Big data and the growth of services that help us make sense of it are some of the more fascinating developments of our connected world, but in some cases they can be also some of the more scary, with companies collecting billions of data points that speak to every aspect of what we do online. Today, a report published by the Federal Trade Commission sheds light on the latter, darker underbelly of big data.
The 110-page study, which covers the activities of nine data brokers in particular (Acxiom, CoreLogic, Datalogix, eBureau, ID Analytics, Intelius, PeekYou, Rapleaf and Recorded Future, which FTC chairwoman Edith Ramirez said in a presentation today were representative of the industry), forms the muscle behind the FTC’s recommendation to Congress that it require companies like these to be more transparent about the data they collect, and give consumers more control over the data that is amassed.
To be clear, this report is not about breaking the law as such. “Our report does not uncover any illegal activity,” Ramirez noted today.
At issue here is consumer privacy, which has always been a theme of a lot of Internet services but that has become a greater flashpoint more recently for a couple of reasons: revelations about how our data has been monitored and used by organizations like the NSA; and the rise of malicious hacking that sees these vast stores of data get used in nefarious ways.
The FTC focuses on the more commercial, and sometimes useful, applications of this data — marketing campaigns, fraud prevention, and so on.
“Although consumers benefit from data broker practices which, for example, help enable consumers to find and enjoy the products and services they prefer, data broker practices also raise privacy concerns,” the FTC notes.
That’s the mild way of describing it, though. More alarmingly, FTC chairwoman Ramirez puts it like this:
“The extent of consumer profiling today means that data brokers often know as much – or even more – about us than our family and friends, including our online and in-store purchases, our political and religious affiliations, our income and socioeconomic status, and more…It’s time to bring transparency and accountability to bear on this industry on behalf of consumers, many of whom are unaware that data brokers even exist.”
Just how much data are we talking about here? In the U.S. alone, just one of the nine data brokers profiled in the FTC report “holds information on more than 1.4 billion consumer transactions and 700 billion data elements and another adds more than 3 billion new data points to its database each month.” Ugh.
Into this mix throw the fact that some brokers store data “indefinitely” and slice and dice it for a number of purposes — calling to mind the recent decision in Europe over the “right to be forgotten” that Google will now need to comply with.
Unbeknownst to the average consumer, this kind of data collection can still impact how they will be able to progress not just online but in life in general. The example the FTC gives is around “Biker Enthusiasts.” If your name happens to fall into that category, you could end up with some nice discounts on motorcycles, but when it comes to you sorting out your car insurance, you may end up with a higher premium because of your apparent interest in “risky behavior.”
This is, some believe, some of the most extensive statements that U.S. authorities have made about data brokers.
The FTC highlights a lot of different areas that it wants Congress to address and change going forward:
For data brokers that provide marketing products, Congress should consider legislation to:
- Centralized Portal. Require the creation of a centralized mechanism, such as an Internet portal, where data brokers can identify themselves, describe their information collection and use practices, and provide links to access tools and opt- outs;
- Access. Require data brokers to give consumers access to their data, including any sensitive data, at a reasonable level of detail;
- Opt-Outs. Require opt-out tools, that is, a way for consumers to suppress the use of their data;
- Inferences. Require data brokers to tell consumers that they derive certain inferences from from raw data;
- Data Sources. Require data brokers to disclose the names and/or categories of their data sources, to enable consumers to correct wrong information with an original source;
- Notice and Choice. Require consumer-facing entities – such as retailers – to provide prominent notice to consumers when they share information with data brokers, along with the ability to opt-out of such sharing; and
- Sensitive Data. Further protect sensitive information, including health information, by requiring retailers and other consumer-facing entities to obtain affirmative express consent from consumers before such information is collected and shared with data brokers.
For brokers that provide “risk mitigation” products, legislation should:
- When a company uses a data broker’s risk mitigation product to limit a consumers’ ability to complete a transaction, require the consumer-facing company to tell consumers which data broker’s information the company relied on;
- Require the data broker to allow consumer access to the information used and the ability to correct it, as appropriate.
For brokers that provide “people search” products, legislation should:
- Require data brokers to allow consumers to access their own information, opt-out of having the information included in a people search product, disclose the original sources of the information so consumers can correct it, and disclose any limitations of an opt-out feature.
So now what?
This is but a recommendation report, and it comes on the heels of an order from December 2012 when Congress required that these nine data brokers produce the data that went into this study.
Since then there has been so much public opinion focused around user privacy that it will be interesting to see how responsive decision-makers are to the FTC’s findings.
But even those who are positive about the FTC’s report are somewhat critical on this point.
“The commission’s calls for greater transparency and consumer control are insufficient,” says Chester at the CDD. “The real problem is that data brokers—including Google and Facebook—have embraced a business model designed to collect and use everything about us and our friends—24/7. Legislation is required to help stem the tide of business practices purposeful designed to make a mockery out of the idea of privacy for Americans.”
Actions sometimes speak louder than words and possibly even louder than data.
Full report below: