The Federal Trade Commission is urging Congress to enact privacy legislation that would provide consumers with more transparency about the activities of data brokers that collect sensitive health and financial data.
Reacting to the FTC recommendation, two consumer advocates say the explosion of data broker activities in recent years, coupled with regulatory gaps, points to the need for some legislative reforms to protect consumer privacy.
A May 27 FTC report that examined nine companies describes data brokers as "companies whose primary business is collecting personal information about consumers from a variety of sources and aggregating, analyzing and sharing that information, or information derived from it, for purposes such as marketing products, verifying an individual's identity, or detecting fraud."
The FTC says data brokers raise privacy concerns for consumers because "significantly, data brokers typically collect, maintain, manipulate and share a wide variety of information about consumers without interacting directly with them."
The report notes: "In light of these findings, the commission unanimously renews its call for Congress to consider enacting legislation that would enable consumers to learn of the existence and activities of data brokers and provide consumers with reasonable access to information about them held by these entities."
The FTC says data broker legislation should include provisions for protecting sensitive information by requiring that consumer-facing sources, such as social media sites, retailers, financial services companies and other organizations that provide data to brokers, obtain consumers' express consent before they collect the information. "Because few consumers know about the existence of data brokers, meaningful notice from the data source provides an important opportunity for consumers to learn that their data is shared with data brokers and how to exercise control over the use of their data," the FTC report states.
For data brokers involved with providing data used for marketing purposes, the FTC points out that "they may facilitate the sending of advertisements about health, ethnicity, or financial products, which some consumers may find troubling and which could undermine their trust in the marketplace."
For instance, "while data brokers have a data category for 'diabetes interest' that a manufacturer of sugar-free products could use to offer product discounts, an insurance company could use that same category to classify a consumer as higher risk," the FTC writes.
Also, the FTC report points out that data brokers are not covered under HIPAA. As a result, data broker breaches involving health information are not reportable to the Department of Health and Human Services.
"Some of the data brokers store all data indefinitely, even if it is later updated, unless otherwise prohibited by contract," the FTC report also notes. "Although stored data may be useful for future business purposes, the risk of keeping the data may outweigh the benefits. For example, identity thieves and other unscrupulous actors may be attracted to the collection of consumer profiles that would give them a clear picture of consumers' habits over time, thereby enabling them to predict passwords, challenge questions, or other authentication credentials."
As a best practice, the FTC recommends that "as part of privacy by design, data brokers should strive to assess their collection practices and, to the extent practical, collect only the data they need and properly dispose of the data as it becomes less useful. This is particularly important in light of companies' increased ability to collect, aggregate, and match consumer data and to develop secondary uses for the data in ways that consumers could never have contemplated when they provided the information."
Consumer Advocates React
One consumer advocate says the FTC report is a step in the right direction. "In general we're pleased to see that the FTC identifies health data as sensitive personal information that deserves special attention from data brokers and regulators," says Gautam Hans, a fellow at the Center for Democracy & Technology.
"Given that inferences about individual lives that data brokers may draw as a result of amassing health data could affect individual care, consumers should be protected from unlawful discrimination or treatment," he says. "The report points out that existing laws like HIPAA do not cover some sources of data - like apps or wearable devices - that data brokers collect," he says. "These regulatory gaps emphasize the need for the legislative reforms that the report calls for in order to ensure that health privacy receives the necessary protections and that consumers feel secure when using new products and services."
Deborah Peel, M.D., founder of advocacy group Patient Privacy Rights, says federal legislators and regulators need to crack down on data brokers, especially those that deal with sensitive information, such as health data.
"This is clearly a case where the government must pass laws that require personal control over personally identifiable information to restore our rights to privacy, because we can't possibly do it ourselves," Peel says. "Worse, the FTC seems not to have a handle on the size of the health data broker industry. ... Personal information is the 'oil' of the digital age - and our personal information belongs to each of us. ... If the data brokers want our data, they should just ask. If we think the benefits are worth it, we will say 'yes'."
Call for Action
Among the recommendations in the FTC report:
- Congress should seek to enable consumers to easily identify which data brokers may have data about them and where they should go to access such information and exercise opt-out rights. Legislation could require the creation of a centralized mechanism, such as an Internet portal, where data brokers can identify themselves, describe their information collection and use practices, and provide links to access tools and opt outs.
- Congress should consider requiring data brokers to clearly disclose to consumers that they not only use the raw data that they obtain from their sources, such as a person's name, address, age, and income range, but that they also derive from the data certain data elements. The FTC notes: "Allowing consumers to access data about themselves is particularly important in the case of sensitive information - and inferences about sensitive consumer preferences and characteristics - such as those relating to certain health information."
- Congress should consider requiring data brokers to disclose the names and/or categories of their sources of data, so that consumers are better able to determine if, for example, they need to correct their data with an original public record source.
- Congress should consider requiring consumer-facing entities, such as social media sites, retailers, financial services companies and others, to provide a prominent notice to consumers that they share consumer data with data brokers and provide consumers with choices about the use of their data, such as the ability to opt out of sharing their information with data brokers.