Today, the Federal Trade Commission (FTC) issued nine administrative orders seeking information to analyze the "Data Broker Industry’s Collection and Use of Consumer Data." From the FTC:
"The nine data brokers receiving orders from the FTC are: 1) Acxiom, 2) Corelogic, 3) Datalogix, 4) eBureau, 5) ID Analytics, 6) Intelius, 7) Peekyou, 8) Rapleaf, and 9) Recorded Future. The FTC is seeking details about:
- the nature and sources of the consumer information the data brokers collect;
- how they use, maintain, and disseminate the information; and
- the extent to which the data brokers allow consumers to access and correct their information or to opt out of having their personal information sold.
Earlier this year the FTC called on the data broker industry to improve the transparency of its practices as part of a Commission report, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers."
The questions being asked track closely the questions posed in a U.S. PIRG/Center for Digital Democracy paper "Selling Consumers, Not Lists" (SSRN version), which is forthcoming in the Suffolk University Law Review. Some of the issues raised by the paper were discussed in an August 2012 New York Times story on "Secret E-Scores" being used for decision-making on the Internet. From the paper's abstract:
This paper explores the new world of financial decision-making that draws on a range of Internet techniques. While some practices are being regulated as traditional credit reports under the Fair Credit Reporting Act, credit bureaus and other financial firms are expanding into currently non-regulated areas, including online marketing and sales. Does the FCRA need to be updated to address the growing use of real-time database scoring and decision-making on the Internet? Where is the line drawn between when an online real-time decision-making score is used simply to serve advertising for a financial product or to make a decision about “establishing the consumer’s eligibility” for credit? When an online profile is used for “establishing the consumer’s eligibility” for credit, does it become a consumer report? As financial firms use powerful digital tools to precisely identify and market to potential customers in real-time, are they compiling prescreened lists actionable under the FCRA?
U.S. PIRG has long supported improving compliance with the Fair Credit Reporting Act, which governs the activities of firms known as credit bureaus that sell information bearing on a consumer's creditworthiness, primarily for credit, insurance or employment decision-making. The FCRA gives consumers rights to look at their credit reports and dispute inaccurate information, as well as to restrict the use of their files for credit or insurance marketing. All other forms of marketing from credit reports are banned. One of U.S. PIRG's reports on credit bureau mistakes is here.
Data brokers claim to sell only a variety of "public record" information databases that do not meet the FCRA's triggers for regulation. They claim the information that they sell does not meet the "information that bears on a consumer's creditworthiness" standard of the FCRA and further that their files are not used for credit, insurance or employment decisions. Therefore, the brokers argue, they are not credit bureaus and can do whatever they want, including selling secret digital dossiers of consumers to any company on the Internet.
The FTC's inquiry is to determine whether consumers should have greater rights when data brokers compile and sell information about them. After it reviews the responses, the FTC could do one of two things. First, it could find that some or all of the data broker practices bring them under the FCRA. This would give consumers greater rights, including the right to review and dispute their data broker files and to limit their uses. In particular, these new rights would include the FCRA's consumer right to restrict, or "opt-out," of their use for credit or insurance marketing. All other uses, including for general marketing purposes, would be banned, regardless of whether a consumer chose to opt-out. Second, the FTC could also decide, even if some data broker practices do not trigger the responsibilities of the FCRA, to propose that a parallel set of enforceable "data broker consumer rights" be established.
The questions posed by the FTC also track recent similar information requests to some of these and other data brokers from the Bi-Partisan Congressional Privacy Caucus. Last week, Suffolk paper co-author Jeff Chester of CDD and I were panelists in a standing-room-only Capitol Hill briefing by the caucus. The event also featured a number of the data brokers.
A key difference in the inquiries, of course, is that the FTC's demands were made through a form of legal administrative subpoena using its broad investigative powers. Non-compliance is not an option.
Recently, with the strong support of U.S. PIRG, which included generating 10,000 comment letters from our members in support, the new Consumer Financial Protection Bureau (CFPB) began to supervise the largest credit bureaus, using powers never granted to the FTC to ensure the accuracy of these reports sold by the big 3 credit bureaus (Experian, Equifax and Trans Union) and other very large "specialty" credit bureaus. Get more information on how to complain to the CFPB and about your credit reporting rights.
Last week, the CFPB issued its first major report on credit bureaus and the accuracy of credit reports. But the FTC shares jurisdiction over the FCRA with the CFPB. The FTC also remains the nation's chief privacy protection agency with authority to investigate the practices of both the data brokers and credit bureaus and to regulate information sharing by firms on the Internet. U.S. PIRG has worked closed with both agencies to ensure that consumers have greater rights to ensure that the files companies prepare and sell on them are accurate and to control their uses.