5/27. The Federal Trade Commission (FTC) released a
document [110 pages in PDF] titled "Data Brokers: A Call for Transparency and
Accountability". It recommends legislation to regulate data brokers and
others. See also, FTC
Outline of this Article:
• Congressional Reaction.
• FTC's Findings.
• FTC's Legislative Recommendations.
• FTC's Best Practices Recommendations.
• Recent Developments.
• Commissioner Brill's Concurrence.
• Iago the Privacy Advocate.
Summary. This document recommends that the Congress consider legislation to regulate
the business practices of data brokers and others. It recommends one set of requirements for
data brokers that sell marketing products, another for data brokers that sell risk mitigation
products, and another for data brokers offering people search products. It also "calls
on the data broker industry to adopt several best practices".
These recommendations pertain to disclosures by data brokers and consumer facing companies
that supply data to data brokers about their data related practices, and consumer access to data
about them held by data brokers.
For example, data brokers that sell marketing products would have "to provide
consumers access to their data, including sensitive data held about them, at a reasonable
level of detail, and the ability to opt out of having it shared for marketing purposes".
This document does not contain legislative recommendations regarding data breaches,
data retention, or data security.
This document also contains numerous findings, such as that lengthy data retention
increases security risks to consumers, that are not followed with legislative recommendations.
This document does not supply any draft legislative text.
This document does not adopt or propose any changes to FTC rules promulgated
under the Section 5 of the FTC Act, or any other section. It does not provide
guidance as to how the FTC might apply Section 5, or any other section, to data
brokers, data suppliers, or purchasers of data products, in future enforcement actions.
The FTC studied nine data brokers in preparing this document:
ID Analytics, Intelius,
and Recorded Future.
This document, and its recommendations, pertain only to "companies". It does
not address government aggregation of data.
The five member Commission voted 4-0 to approve this document. Commissioner
did not participate. Commissioner Julie Brill wrote a concurring statement in which she
urged additional legislative mandates. Commissioner
Joshua Wright voted
for this item, and did not write a separate statement. However, footnotes disclose that
he does not support all of the recommendations in this document.
Congressional Reaction. Sen. John
Rockefeller (D-WV), the outgoing Chairman of the
Senate Commerce Committee (SCC), stated in a
release that "The new FTC review of data broker practices reflects growing
consensus that this industry sorely lacks transparency and accountability."
Sen. Rockefeller added that "big data practices pose risks of consumer harm including
discrimination based on financial, health, and other personal information. Congress can no
longer put off action on this important issue. We owe it to consumers to provide them with
greater control over how data brokers are obtaining and using their personal data."
Sen. Rockefeller introduced S 2025
WW], the "Data
Broker Accountability and Transparency Act" on February 12, 2014.
Sen. Ed Markey (D-MA) is the only cosponsor.
The bill would give consumers a right to review information about them held by data brokers.
It states that "A data broker shall provide an individual a means to review any personal
information or other information that specifically identifies that individual".
This bill would also give consumers a right to contest information. It states that "An
individual whose personal information is maintained by a data broker may dispute the accuracy
of any information ... by requesting, in writing, that the data broker correct the
This bill would also give consumers a right preclude data brokers from using,
selling or sharing information about them for marketing purposes.
Rep. Joe Barton (R-TX) stated in a release
that "The data broker industry is one that is largely unregulated and currently collects
large sums of data on consumers." Rep. Bobby Rush
(D-IL) stated in the same release that "Consumers should and do want to know more about
which companies have access to their personal information, what those entities may know about
them, and how they go about sharing and acquiring so much personal data about people."
Rep. Rush introduced HR 4400
WW], the "Data
Accountability and Trust Act", on April 11, 2013. Rep. Barton is the lead cosponsor. There
are four other cosponsors -- all Democrats. This is a huge and broad bill. It is not directed
at data broker practices. It would regulate data security practices and mandate and regulate
data breach notifications.
Other versions of this bill were introduced in previous Congresses. For the 111th Congress,
see HR 2221 [LOC |
WW]. For the 112th
Congress, see HR 2577 [LOC
FTC's Findings. There is an argument, that is more often advanced by economists
than lawyers, and more often by proponents of limited government than by market interventionists,
that any federal entity with authority to regulate commercial activity ought only act to
protect consumer welfare, and only upon a finding of either actual consumer harm, or market
This argument does not always prevail. The federal government often acts upon mere
articulation of hypothetical and prospective harms. The findings in this FTC document
disclose that the FTC is proposing that the Congress act solely on the basis of hypothetical
This documents make numerous references to "potential risks", "potential
harm", "potential effects", and "potential ... discrimination".
However, it does not make any findings of actual consumer harm. And, it does not engage in
market analysis, or make any findings of market failure.
The FTC finds that "There are a number of potential risks to consumers from data
brokers' collection and use of consumer data. For example, if a consumer is denied the ability
to conclude a transaction based on an error in a risk mitigation product, the consumer can be
harmed without knowing why."
On the other hand, the FTC also finds that "Consumers Benefit from Many of the
Purposes for Which Data Brokers Collect and Use Data: Data broker products help to prevent
fraud, improve product offerings, and deliver tailored advertisements to consumers. Risk
mitigation products provide significant benefits to consumers by, for example, helping
prevent fraudsters from impersonating unsuspecting consumers. Marketing products benefit
consumers by allowing them to more easily find and enjoy the goods and services they need
and prefer. In addition, consumers benefit from increased and innovative product offerings
fueled Federal Trade Commission by increased competition from small businesses that are
able to connect with consumers they may not have otherwise been able to reach. Similarly,
people search products allow individuals to connect with old classmates, neighbors, and
The FTC also finds that data brokers "Collect Consumer Data from Numerous Sources,
Largely Without Consumers’ Knowledge", "Collect and Store Billions of Data Elements
Covering Nearly Every U.S. Consumer", "Combine and Analyze Data About Consumers to
Make Inferences About Them", and "Combine Online and Offline Data to Market to
The FTC also finds that "The Data Broker Industry is Complex, with Multiple Layers
of Data Brokers Providing Data to Each Other".
"Data brokers provide data not only to end-users, but also to other data brokers.
The nine data brokers studied obtain most of their data from other data brokers rather than
directly from an original source. Some of those data brokers may in turn have obtained the
information from other data brokers. Seven of the nine data brokers in the Commission’s
study provide data to each other. Accordingly, it would be virtually impossible for a
consumer to determine how a data broker obtained his or her data; the consumer would have
to retrace the path of data through a series of data brokers."
FTC's Legislative Recommendations. The FTC offers recommendations for three
legislative regimes -- for "data brokers that sell marketing products", for
"data brokers that sell risk mitigation products", and for "data brokers
offering people search products". These legislative regimes would also reach entities
other than data brokers.
Regarding data brokers that sell marketing products, the FTC recommends legislation with
four components. First, "Congress should seek to enable consumers to easily identify
which data brokers may have data about them and where they should go to access such information
and exercise opt-out rights. Legislation could require the creation of a centralized mechanism,
such as an Internet portal, where data brokers can identify themselves, describe their
information collection and use practices, and provide links to access tools and opt
Second, "Congress should consider requiring data brokers to clearly disclose
to consumers (e.g., on their websites) that they not only use the raw data that they
obtain from their sources, such as a person’s name, address, age, and income range, but
that they also derive from the data certain data elements. Allowing consumers to access
data about themselves is particularly important in the case of sensitive information --
and inferences about sensitive consumer preferences and characteristics -- such as those
relating to certain health information."
Third, "Congress should consider requiring data brokers to disclose the names and/or
categories of their sources of data, so that consumers are better able to determine if, for
example, they need to correct their data with an original public record source."
Fourth, "Congress should consider requiring consumer-facing entities to provide a
prominent notice to consumers that they share consumer data with data brokers and provide
consumers with choices about the use of their data, such as the ability to opt-out of sharing
their information with data brokers. Congress should also consider protecting sensitive
information, such as certain health information, by requiring that consumer-facing sources
obtain consumers’ affirmative express consent before they collect sensitive
Regarding data brokers that sell risk mitigation products, the FTC recommends that
"Congress consider legislation that provides consumers with transparency when a
company uses a risk mitigation product to limit consumers' ability to complete a transaction.
Specifically, when a risk mitigation product adversely impacts a consumer’s ability to
obtain certain benefits, the consumer-facing company should identify the data brokers whose
data the company relied upon; these data brokers could, in turn, give consumers the right
to access the information used and, where appropriate, correct any erroneous
The FTC, however, buries in a footnote that it "does not have any information
on the prevalence of errors in the consumer data that underlie data brokers'
risk mitigation products". The FTC also footnoted that "Commissioner Wright
believes that this recommendation is premature because there is no evidence
about the existence or scope of this hypothetical problem."
Regarding data brokers offering
people search products, the FTC recommends that the Congress consider legislation to
"allow consumers to access their own information", "allow consumers to
suppress the use of this information", "disclose to consumers the data brokers’
sources of information, so that, if possible, consumers can correct their information
at the source", and "disclose any limitations of the opt-out option, such as
the fact that close matches of an individual’s name may continue to appear in search
The FTC's document does not contain any draft legislative language. It does not contain
recommendations regarding whether or not the FTC would have enforcement and/or rulemaking
authority, whether or not states should also have enforcement authority, whether or not
there should be any private right of action, or whether or not state laws should be
FTC's Best Practices Recommendations. This FTC document also contains
numerous best practices recommendations for data brokers.
For example, the FTC recommends that "data brokers should conduct due diligence
to ensure that data that they intend for marketing or risk mitigation purposes is not used
to deny consumers credit, insurance, employment, or the like".
The FTC "recommends that data brokers take reasonable precautions to ensure
that downstream users of their data do not use it for eligibility determinations
or for unlawful discriminatory purposes".
The FTC elaborates that "the use of race, color, religion, and certain other
categories to make credit, insurance, and employment decisions is already
against the law, but data brokers should help ensure that the information does
not unintentionally go to unscrupulous entities that would be likely to use it
for unlawful discriminatory purposes" (Footnotes omitted.)
The FTC does not cite any actual occurrence of such a practice.
Also, it noted, regarding Commissioner Wright, that "Before imposing additional
obligations on data brokers to conduct due diligence, he would like to see evidence about
the existence, nature, and scope of any such problematic uses."
Finally, this document does not explain what would be the consequences, if any, in a
future enforcement action, of a data broker failing to comply with these best practices.
Recent Developments. The just released document is the third in a series.
The FTC released a
report [112 pages in PDF] on March 26, 2012 titled "Protecting Consumer Privacy
in an Era of Rapid Change: Recommendations For Businesses and Policymakers". See also,
stories titled "FTC Releases Second Report on Privacy Issues", "Reaction to
FTC Privacy Report", and "Commentary: Unfair v. Deceptive Conduct" in
TLJ Daily E-Mail Alert No.
2,357, March 26, 2012.
The FTC released a
document [122 pages in PDF] on December 10, 2010, titled "Protecting Consumer
Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers".
See also, story titled "Divided FTC Proposes Do Not Track Regime" in
TLJ Daily E-Mail Alert No.
2,169, December 5, 2010.
On December 18, 2013 the SCC held a hearing titled "What Information Do
Data Brokers Have on Consumers, and How Do They Use It?".
On May 1, 2014, the Executive Office of the President (EOP) released a
paper [85 pages in PDF] titled "Big Data: Seizing Opportunities, Preserving Values".
On May 13, 2014, the Technology Policy
Institute (TPI) released a
paper [26 pages in PDF] titled "Big Data, Privacy, and Familiar Solutions".
The authors are the TPI's Thomas Leonard and Paul Rubin. This paper anticipates and counters
some of the FTC's recommendations.
For example, the FTC recommends that consumers have access to certain data about them
collected by data brokers. The TPI paper counters that "if we make it easier for
individuals to access their data then we also make it easier for those bent on fraud to
access the same data".
Also, the FTC recommends that consumers have the ability to correct information. The TPI
paper states that "Giving consumers the ability to correct their information may be
more complicated than it might appear, even aside from the administrative complexities."
That is, consumers will have interests in both correcting false information, and in changing
correct information that negatively affects them. The TPI paper argues that "Distinguishing
between these various ``corrections´´ may be quite difficult."
Also, the FTC recommends that data brokers be required to describe their information
collection and use practices. The TPI paper argues that "Electronic information is
frequently used in complex ways that are difficult or impossible to explain. It would not
be feasible for websites to meaningfully convey this information through a notice, and
consumers would not devote the hours required to understand it."
This TPI paper also argues that first "policy makers should ask whether there is a
market failure or evidence of harm to consumers". Then, "If evidence of market failure
or harm is found, the next question for policy makers is whether an available remedy (or
remedies) can reasonably be expected to yield benefits greater than costs and therefore
net benefits to consumers." (Parentheses in original.)
Commissioner Brill's Concurrence. FTC Commissioner
Julie Brill wrote a concurring
statement. She wants legislation to also require data brokers to monitor their clients
use of data "to ensure that their clients do not use their products for unlawful
She also wants legislation to require that data brokers monitor their data sources
"to ensure that their original sources of information obtained appropriate consent
She expressed the concern that data could be used for racial profiling, and race based
discrimination. However, she conceded that nothing in the FTC's document "suggests
that data brokers or their clients are running afoul of anti-discrimination law". And,
she cited no actual violation in her concurrence.
She also wrote a second
statement that offers her "understanding" of the FTC's legislative
Iago the Privacy Advocate. Commissioner Brill began her concurring statement with a
quotation from Shakespeare's play titled
[H]e that filches from me my good name
Robs me of that which not enriches him,
And makes me poor indeed.
This is one of Iago's lines from Act III, Scene 3. Iago is one of the most despicable
characters in all of Shakespeare's works. He works his evil, not by force and violence, but by
deception. He says this to Othello, as he manipulates him into suspecting his
wife Desdemona of infidelity with Cassio.
Iago is not trying to protect anyone's good name. He is destroying reputations for his own
advancement. In Shakespeare's plays, as in Washington today, those who rhetorically advance
a policy goal are often among those doing the most to undermine attainment of that goal.
Iago is talking about slander to reputation, not databases. Prior to Shakespeare's time
there were various types of proceedings that sounded in the nature of defamation. However,
shortly after Othello the English courts developed the common law right of action
for defamation into something similar to what prevails in state courts in the U.S. today.
(See, Edward Jenks,
History of English Law, at pages 145-148.)
This FTC document is about the aggregation, retention, and sharing of huge quantities
of data about individuals. Moreover, this data is overwhelmingly accurate rather
than defamatory, useful to the
companies that acquire it, and beneficial to markets and consumers.
Shakespeare did address the downside to individuals of data aggregation, but
not in his tragedy Othello. He did so in one of his history plays,
Henry VI, Part 2, in
Act IV, in his portrayal of a series of events in 1450 known as Cade's Rebellion.
Shakespeare's character Jack Cade condemns data storage, the people who record the
data, the people who use the data, and their technologies. Of course, digital storage,
electronic computing, and IP networking did not exist then. Cade and his followers condemn
the manufacture of paper, writing with quill "pen and ink-horn", and people who
"Is not this a lamentable thing," says Cade, "that parchment, being
scribbled o'er, should undo a man?"
Cade's recommendations go further than the FTC's. He does not want a right of access
and correction. He wants to "burn all the records of the realm" and "kill
all the lawyers".