Data brokers are invisible to consumers and unbridled by regulation. The Federal Trade Commission (FTC) has repeatedly emphasized the need for targeted legislation to regulate this industry. In an attempt to bolster self-regulatory efforts, the FTC’s March 2012 privacy report, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers, calls on data brokers to post their data collection practices and to provide consumers with choices on what information is being collected and retained. However, self-regulatory efforts have largely failed.
Perhaps until now. The following events may change the regulatory landscape for companies engaging in data mining practices.
Lawmakers Release Information on Data Brokers’ Collection and Use of Consumer Information
On November 8, 2012, a bipartisan group of lawmakers, including Reps. Edward Markey and Joe Barton, Co-Chairmen of the Congressional Bi-Partisan Privacy Caucus, released responses to letters sent last July to nine major data brokerage companies regarding their data mining practices. The results were disconcerting. The companies reported they were collecting consumer data from a variety of sources, including telephone directories, mobile phones, government agencies, financial institutions, social media sites, and consumers themselves. All but one (Acxiom, whose relevance is discussed below) rejected the categorization of their business practices as “data brokerage.” And only Acxiom provided information on the number of consumers who requested access to their information in the last two years: 77 out of 190 million consumers from whom data had been mined.
In a joint statement released the same day, lawmakers characterized the companies’ responses as offering “only a glimpse of the practices of an industry that has operated in the shadow for years.” Lawmakers vowed to continue their efforts to learn more about the data brokerage industry and to “push for whatever steps are necessary to make sure Americans know how this industry operates and are granted control over their own information.”
Recall that Acxiom Corporation’s mining practices had been unveiled by the New York Times last June. The Times characterized Acxiom as the world’s largest commercial database on consumers, operating tens of thousands of servers to collect and analyze consumer data on hundreds of millions of consumers worldwide across trillions of data transactions a year. The article reported that Acxiom and others operate an extremely profitable enterprise, yielding over $77 million per fiscal year, and enjoy a broad customer base of banks, investment services, automakers, department stores, and just about any major company looking for insight into its consumers.
FTC Settlement with Online Data Brokerage Company, Compete, Inc.
On October 22, 2012, the FTC announced its proposed settlement with web analytics company Compete, Inc. The FTC alleged the company used web-tracking software to follow the browsing behavior of millions of consumers without disclosing the extent of the information being collected. Compete got unwitting consumers to download the tracking software by, among other things, promising rewards for sharing opinions about products and services on an online forum. Once installed, the tracking component collected information about consumers’ online activity and captured information consumers entered into websites, including consumers’ usernames, passwords, credit card and financial account information, security codes, and Social Security Numbers. Compete then compiled this data to generate consumer reports, which it sold to clients wanting to improve their website traffic and sales. The FTC alleged the company failed to adopt reasonable data security practices and deceived consumers about the amount of personal information that its website would collect, and also charged Compete with deceptive practices for falsely claiming that the data it kept was anonymous. The proposed settlement requires Compete to obtain consumers’ express consent before collecting any data from software downloaded onto consumers’ computers, to delete personal information already collected, and to provide directions for uninstalling its software.
FTC to Host December 2012 Workshop on Data Mining
On December 6, 2012, the FTC will host a public workshop, entitled “The Big Picture: Comprehensive Data Collection,” which will explore the practices and privacy implications of comprehensive data collection. The FTC’s preliminary agenda includes an examination by consumer protection organizations, academics, business and industry representatives, and privacy professionals of the technological landscape related to data mining, its benefits and risks, consumer knowledge and attitude, and the future of comprehensive data collection. The workshop will likely address many of the questions left unanswered by the nine data brokers queried by lawmakers regarding the companies’ data mining practices.
It remains to be seen whether these events will provide enough legislative momentum to bring about industry-wide change. Until then, data brokers will continue their practice of unfettered commercial data mining of sensitive consumer information.