is more often advanced by economists than lawyers, and more often by proponents of limited government than by market interventionists, that any federal entity with authority to regulate commercial activity ought only act to protect consumer welfare, and only upon a finding of either actual consumer harm, or market failure.
This argument does not always prevail. The federal government often acts upon mere articulation of hypothetical and prospective harms. The findings in this FTC document disclose that the FTC is proposing that the Congress act solely on the basis of hypothetical harms.
This documents make numerous references to "potential risks", "potential harm", "potential effects", and "potential ... discrimination". However, it does not make any findings of actual consumer harm. And, it does not engage in market analysis, or make any findings of market failure.
The FTC finds that "There are a number of potential risks to consumers from data brokers' collection and use of consumer data. For example, if a consumer is denied the ability to conclude a transaction based on an error in a risk mitigation product, the consumer can be harmed without knowing why."
On the other hand, the FTC also finds that "Consumers Benefit from Many of the Purposes for Which Data Brokers Collect and Use Data: Data broker products help to prevent fraud, improve product offerings, and deliver tailored advertisements to consumers. Risk mitigation products provide significant benefits to consumers by, for example, helping prevent fraudsters from impersonating unsuspecting consumers. Marketing products benefit consumers by allowing them to more easily find and enjoy the goods and services they need and prefer. In addition, consumers benefit from increased and innovative product offerings fueled Federal Trade Commission by increased competition from small businesses that are able to connect with consumers they may not have otherwise been able to reach. Similarly, people search products allow individuals to connect with old classmates, neighbors, and friends."
The FTC also finds that data brokers "Collect Consumer Data from Numerous Sources, Largely Without Consumers’ Knowledge", "Collect and Store Billions of Data Elements Covering Nearly Every U.S. Consumer", "Combine and Analyze Data About Consumers to Make Inferences About Them", and "Combine Online and Offline Data to Market to Consumers Online".
The FTC also finds that "The Data Broker Industry is Complex, with Multiple Layers of Data Brokers Providing Data to Each Other".
"Data brokers provide data not only to end-users, but also to other data brokers. The nine data brokers studied obtain most of their data from other data brokers rather than directly from an original source. Some of those data brokers may in turn have obtained the information from other data brokers. Seven of the nine data brokers in the Commission’s study provide data to each other. Accordingly, it would be virtually impossible for a consumer to determine how a data broker obtained his or her data; the consumer would have to retrace the path of data through a series of data brokers."
FTC's Legislative Recommendations. The FTC offers recommendations for three legislative regimes -- for "data brokers that sell marketing products", for "data brokers that sell risk mitigation products", and for "data brokers offering people search products". These legislative regimes would also reach entities other than data brokers.
Regarding data brokers that sell marketing products, the FTC recommends legislation with four components. First, "Congress should seek to enable consumers to easily identify which data brokers may have data about them and where they should go to access such information and exercise opt-out rights. Legislation could require the creation of a centralized mechanism, such as an Internet portal, where data brokers can identify themselves, describe their information collection and use practices, and provide links to access tools and opt outs."
Second, "Congress should consider requiring data brokers to clearly disclose to consumers (e.g., on their websites) that they not only use the raw data that they obtain from their sources, such as a person’s name, address, age, and income range, but that they also derive from the data certain data elements. Allowing consumers to access data about themselves is particularly important in the case of sensitive information -- and inferences about sensitive consumer preferences and characteristics -- such as those relating to certain health information."
Third, "Congress should consider requiring data brokers to disclose the names and/or categories of their sources of data, so that consumers are better able to determine if, for example, they need to correct their data with an original public record source."
Fourth, "Congress should consider requiring consumer-facing entities to provide a prominent notice to consumers that they share consumer data with data brokers and provide consumers with choices about the use of their data, such as the ability to opt-out of sharing their information with data brokers. Congress should also consider protecting sensitive information, such as certain health information, by requiring that consumer-facing sources obtain consumers’ affirmative express consent before they collect sensitive information."
Regarding data brokers that sell risk mitigation products, the FTC recommends that "Congress consider legislation that provides consumers with transparency when a company uses a risk mitigation product to limit consumers' ability to complete a transaction. Specifically, when a risk mitigation product adversely impacts a consumer’s ability to obtain certain benefits, the consumer-facing company should identify the data brokers whose data the company relied upon; these data brokers could, in turn, give consumers the right to access the information used and, where appropriate, correct any erroneous information."
The FTC, however, buries in a footnote that it "does not have any information on the prevalence of errors in the consumer data that underlie data brokers' risk mitigation products". The FTC also footnoted that "Commissioner Wright believes that this recommendation is premature because there is no evidence about the existence or scope of this hypothetical problem."
Regarding data brokers offering people search products, the FTC recommends that the Congress consider legislation to "allow consumers to access their own information", "allow consumers to suppress the use of this information", "disclose to consumers the data brokers’ sources of information, so that, if possible, consumers can correct their information at the source", and "disclose any limitations of the opt-out option, such as the fact that close matches of an individual’s name may continue to appear in search results".
The FTC's document does not contain any draft legislative language. It does not contain recommendations regarding whether or not the FTC would have enforcement and/or rulemaking authority, whether or not states should also have enforcement authority, whether or not there should be any private right of action, or whether or not state laws should be preempted.
FTC's Best Practices Recommendations. This FTC document also contains numerous best practices recommendations for data brokers.
For example, the FTC recommends that "data brokers should conduct due diligence to ensure that data that they intend for marketing or risk mitigation purposes is not used to deny consumers credit, insurance, employment, or the like".
The FTC "recommends that data brokers take reasonable precautions to ensure that downstream users of their data do not use it for eligibility determinations or for unlawful discriminatory purposes".
The FTC elaborates that "the use of race, color, religion, and certain other categories to make credit, insurance, and employment decisions is already against the law, but data brokers should help ensure that the information does not unintentionally go to unscrupulous entities that would be likely to use it for unlawful discriminatory purposes" (Footnotes omitted.)
The FTC does not cite any actual occurrence of such a practice.
Also, it noted, regarding Commissioner Wright, that "Before imposing additional obligations on data brokers to conduct due diligence, he would like to see evidence about the existence, nature, and scope of any such problematic uses."
Finally, this document does not explain what would be the consequences, if any, in a future enforcement action, of a data broker failing to comply with these best practices.
Recent Developments. The just released document is the third in a series. The FTC released a report [112 pages in PDF] on March 26, 2012 titled "Protecting Consumer Privacy in an Era of Rapid Change: Recommendations For Businesses and Policymakers". See also, stories titled "FTC Releases Second Report on Privacy Issues", "Reaction to FTC Privacy Report", and "Commentary: Unfair v. Deceptive Conduct" in TLJ Daily E-Mail Alert No. 2,357, March 26, 2012.
The FTC released a document [122 pages in PDF] on December 10, 2010, titled "Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers". See also, story titled "Divided FTC Proposes Do Not Track Regime" in TLJ Daily E-Mail Alert No. 2,169, December 5, 2010.
On December 18, 2013 the SCC held a hearing titled "What Information Do Data Brokers Have on Consumers, and How Do They Use It?".
On May 1, 2014, the Executive Office of the President (EOP) released a paper [85 pages in PDF] titled "Big Data: Seizing Opportunities, Preserving Values".
On May 13, 2014, the Technology Policy Institute (TPI) released a paper [26 pages in PDF] titled "Big Data, Privacy, and Familiar Solutions". The authors are the TPI's Thomas Leonard and Paul Rubin. This paper anticipates and counters some of the FTC's recommendations.
For example, the FTC recommends that consumers have access to certain data about them collected by data brokers. The TPI paper counters that "if we make it easier for individuals to access their data then we also make it easier for those bent on fraud to access the same data".
Also, the FTC recommends that consumers have the ability to correct information. The TPI paper states that "Giving consumers the ability to correct their information may be more complicated than it might appear, even aside from the administrative complexities." That is, consumers will have interests in both correcting false information, and in changing correct information that negatively affects them. The TPI paper argues that "Distinguishing between these various ``corrections´´ may be quite difficult."
Also, the FTC recommends that data brokers be required to describe their information collection and use practices. The TPI paper argues that "Electronic information is frequently used in complex ways that are difficult or impossible to explain. It would not be feasible for websites to meaningfully convey this information through a notice, and consumers would not devote the hours required to understand it."
This TPI paper also argues that first "policy makers should ask whether there is a market failure or evidence of harm to consumers". Then, "If evidence of market failure or harm is found, the next question for policy makers is whether an available remedy (or remedies) can reasonably be expected to yield benefits greater than costs and therefore net benefits to consumers." (Parentheses in original.)
Commissioner Brill's Concurrence. FTC Commissioner Julie Brill wrote a concurring statement. She wants legislation to also require data brokers to monitor their clients use of data "to ensure that their clients do not use their products for unlawful purposes".
She also wants legislation to require that data brokers monitor their data sources "to ensure that their original sources of information obtained appropriate consent from consumers".
She expressed the concern that data could be used for racial profiling, and race based discrimination. However, she conceded that nothing in the FTC's document "suggests that data brokers or their clients are running afoul of anti-discrimination law". And, she cited no actual violation in her concurrence.
She also wrote a second statement that offers her "understanding" of the FTC's legislative recommendations.
Iago the Privacy Advocate. Commissioner Brill began her concurring statement with a quotation from Shakespeare's play titled Othello.
[H]e that filches from me my good name
Robs me of that which not enriches him,
And makes me poor indeed.
This is one of Iago's lines from Act III, Scene 3. Iago is one of the most despicable characters in all of Shakespeare's works. He works his evil, not by force and violence, but by deception. He says this to Othello, as he manipulates him into suspecting his wife Desdemona of infidelity with Cassio.
Iago is not trying to protect anyone's good name. He is destroying reputations for his own advancement. In Shakespeare's courts, as in Washington today, those who rhetorically advance a policy goal are often among those doing the most to undermine attainment of that goal.
Iago is talking about slander to reputation, not databases. Prior to Shakespeare's time there were various types of proceedings that sounded in the nature of defamation. However, shortly after Othello the English courts developed the common law right of action for defamation into something similar to what prevails in state courts in the U.S. today. (See, Edward Jenks, A Short History of English Law, at pages 145-148.)
This FTC document is about the aggregation, retention, and sharing of huge quantities of data about individuals. Moreover, this data is overwhelmingly accurate, useful to the companies that acquire it, and beneficial to markets and consumers.
However, Shakespeare did address the downside to individuals of data aggregation, but not in his tragedy Othello. He did so in one of his history plays, Henry VI, Part 2, in Act IV, in his portrayal of a series of events in 1450 known as Cade's Rebellion.
Shakespeare's character Jack Cade condemns data storage, the people who record the data, the people who use the data, and their technologies. Of course, digital storage, electronic computing, and IP networking did not exist then. Cade and his followers condemn the manufacture of paper, writing with quill "pen and ink-horn", and people who can write.
"Is not this a lamentable thing," says Cade, "that parchment, being scribbled o'er, should undo a man?"
Cade's recommendations go further than the FTC's. He does not want a right of access and correction. He wants to "burn all the records of the realm" and "kill all the lawyers".
(Published in TLJ Daily E-Mail Alert No. 2,663, May 27, 2014.)