Just weeks ago, the Federal Trade Commission (FTC) recommended that Congress require the data broker industry to be more transparent and give consumers greater control over their own personal information. The agency issued a detailed report on data brokers and summarized the extensive data collection efforts that it uncovered in its study of the industry. So it was deja vu all over again when weeks later, a Wall Street Journal headline read, “Facebook to Give Advertisers More User Data.” The article summarized Facebook’s efforts to vacuum up its users’ web browsing habits and sell that data to advertisers.
According to media reports, Facebook collects web browsing histories by placing lines of computer code on its users’ computers, thereby gathering data about the websites its users visit. Facebook apparently also gathers data about which mobile apps its users have downloaded onto their mobile devices. The company had said it keeps this data only for security reasons — but apparently, there may also be a lucrative data mining potential for such information, as reflected in the sale of that data to advertisers.
Facebook’s sale of web browsing history demonstrates the steady growth of mining of customer data. So just who is regulating this space? Who is protecting consumers? And from the industry’s perspective, what legal framework can the industry rely on to guide its own legitimate commercial interests? The surprising answer is that a substantial legal and regulatory void exists.
It was precisely the opaque nature of how companies used consumer data to make credit, housing, employment and similar determinations that led to the passage of the Fair Credit Reporting Act (FCRA) in 1970. The FTC has brought over 100 law enforcement actions under the FCRA since then, but huge portions of the business fall outside the statute. Given the growing opportunities to collect consumer data — and the ever-increasing power to mine that data — it may well be the time to fill the void.
Data brokers collect and store billions of data elements covering virtually everyone in the United States. Brokers collect and aggregate data regarding everything from shopping preferences, to healthcare data, to public records such as lawsuits and arrests. Often the nature of the information sold is disturbing: a list of individuals in financial distress, diabetics, smokers in the household, and political and religious affiliations. Recent reports reveal utterly shocking data aggregation; for instance, the identity of rape victims, AIDS victims and people with addictions. Frequently this information is gathered and sold without consumers’ knowledge. As the FTC chair put it, “You may not know them, but data brokers know you.”
Some of the data collected may appear at first to be collected for fairly mundane purposes. For instance, software-generated groupings could simply label a person assumed to be a “biker enthusiast.” That individual might receive special offers from the local motorcycle dealer. However, that same person could pay higher fees for life insurance because insurers reason that the person engages in risky behavior. The information gathered by data brokers poses a risk to consumers, including the denial of opportunities based on inaccurate information, public disclosure of information many consumers regard as private (e.g. their health), or even something as menacing as stalking. Moreover, storing vast amounts of aggregated data indefinitely may create security risks.
In February 2014, Senator John D. Rockefeller, (D-W.Va.) and Senator Edward Markey (D-Ma.) introduced a bill that would require data brokers to disclose more information about their practices and to give consumers more control over their information collected and sold by the companies. The data broker industry generally opposes legislation, asserting that effective self-regulation is the preferred solution in an industry that is changing quickly and growing rapidly.
Those collecting, aggregating and selling data would be well served to get out ahead of legislative and regulatory efforts. The absence of standards only serves to lead to further abuses and unwanted media attention — all of which can easily create a backlash against the industry. Current proposals urge relatively modest and balanced limits. For instance, the FTC has called for transparency across the data broker industry, providing more information about the sources of data brokers’ information and giving consumers access and the ability to correct data used for marketing and risk mitigation products. Other proposals encourage data brokers to be more accountable by conducting due diligence on their customers’ use of the data and creating contractual requirements that prohibit their customers from using the data in an unlawful manner.
Companies collecting and mining consumer data are in the frontier days of those efforts. The spread of smartphones, social networks, cloud computing and more potent predictive analytic data techniques have enabled the collection, analysis, use and storage of data in a way that was not possible just a few years ago. Tremendous benefits can flow from the insights of big data. But a backlash of consumers offended by the continued encroachment on their privacy, coupled with the risks of long-term storage of such data, could easily lead to upending business models based on big data. A proactive effort to regulate data collection and aggregation efforts is more likely to preserve the big data store in the long run.