FTC Calls for Action on Big Data

Following an 18-month investigation into the practices and operations of data brokers, the Federal Trade Commission has issued a voluminous report calling for legislation to regulate the industry in the interests of consumer privacy. The report, called “Data Brokers: A Call for Transparency and Accountability”, identifies “data brokers” as “companies that collect consumer’s personal information and resell or share that information with others,” and notes that in today’s economy, “Big Data is big business.” The report recounts that the privacy issues that data brokers present today were first addressed back in the 1970s, when Congress enacted the Fair Credit Reporting Act (FCRA) to regulate the collection and use of consumer data in connection with credit, housing, employment and similar decisions. The FTC has been active in enforcing the provisions of the FCRA, but has also argued for similar types of protections even where the FCRA does not apply, such as where data is collected for marketing purposes, fraud prevention purposes, and people search products.

In its March 2012 report “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers”, the FTC noted that prior self-regulatory efforts by the industry had not addressed its concerns with transparency and called for the industry to create a web portal to provide consumers with more information about, and access to, the information that data brokers hold about them. In addition, an FTC Commissioner has spearheaded a “Reclaim Your Name” campaign urging the industry to adopt self-regulatory reforms to educate consumers as to how information is collected and used and to allow consumers to access the data that brokers hold, correct any errors in it, and opt out of its use for marketing purposes.

Noting that the industry has not moved on past suggestions such as these, the report calls for legislation that would require data brokers to provide the consumer with access to the data they hold regarding the consumer and to permit consumers to opt out of the sharing of that information for marketing purposes. The FTC reiterates its suggestion that a central web portal be created where data brokers identify themselves and their information collection and use practices and allow consumers to access their data and to opt out of certain uses. The report also calls for legislation that would require data brokers to disclose to consumers not only that they use raw data that they collect, but also whether they combine that data with other information and draw conclusions based on it, such as determining a consumer’s interests based on magazine subscriptions, previous purchases, or website visits. To facilitate consumer education, the report suggests that all consumer-facing entities be required to disclose if they sell consumer information to data brokers, to provide opt-out options concerning this sharing, and to provide the names of the specific data brokers with which the information is shared and a link to the web portal where consumers can learn more about the data brokers and their data access and opt-out rights. With respect to risk mitigation products, the report recommends extending FCRA-like notices to the consumer where, for example, the consumer is denied a cellular phone contract not because he or she is a credit risk, but because risk mitigation information indicates that he or she is an identity thief. The notice would identify the data broker from which the information was obtained, and the data broker in turn would provide the consumer with access to the data and a right to correct it if it is inaccurate. In connection with people search products, the report recommends not only that consumers have the ability to access their data and opt out of certain uses, but that limits on those opt-outs be clearly identified and that the data broker’s sources of information be identified.

The report concludes with a recommendation that all data brokers adopt the principles in the Commission’s 2012 report: that they adopt “privacy by design” and incorporate consumer privacy into all aspects of their operations.