Privacy and Advertising Alert

Date: May 29, 2014

FTC Calls for Greater Transparency for Data Brokers

The Federal Trade Commission (FTC or Commission) called for legislative and industry actions in a 110-page report on the practices of data brokers, released Tuesday.  The report is the culmination of an 18-month study of information obtained from nine data brokers, including such prominent companies as Axciom and Intelius, through responses to FTC compulsory orders to provide data and information.  Based on its review, the FTC believes that consumers are not aware of the depth or breadth of information collected about them, and that consumers’ ability to make choices about the use of their data is limited, where it is available at all.  At the same time, the Commission praised certain practices implemented by some of the data brokers.  (For example, the FTC singled out and praised Acxiom for allowing consumers to access, correct, and opt out of having information about them collected.)  The Commission also acknowledged the benefits of data broker products in  preventing fraud, improving product offerings, and delivering tailored ads to consumers.

The Commission offered a number of specific recommendations for Congress to consider in legislation addressing data brokers’ collection and use of consumers’ data.  All of the FTC’s recommendations about legislation on data brokers’ products echo themes from the White House’s Consumer Privacy Bill of Rights.  The Commission calls for:

  • allowing consumers to find out what data is collected about them and the type of data that may be derived from raw data;
  • the opportunity for consumers to correct erroneous data (where appropriate); and
  • opt-out options, with certain limitations, depending on context.  

The Commission also offered a number of specific recommendations according to its classification of three data products: marketing products, risk mitigation products, and people search products.  For marketing products, the FTC recommends that Congress consider requiring consumer-facing entities to disclose that they share consumer data and give consumers an opportunity to opt out.  For risk mitigation products, the FTC recommends that Congress consider allowing consumers to access information that negatively influences the consumer’s ability to get benefits from a consumer-facing entity, and to correct that information if appropriate.  For people search products, the FTC recommends that Congress consider allowing consumers to access their own information, suppress its use, disclose the sources of information, and disclose limitations on any opt-out options.

The prospects of the FTC’s recommendations are unclear.  Legislators are increasingly pushing new legislation to address privacy issues resulting from the collection of personal data, and the Congressional Bi-Partisan Privacy Caucus is also among the largest caucuses in Congress.  The White House also released a report earlier this month addressing similar data collection practices (“Big Data”) and urging greater government regulation.  Yet even though legislation on consumers’ data collection has often been proposed, no bill or set of bills appears to enjoy broad bipartisan support in a tough election year.  Company initiatives, like Axciom’s, and other possible self-regulatory responses may be more likely in the short term.  Also possible are enforcement actions by the FTC itself even in the absence of any new legislation.  Although standard enforcement under the FTC’s deception authority is available if statements about data products are not true, the Commission has recently used a novel interpretation of its unfairness authority to sue Wyndham Hotels following the company’s data breach, citing failure to offer reasonable and appropriate security.  An April 2014 New Jersey federal court decision bolstered this approach, FTC v. Wyndham Worldwide Corp., No. 2:13-cv-01887-ES-JAD (D.N.J. Apr. 7, 2014), which may encourage further exploration by the FTC of its unfairness authority in connection with data collection practices as well as security measures.  Given the increasing focus on privacy and security practices of data brokers, and implications of possible restrictions on both brokers and their customers, close attention to developments and recommendations remains appropriate.