Federal Trade Commission Needs to Move Beyond Reports When It Comes to Data Brokers
鈥淚n the nearly two decades since the Commission first began to examine data brokers, little progress has been made to improve transparency and choice.鈥
- Conclusion, Federal Trade Commission Report,
That鈥檚 the heart of the problem, isn鈥檛 it? Data brokering鈥攖he buying and selling of information about consumers鈥攊s an industry that consumers know nothing about, yet knows everything about us. Its members construct detailed profiles (Acxiom has 鈥3000 data segments for nearly every U.S. consumer鈥). It decides who gets good marketing offers, verifies our identity (and potentially denies us goods and services based on the result) and sells our addresses and other personal information to anyone who wants it. All of this happens in almost complete secrecy. The result is that consumers are treated like products to be bought and sold. Unfortunately, it鈥檚 not just a failing of industry鈥攊t鈥檚 also a problem with the FTC.
We already know there is a huge problem here. This report builds on , , , and . We鈥檝e written extensively about the real problems. even did a special earlier this year.
The report does provide some useful new detail. The copious nature of information that brokers can tie to personal information like an email鈥攕uch as race, religion, political affiliation, ethnicity, gender, household income, weight, guns and ammunitions purchases鈥攊s striking. See Appendix B if you want to view of the numerous categories.
But ultimately it鈥檚 a very frustrating report. There is no discussion of the concrete nature of the harm. Not a single victim is identified. Bad outcomes are left amorphous. Take risk mitigation鈥攚hen data brokers use the information in their files to verify your identity or root out fraud. The FTC notes the real risk that incorrect assessments will keep people from accessing goods and services to which they are entitled but makes no effort to quantify how often that is happening or what the error rates might be like.
The FTC also repeatedly notes that some brokers create mechanisms for giving consumers access to information about themselves and that those mechanisms are inadequate. However it doesn鈥檛 quantify how they fail or attempt to spell out the consequences of this inadequacy. We鈥檝e tested some of these mechanisms in the past and found them to be abysmal.
The report skims over one of the major problems of data brokers鈥攖he risk of a data breach that could expose all this data鈥攊n spite of the fact that less than a decade ago the $15 million for selling personal data to thieves.
The report鈥檚 final recommendations are basically suggestions to Congress phrased in the weakest possible way (鈥淭he Commission recommends that Congress consider鈥). And it puts too much burden on consumers rather than the companies that are exploiting them; two of the main recommendations are that data brokers allow consumers to opt out, and that they centralize those opt out procedures. This ignores the fact that consumers are unwilling participants in this system.
But worse, as the report acknowledges, bills have been filed鈥攇ood ones in both the and the 鈥攂ut with little movement. Congress has shown little appetite for action. Congressional inertia on this issue obviously deserves scorn but at this point it isn鈥檛 surprising. So the real question the FTC should have asked in this report, and can still tackle, is what can we do on our own?
- Use the Fair Credit Reporting Act (FCRA). Under the FCRA, the FTC can already target products that are used to deny consumers, credit, insurance, employment. Push the limits of this power and come down hard on bad actors.
- Tackle discrimination head on. It should raise huge red flags that data brokers are collecting race, ethnicity, gender and other categories of information that can be used for unlawful discrimination. The FTC should be proactively looking for discrimination. If it鈥檚 happening, that鈥檚 illegal and the Commission doesn鈥檛 need a go-ahead from Congress to address it.
- Recognize the security issues. The FTC has authority to force companies to abide by best practices in securing personal information. Given that data brokers鈥 databases are enormously appealing to identify thieves, the Commission should consider whether, at a minimum, it can force companies to purge extraneous information.
I hope this report is viewed for what it is鈥攁 useful fact-finding exercise. Now the FTC has to take the next step and determine what it can do on its own to uncover and tackle industry bad practices.