On November 15, 2013, the U.S. Government Accountability Office released a report on the statutory legal protections for consumers with regard to the use of data for marketing purposes by data brokers.
The GAO report canvasses the existing federal consumer legal protections applicable to information resellers and finds them wanting with regard to the use of the data for marketing purposes. Specifically, the GAO concluded the following:
– “[I]nformation about an individual’s physical and mental health, income and assets, mobile telephone numbers, shopping habits, personal interests, political affiliations, and sexual habits and orientation,” can legally be collected, shared, and used for marketing purposes. The report notes limits on HIPAA’s applicability to health-related marketing lists used by e-health websites.
– Although some industry participants have stated that current privacy laws are adequate – particularly in light of self-regulatory measures – there are gaps in the current statutory privacy framework that do not fully address “changes in technology and marketplace practices that fundamentally have altered the nature and extent to which personal information is being shared with third parties.”
– Current law is often out of step with the fair information practice principles.
According to the GAO, Congress should therefore consider strengthening the current consumer privacy framework in relation to consumer data used for marketing while not unduly inhibiting the benefits to industry and consumers from data sharing. In doing so, Congress should consider:
– the adequacy of consumers’ ability to access, correct, and control their personal information in circumstances beyond those currently accorded under FCRA;
– whether there should be additional controls on the types of personal or sensitive information that may be collected and shared;
– changes needed, if any, in the permitted sources and methods for data collection; and
– privacy controls related to new technologies, such as web tracking and mobile devices.
GAO Report at 19, 46-47.
The GAO Report is the most recent expression of support for comprehensive privacy legislation from within the federal government. In this regard, the report echoes the Obama Administration’s 2012 Privacy Blueprint and the FTC’s 2012 Privacy Report, both of which called for baseline privacy legislation. The FTC Privacy Report also reiterated the agency’s support for a privacy law targeted to data brokers. The GAO Report, by contrast, implies that a general privacy law could suffice to address the issues raised by data brokers.