Caveat Vendor

The FTC’s Five Specific Recommendations to Limit Data Brokers: Spur to Action or Legislative Dead-End?

June 02, 2014

Behnam Dayanim and Michael London*

* Summer associate; George Washington University Law School (J.D. expected 2015).

Last week, the Federal Trade Commission released its long anticipated report: Data Brokers: A Call for Transparency and Accountability. The FTC is the latest federal agency to demand increased transparency for the biggest collectors of personal information. Data brokers collect significant amounts of consumer information, which is used for a variety of corporate services, including marketing and risk management.  To write the report, the FTC collected data from some of the largest data brokers, including Acxiom, Datalogix, and Rapleaf. According to the report, Acxiom has collected information on 700 million consumers worldwide, while Rapleaf possesses data on over eight percent of all email addresses in the United States.

Although traditional credit reporting agencies such as Experian, TransUnion and Equifax are subject to the statutory framework of the Fair Credit Reporting Act and similar requirements, this new wave of data brokers often is not. These new data brokers are not covered by the FCRA because they collect data for marketing purpose or fraud prevention products.  The FTC report explains that  information collected for these purposes does not fall within the scope of the statute.

The FTC’s call to action echoes those made by the Government Accountability Office and senior members of Congress, including Senate Commerce Committee Chairman Jay Rockefeller (D-WV) and chair emeritus of the House Energy and Commerce Committee Joe Barton (R-TX). Though the FTC’s report does not initiate any new rulemaking, it suggests several significant legislative recommendations.

The FTC’s Legislative Proposals

The FTC report embraces five legislative proposals.

• First, the FTC recommends that Congress require data brokers to increase disclosure of their data collection practices.

• Second, the report recommends that Congress require consumer-facing sources to obtain affirmative consent prior to collecting sensitive information with the purpose of selling it to a data broker.

• Third, it advises that consumer-facing websites should be required to notify consumers that they sell data to data brokers.

• Fourth, it advocates for requiring data brokers to provide consumers with access to information collected about them.

• Finally, it recommends requiring data brokers to reveal their sources of information in an effort to allow consumers to correct any mistakes at the source.

Although all of these recommendations hold the potential for significant impact on how the data broker industry operates, some are certain to attract more debate than others.  The last, in particular, may raise sensitivities in an industry where sources of information are regarded as highly sensitive and often as a proprietary competitive advantage.

Reaction to the report has been mixed. The Direct Marketing Association criticized the report for failing to identify any actual harm as a result of the status quo.  The DMA also noted that a number of the report’s recommendations are already implemented via self-regulatory programs. Conversely, the Center for Democracy and Technology, a consumer advocacy group, lauded the report’s recommendations and reiterated its position that  “consumers should not have to do all the legwork” to protect themselves.

Potential Impact of the FTC Report

Although the FTC’s report aims to effect a paradigm shift in the degree of transparency into data brokers and collected information, its recommendations will likely have little immediate impact. The report recommends legislative solutions, suggesting perhaps that the FTC does not believe it has authority to impose these requirements under existing statutes.  However, the report may increase the pressure on Congress to address the issues it discusses.

As it stands now, there are bipartisan bills in both chambers of Congress that include a number of the FTC’s recommendations. Nonetheless, as we’ve seen with efforts to modernize the Electronic Communications Privacy Act and to create a national data breach notification requirement, privacy legislation – like all other legislation – has faced difficult sledding in a bitterly divided and hyper-partisan Congress.  The FTC report represents the Obama Administration’s latest attempt to break the logjam.

Caveat Vendor is Paul Hastings’ Consumer Issues blog. We welcome your feedback. Please contact our blog editor with any thoughts or suggestions.

Subscribe to Caveat Vendor by Email. You will receive an email when the blog has been updated.