List Brokers Are Data Brokers, Says FTC
New laws to regulate consumer data called for by FTC do not include individual marketers, but do include brokers of mailing lists.
FTC: Legislation needed to curb data brokers.
The report released on May 27 by the Federal Trade Commission detailing reports ordered from nine so-called data brokers in late 2012 paints the picture of an “industry” that collects sensitive data from people without their knowledge, shares consumer information incestuously so that its source is undetectable, and discriminates against Latinos and African Americans by relegating them to “sensitive categories.” The report concludes that “in the nearly two decades since the Commission first began to examine data brokers, little progress has been made to improve transparency and choice.”
The report—“Data Brokers: A Call for Transparency and Accountability”—defines data brokers as entities whose primary business is collecting and selling consumer information. While individual enterprises and marketers collect personal data and often sell it, Tiffany George, a senior attorney in the FTC's division of privacy and identity protection, said it was the agency's view that they not be classified as data brokers. List brokers that have long supplied targeted lists to direct mailers, however, fall under the classification. “If your primary business is collecting data from various sources, you're a data broker,” George said. “We consider list brokers to be data brokers.”
The report moved FTC Commissioner Julie Brill to quote Shakespeare's Othello in her written reaction: “[He] that filches from me my good name robs me of that which not enriches him.” While Brill admitted that the profiles sold by data brokers often benefit consumers, she decried marketers that treat people differently based on race, income, and sexual orientation. “If data broker profiles are based on inaccurate information or inappropriate classifications, or used for inappropriate purposes, the profiles have the ability to not only rob us of our good name, but also to lead to lost economic opportunities, higher costs, and other significant harm,” Brill wrote.
The nine companies upon whose operations the report was based were asked to file an exhaustive list of details about their businesses, including the nature and purpose of all their products and services, the sources of all types of personal data collected, the means by which they are collected, how often the data is updated, and what kinds of clients use it. Companies required to participate were Acxiom, Corelogic, Datalogix, eBureau, ID Analytics, Intelius, PeekYou, Rapleaf, and Recorded Future.
Analysis of the submitted documents led the FTC to determine that self-regulation of consumer data by brokers and marketers has been insufficient. The subsequent report calls upon Congress to enact new legislation to regulate marketers' use of customer data through:
- Creating a centralized mechanism for data brokers to identify themselves and describe how they collect and use data
- Giving consumers access to their data and providing them with the ability to suppress it
- Disclosing to consumers that inferences might be drawn about them based on their raw data
- Providing “prominent notice” to consumers that they share their data and whom they share it with, giving consumers the ability to opt out
Marketing groups have long contended that self-regulatory programs such as the Digital Advertising Alliance's opt-out program and the Direct Marketing Association's best practices programs are doing a sufficient job policing bad actors in the data game. “We applaud the FTC for the work they do, but at the same time, this is the fourth study on data brokers they've done and, again, no harm has been shown,” said Peggy Hudson, SVP of government affairs for DMA. “Now nine companies and hundreds of thousands of pages of information have been reviewed, and the misuses that are alleged to be out there are not occurring.”
In addition to legislation, the FTC report recommends that data brokers should voluntarily adopt practices such as collecting only the data they need, disposing of unused data, and refraining from collecting information from children and teens—all of which are already being done, Hudson maintained.
“We think the rules are already in place and the rules are working,” Hudson said. “Abuses are dealt with immediately and, if they're not resolved, they are turned over to the FTC.”