The report is the result of a study of nine data brokers, representing a cross-section of the industry, undertaken by the FTC to shed light on the data broker industry. Data brokers obtain and share vast amounts of consumer information, typically behind the scenes, without consumer knowledge.
Data brokers sell this information for marketing campaigns and fraud prevention, among other purposes. Although consumers benefit from data broker practices which, for example, help enable consumers to find and enjoy the products and services they prefer, data broker practices also raise privacy concerns.
“The extent of consumer profiling today means that data brokers often know as much – or even more – about us than our family and friends, including our online and in-store purchases, our political and religious affiliations, our income and socioeconomic status, and more,” said FTC Chairwoman Edith Ramirez. “It’s time to bring transparency and accountability to bear on this industry on behalf of consumers, many of whom are unaware that data brokers even exist.”
The report finds that data brokers collect and store billions of data elements covering nearly every U.S. consumer. Just one of the data brokers studied holds information on more than 1.4 billion consumer transactions and 700 billion data elements and another adds more than 3 billion new data points to its database each month.
- Data brokers collect consumer data from extensive online and offline sources, largely without consumers’ knowledge, ranging from consumer purchase data, social media activity, warranty registrations, magazine subscriptions, religious and political affiliations, and other details of consumers’ everyday lives.
- Consumer data often passes through multiple layers of data brokers sharing data with each other. In fact, seven of the nine data brokers in the Commission study had shared information with another data broker in the study.
- Data brokers combine online and offline data to market to consumers online.
- Data brokers combine and analyze data about consumers to make inferences about them, including potentially sensitive inferences such as those related to ethnicity, income, religion, political leanings, age, and health conditions. Potentially sensitive categories from the study are “Urban Scramble” and “Mobile Mixers,” both of which include a high concentration of Latinos and African-Americans with low incomes. The category “Rural Everlasting” includes single men and women over age 66 with “low educational attainment and low net worths.” Other potentially sensitive categories include health-related topics or conditions, such as pregnancy, diabetes, and high cholesterol.
- Many of the purposes for which data brokers collect and use data pose risks to consumers, such as unanticipated uses of the data. For example, a category like “Biker Enthusiasts” could be used to offer discounts on motorcycles to a consumer, but could also be used by an insurance provider as a sign of risky behavior.
- Some data brokers unnecessarily store data about consumers indefinitely, which may create security risks.
- To the extent data brokers currently offer consumers choices about their data, the choices are largely invisible and incomplete.
For data brokers that provide marketing products, Congress should consider legislation to:
- Centralized Portal. Require the creation of a centralized mechanism, such as an Internet portal, where data brokers can identify themselves, describe their information collection and use practices, and provide links to access tools and opt-outs.
- Access. Require data brokers to give consumers access to their data, including any sensitive data, at a reasonable level of detail.
- Opt-Outs. Require opt-out tools, that is, a way for consumers to suppress the use of their data.
- Inferences. Require data brokers to tell consumers that they derive certain inferences from raw data.
- Data Sources. Require data brokers to disclose the names and/or categories of their data sources, to enable consumers to correct wrong information with an original source.
- Notice and Choice. Require consumer-facing entities – such as retailers – to provide prominent notice to consumers when they share information with data brokers, along with the ability to opt out of such sharing.
- Sensitive Data. Further protect sensitive information, including health information, by requiring retailers and other consumer-facing entities to obtain affirmative express consent from consumers before such information is collected and shared with data brokers.
For brokers that provide “risk mitigation” products, legislation should:
- When a company uses a data broker’s risk mitigation product to limit a consumer’s ability to complete a transaction, require the consumer-facing company to tell consumers which data broker’s information the company relied on.
- Require the data broker to allow consumer access to the information used and the ability to correct it, as appropriate.
- Require data brokers to allow consumers to access their own information, opt out of having the information included in a people search product, disclose the original sources of the information so consumers can correct it, and disclose any limitations of an opt-out feature.