28 May 2014

FTC report on US Data Brokers

The Federal Trade Commission has released Data Brokers: A Call for Transparency and Accountability [PDF], a study of nine US data brokers.

The report comments that
these data brokers collect personal information about consumers from a wide range of sources and provide it for a variety of purposes, including verifying an individual’s identity, marketing products, and detecting fraud. Because these companies generally never interact with consumers, consumers are often unaware of their existence, much less the variety of practices in which they engage. By reporting on the data collection and use practices of these nine data brokers, which represent a cross-section of the industry, this report attempts to shed light on the data broker industry and its practices. 
For decades, policymakers have expressed concerns about the lack of transparency of companies that buy and sell consumer data without direct consumer interaction. Indeed, the lack of transparency among companies providing consumer data for credit and other eligibility determinations led to the adoption of the Fair Credit Reporting Act (“FCRA”), a statute the Commission has enforced since its enactment in 1970. The FCRA covers the provision of consumer data by consumer reporting agencies where it is used or expected to be used for decisions about credit, employment, insurance, housing, and similar eligibility determinations; it generally does not cover the sale of consumer data for marketing and other purposes. While the Commission has vigorously enforced the FCRA, since the late 1990s it has also been active in examining the practices of data brokers that fall outside the FCRA.
Most recently, in its 2012 report Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers (“Privacy Report”), the Commission specifically addressed the subject of data brokers. The Commission described three different categories of data brokers: (1) entities subject to the FCRA; (2) entities that maintain data for marketing purposes; and (3) non-FCRA covered entities that maintain data for non-marketing purposes that fall outside of the FCRA, such as to detect fraud or locate people. The Commission noted that, while the FCRA addresses a number of critical transparency issues associated with companies that sell data for credit, employment, and insurance purposes, data brokers within the other two categories remain opaque. In the report, the Commission recommended legislation in this area to improve the transparency of industry practices. Following the Privacy Report, the Commission determined that, despite some progress, too little was still known about the practices of data brokers and that further examination was needed.
To further the objective of increased transparency, in December 2012, the Commission initiated a study of data broker practices. It issued identical Orders to File Special Reports (“Orders”) under section 6(b) of the Federal Trade Commission Act to nine data brokers seeking information about their data collection and use practices, as well as any tools provided to consumers to control these practices. Appendix A is a copy of the text of the Orders that the Commission issued to the data brokers. 
The nine data brokers that received the Orders are Acxiom, Corelogic, Datalogix, eBureau, ID Analytics, Intelius, PeekYou, Rapleaf, and Recorded Future. The Orders requested detailed information regarding the data brokers’ practices, including the nature and sources of consumer data they collect; how they use, maintain, and disseminate the data; and the extent to which the data brokers allow consumers to access and correct data about them or to opt out of having their personal information sold or shared.
This report summarizes the information provided in response to the Commission’s Orders, including information gathered through follow-up questions and meetings and publicly available sources. In general, the data brokers collect information about consumers from a wide variety of commercial, government, and other publicly available sources. In developing their products, the data brokers use not only the raw data they obtain from these sources, such as a person’s name, address, home ownership status, or age, but also certain derived data, which they infer about consumers. For example, a data broker might infer that an individual with a boating license has an interest in boating, that a consumer has a technology interest based on the purchase of a “Wired” magazine subscription, or that a consumer who has bought two Ford cars has loyalty to that brand. The data brokers use this actual and derived data to create three main kinds of products for clients in a wide variety of industries: marketing products, risk mitigation products, and people search products.
Marketing Products
Five of the data brokers studied sell marketing products, which assist clients in a variety of ways. For example, businesses can purchase their customers’ email addresses from data brokers so that they can send email solicitations to them. They can also purchase information about their customers’ interests in order to market specific products to them, including using consumers’ offline activities to determine what advertisements to serve them on the Internet. The data brokers also sell analytics products. For instance, some data brokers analyze their client’s customer data and suggest the media channel to use to advertise a particular product (e.g., online or newspapers) and/or the geographic region where the advertisements should be shown. A few data brokers also convert their analyses into marketing scores that, for example, rank clients’ customers on the basis of how likely they are to respond to particular marketing efforts or to make a purchase, their presence on the web or their influence over others, or other metrics.
Most of the data brokers that sell marketing products provide consumers with limited access to some, but not all, of the actual and derived data the data brokers have about them. Only two of the data brokers allow consumers to correct their personal information for marketing purposes, and four of the five data brokers that sell marketing products allow consumers to opt out of the use of their personal information for marketing purposes. However, it is not clear how consumers would learn about these rights; for example, no centralized portal currently exists for consumers to learn about data brokers and what access rights and choices they provide.
Risk Mitigation Products
Four of the data brokers studied sell risk mitigation products, which clients use to verify their customers’ identities or detect fraud. For example, a lender might use a data broker’s identity verification product to ensure that the individual presenting himself as John Smith at 123 Main Street who wants to open an account is in fact that John Smith. The same lender might use a fraud detection product to flag whether a Social Security number provided as part of the application process has recently been associated with many different addresses, thereby suggesting fraud.
Even if consumers knew about the data brokers providing products in this category or knew they were denied or limited in their ability to complete a transaction, they might not be able to access their own information from these data brokers and correct errors. Two of the data brokers studied provide consumers with some form of access to their information used in risk mitigation products after verifying their identity, but only one allows consumers to correct their information.
People Search Products
Three of the data brokers studied provide “people search” websites through which users can search for publicly available information about consumers. Users can use these products to research corporate executives and competitors, find old friends, look up a potential love interest or neighbor, network, or obtain court records or other information about consumers. Consumers can generally access their information through the same free or fee-based products that the data brokers provide to their clients. These data brokers allow consumers to correct certain information to varying degrees; most of them also allow consumers to opt out of the disclosure of their information.
The report features the following findings.
1. Characteristics of the Industry
  • Data Brokers Collect Consumer Data from Numerous Sources, Largely Without Consumers’ Knowledge: Data brokers collect data from commercial, government, and other publicly available sources. Data collected could include bankruptcy information, voting registration, consumer purchase data, web browsing activities, warranty registrations, and other details of consumers’ everyday interactions. Data brokers do not obtain this data directly from consumers, and consumers are thus largely unaware that data brokers are collecting and using this information. While each data broker source may provide only a few data elements about a consumer’s activities, data brokers can put all of these data elements together to form a more detailed composite of the consumer’s life. 
  • The Data Broker Industry is Complex, with Multiple Layers of Data Brokers Providing Data to Each Other: Data brokers provide data not only to end-users, but also to other data brokers. The nine data brokers studied obtain most of their data from other data brokers rather than directly from an original source. Some of those data brokers may in turn have obtained the information from other data brokers. Seven of the nine data brokers in the Commission’s study provide data to each other. Accordingly, it would be virtually impossible for a consumer to determine how a data broker obtained his or her data; the consumer would have to retrace the path of data through a series of data brokers. 
  • Data Brokers Collect and Store Billions of Data Elements Covering Nearly Every U.S. Consumer: Data brokers collect and store a vast amount of data on almost every U.S. household and commercial transaction. Of the nine data brokers, one data broker’s database has information on 1.4 billion consumer transactions and over 700 billion aggregated data elements; another data broker’s database covers one trillion dollars in consumer transactions; and yet another data broker adds three billion new records each month to its databases. Most importantly, data brokers hold a vast array of information on individual consumers. For example, one of the nine data brokers has 3000 data segments for nearly every U.S. consumer. 
  • Data Brokers Combine and Analyze Data About Consumers to Make Inferences About Them, Including Potentially Sensitive Inferences: Data brokers infer consumer interests from the data that they collect. They use those interests, along with other information, to place consumers in categories. Some categories may seem innocuous such as “Dog Owner,” “Winter Activity Enthusiast,” or “Mail Order Responder.” Potentially sensitive categories include those that primarily focus on ethnicity and income levels, such as “Urban Scramble” and “Mobile Mixers,” both of which include a high concentration of Latinos and African Americans with low incomes. Other potentially sensitive categories highlight a consumer’s age such as “Rural Everlasting,” which includes single men and women over the age of 66 with “low educational attainment and low net worths,” while “Married Sophisticates” includes thirty-something couples in the “upper-middle class . . . with no children.” Yet other potentially sensitive categories highlight certain health-related topics or conditions, such as “Expectant Parent,” “Diabetes Interest,” and “Cholesterol Focus.” 
  • Data Brokers Combine Online and Offline Data to Market to Consumers Online: Data brokers rely on websites with registration features and cookies to find consumers online and target Internet advertisements to them based on their offline activities. Once a data broker locates a consumer online and places a cookie on the consumer’s browser, the data broker’s client can advertise to that consumer across the Internet for as long as the cookie stays on the consumer’s browser. Consumers may not be aware that data brokers are providing companies with products to allow them to advertise to consumers online based on their offline activities. Some data brokers are using similar technology to serve targeted advertisements to consumers on mobile devices.
2. Benefits and Risks
  • Consumers Benefit from Many of the Purposes for Which Data Brokers Collect and Use Data: Data broker products help to prevent fraud, improve product offerings, and deliver tailored advertisements to consumers. Risk mitigation products provide significant benefits to consumers by, for example, helping prevent fraudsters from impersonating unsuspecting consumers. Marketing products benefit consumers by allowing them to more easily find and enjoy the goods and services they need and prefer. In addition, consumers benefit from increased and innovative product offerings fueled by increased competition from small businesses that are able to connect with consumers they may not have otherwise been able to reach. Similarly, people search products allow individuals to connect with old classmates, neighbors, and friends. 
  • At the Same Time, Many of the Purposes for Which Data Brokers Collect and Use Data Pose Risks to Consumers: There are a number of potential risks to consumers from data brokers’ collection and use of consumer data. For example, if a consumer is denied the ability to conclude a transaction based on an error in a risk mitigation product, the consumer can be harmed without knowing why. In such cases, the consumer is not only denied the immediate benefit, but also cannot take steps to prevent the problem from recurring. Similarly, the scoring processes used in some marketing products are not transparent to consumers. This means that consumers are unable to take actions that might mitigate the negative effects of lower scores, such as being limited to ads for subprime credit or receiving different levels of service from companies. As to other marketing products, they may facilitate the sending of advertisements about health, ethnicity, or financial products, which some consumers may find troubling and which could undermine their trust in the marketplace. Moreover, marketers could even use the seemingly innocuous inferences about consumers in ways that raise concerns. For example, while a data broker could infer that a consumer belongs in a data segment for “Biker Enthusiasts,” which would allow a motorcycle dealership to offer the consumer coupons, an insurance company using that same segment might infer that the consumer engages in risky behavior. Similarly, while data brokers have a data category for “Diabetes Interest” that a manufacturer of sugar-free products could use to offer product discounts, an insurance company could use that same category to classify a consumer as higher risk. Finally, people search products can be used to facilitate harassment, or even stalking, and may expose domestic violence victims, law enforcement officers, prosecutors, public officials, or other individuals to retaliation or other harm. 
  • Storing Data About Consumers Indefinitely May Create Security Risks: Some of the data brokers store all data indefinitely, even if it is later updated, unless otherwise prohibited by contract. For some products, these data brokers report that they need to keep older data. For example, they explain that even if a consumer’s address is outdated, it is important to keep the consumer’s address history in order to verify the consumer’s identity. For other products, however, retention of older data may not be necessary. An older address may be less relevant to deliver marketing to a consumer. Although stored data may be useful for future business purposes, the risk of keeping the data may outweigh the benefits. For example, identity thieves and other unscrupulous actors may be attracted to the collection of consumer profiles that would give them a clear picture of consumers’ habits over time, thereby enabling them to predict passwords, challenge questions, or other authentication credentials.
3. Consumer Choice
  • To the Extent Data Brokers Offer Consumers Choices About Their Data, the Choices are Largely Invisible and Incomplete: Some data brokers provide consumers with choices about their data, but because data brokers are not consumer-facing, consumers may not know where to go to exercise any choices that may be offered. In addition, the data brokers’ opt outs do not clearly convey whether the consumer can exercise a choice to opt out of all uses of consumer data, and therefore, consumers may find the opt outs confusing. As a result, even those consumers who know who the data brokers are, find their websites, and take the time to find the opt out and use it may still not know its limitations. For marketing products, the extent of consumers’ choices over their data is not clear. For risk mitigation products, many data brokers do not provide consumers with access to their data or the ability to correct inaccurate data.
Many of these findings point to a fundamental lack of transparency about data broker industry practices. Data brokers acquire a vast array of detailed and specific information about consumers; analyze it to make inferences about consumers, some of which may be considered sensitive; and share the information with clients in a range of industries. All of this activity takes place behind the scenes, without consumers’ knowledge. 
In light of these findings, the Commission unanimously renews its call for Congress to consider enacting legislation that would enable consumers to learn of the existence and activities of data brokers and provide consumers with reasonable access to information about them held by these entities. The specific legislative recommendations made by the Commission reflect high-level principles drawn from the findings of this study, the Commission’s previous work in this area, and the ongoing public debate about data brokers. In particular, the recommendations build on the Commission’s work for the last two decades to improve transparency and choice in the data broker industry. Indeed, despite the Commission’s call for greater transparency in the 1990s, the Individual References Services Group (“IRSG”) self-regulatory experiment to improve transparency of data broker practices was short-lived. Since then, data broker practices have grown dramatically, in both breadth and depth, as data brokers have expanded their ability to collect information from a greater number of sources, including from consumers’ online activities; analyze it through new algorithms and emerging business models; and store the information indefinitely due to reduced storage costs. Despite the Commission’s past recommendations, lack of transparency and choice remain a significant source of concern about this industry.
The Commission’s legislative recommendations vary depending on the product categories at issue—marketing, risk mitigation, or people search—and reflect differences in the business models and the sensitivity of the data used. Many of these legislative recommendations are consistent with best practices that certain of the nine data brokers have already implemented.
The FTC accordingly offers several legislative recommendations:
With respect to data brokers that sell marketing products, the Commission recommends that Congress consider legislation requiring data brokers to provide consumers access to their data, including sensitive data held about them, at a reasonable level of detail, and the ability to opt out of having it shared for marketing purposes. The Commission recommends that Congress consider including four requirements in any such legislation. 
First, Congress should seek to enable consumers to easily identify which data brokers may have data about them and where they should go to access such information and exercise opt-out rights. Legislation could require the creation of a centralized mechanism, such as an Internet portal, where data brokers can identify themselves, describe their information collection and use practices, and provide links to access tools and opt outs. 
Second, Congress should consider requiring data brokers to clearly disclose to consumers (e.g., on their websites) that they not only use the raw data that they obtain from their sources, such as a person’s name, address, age, and income range, but that they also derive from the data certain data elements. Allowing consumers to access data about themselves is particularly important in the case of sensitive information—and inferences about sensitive consumer preferences and characteristics—such as those relating to certain health information. 
Third, Congress should consider requiring data brokers to disclose the names and/or categories of their sources of data, so that consumers are better able to determine if, for example, they need to correct their data with an original public record source. 
Finally, Congress should consider requiring consumer-facing entities to provide a prominent notice to consumers that they share consumer data with data brokers and provide consumers with choices about the use of their data, such as the ability to opt-out of sharing their information with data brokers. Congress should also consider protecting sensitive information, such as certain health information, by requiring that consumer-facing sources obtain consumers’ affirmative express consent before they collect sensitive information. Because few consumers know about the existence of data brokers, meaningful notice from the data source provides an important opportunity for consumers to learn that their data is shared with data brokers and how to exercise control over the use of their data.
For data brokers that sell risk mitigation products, the Commission recommends that Congress consider legislation that provides consumers with transparency when a company uses a risk mitigation product to limit consumers’ ability to complete a transaction. Specifically, when a risk mitigation product adversely impacts a consumer’s ability to obtain certain benefits, the consumer-facing company should identify the data brokers whose data the company relied upon; these data brokers could, in turn, give consumers the right to access the information used and, where appropriate, correct any erroneous information. The level of transparency, access, and correction should be tied to the significance of the benefit or transaction in question. At the same time, the Commission recognizes that it may be appropriate for legislation to require data brokers to implement robust authentication safeguards before allowing such access and correction so that an unscrupulous individual cannot “correct” accurate data. Congress should consider how to enable consumer access while preserving the accuracy and security of such data. 
The Commission also recommends Congress consider legislation that would require data brokers offering people search products to: (1) allow consumers to access their own information; (2) allow consumers to suppress the use of this information; (3) disclose to consumers the data brokers’ sources of information, so that, if possible, consumers can correct their information at the source; and (4) disclose any limitations of the opt-out option, such as the fact that close matches of an individual’s name may continue to appear in search results.
The report states that the FTC more generally calls on the data broker industry to adopt several best practices:
First, they should implement privacy-by-design, which includes considering privacy issues at every stage of product development. 
Second, the Commission encourages data brokers to implement better measures to refrain from collecting information from children and teens, particularly in marketing products. 
Finally, the Commission recommends that data brokers take reasonable precautions to ensure that downstream users of their data do not use it for eligibility determinations or for unlawful discriminatory purposes.