Broad Support for Data Broker Transparency, With No Agreement How to Get There

Brill’s initiative is similar to, but more specific and repeated, than calls from the FTC itself and several consumer advocates. Industry associations and data brokers call the plan impractical and not useful for consumers; current laws already protect consumers from the misuse of their data, they argue. The plan’s proponents say the right to access one’s information trumps industry’s feasibility concerns.

Brill first outlined the concept in 2012 of a “one-stop online shop” for users to access their data, she said. This summer, after meeting with data brokers to discuss the idea, Brill repeated her call for “the entire industry” to “come to the table” (CD June 27 p9). “Reclaim Your Name would give consumers the power to access online and offline data already collected, exercise some choice over how their data will be used in the commercial sphere, and correct any errors in information being used by those making decisions materially impacting consumers’ lives,” she said. Brill enlisted engineers and computer scientists to the cause, during an October speech at the Polytechnic Institute of New York University (CD Oct 24 p14). “You can introduce this critical industry to 21st century techniques for responsible use of big data,” she told the group.

Industry representatives frequently cite technological barriers as a main reason for the impracticability of Brill’s plan. The wide swath of third-party information collectors feeding information into the “online shop” would create an “overlap of data,” Software & Information Industry Association Senior Director-Public Policy David LeDuc told us. “The notion that it’s a centralized entity ... that’s what seems so impractical about it.” Is there “some big great central database that somebody is working off of?” he asked. If so, who is controlling it, he asked. “It sounds simpler than it actually would be,” Direct Marketing Association Vice President-Government Affairs Rachel Thomas told us. It’s not just “five or six companies” that would be on this website -- it’s “hundreds or thousands,” she said.

"The discussion about the feasibility of Reclaim Your Name can be productive,” Brill said in an email. There will be technical challenges, she said, “but I believe they are surmountable.” Some companies have come to her to discuss these challenges. Brill hopes others will follow. Without endorsing Brill’s specific plan, Electronic Privacy Information Center Consumer Protection Counsel David Jacobs told us that “I think it’s the right conversation to have.” It comes down to the question of “whether we think that as a consumer when we have information collected about you then one of our rights is to have access to that file,” he said. “I think it should be a right."

Data broker Acxiom has made an attempt to grant that right. In September, the company began AboutTheData.com, which allows people to see what data Acxiom has collected about them -- whether Acxiom lists, according to the company, one as having a pet, being single or interested in jogging, for example. At the time, Brill praised the effort as a “first step down this important road towards greater transparency”. But privacy advocates said the site withheld more intimate details the company was collecting. The data broker investigation report that Senate Commerce Committee Chairman Jay Rockefeller, D-W.Va., released hours before Wednesday’s hearing on data brokers said Acxiom isn’t fully complying with all of his information requests . “The only information Acxiom withheld was a complete list of names of our data sources and names [of] our clients,” said Chief Privacy Officer Jennifer Barrett Glasgow by email. “This is because data sources are a competitive trade secret and we have confidentiality contracts with our clients."

The ability to access and correct data alone doesn’t stop companies from using data for illicit practices, argued consumer privacy advocates. Companies are evading the Fair Credit Reporting Act (FCRA) and the Health Insurance Portability and Accountability Act (HIPAA), which historically covered discriminatory use of data for eligibility determinations for things like insurance, employment and credit, said World Privacy Forum Executive Director Pam Dixon at the data broker hearing. More companies are creating and using “modeled consumer credit scores,” in Dixon’s words, or “propensity scores,” according to Sen. Ed Markey, D-Mass. He introduced the Do Not Track Kids Act (CD Dec 2 p1) and conducted an investigation of data broker business practices while in the House (CD Nov 9/12 p7).

"The pseudo credit scores, they're made up of about 1,500 factors, and are all non-credit file factors so they don’t fall under the Credit Reporting Act,” Dixon said. “This is troubling -- deeply troubling. We don’t know everything that goes into these scores. We need to.” Dixon said she was “stunned” to find characterizations that factored into these scores including “rape sufferer,” “genetic disease sufferer” and “victim of domestic violence.” Consumers volunteer this information “thinking they are getting help from a website,” without any idea “this information will be attached to not just a cookie, but their name, their home address, their phone number,” she said. HIPAA only covers health information held by a healthcare provider and FCRA only covers information provided for “credit elements,” Dixon said. “There is no law that says an employer cannot use these to determine job eligibility. There is no law that says an employer or an insurer cannot use these scores to determine rates because these are not regulated scores.”

"It seems on its face a violation of Section 5 of the Federal Trade Commission Act on unfair and deceptive practices,” said Markey at the hearing. “Our laws are limited,” FTC Bureau of Consumer Protection Director Jessica Rich responded. The FTC can go after deceptive practices or unfair practices, but “we have a lot of hoops to jump through to prove those,” she said. The agency can also enforce FCRA, said Rich. EPIC’s Jacobs told us a good example is an $800,000 settlement with data broker Spokeo (http://1.usa.gov/IYJ4FY). The FTC claimed the company was amassing information from online and offline data sources, including social networks, to create profiles it marketed to human resource companies as an employment screening tool. But the case wasn’t litigated in court, and FCRA doesn’t necessarily cover information provided for a non-FCRA purpose, such as information posted to a social media account, Jacobs said. So “sometimes you get weird results,” in those cases, he said. “Our big data world strains the seams of the FCRA,” Rich said in a June speech. Rich said at the hearing that “there’s nothing in our laws that would require the entities amassing those lists to tell consumers about it or allow them access to the data they have on them. And that’s the limitation.” Markey put it more bluntly: “We got a real issue here and it’s a real invitation for us to act."

Congress will cause harm if it acts, said DMA’s Thomas. The FCRA and FTC enforcement combine to “effectively” and “comprehensively” protect consumers, SIIA President Ken Wasch said in a statement. SIIA released a white paper Wednesday (http://bit.ly/1gILqHx) making this argument. The FCRA is “working well,” SIIA’s LeDuc said. The law is “keeping pace with technological innovation” and new forms of digital data aggregation from social media and mobile apps, Wasch said. The industry’s largest association, DMA, has a self-regulatory framework for ethical business practices that applies to all types of data collected and covers gaps in the law, Thomas said. The DMA gets roughly 16,000 to 20,000 consumer complaints a year, she said. From February 2012 to June 2013, DMA processed 16,808 complaints, according to the 2013 report. Twelve companies failed to come into compliance after DMA alerted them to a complaint, the report said. DMA can refer those non-compliant companies to the FTC for possible Section 5 or FCRA enforcement action, Thomas said.

The heavily industry-supported FCRA was not initially popular, Brill said this week. “Industry also expressed doubts about the Fair Credit Reporting Act ... as these important consumer tools were being developed,” she said. “Over time, industry and policymakers ironed out the wrinkles, including identifying which entities and practices to cover.” Now industry is strongly behind the law. Brill wants to stimulate “a similar discussion about data brokers,” she said. “By starting with a focus on companies that have gotten past the question of whether they are a ‘data broker’ and are willing to acknowledge the case for greater transparency, Reclaim Your Name can benefit them and consumers.”

"Commissioner Brill I love dearly, but I don’t see eye-to-eye with her,” LeDuc said. Reclaim Your Name is “inherently more challenging than it sounds,” he said. Perhaps Brill’s initiative isn’t perfect, but “you certainly can have a system where companies are providing access for consumers to the information they have about them,” EPIC’s Jacobs told us. “It might be a little more expensive, but that’s just going to have to be priced into your business model.” If industry, the government and the public determine access to one’s data is indeed a consumer right, “you either make that work or you don’t,” Jacobs said.