FTC’s Data Broker Report Brings New Facts to Light about how Consumer Data is Captured and Sold

May 27, 2014

Forget worrying about loyalty cards or programs: it’s the everyday purchases you make tied to your name with a debit or credit card that can land you on data brokers’ lists. That is one of the many facts that the new FTC report on data brokers sets forth. The report offers a high-level analysis and establishes new fact patterns about the data broker industry based on the Commission’s investigation of nine major data brokers. Overall, we find things to like in the report, but we wish the FTC had gone further in some areas. Here are some of the high points that stood out to us.

Documenting What Retailers Know … and Sell

The FTC report documents that retailers – thousands of them – sell details about consumer transactions and purchase histories to data brokers. We can now say definitively that most items we purchase with our names attached (that is, using credit cards, debit cards, or loyalty debit cards) can be fodder for sale by the retailers we patronize. WPF documented this trend through painstaking research in our Scoring of America report, and the FTC now confirms it. The FTC report also confirms that website registration information is sometimes sold to data brokers, something long suspected but not fully documented until now.

To provide consumers with some rights over the large amounts of personal information collected and held by data brokers, including mitigating the issues that have been brought to light regarding sales of consumers’ purchase information, the FTC recommends that retailers provide notice to customers prior to the sale of information to data brokers, among other things. If consumers are to receive notice, the notice needs to be extremely prominent with options that can be easily exercised by consumers. In the case of the sale of health-related or other sensitive information, any transfer, sale, or use of the information must require affirmative (opt-in) consent.

Consumers need to trust that when they make a purchase using a debit or credit card that their purchase information is not heading off to a data broker as a matter of course. It would take a lot of work to accomplish meaningful notice, and more transparency from retailers and websites than we see routinely. Even if notice came with all of the features we recommend, we know that consumer notice is still just the beginning of what needs to be done.

Reducing Risks of Risk Mitigation Products

The FTC report discusses the problems consumers face from “risk mitigation” products, such as identity verification products and fraud products. Risk mitigation offers some clear consumer benefits in that most everyone benefits from the reduction of fraud. Yet risk mitigation products also stretch beyond the boundaries of the Fair Credit Reporting Act and leave consumers vulnerable to negative decisions based on erroneous data. When merchants use erroneous data broker “risk mitigation” information, consumers can suffer by being denied products, services, and opportunities in the marketplace, and the FTC report discusses this.

WPF views ID verification and fraud products sold by data brokers as new forms of “modern eligibility.” We need new laws to protect consumers because the Fair Credit Reporting Act, which should protect consumers here, is too easily evaded by merchants and data brokers. The FTC indeed recommends that Congress act in this area to bring protection and transparency to consumers. The use of these risk products is on the rise, so protections for consumers need to be enacted sooner rather than later.

Sensitive Information and Consent

The FTC report has an important recommendation regarding sensitive information:

“Congress should also consider imposing important protections for sensitive information, such as certain health information, by requiring that consumer-facing sources obtain consumers’ affirmative express consent before collecting and sharing such information with data brokers. Finally, Congress should consider requiring that consumer-facing sources provide the names of the data brokers to which they provide data, along with information or links to the centralized mechanism with its description of the access and opt-out rights offered by these data brokers.”

We agree with this recommendation regarding sensitive data, and urge the need to create a mechanism that assures that true affirmative opt-in consent has been given, not just a passive consent based on a tiny statement buried in a privacy policy on a web site. Julie Brill, in her concurring statement, printed as Appendix C of the report, wrote that the consent procedure is crucial:

 “A second accountability measure that Congress should consider is to require data brokers to take reasonable steps to ensure that their original sources of information obtained appropriate consent from consumers.This requirement would help to ensure that data brokers’ sources comply with the Commission’s recommendation that the sources secure well-informed consumer consent to disclose information to data brokers.”

Consent for data use, and how this consent is obtained, is going to be an area of much discussion, and is possibly the part of the data broker discussion that will require the most attention to ensure fairness to consumers. There can be no hidden consent and no weasel-worded opt-ins if consumer harms are going to be addressed.

Centralized Data Broker Opt Out: 50 is not the Magic Number

Regarding opt out, we are pleased that the FTC recommends a centralized data broker opt-out portal so consumers can opt out of data broker activities in one place. But the FTC recommends just the top 50 or so largest data brokers be included as part of this portal. We would go further. We believe that all consumer-impacting data brokers must be included in the opt-out portal. Size should not be the only consideration for inclusion. Some small data brokers are high-volume sellers of consumer information. Further, judging data brokers by size as the primary consideration for consumer protection provides a major temptation for industry to exploit any exemptions or cut-off points in order to evade regulation.

Any opt-out portal needs to include all data brokers whose activities substantially affect consumers.

Downstream Information Use

Overall, the FTC report needed to do more to address downstream uses of the information. Julie Brill addressed this issue in her concurring statement:

“Congress should consider legislation – and not merely a best practice recommendation – that would require data brokers to employ reasonable procedures to ensure that their clients do not use their products for unlawful purposes.Reasonable procedures could include requirements for data brokers to verify the identity of their customers, and conduct due diligence and other monitoring, to provide a level of accountability that their customers are not using data for unlawful purposes.”

Accountability and due diligence is something that would help prevent illegal uses of consumer data from occurring. This is important, and Brill’s statement serves to fill some of the gaps that exist in the text of the report itself.

 

Links and more info: