FTC Calls for Data Broker Transparency

Asks Congress to Enact Law Providing Consumer Protections

By , May 29, 2014.
FTC Calls for Data Broker Transparency

The Federal Trade Commission is urging Congress to enact privacy legislation that would provide consumers with more transparency about the activities of data brokers that collect sensitive health and financial data.

See Also: Combatting Account Takeover Fraud & Remote Access Trojans

Reacting to the FTC recommendation, two consumer advocates say the explosion of data broker activities in recent years, coupled with regulatory gaps, point to the need for some legislative reforms to protect consumer privacy.

A May 27 FTC report that examined nine companies describes data brokers as "companies whose primary business is collecting personal information about consumers from a variety of sources and aggregating, analyzing and sharing that information, or information derived from it, for purposes such as marketing products, verifying an individual's identity, or detecting fraud."

The FTC says data brokers raise privacy concerns for consumers because "significantly, data brokers typically collect, maintain, manipulate and share a wide variety of information about consumers without interacting directly with them."

The report notes: "In light of these findings, the commission unanimously renews its call for Congress to consider enacting legislation that would enable consumers to learn of the existence and activities of data brokers and provide consumers with reasonable access to information about them held by these entities."

The FTC says data broker legislation should include provisions for protecting sensitive information by requiring that consumer-facing sources, such as such as social media sites, retailers, financial services companies and other organizations that provide data to brokers, obtain consumers' express consent before they collect the information. "Because few consumers know about the existence of data brokers, meaningful notice from the data source provides an important opportunity for consumers to learn that their data is shared with data brokers and how to exercise control over the use of their data," the FTC report states.

For data brokers involved with providing data used for marketing purposes, the FTC points out that "they may facilitate the sending of advertisements about health, ethnicity, or financial products, which some consumers may find troubling and which could undermine their trust in the marketplace."

For instance, "while data brokers have a data category for 'diabetes interest' that a manufacturer of sugar-free products could use to offer product discounts, an insurance company could use that same category to classify a consumer as higher risk," the FTC writes.

Also, the FTC report points out that data brokers are not covered under HIPAA. As a result, data broker breaches involving health information are not reportable to the Department of Health and Human Services.

"Some of the data brokers store all data indefinitely, even if it is later updated, unless otherwise prohibited by contract," the FTC report also notes. "Although stored data may be useful for future business purposes, the risk of keeping the data may outweigh the benefits. For example, identity thieves and other unscrupulous actors may be attracted to the collection of consumer profiles that would give them a clear picture of consumers' habits over time, thereby enabling them to predict passwords, challenge questions, or other authentication credentials."

As a best practice, the FTC recommends that "as part of privacy by design, data brokers should strive to assess their collection practices and, to the extent practical, collect only the data they need and properly dispose of the data as it becomes less useful. This is particularly important in light of companies' increased ability to collect, aggregate, and match consumer data and to develop secondary uses for the data in ways that consumers could never have contemplated when they provided the information."

Consumer Advocates React

One consumer advocate says the FTC report is a step in the right direction. "In general we're pleased to see that the FTC identify health data as sensitive personal information that deserves special attention from data brokers and regulators," says Gautam Hans, a fellow at the Center for Democracy & Technology.

Follow Marianne Kolbasuk McGee on Twitter: @HealthInfoSec

  • Print
  • Tweet Like LinkedIn share
Get permission to license our content for reuse in a myriad of ways.
ARTICLE Questions Over Plane Hacking Report

Did information security expert Chris Roberts exploit vulnerabilities in airplanes' onboard...

Latest Tweets and Mentions

ARTICLE Questions Over Plane Hacking Report

Did information security expert Chris Roberts exploit vulnerabilities in airplanes' onboard...

The ISMG Network