
Are Data Brokers Following Privacy Principles?

Heart of privacy Column
“These people are gullible. They believe that their luck can change.”

That was the description of a list sold a few years ago by data broker InfoUSA. It contained information on 19,000 elderly people who had a habit of playing sweepstakes. The buyers were experienced scam artists. They stole over US$100 million from targeted victims.

In this age of digital omnipotence, one business model has come to the forefront: data brokers. Data brokers deal in data: collecting it, combining it, and selling it. Although data brokers existed prior to the internet, their business model has exploded. Some of the statistics on data brokers may surprise you:

  • There are over 4,000 data brokers worldwide (Gartner puts the number close to 5,000);
  • One of the largest data brokers, Acxiom, has over 25,000 servers globally and expects a fiscal 2017 revenue of nearly US$900 million;
  • ProPublica has voting data on about 80 percent of Americans;
  • Datacoup pays people for access to social media and credit card accounts; and,
  • Data brokers have about 1,500 data points on average about each individual (most people cannot list 1,500 things about themselves, but the brokers can).

Data brokers can specialize in the type of data they deal in, such as consumer, corporate or commercial, scientific or technical, real estate, or geolocation. Further, data brokers offer a range of services, from simple (mere data collected and cleaned), to smart (applied analytics and rules), to adaptive (per specific request and in context). Of course, their costs range from free to highly expensive.

Where does the data come from? In general, data brokers get information from a wide variety of sources — scraping online data from retail “loyalty cards,” or access granted by individuals. On the flip side, there are businesses that specialize in helping consumers erase data or be removed from datasets.

The big question is not really a question to anyone. As in-house counsel, we recognize the value of having data. We just might not realize the huge market of data brokers. The benefits of using data brokers are huge for companies that wish to understand their audience, advertise to specific audiences at specific times, customize communications, gain insight for marketing campaigns both online and off, and monetize data by connecting it across product streams and by validating data on hand.

From great to small, data brokers’ revenue streams are marketing, risk mitigation, and people search. Customers are many and broad in scope — attorneys, insurers, lenders, hospitality, retail, government, utilities, media, etc.

Acxiom has been one of the largest and most outspoken data brokers — a rarity, as many will not respond to reporters. One of the services Acxiom offers is identity verification, stating:
“Today’s digital, need-it-now-don’t-make-me wait world has made fraud and deception easier and more frequent than ever before. Stolen or fraudulent identities cost companies billions of dollars a year in lost revenues and write-offs. Companies need to be as certain as possible that applicants, customers, or vendors are who they say they are.”
This service brings to mind that in the data protection world, authentication of individuals is expected.

The second principle, which is listed in the Organisation for Economic Co-operation and Development (OECD) privacy principles, is data quality. This includes that data should be accurate. Verifying identity through data analysis would help meet this principle as long as the data is correct.

Another key risk mitigation avenue is fraud detection. Data brokers do this in myriad ways, such as detecting patterns of use, disassociations (e.g., address listed is not associated with an individual), and email history. Another method is verifying someone’s listed income against tax filings to determine authenticity. In addition, data brokers can help companies who have had a data breach by determining if there has been a misuse of the data breached.

Given the prevalence and potential intrusiveness of data brokers (which are largely unregulated, especially in the United States), the US Federal Trade Commission (FTC) has studied them rather extensively. This has not, however, resulted in meaningful regulation of data brokers specifically. The laws coming into force in Europe may reduce the reach of data brokers. However, that control relies on consumers making specific choices about their data, which is not likely to occur to an extent that would significantly impact data brokers.

The FTC’s findings were:

  • Data brokers collect consumer data from numerous sources, largely without consumers’ knowledge;
  • The data broker industry is complex, with multiple layers of data brokers providing data to each other;
  • Data brokers collect and store billions of data elements covering nearly every US consumer;
  • Data brokers combine and analyze data about consumers to make inferences about them, including potentially sensitive inferences; and,
  • Data brokers combine online and offline data to market to consumers online.

It is not surprising that the FTC recommended extensive legislation addressing data brokers. But the FTC also recommended that data brokers implement privacy-by-design and that they take measures to ensure that their services are not used against individuals in a discriminatory manner. Also, data brokers should limit information collected from minors.

What’s more, Acxiom issued a data doctrine advocating for nearly the same items as the FTC. This “call to action” included five major points:

  • Provide core transparency and choice;
  • Enforce stringent data-source screening;
  • Don't use data for credit or insurance;
  • Restrict use of sensitive data; and,
  • Keep marketing data secure.

The General Data Protection Regulation (GDPR) in Europe also addresses these points, albeit not specifically at data brokers. The requirements apply equally to data brokers and include such elements as data controller responsibilities, oversight of processors, processor responsibilities, transparency, security, limitation on use, sensitive data restrictions, and automated decision-making. These requirements are reflected in both the FTC report and the data doctrine by Acxiom.

It is critical that companies that use data brokers — which appears to be most of them — insist on the data broker adhering to basic privacy principles, whether or not the GDPR or other data protection regime applies. As counsel, we should assess data brokers as we would vendors to whom we give data. Indeed, services by data brokers often include cleaning and analyzing the data we provide.

About the Author

K Royal is the technology columnist for, and vice president, AGC privacy, and compliance/privacy officer at CellTrust Corp. @heartofprivacy
