01 INTRODUCTION

For years, policymakers have debated whether new laws are needed to “rein in” the practices of data brokers – companies that collect consumers' personal data from various sources, process and package it, and then sell it to individuals and businesses for marketing and advertising, fraud detection, risk mitigation, and locating people, among other purposes.

Proponents of stronger laws cite data privacy and accuracy concerns, noting that most data brokers operate behind the scenes, unknown to consumers, and sell personal data (some of it highly sensitive) to a vast array of end users, who may use it to make important decisions about consumers. Data brokers counter that they provide valuable services that help businesses serve their customers, and help the economy operate efficiently and effectively.

To date, regulation of data brokers has been limited at both the federal and state level. Recently, however, there's been flurry of regulatory activity related to this industry, driven in part by the increased focus on data privacy concerns more generally. Whether in Congress or state legislatures, at federal agencies or the White House, many policymakers are pushing in the direction of increased regulation. This article provides an overview of the issues and recent activity surrounding data brokers, and forecasts stormy weather ahead for these companies.

02 WHAT ARE DATA BROKERS?

There's no universal definition of data brokers, especially since people with different perspectives tend to describe data brokers quite differently. For example, one data broker describes its business as follows:

We unlock[] the power of data to create opportunities for consumers, businesses and society. At life's big moments – from buying a home or car, to sending a child to college, to growing a business exponentially by connecting it with new customers – we empower consumers and our clients to manage their data with confidence so they can maximize every opportunity. We help individuals take financial control and access financial services, businesses make smarter decision and thrive, lenders lend more responsibly, and organizations prevent identity fraud and crime.1

In contrast, a consumer advocacy group describes data brokers this way:

Thousands of data brokers in the United States buy, aggregate, disclose, and sell billions of data elements on Americans with virtually no oversight. As the data broker industry proliferates, companies have enormous financial incentives to collect consumers' personal data, while data brokers have little financial incentive to protect consumer data. For these companies, consumers are the product, not the customer. Companies also maintain information about consumers that is often inaccurate, wrongfully denying them credit, housing, or even a job.2

In a 2014 report to Congress, the Federal Trade Commission (“FTC”) (the primary consumer protection agency at the federal level, with jurisdiction over many data brokers) described data brokers somewhat more objectively as “companies whose primary business is collecting personal information about consumers from a variety of sources and aggregating, analyzing, and sharing that information, or information derived from it, for purposes such as marketing products, verifying an individual's identity, or detecting fraud.”3

Meanwhile, California's new data broker law (SB 362, discussed in more detail below) defines a data broker as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.”4 This definition (echoed in other federal and state laws and bills) underscores one of the key issues driving concerns about data brokers – that they operate behind the scenes, collecting and selling consumers' sensitive data without most consumers' knowledge or control.

However data brokers are described or defined, they essentially collect, combine, process, and sell consumer data. They obtain this information from a range of sources, including government databases (e.g. real property and court records), publicly available sources (e.g. social media, blogs, and the internet), and commercial entities (e.g. retailers and magazine publishers). Often, they use online tools to collect the information, such as cookies, pixels, fingerprinting, application programming interfaces, or software development kits. They then combine the data, make inferences from it, and classify consumers by demographics, household income, familial status, political affiliation, hobbies, and other characteristics and preferences. A range of purchasers (individuals, businesses, and government) typically access data broker services online, and use it to find and authenticate people, detect and prevent fraud, and send consumers relevant advertising and offers, among other purposes.5

03 BACKGROUND ON THE DATA BROKER DEBATE

The debate about whether and how to regulate data brokers started in the 1960s, when concerns arose about a particular type of data broker (consumer reporting agencies or “CRAs”) that collect and sell consumer information for use in making decisions about consumers' eligibility for certain benefits (notably, credit, employment, and insurance). The concerns centered primarily around three issues: (1) the confidentiality of the information collected, which included consumers' credit histories, financial status, and even data about arrests and “general reputation,” (2) the accuracy and currency of the information, since false or outdated information can lead to the denial of important consumer opportunities, and (3) the fact that this system of critical decisionmaking had been “built up with virtually no public regulation or supervision.”6

In 1970, Congress passed the Fair Credit Reporting Act (“FCRA”), the nation's first commercial privacy law, to address these concerns. The FCRA imposes data privacy and accuracy requirements on CRAs that sell, and on people or entities that furnish and use, consumer data (“consumer reports”) for consumer eligibility determinations (i.e. about credit, employment, insurance, and other specified benefits). Among other things, the law requires CRAs to implement “reasonable procedures” to maintain data accuracy, to allow access to consumers reports only by those with a “permissible purpose,” and to discard outdated information. It also gives consumers the right to review and dispute the accuracy of the information collected about them.7 The FCRA is considered the “mother” of commercial privacy laws in the US (described admiringly by one of my former FTC colleagues as the “magna carta” of privacy).8

The FCRA didn't end the discussion about data brokers, however. Since its enactment, there has been explosive growth in the data broker industry,9 with many data brokers performing services that fall outside (or purport to fall outside) the FCRA.10 As a result, critics of the industry have pressed for broader regulation – arguing that data brokers collect highly sensitive consumer data (about consumers' health, precise location, purchase histories, family members, etc.), make inferences and assign consumers to marketing categories (“financially challenged,” “leans left,” “bible lifestyle”), and sell this data with few limitations. Critics also point to use of this data by the government, contrary to civil liberties, and even stalkers, who can buy their victims' addresses online. These concerns have intensified as the ubiquity of mobile devices and technological advances have enabled data brokers to collect more detailed consumer data, and make more granular inferences and predictions, for sale to the public.11

To view the full article, click here.

Footnotes

1. Large data broker's website. (I'm not naming the company to avoid singling out any one data broker. Other companies' narratives are similar.)

2. Electronic Privacy Information Center (EPIC) website, https://epic.org/issues/consumer-privacy/data-brokers/.

3. FTC Report, Data Brokers: A Call for Transparency and Accountability (“FTC Data Broker Report”), https://www.ftc.gov/system/files/ documents/reports/data-brokers-call-transparency-accountability-report-federal-trade-commission-may-2014/140527databrokerreport. pdf (May 2014). Although this report is almost a decade old, it is still widely cited due to its in-depth examination of the practices of nine diverse data brokers.

4. SB 362 §1(c), https://legiscan.com/CA/text/SB362/2023.

5. See e.g. FTC Data Broker Report, supra at n. 4; Congressional Research Service Report R47298 (“CRS Report”), https://crsreports. congress.gov/product/pdf/R/R47298l (Oct. 2022).

6. See e.g. National Consumer Law Center Digital Library website, https://library.nclc.org/book/fair-credit-reporting/141-overview.

7. FCRA, https://www.ftc.gov/legal-library/browse/statutes/fair-credit-reporting-act.

8. Since enactment, the FCRA has been amended several times and has been actively enforced by the FTC, private plaintiffs, and, more recently, the Consumer Financial Protection Bureau (CFPB).

9. In 2021, digital marketing company Web FX estimated that there were over 4000 data brokers worldwide in an industry valued at more than $200 billion per year. See Web FX blogpost, https://www.webfx.com/blog/internet/what-are-data-brokers-and-what-is-your-data-worth-infographic/ (2021)

10. Some data brokers post disclosures stating that they are not CRAs and that purchasers cannot use their data for CRA purposes. Critics say that the data is used for such purposes anyway. See CFPB Press Release, CFPB Kicks Off Rulemaking to Remove Medical Bills from Credit Reports (“CFPB Rulemaking Proposal”), https://www.consumerfinance.gov/about-us/newsroom/cfpb-kicks-off-rulemaking-toremove-medical-bills-from-credit-reports/ (Sept. 21, 2021).

11. See e.g. FTC Data Broker Report, supra at n. 4; CRS Report, supra at n. 6

Originally published by CPI TechREG Chronicle.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.