Federal Trade Commission Needs to Move Beyond Reports When It Comes to Data Brokers
“In the nearly two decades since the Commission first began to examine data brokers, little progress has been made to improve transparency and choice.”
- Conclusion, Federal Trade Commission Report,
That’s the heart of the problem, isn’t it? Data brokering—the buying and selling of information about consumers—is an industry that consumers know nothing about, yet knows everything about us. Its members construct detailed profiles (Acxiom has “3000 data segments for nearly every U.S. consumer”). It decides who gets good marketing offers, verifies our identity (and potentially denies us goods and services based on the result) and sells our addresses and other personal information to anyone who wants it. All of this happens in almost complete secrecy. The result is that consumers are treated like products to be bought and sold. Unfortunately, it’s not just a failing of industry—it’s also a problem with the FTC.
We already know there is a huge problem here. This report builds on , , , and . We’ve written extensively about the real problems. even did a special earlier this year.
The report does provide some useful new detail. The copious nature of information that brokers can tie to personal information like an email—such as race, religion, political affiliation, ethnicity, gender, household income, weight, guns and ammunitions purchases—is striking. See Appendix B if you want to view of the numerous categories.
But ultimately it’s a very frustrating report. There is no discussion of the concrete nature of the harm. Not a single victim is identified. Bad outcomes are left amorphous. Take risk mitigation—when data brokers use the information in their files to verify your identity or root out fraud. The FTC notes the real risk that incorrect assessments will keep people from accessing goods and services to which they are entitled but makes no effort to quantify how often that is happening or what the error rates might be like.
The FTC also repeatedly notes that some brokers create mechanisms for giving consumers access to information about themselves and that those mechanisms are inadequate. However it doesn’t quantify how they fail or attempt to spell out the consequences of this inadequacy. We’ve tested some of these mechanisms in the past and found them to be abysmal.
The report skims over one of the major problems of data brokers—the risk of a data breach that could expose all this data—in spite of the fact that less than a decade ago the $15 million for selling personal data to thieves.
The report’s final recommendations are basically suggestions to Congress phrased in the weakest possible way (“The Commission recommends that Congress consider”). And it puts too much burden on consumers rather than the companies that are exploiting them; two of the main recommendations are that data brokers allow consumers to opt out, and that they centralize those opt out procedures. This ignores the fact that consumers are unwilling participants in this system.
But worse, as the report acknowledges, bills have been filed—good ones in both the and the —but with little movement. Congress has shown little appetite for action. Congressional inertia on this issue obviously deserves scorn but at this point it isn’t surprising. So the real question the FTC should have asked in this report, and can still tackle, is what can we do on our own?
- Use the Fair Credit Reporting Act (FCRA). Under the FCRA, the FTC can already target products that are used to deny consumers, credit, insurance, employment. Push the limits of this power and come down hard on bad actors.
- Tackle discrimination head on. It should raise huge red flags that data brokers are collecting race, ethnicity, gender and other categories of information that can be used for unlawful discrimination. The FTC should be proactively looking for discrimination. If it’s happening, that’s illegal and the Commission doesn’t need a go-ahead from Congress to address it.
- Recognize the security issues. The FTC has authority to force companies to abide by best practices in securing personal information. Given that data brokers’ databases are enormously appealing to identify thieves, the Commission should consider whether, at a minimum, it can force companies to purge extraneous information.
I hope this report is viewed for what it is—a useful fact-finding exercise. Now the FTC has to take the next step and determine what it can do on its own to uncover and tackle industry bad practices.