[Senate Hearing 113-693]
[From the U.S. Government Publishing Office]
S. Hrg. 113-693
WHAT INFORMATION DO DATA BROKERS HAVE
ON CONSUMERS, AND HOW DO THEY USE IT?
=======================================================================
HEARING
BEFORE THE
COMMITTEE ON COMMERCE,
SCIENCE, AND TRANSPORTATION
UNITED STATES SENATE
ONE HUNDRED THIRTEENTH CONGRESS
FIRST SESSION
__________
DECEMBER 18, 2013
__________
Printed for the use of the Committee on Commerce, Science, and
Transportation
U.S. GOVERNMENT PUBLISHING OFFICE
95-838 PDF WASHINGTON: 2015
________________________________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Publishing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
ONE HUNDRED THIRTEENTH CONGRESS
FIRST SESSION
JOHN D. ROCKEFELLER IV, West Virginia, Chairman
BARBARA BOXER, California            JOHN THUNE, South Dakota, Ranking
BILL NELSON, Florida                 ROGER F. WICKER, Mississippi
MARIA CANTWELL, Washington           ROY BLUNT, Missouri
MARK PRYOR, Arkansas                 MARCO RUBIO, Florida
CLAIRE McCASKILL, Missouri           KELLY AYOTTE, New Hampshire
AMY KLOBUCHAR, Minnesota             DEAN HELLER, Nevada
MARK WARNER, Virginia                DAN COATS, Indiana
MARK BEGICH, Alaska                  TIM SCOTT, South Carolina
RICHARD BLUMENTHAL, Connecticut      TED CRUZ, Texas
BRIAN SCHATZ, Hawaii                 DEB FISCHER, Nebraska
EDWARD MARKEY, Massachusetts         RON JOHNSON, Wisconsin
CORY BOOKER, New Jersey
Ellen L. Doneski, Staff Director
James Reid, Deputy Staff Director
John Williams, General Counsel
David Schwietert, Republican Staff Director
Nick Rossi, Republican Deputy Staff Director
Rebecca Seidel, Republican General Counsel and Chief Investigator
C O N T E N T S
----------
Hearing held on December 18, 2013
Statement of Senator Rockefeller
Staff report entitled ``A Review of the Data Broker Industry:
Collection, Use, and Sale of Consumer Data for Marketing
Purposes'' by the Office of Oversight and Investigations
Majority Staff
Statement of Senator Thune
Prepared statement of Alicia Puente Cackley, Director,
Financial Markets and Community Investment, U.S. Government
Accountability Office
Statement of Senator Booker
Statement of Senator Johnson
Statement of Senator Blumenthal
Statement of Senator Markey
Statement of Senator McCaskill
Statement of Senator Fischer
Witnesses
Jessica Rich, Director, Bureau of Consumer Protection, Federal
Trade Commission
Prepared statement
Pam Dixon, Executive Director, World Privacy Forum
Prepared statement
Joseph Turow, Robert Lewis Shayon Professor of Communication,
Associate Dean for Graduate Studies, Annenberg School for
Communication, University of Pennsylvania
Prepared statement
Tony Hadley, Senior Vice President of Government Affairs and
Public Policy, Experian
Prepared statement
Jerry Cerasale, Senior Vice President of Government Affairs,
Direct Marketing Association
Prepared statement
Appendix
Response to written question submitted to Jessica Rich by:
Hon. John D. Rockefeller IV
Hon. Kelly Ayotte
Response to written questions submitted to Jerry Cerasale by:
Hon. Amy Klobuchar
Hon. Kelly Ayotte
WHAT INFORMATION DO DATA BROKERS
HAVE ON CONSUMERS, AND HOW DO THEY USE IT?
----------
WEDNESDAY, DECEMBER 18, 2013
U.S. Senate,
Committee on Commerce, Science, and Transportation,
Washington, DC.
The Committee met, pursuant to notice, at 2:31 p.m., in
room SR-253, Russell Senate Office Building, Hon. John D.
Rockefeller IV, Chairman of the Committee, presiding.
OPENING STATEMENT OF HON. JOHN D. ROCKEFELLER IV,
U.S. SENATOR FROM WEST VIRGINIA
The Chairman. The Committee will come to order.
There are, at this point, two people sitting at the dais,
and they are two wonderful people, but I would be pleased if
there were more. Senator Blumenthal and Senator Pryor, Senator
Markey, Senator Fischer, Senator Warner will be here.
But this is the day that we almost vote on the budget,
actually. We don't quite. We always find ways to do it. You
have the motion to proceed to it, and then you have a motion
to--whatever. And then tomorrow at some point we vote on the
budget. Just be grateful you are in private life.
[Laughter.]
The Chairman. OK. You are all welcome.
The disclosures about U.S. intelligence activities over the
past few months have sparked a very public debate in this
country about what kinds of information the government should
be gathering and how we protect the privacy of Americans who
have done nothing wrong.
The Snowden disclosures have harmed our country's national
security, but they have made Americans think more than they
usually do about how their lives, both online and offline, can
be tracked, monitored, and analyzed. People are aware of that,
not to the extent that they are in Great Britain, where they
are so accustomed to being videotaped in everything they do. We
are still going through that adjustment period.
I am glad we are talking about these important privacy
issues, in general and today. We have all benefited from the
rapid advances in computing technology, but we also cherish our
personal freedoms. We always use that word, ``cherish'' our
personal freedoms. But we do. And it is a complicated subject.
And we want to be able to protect ourselves and our loved ones
from the unwanted gaze of the government and our neighbors.
What has been missing from this conversation so far is the
role that private companies play in collecting and analyzing
our personal information. A group of companies known
collectively as ``data brokers'' are gathering massive amounts
of data about our personal lives and selling this information
to marketers. We don't hear a lot about the private-sector data
broker industry, but it is playing a large and growing role in
our lives.
Let me provide a little perspective. In the year 2012,
which you will recall was last year, the data broker industry
generated $156 billion in revenues--that is more than twice the
size of the entire intelligence budget of the United States
Government--all generated by the effort to learn about and sell
the details about our private lives. Whether we know it or like
it or not, makes no difference.
One of the largest data broker companies, Acxiom, recently
boasted to its investors that it can provide, quote, ``multi-
sourced insight into approximately 700 million customers
worldwide.''
When government or law enforcement agencies collect
information about us, they are restrained by our Constitution
and our laws, and they are subject to the oversight of courts,
inspectors general, and the United States Congress through the
Intelligence Committee in the Senate and the House.
And I have served on the Intelligence Committee since
before 9/11, and I can declare to you absolutely without a
single thought that the protection that NSA provides to
security and secrecy is far better than what we are going to be
talking about today. They have rules. They have all kinds of
judges and hoops that you have to jump through. The FBI is
involved, DOJ. It is all--it is very tight.
And every day you read the paper, you would think it didn't
exist, it is just the government gone wild. But particularly
when it comes to domestic, which is called Section 215, it is
very tightly monitored, and there is never content, there is
never e-mail, and there is never a name--never a name. There is
just a telephone number.
But data brokers go about their business with little or no
oversight. While there are laws on the books that protect the
privacy of Americans' health and financial information, they do
not cover data brokers' marketing activities.
Collecting consumers' information for marketing purposes is
not a new business. For decades before the Internet was
invented, retailers, marketers, and, yes, political candidates
compiled mailing lists that they used to send catalogs, coupon
books, or other materials to their potential customers.
But the data broker industry has been revolutionized in
recent years by the tremendous advances in computing and data
analysis. And as consumers spend more and more time socializing
and shopping online, they are generating rich new streams of
personal data to collect and analyze, on the part of the data
brokers.
These days, data brokers don't just know our address, our
income level, our political affiliation, most probably, they
probably know the weight of everybody in the family. They have
collected thousands of data points about each one of us, and we
are simply not aware of it, except in theory.
They know if you have diabetes or suffer from depression.
They know if you smoke cigarettes. They know your reading
habits, your browsing habits. They know how much you and your
family members weigh. And they may even know how many whiskey
drinks you have consumed in the last 30 days.
We wouldn't reveal that kind of information, would we?
Senator Thune. Of course not.
The Chairman. No.
[Laughter.]
The Chairman. Like the pieces of a mosaic, data brokers
combine data points like these into startlingly detailed and
intimate profiles of American consumers.
Under current laws, we have no right to see these pictures
of ourselves that these companies have created. We have no
right. For the past year, this committee has been trying to
bring some much-needed oversight to the data broker industry.
Where is the copy of our report? Oh, it is under here. I
have it.
We have been pushing the data brokers to answer the same
kinds of questions many Americans have been asking the
government since the Snowden disclosures: What information are
you collecting about us, and how are you using the information?
Today's hearing is the first time we are publicly
discussing what we are learning in this investigation. The
Commerce Committee staff has also prepared a report for me and
for the Ranking Member on the progress of this investigation.
It is thus. More to come.
I ask unanimous consent to put a copy of this report in the
record of this hearing.
[The report follows:]
Table of Contents
Executive Summary
I. Background
A. GAO Review of Privacy Laws Applicable to Data Brokers
B. Voluntary Industry Guidelines
C. Privacy and Consumer Protection Issues Regarding Data Broker
Practices
Privacy Issues
Potentially Harmful Uses of Data Broker Products
Use of Predictive Scoring Products for Marketing
Data Breaches
D. Recent FTC and Congressional Reviews of the Data Broker
Industry
II. Committee Investigation
III. Committee Majority Staff Findings Regarding Industry Practices
A. Data Broker Collection of Consumer Data
1. Nature of Data Collected
2. Sources of Consumer Data
a. Government Records and Other Publicly
Available Data
b. Purchase or License
c. Cooperative Arrangements
d. Self-Reporting by Consumers
e. Social Media
B. Data Broker Products
1. How Data Brokers Package Consumer Information
2. Issues Regarding Data Broker Products
a. Products that Identify Financially
Vulnerable Populations
b. Scoring Products that Mirror Tools
Regulated under the Fair Credit Reporting Act
C. Data Broker Customers and How They Use Data Broker Products
1. Who Buys the Data
2. New Mechanisms for Using Data
D. Data Broker Transparency and Privacy Practices
1. Disclosure Limitations
2. Consumer Access and Control Rights
3. Opt-Out Rights
IV. Conclusion
Appendices and Exhibits
Appendix I: Federal Laws that May Be Applicable to Information
Collected by Data Brokers
Appendix II: Sample List of Targeting Products Identifying Financially
Vulnerable Populations
Appendix III: Sample List of Offline Elements Available for Online
Advertising
Exhibit A: Sample Consumer Surveys
Exhibit B: Sample Product Descriptions
Exhibit C: Experian ChoiceScore Marketing Description
______
Executive Summary
Consumers are conducting more and more of their daily business
online and through their mobile devices. They use the Internet and
their smart phones and tablets to make purchases, research medical
conditions, plan vacations, interact with friends and relatives, do
their jobs, map travel routes, and otherwise pursue their interests.
With these activities, consumers are creating a voluminous and
unprecedented trail of data regarding who they are, where they live,
and what they own.
At the same time, the Internet and other technological advances
have made consumer data easier to access, analyze, and share.
Information that in years past was accessible only through a trip to
the library or courthouse can now be readily available to millions
online, as computing capabilities for storing and reviewing information
continue to grow at exponential rates.
These changes have fueled the growth of a multi-billion dollar
industry that largely operates hidden from consumer view. Today, a wide
range of companies known as ``data brokers'' collect and maintain data
on hundreds of millions of consumers, which they analyze, package, and
sell generally without consumer permission or input. Since consumers
generally do not directly interact with data brokers, they have no
means of knowing the extent and nature of information that data brokers
collect about them and share with others for their own financial gain.
Data brokers collect and sell information for a variety of purposes
including for fraud prevention, credit risk assessment, and marketing.
Their customer base encompasses virtually all major industry sectors in
the country in addition to many individual small businesses. Some of
the most well-known products sold by data brokers are credit reports
that businesses use to make eligibility determinations for, among other
things, credit, insurance, and employment--activities where consumers
have detailed statutory consumer protections regarding the accuracy and
sale of their information.
This Committee Majority staff report focuses on data broker
activities that are subject to far less statutory consumer protection:
the collection and sale of consumer data specifically for marketing
purposes. In this arena, data brokers operate with minimal
transparency.
One of the primary ways data brokers package and sell data is by
putting consumers into categories or ``buckets'' that enable
marketers--the customers of data brokers--to target potential and
existing customers. Such practices in many cases may serve the
beneficial purpose of providing consumers with products and services
specific to their interests and needs. However, it can become a
different story when buckets describing consumers using financial
characteristics end up in the hands of predatory businesses seeking to
identify vulnerable consumers, or when marketers use consumers' data to
engage in differential pricing.
Further, the data breaches that have repeatedly occurred in this
industry and with others in the data economy underscore the public's
need to understand the volume and specificity of consumer
information held by data brokers.
In light of these issues and the Chairman's longstanding commitment
to consumer protection and privacy matters, the Committee opened an
inquiry last October to shine a light on how the data broker industry
operates, with a specific focus on nine representative companies that
sell consumer data for marketing purposes. The Committee's inquiry
sought answers to four basic questions:
What data about consumers does the data broker industry
collect?
How specific is this data?
How does the data broker industry obtain consumer data?
Who buys this data and how is it used?
In response to the Committee's inquiries, the companies queried
provided documents and narrative explanations. While some of the
companies have been completely responsive to this inquiry, several
major data brokers to date have remained intent on keeping key aspects
of their operations secret from both the Committee and the general
public.
Based on review of the company responses and other publicly
available information, this Committee Majority staff report finds:
(1) Data brokers collect a huge volume of detailed information on
hundreds of millions of consumers. Information data brokers
collect includes consumers' personal characteristics and
preferences as well as health and financial information. Beyond
publicly available information such as home addresses and phone
numbers, data brokers maintain data as specific as whether
consumers view a high volume of YouTube videos, the type of car
they drive, ailments they may have such as depression or
diabetes, whether they are a hunter, what types of pets they
have, or whether they have purchased a particular shampoo
product in the last six months;
(2) Data brokers sell products that identify financially vulnerable
consumers. Some of the respondent companies compile and sell
consumer profiles that define consumers in categories or
``score'' them, without consumer permission or knowledge of the
underlying data. A number of these products focus on consumers'
financial vulnerability, carrying titles such as ``Rural and
Barely Making It,'' ``Ethnic Second-City Strugglers,''
``Retiring on Empty: Singles,'' ``Tough Start: Young Single
Parents,'' and ``Credit Crunched: City Families.'' One company
reviewed sells a marketing tool that helps to ``identify and
more effectively market to under-banked consumers'' that the
company describes as individuals including ``widows'' and
``consumers with transitory lifestyles, such as military
personnel'' who annually spend millions on payday loans and
other ``non-traditional'' financial products. The names,
descriptions and characterizations in such products likely
appeal to companies that sell high-cost loans and other
financially risky products to populations more likely to need
quick cash, and the sale and use of these consumer profiles
merits close review;
(3) Data broker products provide information about consumer offline
behavior to tailor online outreach by marketers. While
historically, marketers used consumer data to locate consumers
to send catalogs and other marketing promotions through the
mail, or contact via telephone, increasingly the information
data brokers sell marketers about consumers is provided
digitally. Data brokers provide customers digital products that
target online outreach to a consumer based on the dossier of
offline data collected about the consumer;
(4) Data brokers operate behind a veil of secrecy. Data brokers
typically amass data without direct interaction with consumers,
and a number of the queried brokers perpetuate this secrecy by
contractually limiting customers from disclosing their data
sources. Three of the largest companies--Acxiom, Experian, and
Epsilon--to date have been similarly secretive with the
Committee with respect to their practices, refusing to identify
the specific sources of their data or the customers who
purchase it. Further, the respondent companies' voluntary
policies vary widely regarding consumer access and correction
rights regarding their own data--from virtually no rights to
the more fulsome policy reflected in the new access and
correction database developed by Acxiom.
I. Background
While there is no statutory definition for ``data brokers,'' the
Federal Trade Commission (FTC) has defined this term to include
``companies that collect information, including personal information
about consumers, from a wide variety of sources for the purpose of
reselling such information to their customers for various purposes,
including verifying an individual's identity, differentiating records,
marketing products, and preventing financial fraud.'' \1\ This report
relies on the FTC definition of data broker, and focuses specifically
on the collection and sale of consumer information for the purpose of
marketing.
---------------------------------------------------------------------------
\1\ Federal Trade Commission, Protecting Consumer Privacy in an Era
of Rapid Change, at 68 (Mar. 2012) (hereafter ``FTC Privacy Report'').
These companies may also be referred to as ``information resellers.''
See Government Accountability Office, Information Resellers: Consumer
Privacy Framework Needs to Reflect Changes in Technology and the
Marketplace, GAO-13-663 (Sept. 2013) (hereafter ``GAO Information
Resellers Report'').
---------------------------------------------------------------------------
The practice of collecting and selling consumer data to help
businesses conduct marketing has existed for many decades. Long before
the advent of the Internet, e-mail, or the mobile economy, data brokers
developed expertise in compiling consumer data to facilitate targeted
outreach to consumers through direct mail.\2\ Toward that end companies
have for many years assembled information about consumers from public
records, surveys and sweepstakes entries, to develop consumer lists for
use by marketers in targeting mailings and phone calls.\3\
---------------------------------------------------------------------------
\2\ For example, after the introduction of zip codes in 1963,
direct mail marketing companies used zip code data to make assumptions
about individuals, such as the kinds of magazines they read, the foods
they ate, and political affiliations. In 1974, social scientist
Jonathan Robbin created PRIZM (Potential Rating Index for Zip Markets),
which combined ZIP Codes with census data and consumer surveys to help
target direct mail marketing. Michael J. Weiss, The Clustering of
America (1988).
\3\ Financial Times, Data Brokers Compile Lists to Map Your Life
before you Reach the Cradle (June 13, 2013).
---------------------------------------------------------------------------
What is new in recent years, however, is the tremendous increase in
the volume and quality of digitally recorded data--and the
technological advances that have facilitated access to, storage,
analysis, and sharing of this information.\4\ Information that was
previously public but required a trip to places such as a library or
courthouse to retrieve can now be instantaneously accessible to
millions when posted on the Internet. At the same time, consumers
increasingly are expanding their digital data footprint as they go
about their daily routines.
---------------------------------------------------------------------------
\4\ See Kenneth Cukier and Viktor Mayer-Schoenberger, The Rise of
Big Data: How It's Changing the Way We Think about the World, Foreign
Affairs, at 28-40 (May/June 2013) (noting that while in 2000 ``only one
quarter of all the world's stored information was digital'' and ``the
rest was preserved on paper, film, and other analog media,'' by 2013
``less than two percent of all stored information is non-digital'');
Charles Duhigg, The Power of Habit: Why We Do What We Do in Life and
Business, Chapter 7; Software & Information Industry Association, Data-
Driven Innovation: A Guide for Policymakers--Understanding and Enabling
the Economic and Social Value of Data, at 1-9 (2013); Organization for
Economic Co-operation and Development, The Evolving Privacy Landscape:
30 Years After the OECD Privacy Guidelines, OECD Digital Economy
Papers, No. 176, at 16-18 (2011) (online at
http://dx.doi.org/10.1787/5kgf09z90c31-en).
---------------------------------------------------------------------------
For example, millions of consumers are now using computers, smart
phones, and tablets to make purchases, plan trips, and research
personal financial and health questions, among other activities.\5\
These digitally recorded decisions provide insights into the consumer's
habits, preferences, and financial and health status. A wide and ever-
expanding variety of other routine activities also are becoming part of
consumers' digital trail--from viewing decisions regarding video
streaming services \6\ to online searches and mapping requests \7\ to
personal fitness monitoring through wearable devices \8\ to stocking
``smart'' refrigerators that record food purchases and monitor
expiration dates.\9\
---------------------------------------------------------------------------
\5\ See Pew Internet & American Life Project, Broadband and
Smartphone Adoption Demographics (Aug. 27, 2013) (online at
http://www.pewinternet.org/Infographics/2013/Broadband-and-smartphone-adoption.aspx)
(``Today 56 percent of American adults own a smartphone
of some kind, compared with 70 percent who have broadband at home'');
Pew Internet & American Life Project, Cell Phone Activities 2012.
\6\ Salon.com, How Netflix is Turning Viewers into Puppets (Feb. 1,
2013).
\7\ Time Magazine, Data Mining: How Companies Now Know Everything
About You (Mar. 10, 2011).
\8\ Entrepreneur, How Fitbit Is Cashing In on the High-Tech Fitness
Trend (July 27, 2012).
\9\ NPR, The Salt, The `Smart Fridge' Finds the Lost Lettuce, for A
Price (May 4, 2012).
---------------------------------------------------------------------------
Amid this continuing growth in consumers' digital records, there
has been a ``vast increase'' in the number and types of companies that
collect and sell consumer data.\10\ No comprehensive list of such
companies currently exists, but estimates indicate the data broker
industry consists of many hundreds of members.\11\ Media accounts and
other reports in recent years have provided glimpses into some of the
ways data brokers are obtaining, compiling, and sharing consumer
data.\12\ However, data broker activities have remained largely
obscured from public view because these companies generally do not
collect data directly from consumers and many of their practices lie
outside the ambit of Federal consumer protection laws.
---------------------------------------------------------------------------
\10\ GAO Information Resellers Report, supra n.1, at 34.
\11\ GAO Information Resellers Report, supra n.1, at 5 (noting:
``Several privacy related organizations and websites maintain lists of
data brokers--for example, Privacy Rights Clearinghouse lists more than
250 on its website--but none of these lists claim to be comprehensive.
The Direct Marketing Association, which represents companies and
nonprofits that use and support data-driven marketing, maintains a
proprietary membership list, which it says numbers about 2,500
organizations (although that includes retailers and others that
typically would not be considered information resellers)'').
\12\ E.g., New York Times, You for Sale: Mapping, and Sharing, the
Consumer Genome (June 16, 2012) (focusing on data broker Acxiom and
reporting that the company maintains about 1,500 data points per
consumer that include information on the size of home loans, household
incomes, or whether a household is concerned about certain health
conditions).
---------------------------------------------------------------------------
A. GAO Review of Privacy Laws Applicable to Data Brokers
In light of these changes regarding the availability and sale of
consumer information, Chairman Rockefeller requested that the
Government Accountability Office (GAO) review the privacy laws
applicable to consumer information collected and sold for marketing
purposes.\13\ In response, in September 2013, GAO released a report
concluding that there is no one comprehensive privacy law governing
information collection and sale of consumer data by private sector
companies \14\ and that further, existing privacy laws have ``limited
scope'' regarding the collection, use, and sale of consumer data for
marketing purposes.\15\
---------------------------------------------------------------------------
\13\ GAO Information Resellers Report, supra n. 1 at 1. To address
these objectives, GAO analyzed laws, studies and other documents, and
interviewed representatives of Federal agencies, the data broker
industries, consumer and privacy groups, and others. Id.
\14\ GAO Information Resellers Report, supra n.1, at 7.
\15\ GAO Information Resellers Report, supra n.1, at 16.
---------------------------------------------------------------------------
Specifically, GAO found that under current law, consumers have no
Federal statutory right to know what information data brokers have
compiled about them for marketing purposes, or even which data brokers
hold any such information. Further, with the exception of information
used for pre-screened offers of credit and insurance,\16\ consumers
generally do not have the right to control what personal information is
collected, maintained, used, and shared about them--even where such
information concerns personal or sensitive matters about an
individual's physical and mental health. In addition, no Federal law
provides consumers with the right to correct inaccuracies in the data
or assumptions made by data brokers on their own profiles.\17\
---------------------------------------------------------------------------
\16\ 15 U.S.C. Sec. 1681b(c). The Fair Credit Reporting Act
provides consumers opt-out rights for such information. 15 U.S.C.
Sec. 1681b(e).
\17\ GAO Information Resellers Report, supra n.1, at 16-19.
---------------------------------------------------------------------------
GAO does note that a ``more narrowly tailored'' set of laws
concerning private sector use of consumer information exists which
``apply for specific purposes, in certain situations, to certain
sectors, or to certain types of entities.'' \18\ For example, the Fair
Credit Reporting Act imposes a number of obligations on consumer
reporting agencies (CRAs), which are entities that assemble consumer
information into ``consumer reports,'' \19\ commonly referred to as
credit reports, for use by issuers of credit and insurance, and by
employers, landlords, and others in making eligibility decisions
affecting consumers. The FCRA prohibits the sale of consumer reports
for other than a permissible purpose. The FCRA does not allow the use
of credit reports for marketing purposes, though marketing via pre-
screened offers of credit and insurance is allowed, where it is a firm
offer of credit and consumers are provided the opportunity to opt-out
of such offers in the future.\20\
---------------------------------------------------------------------------
\18\ GAO Information Resellers Report, supra n.1, at 7.
\19\ A ``consumer report'' means any written, oral, or other
communication of any information by a consumer reporting agency bearing
on a consumer's credit worthiness, credit standing, credit capacity,
character, general reputation, personal characteristics, or mode of
living which is used or expected to be used or collected in whole or in
part for the purpose of making eligibility decisions. 15 U.S.C.
Sec. 1681a (d).
\20\ 15 U.S.C. Sec. 1681b (e). Pre-screened offers of credit or
insurance--sometimes called ``pre-approved'' offers--are sent to
consumers unsolicited, usually by mail. They are based on information
in consumers' credit reports that indicates that the individuals
receiving the offer meet the criteria set by the company making the
offer. The FCRA limits the circumstances in which consumer reports can
be used to make pre-screened offers, and provides that all such offers
must include a notice of consumers' right to stop receiving future pre-
screened offers.
---------------------------------------------------------------------------
GAO also found that current Federal law does not fully address the
use of new technologies, despite the fact that social media, web
tracking, and mobile devices allow for faster, cheaper and more
detailed data collection and sharing among resellers and private-sector
entities.\21\
---------------------------------------------------------------------------
\21\ GAO Information Resellers Report, supra n.1, at 19.
---------------------------------------------------------------------------
Appendix I at the end of this report provides a detailed summary of
the FCRA, and other existing Federal privacy laws and their
applicability to the collection and dissemination of consumer data by
data brokers.
B. Voluntary Industry Guidelines
The direct advertising and data broker industries have consistently
asserted that Congress should defer to industry self-regulation rather
than enacting broader consumer privacy legislation.\22\ Industry
members assert that their interest in avoiding reputational harm
motivates them to engage in strong self-regulation and provides
consumers with meaningful privacy protections.\23\ Privacy advocates,
on the other hand, have argued that self-regulation does not adequately
address concerns regarding the potential for consumer abuse in this
arena.\24\
---------------------------------------------------------------------------
\22\ See, e.g., Senate Committee on Commerce, Science and
Transportation, The Need for Privacy Protections: Is Industry Self-
Regulation Adequate, 112th Cong. (2012) (S. Hrg. 112-785).
\23\ Id.
\24\ Id.
---------------------------------------------------------------------------
Industry trade associations that include data brokers have
identified voluntary best practice guidelines for their members.\25\ For
example, the Direct Marketing Association (DMA) issued Guidelines for
Ethical Business Practice that include principles of conduct, including
recommendations on how members should handle and protect consumer
information. Specifically, these guidelines provide that the members
should offer notice of their policy ``regarding the rental, sale,
exchange or transfer of data about them'' and the ability to opt-out of
inclusion on a mailing list or other marketing methods,\26\ as well as
specific ways to handle health information.\27\ A number of the
companies that are the subject of the Committee's inquiry are DMA
members and have agreed to abide by the association's guidelines.
---------------------------------------------------------------------------
\25\ Direct Marketing Association, Direct Marketing Association
Guidelines for Ethical Business Practice (May 2011).
\26\ Id. at 18-19.
\27\ Id. at 20 (Article #33: Collection, Use, and Transfer of
Health-Related Data).
---------------------------------------------------------------------------
In addition, the Digital Advertising Alliance, the trade
association of the online advertising industry, has implemented
AdChoices, a program that allows consumers some control over their online
information as it is used for online behavioral advertising.\28\
---------------------------------------------------------------------------
\28\ See AdChoices website at http://www.youradchoices.com/
(accessed Dec. 13, 2013).
---------------------------------------------------------------------------
C. Privacy and Consumer Protection Issues Regarding Data Broker
Practices
Privacy and information experts have raised concerns regarding data
broker practices. These include issues relating to consumer privacy
rights with respect to the use of their own personal information; the
potential harmful ways consumer profiles can be used; the extent to
which data broker products that categorize consumers based on financial
characteristics are serving as substitutes or supplements for the
consumer report products that are more highly regulated; and the
vulnerability of data broker computer systems to a data breach.
Privacy Issues. One major issue raised by privacy advocates is that
data brokers operate without transparency to consumers. Since data
brokers generally collect information without the consumers' knowledge,
consumers have limited means of knowing how the companies obtain their
information, whether it's accurate, and for what purposes they are
using it.\29\
---------------------------------------------------------------------------
\29\ See FTC Privacy Report, supra n.1, at 61-69.
---------------------------------------------------------------------------
Privacy experts further point out that consumers currently lack
control over the compilation and use of data that may contain intimate
details about them. For example, the Financial Times reported one data
broker is selling lists of addresses and names of consumers suffering
from conditions including cancer, diabetes, and depression, and the
medications used for those conditions; another is offering lists naming
consumers, their credit scores, and specific health conditions.\30\
Citing these and other examples, FTC Commissioner Julie Brill recently
raised the question: ``What damage is done to our individual sense of
privacy and autonomy in a society in which information about some of
the most sensitive aspects of our lives is available for analysts to
examine without our knowledge or consent, and for anyone to buy if they
are willing to pay the going price.'' \31\
---------------------------------------------------------------------------
\30\ Financial Times, Companies Scramble for Consumer Data (June
12, 2013).
\31\ Keynote Address by Commissioner Julie Brill, Reclaim Your
Name, 23rd Computers Freedom and Privacy Conference (June 26, 2013).
---------------------------------------------------------------------------
Data brokers argue that the creation and use of consumer profiles
for marketing does not pose substantial privacy issues for consumers
because this information cannot be used in decisions affecting a
consumer's eligibility for credit or insurance, or in employment or
housing decisions. Rather, such profiling benefits consumers by
facilitating targeted outreach about products and services that are
relevant to consumers' specific interests, needs, or preferences.\32\
---------------------------------------------------------------------------
\32\ See GAO Information Resellers Report, supra n.1, at 40-41
(summarizing industry arguments on benefits of information sharing for
consumers).
---------------------------------------------------------------------------
However, an incident involving Target highlights how marketing
based on consumer profiling may pose unintended privacy issues.
According to a New York Times report, Target developed a pregnancy
prediction model to enable the company to target marketing of certain
products to expectant mothers. In one case, Target sent maternity and
baby clothes coupons to the household of a teenage girl who, through
use of this model, they predicted was pregnant. These mailings alerted
the girl's father that she was pregnant--before she had told him the
news herself.\33\
---------------------------------------------------------------------------
\33\ Charles Duhigg, The Power of Habit, Chapter 7.
---------------------------------------------------------------------------
Potentially Harmful Uses of Data Broker Products. Some consumer
advocates also have noted that targeted marketing means consumers have
unequal access to helpful information, offers, and benefits, and have
questioned the fairness of this result when the basis for such
targeting is consumer profiles constructed without the consumer's
knowledge, input, or permission--and that in fact may not be accurate.
World Privacy Forum Executive Director Pam Dixon has elaborated as
follows:
Two people going to one website or one retail store could
already be offered entirely different opportunities, services,
or benefits based on their modern permanent record comprised of
the previous demographic, behavioral, transactional, and
associational information accrued about them.\34\
---------------------------------------------------------------------------
\34\ Testimony of Pam Dixon, Executive Director, World Privacy
Forum, House Committee on Energy and Commerce, Subcommittee on
Communications, Technology, and the Internet (Nov. 19, 2009). See also
Dwork & Mulligan, It's Not Privacy, and It's Not Fair, 66
Stan.L.Rev.Online 35 (Sept. 3, 2013) (arguing that increasing use of
consumer profiles by marketers and others could inadvertently result in
social discrimination where unfair or inaccurate profiles are created
and reinforced without consumers' input).
A related issue is whether ready access to increasingly detailed
consumer data lends to differential pricing. Indeed, several recent
media accounts have described cases where website retailers offered
consumers different prices for the same product based on analysis of
customer characteristics. For example, a Wall Street Journal report
found that office supply retailers have varied prices displayed for the
same product based on customers' geolocation and other factors.\35\ In
another example the travel website Orbitz reportedly showed costlier
travel options to visitors whose browsers indicated they were using Mac
computers, because this brand was assumed to be used by more affluent
consumers.\36\ While it does not appear from these news accounts that
third party data broker products were involved with these particular
examples, these reports underscore that targeting the most ``relevant''
information to consumers does not always equate to providing consumers
information about the best deals.
---------------------------------------------------------------------------
\35\ Wall Street Journal, Websites Vary Prices, Deals Based on
Users' Information (Dec. 24, 2012).
\36\ Wall Street Journal, On Orbitz, Mac Users Steered to Pricier
Hotels (Aug. 23, 2012).
---------------------------------------------------------------------------
A few recent cases also have highlighted the value of consumer
profiles to predatory businesses seeking to target vulnerable
consumers. In October of 2012, the FTC alleged that the credit
reporting division of Equifax improperly sold more than 17,000
``prescreened'' lists of consumers who were late on their mortgage
payments to Direct Lending Source, Inc. and its affiliate companies.
Direct Lending subsequently resold some of these lists to third
parties, who ``used the lists to pitch loan modification and debt
relief services to people in financial distress,'' including to
companies that had been the subject of prior law enforcement
investigations.\37\
---------------------------------------------------------------------------
\37\ The FTC charged Equifax with a host of FCRA violations,
including that it provided credit report information to entities that
lacked a permissible purpose. The FTC further charged that Equifax's
failure to employ appropriate measures to control access to sensitive
consumer information was unfair, in violation of Section 5 of the FTC
Act. Direct Lending was also charged with violating Section 5 and the
FCRA for, among other reasons, obtaining pre-screened lists without
having a permissible purpose and failing to maintain reasonable
procedures to ensure that prospective users to whom it had resold the
reports had a permissible purpose. Equifax and Direct Lending combined
paid nearly $1.6 million to resolve charges that they violated the Fair
Credit Reporting Act and the FTC Act. Press Release, FTC Settlements
Require Equifax to Forfeit Money Made by Allegedly Improperly Selling
Information About Millions of Consumers Who Were Late on Their
Mortgages, Federal Trade Commission (Oct. 10, 2012) (available at
http://www.ftc.gov/news-events/press-releases/2012/10/ftc-settlements-
require-equifax-forfeit-money-made-allegedly).
---------------------------------------------------------------------------
In June 2011, Teletrack, Inc. paid a $1.8 million penalty to settle
FTC charges that it sold lists of consumers who had previously applied
for non-traditional credit products, including payday loans, to third
parties--primarily payday lenders and sub-prime auto lenders--that
wanted to use the information to target potential customers. The FTC
alleged that the information Teletrack sold constituted consumer
reports and could not be sold for marketing.\38\
---------------------------------------------------------------------------
\38\ Press Release, Consumer Reporting Agency to Pay $1.8 Million
for Fair Credit Reporting Act Violations, Federal Trade Commission
(June 27, 2011) (available at http://www.ftc.gov/news-events/press-
releases/2011/06/consumer-reporting-agency-pay-18-million-fair-credit-
reporting).
---------------------------------------------------------------------------
Similarly, the New York Times reported in 2007 that data broker
InfoUSA had sold lists of consumers with titles such as ``Suffering
Seniors'' to individuals who then used the lists to target elderly
Americans with fraudulent sales pitches.\39\
---------------------------------------------------------------------------
\39\ New York Times, Bilking the Elderly, with a Corporate Assist
(May 20, 2007).
---------------------------------------------------------------------------
Use of Predictive Scoring Products for Marketing. Consumer
advocates have suggested that the use of scoring products that predict
consumer behavior merits further scrutiny. Companies reportedly are
using predictive scoring products for a range of purposes, such as
assessing which customers will receive special offers, or looking at
credit risks associated with certain mortgage applications--but
consumers are generally not aware of these products and do not have
access to the data underlying them. The FTC plans to hold a hearing in
the Spring to examine the use of these products, including the types of
consumer protections that should be provided.\40\
---------------------------------------------------------------------------
\40\ Press Release, FTC to Host Spring Seminars on Emerging
Consumer Privacy Issues, Federal Trade Commission (Dec. 2, 2013)
(available at http://www.ftc.gov/news-events/press-releases/2013/12/
ftc-host-spring-seminars-emerging-consumer-privacy-issues).
---------------------------------------------------------------------------
Data Breaches. Finally, a series of incidents over recent years
have underscored that data brokers--like others who collect and
maintain sensitive consumer data--are vulnerable to data breaches.\41\
Privacy advocates emphasize the need to make sure appropriate
protections against data breach are in place for consumer data.\42\
---------------------------------------------------------------------------
\41\ Wall Street Journal, Breach Brings Scrutiny (April 5, 2011);
United States v. ChoicePoint, Inc., No. 1 06-CV-0198 (N.D. Ga. filed
Jan. 30, 2006); Press Release, Agency Announces Settlement of Separate
Actions Against Retailer TJX, and Data Broker Reed Elsevier and Seisint
for Failing to Provide Adequate Security of Consumer Data, Federal
Trade Commission (Mar. 27, 2008) (available at http://www.ftc.gov/news-
events/press-releases/2008/03/agency-announces-settlement-separate-
actions-against-retailer-tjx).
\42\ FTC Privacy Report, supra n.1, at 24-26.
---------------------------------------------------------------------------
D. Recent FTC and Congressional Reviews of the Data Broker Industry
Several recent inquiries have explored data broker practices and
related privacy and consumer protection issues. The FTC has held a
series of workshops, opened a formal inquiry, written reports, and
proposed principles for industry self-regulation on how companies
collect, use and protect consumer data. In March of 2012, the
Commission released a comprehensive report on protecting consumers'
data privacy in light of the rapid advances of technological change.
The Commission recommended that Congress consider enacting baseline
privacy legislation across industry sectors. The report also called for
greater transparency in the data broker and advertising industries.\43\
---------------------------------------------------------------------------
\43\ FTC Privacy Report, supra n.1.
---------------------------------------------------------------------------
The 2012 report identified the data broker industry as one of the
Commission's main focuses in implementing an enhanced privacy
protection framework.\44\ In examining the privacy implications of the
data broker industry, the FTC has also noted how advances in
technologies have rapidly allowed for the aggregating and selling of
consumer information that combines data reflecting consumers' online
activities as well as ``offline'' information that has been accessible
since before the Internet.\45\
---------------------------------------------------------------------------
\44\ FTC Privacy Report, supra n.1, at 68, 72-73.
\45\ FTC Privacy Report, supra n.1.
---------------------------------------------------------------------------
In December 2012, the FTC opened an inquiry pursuant to its
authority under Section 6(b) of the FTC Act to examine privacy
implications of the data broker industry's collection and use of
consumer data.\46\ This investigation is underway and will result in a
study and recommendations on whether, and how, the data broker industry
could improve its privacy practices.\47\
---------------------------------------------------------------------------
\46\ Press Release, FTC to Study Data Broker Industry's Collection
and Use of Consumer Data, Federal Trade Commission (Dec. 18, 2012)
(available at http://www.ftc.gov/news-events/press-releases/2012/12/
ftc-study-data-broker-industrys-collection-use-consumer-data). Three of
the nine companies the FTC is examining are included in this inquiry.
\47\ Id.
---------------------------------------------------------------------------
In addition to the FTC's ongoing work, in the summer of 2012, a
bipartisan group of eight lawmakers led by Reps. Ed Markey (D-MA) and
Joe Barton (R-TX) opened an inquiry into how data brokers collect and
use consumers' personal data.\48\ In November 2012 the lawmakers
concluded their inquiry, finding that, ``Many questions about how these
data brokers operate have been left unanswered, particularly how they
analyze personal information to categorize and rate consumers.'' \49\
---------------------------------------------------------------------------
\48\ New York Times, Congress to Examine Data Sellers (July 24,
2012).
\49\ AdWeek, Lawmakers Come Up Short in Data Brokers Probe (Nov. 8,
2012).
---------------------------------------------------------------------------
II. Committee Investigation
In light of the gaps in public knowledge regarding data broker
practices, in October 2012 the Committee opened an inquiry into the
data broker industry to help the Committee better understand industry
practices and the information data brokers collect and share about
American consumers for marketing purposes. To obtain a snapshot of
industry practices, the Committee focused on nine companies that
collect and sell consumer information: Acxiom, Experian, Epsilon, Reed
Elsevier, Equifax, TransUnion, Rapleaf, Spokeo, and Datalogix.
The companies include the three major credit reporting companies--
Experian, Equifax, and TransUnion--each of which also sells consumer
data for marketing purposes; and well-established targeted marketing
companies--Acxiom, Epsilon, Reed Elsevier, and Datalogix--that maintain
data on millions of consumers. In addition, the sample reflects
companies with discrete focus on major data collection techniques and
marketing uses: Rapleaf, which in 2010 specialized in collecting public
data from social media sites, and Spokeo, which offers individual
consumer look-up services.
On October 9, 2012, Chairman Rockefeller sent letters to the nine
data broker companies requesting information about each company's data
collection and use practices.\50\ The letters highlighted four basic
questions:
---------------------------------------------------------------------------
\50\ Senate Committee on Commerce, Science, and Transportation,
Rockefeller Seeks Information About Data Brokers' Practices (Oct. 10,
2012).
---------------------------------------------------------------------------
What data about consumers does the industry collect?
How specific is the data the industry collects about
consumers?
How does the industry obtain this data?
Who buys the data and how is it used?
All nine companies provided narrative and documentary responses to
the Committee letter. Some of these companies were forthcoming
regarding all questions. For example, Equifax's response included a
list of the specific entities that are its data sources and customers,
which it provided after clearing this disclosure with each entity. However,
several large data brokers--Acxiom, Experian, and Epsilon--to date have
refused to identify to the Committee their specific data sources.
Instead, they have described general categories of sources--such as
``surveys'' and ``public records.''
One of the main consumer-facing data sources identified in the
company responses is websites.\51\ In an attempt to learn more about
consumer information data brokers obtain from websites, on September
24, 2013, Chairman Rockefeller sent letters to twelve popular personal
finance, health, and family-focused websites whose privacy policies
allowed for sharing with third parties and that also indicated they
collected consumer data through ``surveys,'' ``sweepstakes,'' and
``questionnaires,'' which were identified by data brokers to the
Committee as sources of consumer information. The letters asked whether
the websites shared information with third parties, and if so, with
whom.
---------------------------------------------------------------------------
\51\ For example, one company noted ``there are over 250,000
websites who state in their privacy policy that they share data with
other companies for marketing and/or risk mitigation purposes.'' Acxiom
response to Chairman John D. Rockefeller IV (Mar. 26, 2013).
---------------------------------------------------------------------------
On October 23, 2013, following press reports alleging that an
Experian subsidiary sold data to an alleged identity theft
operation,\52\ Chairman Rockefeller sent a second letter to Experian
requesting information about the incident and the company's customer
vetting practices, and pressing the company to provide the Committee a
complete list of its data purchasers and sources.\53\ Experian to date
has not provided the Committee either its specific data sources or its
data purchasers.
---------------------------------------------------------------------------
\52\ Krebsecurity.com, Experian Sold Consumer Data to ID Theft
Service (Oct. 20, 2013); PCMag.com, Experian Confirms Subsidiary's Data
Sold to Identity Theft Operation (Oct. 22, 2013).
\53\ Senate Committee on Commerce, Science, and Transportation,
Rockefeller's Latest Letter to Experian Requests Information on
Reported Data Disclosures to Identity Theft Services (Oct. 24, 2013).
---------------------------------------------------------------------------
In the course of the inquiry, Committee Majority staff reviewed
thousands of pages of documents produced by respondent companies
including narrative responses, company manuals and training materials,
contracts, and marketing materials.
III. Committee Majority Staff Findings Regarding Industry Practices
The responses received by the Committee during this inquiry provide
a glimpse into the operations of a large and continually evolving
industry. The nine data brokers queried by the Committee hold a vast
and varied amount of consumer data. Acxiom alone has ``multi-sourced
insight into approximately 700 million consumers worldwide,'' \54\ and
Datalogix asserts its data ``includes almost every U.S. household.''
\55\ Some of the companies maintain thousands of data points on
individual consumers, with one providing the Committee a list of
approximately 75,000 individual data elements that are in its
system.\56\ Data collected by these companies includes detailed and
personal information including data on consumers' health and financial
status.
---------------------------------------------------------------------------
\54\ Acxiom Corp., 2013 10-K Annual Report for the Period Ending
March 31, 2013 (filed May 29, 2013).
\55\ http://www.datalogix.com/about/. The other companies queried
by the Committee hold data on millions more. For example, Rapleaf
claims to have at least one data point for over 80 percent of U.S.
consumer e-mail addresses. http://www.rapleaf.com/why-rapleaf/.
\56\ Equifax Response to the Committee (Aug. 23, 2013) (EFX PROD6
000010-001361). Acxiom claims to have ``over 3,000 propensities for
nearly every U.S. consumer.'' Acxiom Corporation (2013). Form 10K 2013.
---------------------------------------------------------------------------
One of the main types of products offered for sale by respondent
data brokers is ``modeled'' profiles of consumers that categorize
consumers, or that ``score'' likelihood for certain behaviors, based on
inferences drawn from consumer data. The respondent companies offer for
sale a number of modeled products that group consumers based on their
degree of financial vulnerability, such as ``Rural and Barely Making
It,'' or ``Ethnic Second-City Strugglers.'' The Committee has no
evidence that any of the specific queried companies are currently
selling such products for inappropriate purposes. However, the creation
and use of these types of products merits close scrutiny, particularly
in light of their value to predatory businesses that seek to target
consumers who are economically fragile.\57\
---------------------------------------------------------------------------
\57\ See infra Section III.B.2(a) discussing consumer protection
issues relating to such lists.
---------------------------------------------------------------------------
Data brokers continue to develop new approaches to facilitate
marketing outreach to consumers online. Some data brokers now offer
products that enable marketers to tailor online advertisements based on
off-line data about the consumer provided by the data broker.
As they conduct these various activities, data brokers remain
largely invisible to the consumers whose information populates their
databases. Consumers have limited means of learning that these
companies hold their data, and respondent companies provide consumers
rights of access and control regarding their data that vary widely by
company. Several of the largest respondent companies have been
similarly secretive with the Committee, refusing to identify specific
sources of their data, and specific customers who purchase it. And
provisions in company contracts with customers perpetuate this secrecy
by placing restrictions on customer disclosures regarding data sources.
Below is a detailed discussion of the Committee Majority Staff's
findings regarding the information companies have provided to date
regarding the collection, compilation, and sale of consumer data.
A. Data Broker Collection of Consumer Data
The information the Committee obtained in this inquiry regarding
the nature and specificity of information collected by data brokers
paints a picture consistent with the following observation offered by
one of the respondent companies: ``The amount of available data has
created an unprecedented amount of information about consumers: Their
attitudes and behaviors, perceptions about brands, what they're buying
and even where they happen to be at the moment the data is captured.''
\58\
---------------------------------------------------------------------------
\58\ Epsilon Targeting, Data Intelligence (EPS-COM-002026).
---------------------------------------------------------------------------
1. Nature of Data Collected
Much of the information data brokers collect is demographic, such
as consumers' names, addresses, telephone numbers, e-mail addresses,
gender, age, marital status, presence of and ages of children in
household, education level, profession, income level, political
affiliation, and information about their homes and other property. In
addition, data brokers collect many other categories of information
about individuals. Some examples include:
Consumer purchase and transaction information, including
whether a purchase was made through a catalog, online, or in-
store, as well as the frequency of such purchases;\59\
---------------------------------------------------------------------------
\59\ Experian Narrative Response to Senate Commerce Committee (Dec.
14, 2013); Datalogix Narrative Response to Senate Commerce Committee
(Nov. 16, 2013).
Consumers' available methods of payment, including type of
credit card and bankcard issuance date;\60\
---------------------------------------------------------------------------
\60\ Epsilon, TotalSource Plus Data Enhancement Element Listing
(EPS-COM-5-25); Acxiom, The Power of Insight: Consumer Data Products
Catalog (ACXM 190); Lexis Nexis, MarketView Demographic Data Dictionary
(REP001397-1403).
Purchase of automobiles, including makes and models of cars
purchased or whether a consumer prefers new or used cars;\61\
---------------------------------------------------------------------------
\61\ Acxiom, The Power of Insight: Consumer Data Products Catalog
(ACXM 173-226); Lexis Nexis, MarketView Demographic Data Dictionary
(REP001397-1403).
Health conditions. One company collects data on whether
consumers suffer from particular ailments, including Attention
Deficit Hyperactivity Disorder, anxiety, depression, diabetes,
high blood pressure, insomnia, and osteoporosis, among
others;\62\ another keeps data on the weights of individuals in
a household.\63\ An additional company offers for sale lists of
consumers under 44 different categories of health conditions,
including obesity, Parkinson's disease, Multiple Sclerosis,
Alzheimer's disease, and cancer, among others;\64\
---------------------------------------------------------------------------
\62\ Epsilon, TotalSource Plus Data Enhancement Element Listing
(EPS-COM-16). Epsilon has provided that it collects data about health
ailments solely through its ``Shoppers Voice'' survey through which
consumers ``self-report'' data, which is described in more detail in
Section III.A.2.d.
\63\ Acxiom, The Power of Insight: Consumer Data Products Catalog
(ACXM 184).
\64\ Experian, List Services Catalog (EXP002569). Experian provides
its catalog, which contains more detail about element listings on its
website (available at http://www.experian.com/assets/data-university/
brochures/ems-list-services-catalog.pdf).
Social media activity, including the number of a consumer's
friends and followers, and whether they view YouTube
videos.\65\
---------------------------------------------------------------------------
\65\ Acxiom, The Power of Insight: Consumer Data Products Catalog
(ACXM 173-206); Acxiom Narrative Response to Senate Commerce Committee
at 7 (Mar. 1, 2013); and Acxiom, Acxiom Predictive Scores for Social
Media (ACXM 473).
The specificity of consumer data that brokers collect, maintain,
and share varies depending on the entity. For example, TransUnion
reported that it maintains and offers for sale primarily demographic
data.\66\ On the other hand, Equifax maintains approximately 75,000
individual data elements for its use in creating marketing products,
including information as specific as whether a consumer purchased a
particular soft drink or shampoo product in the last six months,\67\
uses laxatives or yeast infection products;\68\ OB/GYN doctor visits
within the last 12 months,\69\ miles traveled in the last 4 weeks,\70\
and the number of whiskey drinks consumed in the past 30 days.\71\ Some
companies offer ``data dictionaries'' that include more than one
thousand potential data elements, including whether the individual or
household is a pet owner, smokes, has a propensity to purchase
prescriptions through the mail,\72\ donates to charitable causes, is
active military or a veteran, holds certain insurance products
including burial insurance or juvenile life insurance, enjoys reading
romance novels, or is a hunter.\73\
---------------------------------------------------------------------------
\66\ Letter from TransUnion to Chairman John D. Rockefeller IV
(Dec. 14, 2012).
\67\ Equifax Response to Senate Commerce Committee (Aug. 23, 2013)
(EFX PROD6 000010-001361). Equifax made clear in their response that
the individual data elements are not sold as is, but are used to create
their products and models. Individual-level data elements are
aggregated for use in products sold to customers. Id.
\68\ Id.
\69\ Id.
\70\ Id.
\71\ Id.
\72\ Acxiom, The Power of Insight: Consumer Data Products Catalog
(ACXM 173-226).
\73\ Epsilon, TotalSource Plus Data Enhancement Element Listing
(EPS-COM-5-25).
---------------------------------------------------------------------------
2. Sources of Consumer Data
The information the responding companies provided to the Committee
suggests that these data brokers primarily obtain consumer data through
five major avenues: government records and other public data; purchase
or license from other data collectors; cooperative agreements with
other companies; self-report by consumers, often through surveys,
questionnaires, and sweepstakes; and social media.\74\
---------------------------------------------------------------------------
\74\ In November 2013, the Attorney General of New Jersey settled a
case that suggested web browsing activity is potentially an additional
source of information for data brokers. The case alleged that Dataium,
a data company, used software to track websites visited by consumers, a
practice known as ``history sniffing,'' and then sold consumer
preferences inferred from web browsing along with consumers' names,
phone numbers, and e-mail addresses to Acxiom. See Office of New Jersey
Attorney General, Acting Attorney General Announces Settlement
Resolving Allegations Data Company Engaged in Online ``History
Sniffing'' (Nov. 21, 2013) (available at http://nj.gov/oag/
newsreleases13/pr20131121a.html).
---------------------------------------------------------------------------
Three companies--Acxiom, Experian, and Epsilon--declined to share
specific data sources with the Committee, citing confidentiality
clauses in their contracts, and concerns about putting themselves at a
competitive disadvantage among the reasons. Instead, these companies
provided general descriptions of the types of entities that are data
sources.
a. Government Records and Other Publicly Available Data
Many companies reported obtaining information from public records
sources. These include: census data; property records; court filings,
including criminal convictions, judgments, liens, and bankruptcies;
driver's license records; voter registrations; telephone directories;
real estate listings; and marriage and death certificates.\75\ Data
brokers also obtain publicly available information from licensing
filings including licenses for physicians and other medical
professionals, attorneys, accountants, engineers, notaries, and real
estate professionals, as well as hunting, fishing, and pilot
licenses.\76\ License information can supply contact information and
license issuance and expiration dates.\77\
---------------------------------------------------------------------------
\75\ E.g., Acxiom Narrative Response to Senate Commerce Committee
(Feb. 15, 2013).
\76\ Id. at 5.
\77\ Id.
---------------------------------------------------------------------------
b. Purchase or License
Companies reported that several types of entities either sell or
license them data, including:
Retailers. Retailers provide data brokers with consumers'
purchase information, which can include consumer name, postal
addresses, e-mail addresses, items purchased, transaction
history, and whether the purchase was made in a store, online,
or through a catalog.\78\ Often, the information provided does
not identify the specific item purchased, but rather the
category or type of product, such as ``collectibles'' or
``ladies apparel.'' Retailers are able to collect this
information about consumers through many methods, among them
store or brand loyalty/rewards cards.\79\
---------------------------------------------------------------------------
\78\ Datalogix Narrative Response to Senate Commerce Committee, at
1 (Nov. 2, 2012).
\79\ Consumers who use loyalty cards allow retailers to collect
information about their purchases in exchange for discounts, coupons,
or other perks such as discounts on gasoline purchases. In 2012,
Americans had a collective total of 2.65 billion loyalty program
memberships. See Bulking Up: The 2013 Colloquy Loyalty Census, Growth
and Trends in U.S. Loyalty Program Activity, Colloquy (June 2013).
Financial institutions. Responding companies reported receiving
information from a variety of financial institutions, such as
banks, credit unions, brokerage services, and online trading
platforms. Such sources provide information regarding bank
deposits, brokerage assets, annuities, and mutual funds.
Companies reported that the information obtained is not tied to
specific consumers, but is received in an anonymized or
aggregated form \80\ and used to create models and scoring
products.\81\
---------------------------------------------------------------------------
\80\ Financial institutions provide anonymous financial data,
meaning it does not include consumers' name, house number or street
name; and information aggregated at the ZIP+4 level. Letters from Paul
Zurawski, Senior Vice President Government Affairs and Regulatory
Management, Equifax, to Chairman John D. Rockefeller IV (Feb. 13, 2013)
and (Jan. 23, 2013).
\81\ See Section III.B for a discussion of modeling and scoring.
Other data brokers. All of the responding companies reported
obtaining information from other data brokers either by
purchasing or under sharing arrangements. Some have specified
which other data brokers provide such information, while others
refused to specify other data broker sources beyond generic
descriptions such as ``third-party partners.'' \82\
---------------------------------------------------------------------------
\82\ Experian Narrative Response to Senate Commerce Committee (May
24, 2013).
---------------------------------------------------------------------------
c. Cooperative Arrangements
Another way data brokers obtain information is through cooperative
arrangements in which companies provide information about their
customers in exchange for information to enhance their existing
customer lists or identify new customers. Examples described by
responding companies include:
Epsilon operates a cooperative consisting of over 1,600
participating companies, which include catalog and retail
companies, non-profits, and publishers.\83\ Participants
contribute household purchase information in exchange for
information about prospective customers. Epsilon organizes this
data into 22 ``primary purchase categories,'' such as
children's apparel and merchandise.\84\
---------------------------------------------------------------------------
\83\ Letter from Jeanette Fitzgerald, Senior Vice President and
General Counsel, Epsilon, to Chairman John D. Rockefeller IV (Nov. 2,
2012); Epsilon, Abacus Cooperative Overview (EPS-COM-002114).
\84\ Letter from Jeanette Fitzgerald, Senior Vice President and
General Counsel, Epsilon, to Chairman John D. Rockefeller IV, at 5-6
(Nov. 2, 2012).
Experian manages a database open to catalog sellers as well
as brick and mortar and e-commerce retailers. Participants
provide customer transactional records, which may include
consumer's name, address, gender, e-mail address, phone number,
channel of purchase (e.g., online or in-store), dollar amount,
payment method, transaction date, and transaction product
category.\85\ Experian summarizes the information to describe
buying behaviors at the household level within general product
categories--such as ``Kitchen and Tabletop,'' ``Books,'' or
``Vitamins/Health Products.'' \86\ For example, ``if a high-end
retailer of men's business suits reports a customer purchase of
approximately $500, Experian would maintain a record showing
only that the household engaged in a transaction involving
Men's High-End Apparel.'' \87\
---------------------------------------------------------------------------
\85\ Experian, Z-24 Catalog Database File Information (EXP001665).
\86\ Experian Narrative Response to Senate Commerce Committee, at 5
(Dec. 14, 2012). Experian breaks purchase information into 64 different
categories. Experian (EXP001667).
\87\ Experian Narrative Response to Senate Commerce Committee, at 5
(Dec. 14, 2012).
Equifax runs a cooperative for financial institutions that
contribute data at least twice per year about consumer and
small business investments and bank accounts. According to the
company, this information is anonymized, often including only
zip code and year of birth;\88\ it does not include information
that could be used to individually identify consumers.
Participants have access to certain information and products
available only to members, including products that estimate
total outstanding credit and that track assets.\89\
---------------------------------------------------------------------------
\88\ Equifax, Member Data Submissions (EFX PROD3 0143).
\89\ Letter from Paul Zurawski, Senior Vice President Government
Affairs and Regulatory Management, Equifax to Chairman John D.
Rockefeller, at 3 (Feb. 13, 2013); Equifax Corporation, IXI Services
Core Products for Network Members (EFX PROD3 0191).
Datalogix offers a cooperative arrangement that allows
retailers to share information including customers' names,
mailing addresses, e-mail addresses, purchase transaction
histories, and transaction channel, such as Internet, catalog,
or retail purchase. In return for supplying information,
participants can receive mailing lists, or access to online
audiences to identify new customers.\90\
---------------------------------------------------------------------------
\90\ Datalogix Narrative Responses to Senate Commerce Committee
(Nov. 2, 2012) and (Nov. 16, 2012).
---------------------------------------------------------------------------
d. Self-Reporting by Consumers
The responses to the Committee's inquiries indicate that data
brokers obtain information directly from consumers through warranty
cards, sweepstakes entries, and other types of surveys. Some of the
data brokers conduct their own marketing surveys, both on- and off-line,
and shared examples with the Committee.\91\ These surveys ask detailed
questions about household demographics, income levels, shopping
preferences, and other personal matters such as health and insurance
related information. For example, some surveys ask whether anyone in
the household suffers from diabetes, or what types of insurance the
household currently has or plans to obtain.\92\ Surveys provided to the
Committee disclose to consumers that the information they provide may
be shared for marketing purposes in exchange for entry into a
sweepstakes or other chances at prizes. However, the surveys do not
generally indicate that they are affiliated with a specific data
broker.
---------------------------------------------------------------------------
\91\ E.g., Experian Narrative Response to Senate Commerce Committee
(Feb. 8, 2013); and Letter from Jeanette Fitzgerald, Senior Vice
President and General Counsel, Epsilon, to Chairman John D. Rockefeller
(Nov. 2, 2012).
\92\ Epsilon, Shopper's Voice Consumer Product Survey of America
(2012) (EPS-COM-000001-000004).
---------------------------------------------------------------------------
For example, Epsilon obtains consumer data through its ``Shopper's
Voice'' survey. The survey contains several pages of specific questions
about the household, including demographic information, hobbies and
interests, products purchased, and ailments. The survey includes
questions about a range of health-related matters. For example, one
category, titled ``Heart Health,'' asks whether anyone in the household
has a family history of heart disease, heart attack, high blood
pressure or high cholesterol, whether anyone suffers from angina,
atrial fibrillation, and whether these ailments are treated with a
prescription.\93\ The survey also asks the respondent to indicate
whether they personally or another member of the household suffer from
other listed ailments, such as depression, Bipolar disorder or other
major depressive disorder, Lupus, or Parkinson's disease.\94\ The
Shopper's Voice survey is mailed to approximately 36 million households
each January; approximately 5.2 million households complete and return
it to Epsilon.\95\ Consumers are encouraged to respond to the survey by
being offered an opportunity for savings via coupons and a chance to
win $10,000.\96\ See Exhibit A for a complete example of the survey
questions.
---------------------------------------------------------------------------
\93\ Id. at 2.
\94\ Epsilon, Shopper's Voice Survey (EPS-COM-003757).
\95\ Epsilon, TargetSource Survey Data, at 3 (EPS-COM-003150).
\96\ Epsilon, TargetSource Survey Data, at 5 (EPS-COM-003152).
---------------------------------------------------------------------------
Experian collects data through the ``Simmons National Consumer
Surveys,'' which over 30,000 consumers fill out each year.\97\
Questions cover subjects including demographics, hobbies and interests,
military experience, participation in the lottery, and product
preferences.\98\ Consumer responses are aggregated and used to create
models that assign a shared set of characteristics to all households
within a particular zip code. Simmons surveys include the Simmons
National Consumer Survey; the Simmons National Kids and Teens Studies;
the National Hispanic Consumer Survey; and the Simmons Lesbian, Gay,
Bisexual and Transgender Study.\99\ Adults may be paid $25 for their
participation in the survey and teens receive $14 in addition to a
keychain.\100\
---------------------------------------------------------------------------
\97\ Experian, Simmons National Consumer Studies (online at http://
www.experian.com/simmons-research/national-consumer-studies.html).
\98\ Experian, Simmons National Consumer Survey (EXP001785-1923).
\99\ Experian Narrative Response to Senate Commerce Committee (Feb.
8, 2013).
\100\ Sample letters that accompany Simmons National Consumer
Survey (EXP002099) and (EXP002100).
---------------------------------------------------------------------------
According to narrative responses from Acxiom and Experian,
consumers report personal information to them by completing surveys,
entering sweepstakes, registering to receive coupons, or filling out
other forms on Internet sites. The websites either directly feed this
information to data brokers or provide it to other ``data compilers''
who then pass it to data brokers.\101\
---------------------------------------------------------------------------
\101\ Experian Narrative Responses to Senate Commerce Committee
(May 24, 2013) and (July 26, 2013); and Acxiom Narrative Response to
Senate Commerce Committee (Apr. 5, 2013).
---------------------------------------------------------------------------
Experian uses survey results in products including Experian's
``BehaviorBank.'' As Experian explained:
BehaviorBank is a database of self-reported information
provided by consumers with the clear understanding of the
consumer that the responses will be used for marketing. . .
Experian acquires all such information from third-party
partners. Such third parties typically either recruit consumers
for their own surveys or obtain data from companies that have
surveyed their own customers. In some cases, consumers are
offered an incentive, such as an opportunity to win a prize,
for participation in the survey.\102\
---------------------------------------------------------------------------
\102\ Experian Narrative Response to Senate Commerce Committee, at
2-3 (May 24, 2013).
Experian refused to identify to the Committee the third-party
website sources of data for the company.
Similarly, Acxiom said consumer-facing websites are a source of
their consumer data, but declined to provide the Committee the specific
identities of these websites except for six self-selected sample
websites. Instead the company stated generally, ``there are over
250,000 websites who state in their privacy policy that they share data
with other companies for marketing and/or risk mitigation purposes.''
\103\
---------------------------------------------------------------------------
\103\ Acxiom Narrative Response to Senate Commerce Committee (Apr.
5, 2013).
---------------------------------------------------------------------------
Of the six websites provided by Acxiom, one was not functional when
Committee majority staff attempted to access it. The remaining five
asked consumers for varying levels of personal information in exchange
for benefits such as coupons and discounts, or the opportunity to
compare health insurance quotes. The general counsel for the company
that maintains the health insurance quote website, when contacted by
Committee majority staff, said the company had no information sharing
agreement with Acxiom, and that the entities that contract to receive
the website's information are contractually prohibited from sharing
that data with third parties such as Acxiom.\104\ Acxiom represented
that this website data source was provided by one of Acxiom's data
aggregators.\105\
---------------------------------------------------------------------------
\104\ Committee staff interview with website general counsel (Dec.
3, 2013).
\105\ Acxiom Narrative Response to Senate Commerce Committee (April
5, 2013). It is unclear at this point whether or how information from
this website flowed to Acxiom.
---------------------------------------------------------------------------
To explore the issue of website data sources further, Chairman
Rockefeller queried 12 popular health- and financial-focused websites
whose privacy policies appeared to allow for the sharing of consumer
data obtained through surveys, sweepstakes, and questionnaires. In
response, several websites acknowledged collecting personal information
from consumers through surveys or sweepstakes entries. However, they
largely denied sharing that data with third parties except in limited
circumstances, including for their own advertising purposes,
sweepstakes prize fulfillment, or with other third-party vendors to
perform services on the websites' own behalf.
Two of the website companies reported relationships with Acxiom,
but those relationships were for the benefit of the websites: one
retained Acxiom's services to store consumer information solely for its
own marketing efforts, and the other to perform services such as
collecting additional information about visitors to its website. While
neither arrangement allowed for Acxiom to share or use the data
provided for Acxiom's own purposes, one company did share with
Committee majority staff that Acxiom had approached them to become a
data supplier, a request it declined.\106\
---------------------------------------------------------------------------
\106\ Website responses to Senate Commerce Committee (Oct. 2013).
---------------------------------------------------------------------------
e. Social Media
Social media is a source of consumer information for many of the
queried data brokers. For example, Acxiom says it obtains data about
consumers' social media interests and usage to predict the likelihood
that a consumer would fall into one of the following categories:
``business fan,'' ``heavy social media user'' (including Facebook,
LinkedIn, Twitter, and YouTube), ``mobile social networker,'' ``text
messaging user,'' ``poster'' (including poster of photos, texts, and
responders), ``video sharer,'' ``social influencer,'' and ``social
influenced.'' \107\
---------------------------------------------------------------------------
\107\ Acxiom Narrative Response to Senate Commerce Committee at 7
(Mar. 1, 2013). Acxiom asserts that they ``do not collect specific
activity from social media sites, such as individual postings, lists of
friends or any data that is not public.'' (ACXM 1422).
---------------------------------------------------------------------------
In 2010, the Wall Street Journal and other media outlets reported
that Rapleaf was collecting information about consumers' social media
accounts and selling that information to other companies.\108\ Rapleaf
had been ``crawling'' publicly available data consumers placed on
social media sites such as Facebook, MySpace, LinkedIn, and others, to
gather information including consumers' names, age, gender, location,
colleges and universities attended, and occupations, information about
membership on social media sites such as Facebook, Flickr, LinkedIn,
Twitter, CafeMom, Amazon Wishlist, Pandora, Photobucket, and
Dailymotion, number of friends and followers, and the URL of consumers'
profiles.\109\
---------------------------------------------------------------------------
\108\ See Wall Street Journal, Facebook in Privacy Breach (Oct. 18,
2010), and Wall Street Journal, A Web Pioneer Profiles Users by Name
(Oct. 25, 2010).
\109\ Rapleaf, Report Data Dictionary, (RAP-SEN-001-00121-RAP-SEN-
001-00125).
---------------------------------------------------------------------------
Following public backlash and requests by Facebook, Rapleaf deleted
most of the information it collected through webcrawling.\110\ However,
companies that purchased this data before Rapleaf ceased this activity
were not required to delete the information that they had previously
purchased.\111\
---------------------------------------------------------------------------
\110\ Letter from Phil Davis, Chief Executive Officer, Rapleaf, to
Chairman John D. Rockefeller IV (Nov. 21, 2012). According to Rapleaf,
the information it maintained was non-sensitive data consisting of age
range, gender, zip code, and marital status. Id.
\111\ Letter from Kenneth M. Dreifach, Counsel to Rapleaf, to
Melanie Tiano, Counsel to the Senate Commerce Committee (Dec. 28,
2012); Committee staff conversation with Rapleaf Counsel (Dec. 5,
2012).
---------------------------------------------------------------------------
B. Data Broker Products
Data brokers compile and analyze consumer data to create products
and services that provide customers with data that has varying degrees
of specificity about individual consumers. Most of the products
described by respondent companies are essentially lists of consumers
grouped by shared characteristics or predicted behaviors. The companies
also provide data on individual consumers to supplement data customers
may already have on the consumer.
Data broker products can consist of ``actual'' or ``modeled''
elements. Actual data includes factual information about individuals,
such as their date of birth, contact information, and presence of
children in a household. ``Modeled'' data results from drawing
inferences about consumer characteristics or predicted behavior based
on actual data. For example, a company may infer a consumer's marital
status based upon use of the prefix ``Mrs.''; characterize an
individual as having an interest in golf based on the fact that an
individual subscribes to a golf magazine; \112\ or characterize an
individual as having a health interest in allergies based on the fact
that the individual made a non-prescription purchase of over-the-
counter allergy medication.\113\
---------------------------------------------------------------------------
\112\ Acxiom Narrative Response to Senate Commerce Committee (Feb.
15, 2013).
\113\ Id.
---------------------------------------------------------------------------
The companies also use actual data to create ``look-a-like''
models. Look-a-like models use known information--such as living within
a particular zip code and having children in the household--to predict
characteristics such as the likelihood that an individual drives an
SUV. With this model, a data broker could create a list of consumers
likely to drive an SUV that a customer could purchase for targeted
marketing.
Two prominent means by which data brokers provide consumer data to
customers are ``original lists'' and ``data appends.'' Original lists
are sold to customers seeking a list of consumers who fit certain
criteria--for example, women who live in Cleveland and have an interest
in cooking.\114\ Typically, customers purchase this information in
large quantities, hundreds or thousands of names at a time.\115\
---------------------------------------------------------------------------
\114\ Except in instances where a company offers some type of
individual look-up product, ``original list'' information is not
generally available to be purchased on an individual consumer basis.
Spokeo, for example, offers consumers an individual look-up service
that provides the ability to search for information about specific
individuals. Products offered by Spokeo allow customers to search for
people by name or address or through a ``reverse search'' service--
where customers may enter a telephone number or e-mail address to
identify the individual associated with that number or address.
Customers are able to obtain a ``person's name, address, phone number,
e-mail address, occupation, property value, family relations, and
social media accounts.'' Letter from Angela Saverice-Rohan, General
Counsel, Spokeo, Inc., to Chairman John D. Rockefeller IV (Nov. 2,
2012).
\115\ Committee staff conversations with respondent companies;
several companies reported that segments are priced and sold by the
thousand.
---------------------------------------------------------------------------
``Data append,'' on the other hand, occurs when a customer has some
information about specific consumers, but they want to create more
complete profiles. In that case, the customer provides some identifying
information about their customers, such as a list of names and zip
codes or e-mail addresses, to a data broker company to purchase
additional information about the specific consumers on the list.
The products companies described to the Committee include consumer
profiles characterizing consumers based on degree of financial
vulnerability and propensity to use payday loans and other non-
traditional financial products. These types of data broker products
merit close scrutiny as they appear tailor-made for businesses that
profit from taking advantage of consumers. Following is a discussion of
major types of data broker products, methods for sharing these
products, and questions raised by certain products described by
respondent companies.
1. How Data Brokers Package Consumer Information
One product data brokers offer is ``segments,'' or groupings of
consumers defined by shared characteristics and likely behaviors. Many
data brokers offer some variation of segmenting products, and several
of the large data brokers included in the Committee's review offer
dozens of different segment choices.
The idea of segmenting consumers for marketing purposes is not a
novel concept. In the 1970s, Claritas--which merged with Nielsen in
2001--developed a segmenting product called PRIZM, which defined groups
of consumers based on demographics and behaviors.\116\ PRIZM is now
advertised as ``the industry-leading lifestyle segmentation system that
yields rich and comprehensive consumer insights to help you reveal your
customer's preferences.'' \117\ When clustering first began, companies
generally relied on census data to predict the behavior of consumers.
Today, however, there are endless avenues to obtain consumer data.
---------------------------------------------------------------------------
\116\ Wall Street Journal, Placing Products: Marketing Firm Slices
U.S. into 240,000 Parts to Spur Clients' Sales (Nov. 3, 1986).
\117\ Nielsen, My Best Segments (online at http://www.claritas.com/
MyBestSegments/Default.jsp?ID=70&pageName=Learn%2BMore&menuOption=learnmore).
---------------------------------------------------------------------------
Another type of product described by data brokers involves
``scoring,'' a form of analytics that utilizes data to make predictions
about likely consumer behavior. Scoring products are designed to
provide marketers insight about existing and prospective customers by
assigning a number or range that signifies each consumer's likelihood
to exhibit certain characteristics or perform certain actions. For
example, Acxiom offers a product that can provide marketers with
predictive indicators of consumers' social media behaviors, assigning a
number from 1-20 on the basis of whether they are likely to be a
``social influencer'' or are ``socially influenced,'' and whether they
are a frequent ``text poster'' or ``business fan.'' \118\
---------------------------------------------------------------------------
\118\ Acxiom, Precision Targeting and Messaging in Social Networks:
Acxiom Predictive Scores for Social Media (ACXM 473-474).
---------------------------------------------------------------------------
2. Issues Regarding Data Broker Products
a. Products that Identify Financially Vulnerable Populations
A number of products described by data brokers focus on
characterizing a consumer's economic status. For example, some of the
consumer profiles they sell identify economically comfortable
consumers. Clusters titled ``Established Elite,'' ``Power
Couples,'' ``American Royalty,'' and ``Just Sailing Along'' indicate a
level of affluence that might be used to identify a likely audience for
luxury products or investments. Data broker descriptions of such
products provide further detail. For example, Experian describes
``American Royalty'' as ``[w]ealthy, influential and successful couples
and families living in prestigious suburbs.'' \119\
---------------------------------------------------------------------------
\119\ Experian, Mosaic USA New Segment and Group Names (EXP002634-
002678).
---------------------------------------------------------------------------
Understanding the financial circumstances of consumers is important
for assessing how best to reach those most likely to purchase
particular goods or products. However, some of the targeting products
described by the companies appear to focus specifically on identifying
financially vulnerable populations. The table below represents a sample
of the segments offered for sale by the queried companies:
Table I: Company Product Names
Source: Company Responses \120\
---------------------------------------------------------------------------
\120\ Experian, Mosaic USA New Segment and Group Names (EXP002634-
2636); Acxiom, Personicx Classic, (Mar. 1, 2013); Epsilon, Niches 3.0
(EPS-COM-003484--003496); Equifax, Economic Cohorts: Economic-based
Household Segmentation (EFX Prod4 0002-0292); Equifax, Financial
Cohorts: Direct-Measured Asset-Based Household Segmentation (EFX PROD4
0293-0543). See Appendix II.
The product descriptions that data brokers provide to potential
customers further elaborate on such vulnerability.\121\ For example,
``Hard Times'' is described by Experian as, ``Older, down-scale and
ethnically-diverse singles typically concentrated in inner-city
apartments.'' \122\ The description continues: ``This is the bottom of
the socioeconomic ladder, the poorest lifestyle segment in the Nation.
Hard Times are older singles in poor city neighborhoods. Nearly three-
quarters of the adults are between the ages of 50 and 75; this is an
underclass of the working poor and destitute seniors without family
support. . . . One-quarter of the households have at least one resident
who is retired.'' \123\
---------------------------------------------------------------------------
\121\ See Exhibit B for sample product descriptions.
\122\ Experian, Mosaic USA Segment Descriptors (EXP002946).
\123\ Experian, Mosaic USA Segment Descriptors (EXP002947). In
another example, ``Resilient Renters'' is described as ``singles with
high-school and vocational/technical educations. At a mean age of 39,
they are renters in the second-tier cities and, if employed, earn wages
in service and clerical positions.'' Acxiom Narrative Response to
Senate Commerce Committee, Acxiom Personicx Classic (Mar. 1, 2013).
---------------------------------------------------------------------------
A number of scoring products similarly focus on consumers'
financial vulnerabilities. One example is Experian's ``ChoiceScore,''
which the company asserts ``helps marketers identify and more
effectively market to under-banked consumers.'' \124\ According to the
company's marketing materials for this product, ``each year, under-
banked consumers alone spend nearly $11 billion on non-traditional
financial transactions like payday loans and check-cashing services.''
\125\ These consumers include ``new legal immigrants, recent graduates,
widows, those with a generation bias against the use of credit,
followers of religions that historically have discouraged credit,'' and
``consumers with transitory lifestyles, such as military personnel.''
\126\
---------------------------------------------------------------------------
\124\ Experian, ChoiceScore: Improve Targeting and Customer
Acquisition in the Untapped Under-banked Population (EXP002353). See
Exhibit C for ChoiceScore Marketing description.
\125\ Id.
\126\ Id.
---------------------------------------------------------------------------
The ChoiceScore options include a ``Confidence Score'' that
``identifies and assigns a score, determining the propensity for a
consumer to be in the under-banked population,'' and a ``Risk Score,''
a ``non-credit based score used to identify the most and least
desirable consumers.'' \127\ Suggested applications of the product
include: ``target under-marketed new prospect segments eager to accept
direct-marketing offers; target invitation-to-apply credit card offers,
secured card, prepaid debit and other non-traditional financial service
offerings; and suppress records of those less likely to get approved.''
\128\
---------------------------------------------------------------------------
\127\ Experian, List Services Catalog: ChoiceScore (EXP002601).
\128\ Id.
---------------------------------------------------------------------------
This Committee inquiry did not review whether any of the specific
identified lists that designate financially vulnerable consumers have
been used in a harmful manner. However, precedent underscores the value
of such products to unscrupulous businesses that seek to take advantage
of consumers. For example, the New York Times has reported on
telemarketing criminals that succeeded in raiding the banking account
of a 92-year-old Army veteran.\129\ Data broker InfoUSA sold his name
and contact information to a scam artist. As detailed in the Times'
account, InfoUSA advertised lists such as ``Elderly Opportunity
Seekers,'' described as older people ``looking for ways to make
money;'' ``Suffering Seniors,'' older people with cancer or Alzheimer's
disease; and ``Oldies but Goodies,'' people described as ``gullible . .
. [who] want to believe their luck can change.''
---------------------------------------------------------------------------
\129\ The New York Times, Bilking the Elderly, with Corporate
Assist (May 20, 2007).
---------------------------------------------------------------------------
InfoUSA was not one of the companies examined in this Committee
inquiry, but the concerns raised by lists identifying financially
vulnerable customers are illustrated by this example. The names,
descriptions and characterizations in these products--all generated by
the data brokers--likely appeal to companies that sell high-cost loans
and other financially risky products to populations more likely to need
quick cash, such as payday and installment lenders.
Most of the companies provided to the Committee customer vetting
and oversight policies that they assert ensure that information is used
properly.\130\ Further, several of the contracts reviewed by the
Committee include provisions that prohibit resale of consumer data to
certain types of businesses such as ``debt repair'' \131\ and one
specifically prohibits resale for ``payday or short-term lending.''
\132\ However, because data brokers operate in the shadows, with little
oversight or regulation, companies in this industry have discretion
regarding their voluntary enforcement of such restrictions. Indeed, an
investigation into InfoUSA showed that employees routinely ignored
rules about selling data to known fraudsters.\133\ Unfortunately, three
of the largest companies--Acxiom, Experian, and Epsilon--to date have
declined to disclose their customers to the Committee. As a result, the
precise range and nature of their customer base remains unknown.
---------------------------------------------------------------------------
\130\ The procedures range from a very basic requirement that each
new customer agree to Terms of Service to a thorough vetting process of
each new customer. While several data brokers report that customers
must agree to abide by the companies' terms of service or use, other
companies described a stricter vetting process that includes additional
screening components. Company Narrative Responses to Senate Commerce
Committee (2012).
\131\ Acxiom Narrative Response to Senate Commerce Committee (Feb.
15, 2013).
\132\ Sample Equifax Contract (EFX SUPP 008).
\133\ The New York Times, Bilking the Elderly, with Corporate
Assist (May 20, 2007).
---------------------------------------------------------------------------
One recent incident involving Experian's credit services arm
underscored that customer vetting and oversight practices are not
always failsafe. In October 2013, media accounts reported that an
alleged identity theft operation had purchased consumer data from Court
Ventures, a company Experian acquired in March 2012, and that sales of
data to the operation went on ``for almost a year after Experian did
their due diligence'' and purchased the company.\134\ Concerned about
implications of these reports regarding Experian's customer vetting
processes, Chairman Rockefeller wrote Experian asking the company to
confirm whether such sales had occurred, how long such sales had
continued after Experian had acquired Court Ventures, and Experian's
vetting of Court Ventures customers prior to and after acquisition. He
also pressed the company for a complete customer list.\135\
---------------------------------------------------------------------------
\134\ Krebsonsecurity.com, Experian Sold Consumer Data to ID Theft
Service (Oct. 20, 2013); PCMAG.com, Experian Confirms Subsidiary's Data
Sold to Identity Theft Operation (Oct. 22, 2013).
\135\ Letter from Chairman John D. Rockefeller to Mr. Don Robert,
Chief Executive Officer, Experian (Oct. 23, 2013).
---------------------------------------------------------------------------
Experian's response acknowledged that a person possibly engaged in
criminal activity had been a Court Ventures customer before and after
Experian's acquisition of the company, and underscored that Experian
stopped sales to this customer immediately after notification by
authorities that this customer was under investigation. However, the
company did not make clear how long the sales occurred undetected by
Experian after acquisition of Court Ventures. The company further
refused to provide specific customers to the Committee.\136\
---------------------------------------------------------------------------
\136\ Letter from Tony Hadley, Senior Vice President of Government
Affairs and Public Policy, Experian, to Chairman John D. Rockefeller IV
(Nov. 8, 2013).
---------------------------------------------------------------------------
Given that identifying vulnerable consumers is critical to the
business of predatory lenders and fraudfeasors, and precedent where
such entities have turned to data brokers for consumer data, the sale
and use of data broker products segmenting financially vulnerable
consumers merits close scrutiny.
b. Scoring Products that Mirror Tools Regulated under the Fair Credit
Reporting Act
Some of the scoring products the respondent companies sell for
marketing purposes resemble credit scoring tools that, under the Fair
Credit Reporting Act, cannot be used for marketing. In materials
describing one such product, ``Summarized Credit Statistics,'' Experian
emphasizes the distinction between the aggregated credit-related
information offered by the product and individual credit information,
explaining: ``because individual credit information may not be used for
marketing purposes without a pre-approved offer, Experian developed
Summarized Credit Statistics to characterize a neighborhood's consumer
credit activity.'' \137\
---------------------------------------------------------------------------
\137\ Experian, Summarized Credit Statistics (EXP002109-EXP002110).
This credit product includes the following:
Median equivalency score--assesses the potential risk
for seriously derogatory behavior. The scores range from 360 to 840
(high score equals low risk) to accommodate the industry standard use
of credit scores,
Median risk score--similar to median equivalency score,
this option also characterizes neighborhoods or market segments based
on their likelihood of having future derogatory credit activity. This
score range (0-1000) has a direct correlation, where a low score equals
a low risk, and,
Median bankruptcy score--pinpoints neighborhoods or
market segments that may be more likely to file for bankruptcy or
become seriously delinquent over the next 12 months. This score is a
leading indicator of potential derogatory impacts. Scores range from
108 to 1257, with a high score indicating great likelihood. Id.
---------------------------------------------------------------------------
Similarly, Equifax offers ``Aggregated FICO Scores,'' which Equifax
distinguishes from FICO scores, which are generally prohibited for use
in marketing under the Fair Credit Reporting Act. In its marketing
materials for this product, the company states that ``FICO Scores are
no longer only for credit approvals: With aggregated FICO Scores,
[customers] can leverage the basis of FICO scores for non-FCRA
marketing applications such as prospecting and ITA [invitations to
apply].'' \138\ The company further explains that ``for the first time,
marketers now have access to an aggregated, non-FCRA measure derived
from the FICO Score.'' \139\
---------------------------------------------------------------------------
\138\ Equifax, Aggregated FICO Scores: Utilize Aggregated FICO for
Marketing Applications (EFX PROD3 0258-0260).
\139\ Equifax, Aggregated FICO Scores from IXI Services (EFX SUPP
168-169).
---------------------------------------------------------------------------
This Committee inquiry did not focus on FCRA compliance
issues.\140\ However, the emergence of marketing products that closely
resemble credit scoring tools underscores the need for additional
review of key questions including:
whether there are privacy concerns surrounding the use of
these tools,
whether additional consumer protections should be provided,
and
whether use of some of these scores might be considered
eligibility determinations that should be scrutinized under the
Fair Credit Reporting Act.\141\
---------------------------------------------------------------------------
\140\ Contracts that respondent data brokers provided the Committee
make clear they require customers to comply with FCRA's prohibition
against using marketing information for eligibility determinations.
\141\ See discussion at part I.C regarding consumer protection
issues relating to scoring products.
---------------------------------------------------------------------------
C. Data Broker Customers and New Mechanisms for Using Data Broker
Products
Responding data brokers told the Committee they sell their
marketing products to a range of customers for a variety of types of
marketing. These customers use data broker products for traditional
mailing lists and increasingly to tailor outreach to individual
consumer computers or mobile devices. Following is a discussion of the
types of customers with whom data brokers share marketing products and
what companies told the Committee about how their products are shared
and used.
1. Who Buys the Data
The respondent companies told the Committee they sell consumer data
to a wide range of customers. The types of customers included financial
institutions, hotel chains, wireless telephone service providers, cable
companies, and jewelry stores, as well as other data brokers or
resellers. While some companies provided identities of specific
customers, others instead provided only general descriptions of the
types of customers that purchase their data. For example, Acxiom's
customers include ``47 Fortune 100 clients; 12 of the top 15 credit
card issuers; seven of the top 10 retail banks; eight of the top 10
telecom/media companies; seven of the top 10 retailers; 11 of the top
14 automotive manufacturers; six of the top 10 brokerage firms; three
of the top 10 pharmaceutical manufacturers; five of the top 10 life/
health insurance providers; nine of the top 10 property and casualty
insurers; eight of the top 10 lodging companies; two of the top three
gaming companies; three of the top five domestic airlines; six of the
top 10 U.S. hotels.'' \142\
---------------------------------------------------------------------------
\142\ Acxiom, Fact Sheet: Consumer Insight Products (ACXM 458).
Acxiom also provided several examples of specific publicly identified
clients. E.g., Acxiom Response to Senate Commerce Committee (Nov. 2,
2012).
---------------------------------------------------------------------------
Experian's customers include ``retailers, including online,
storefront, and catalog sellers; consumer products manufacturers;
charities and other nonprofit organizations; advertising agencies;
media placement agencies; government agencies; Internet service
providers; Internet portals; businesses offering services, especially
local businesses; direct mail service providers; real estate agents;
local, state, and Federal politicians; and colleges and universities.''
\143\
---------------------------------------------------------------------------
\143\ Experian Narrative Response to Senate Commerce Committee, at
19 (Nov. 2, 2012).
---------------------------------------------------------------------------
Epsilon provided a list of the industries associated with their
customers, which includes ``business to business, broker, consumer
packaged goods, direct to consumer, emerging markets, finance,
healthcare, high tech--telco, insurance, multichannel marketers
(catalog), not for profit, publishing, research, retail, strategic
partners, tobacco, and travel and entertainment.'' \144\ The company
further elaborated on several of these categories, explaining that list
brokers are ``buying agents for companies that send direct mail,'' that
``research the types of available lists that a mailer could use for
their offer.'' Emerging markets are ``a collection of types of clients
that are new to using direct marketing to reach customers,'' and
strategic partners are ``companies that license data as inputs for
models they create and resell to other companies.'' \145\
---------------------------------------------------------------------------
\144\ Letter from Lydia Parnes, Counsel to Epsilon, to Erik Jones,
Deputy General Counsel to the Senate Commerce Committee, at 10 (Feb.
13, 2013).
\145\ Letter from Lydia Parnes, Counsel to Epsilon, to Melanie
Tiano, Counsel to Senate Commerce Committee (July 24, 2013). An example
is a company that specializes in serving not-for-profit clients on
fund-raising matters, which then uses marketing data furnished by
Experian to help their clients refine fund-raising mailing campaigns.
Id. Epsilon also described to the Committee several examples of
specific publicly identified clients. Epsilon Response to Senate
Commerce Committee, (Feb. 13, 2013) (EPS-COM-003612-003650).
---------------------------------------------------------------------------
2. New Mechanisms for Using Data
In their responses to the Committee, data brokers described client
uses of their data in general terms such as fraud detection, identity
authentication, and marketing. Specific customers named in some
responses of the queried data brokers provided Committee staff with
additional detail regarding their use of data broker products.
For example, one retail bank noted that if it were seeking to determine
ideal locations of new branches, it may be interested in examining
predicted borrowing and spending behaviors of its existing customers.
Such information also might help banks when they are setting goals
based upon the likely needs of their clientele, such as whether one
branch should give more loans while another should open more new
accounts.\146\
---------------------------------------------------------------------------
\146\ Committee staff telephone interview with retail bank
purchaser of segmenting buckets (Nov. 21, 2013).
---------------------------------------------------------------------------
Further, the data broker responses made clear that customers are
using data broker products to reach consumers both through on-line and
off-line outreach. While American consumers are beginning to
understand, and even expect, that their online activities will be
tracked in order to send them online advertisements,\147\ it is unclear
whether they understand the extent to which data concerning their
offline activities also may be collected and used to tailor online
advertisements.\148\
---------------------------------------------------------------------------
\147\ Joseph Turow, The Daily You, at 185 (2011) (citing a 2005
survey that showed 80 percent of respondents ``believed that `companies
today have the ability to follow my activity across many sites on the
web.' '').
\148\ See Appendix III for a sampling of some of the data elements
one company reported offering for online targeting.
---------------------------------------------------------------------------
Historically, data about consumers was used to locate consumers to
send catalogs and other marketing promotions through the mail or
contact via telephone. Increasingly, the information that data brokers
make available about consumers--including demographic characteristics,
financial information, and offline purchases and interests--is provided
to clients digitally such that it informs the client's ability to
target consumers online.\149\
---------------------------------------------------------------------------
\149\ As Datalogix explained its digital product offerings:
The DLX Digital Display Media product is a direct and natural
evolution of Direct Mail product for the digital era, in virtually
every way. In the traditional mail world, the data was and is used to
deliver catalogues and marketing promotions through the mail channel to
the personal address of a family or individual. In the display
business, the data is used to deliver an advertisement via a banner
advertisement. If the consumer clicks on the advertisement, the
consumer is taken to a company-sponsored website that provides detail
about the product or service in an analogous way to a catalog. Websites
have replaced or augmented catalogues as a preferred method of consumer
shopping in the last decade.
Letter from Eric Roza, Chief Executive Officer, Datalogix, to
Chairman John D. Rockefeller IV (Nov. 16, 2012).
---------------------------------------------------------------------------
The primary method for achieving online data sharing described by
respondent companies is through the use of ``cookies,'' \150\ and other
technical means, such as ``cookie syncing,'' or ``cookie matching.''
\151\ However, as Internet browser companies take steps to block cookie
traffic, other technology to track consumers is developing rapidly, and
some data broker companies appear to be finding new ways to follow
consumers across different channels such as mobile devices. For
example, in September 2013, Acxiom announced its ``Audience Operating
System (AOS).'' AOS will combine data from multiple sources and enable
digital marketers to segment and target audiences across channels and
devices and would eliminate the need for third-party cookies, the
current technology used to track consumers across the Internet.\152\
---------------------------------------------------------------------------
\150\ A cookie is a text file that a website's server places on a
consumer's web browser. Cookies can be used to transmit information
back to the website's server about the browsing activities on the site
as well as be used to track a computer across different sites. See
Federal Trade Commission, FTC Staff Report: Self-Regulatory Principles
for Online Behavioral Advertising (Feb. 2009).
\151\ Cookie syncing is the process of mapping user id's from one
system to another. See AdMonsters, Cookie Syncing (Apr. 20, 2010)
(online at http://www.admonsters.com/blog/cookie-synching).
\152\ Gartner, Acxiom's Audience Operating System Could Reinvent
Data-Driven Marketing (Sep. 26, 2013).
---------------------------------------------------------------------------
Data brokers are increasingly focused on using their offline
consumer profiles for the purposes of serving online advertisements.
Acxiom, for example, currently offers approximately 47 percent of its
1,500 data elements to help marketers target consumers online by
personalizing websites for individual consumers or serving
advertisements.\153\ Similarly, Equifax offers many of its products
digitally, including modeled FICO scores and the Ability to Pay
Index.\154\ Experian's Hitwise product enables marketers to obtain
aggregate reports on the online behavior of their existing consumers by
anonymously matching Experian offline marketing data with website
traffic pattern analysis.\155\
---------------------------------------------------------------------------
\153\ Committee staff conversation with Jennifer Barrett Glasgow,
Chief Privacy Officer, Acxiom (Dec. 10, 2013).
\154\ For use online, the Ability to Pay Index assigns consumers a
score from one to four. A score of one represents consumers with the
highest likelihood of being able to pay. Equifax, Ability to Pay
Digital (EFX SUPP 164); Equifax, Aggregated FICO Digital Targeting
Segments (EFX PROD3 0294).
\155\ Experian Narrative Response to Senate Commerce Committee, at
10-11 (Feb. 26, 2013). The marketing materials suggest that customers
can identify and track consumer groups based upon a variety of
elements, including visits to specific websites; online searches for
specific terms; demographics, including age, income, gender, race, and
ethnicity; summarized credit scores; presence of children; hobbies;
ailments and prescriptions; and life events, such as new parents,
movers, or new homeowners. Experian, AudienceView (EXP002472-2473).
---------------------------------------------------------------------------
Data brokers have asserted that digital products offer more privacy
protections for consumers than traditional mail marketing because the
data on consumers used in this context is not ``personally
identifiable'' as that term is commonly understood. They point out that
for marketing online, information about a consumer is often associated
with a code instead of the consumer's name.\156\ However, some privacy
and information experts have expressed concerns that re-identification
techniques may be used with such data,\157\ and questioned whether
data that identifies specific computers and devices can truly be
considered ``anonymous.'' As marketing scholar Joseph Turow wrote:
---------------------------------------------------------------------------
\156\ Letter from Eric Roza, Chief Executive Officer, Datalogix, to
Chairman John D. Rockefeller IV (Nov. 16, 2013).
\157\ See How Anonymous Is Your Data? So, Should You Be Worried
That We're on a Fast Track to Mass Privacy Invasions?, Advertising Age
(Mar. 18, 2013) (discussing the re-identification of online data that
has been anonymized).
---------------------------------------------------------------------------
Industry claims of anonymity surrounding all these data may
soften the impact of the sorting and labeling processes. But in
doing so, it seriously undermines the traditional meaning of
the word. If a company can follow and interact with you in the
digital environment--and that potentially includes the mobile
phone and your television set--its claim that you are anonymous
is meaningless, particularly when firms intermittently add
offline information to the online data and then simply strip
the name and address to make it ``anonymous.'' \158\
---------------------------------------------------------------------------
\158\ Joseph Turow, The Daily You, supra n. 146, at 190; see also
Paul Ohm, Broken Promises of Privacy, 57 UCLA Law Review 1701, 1704
(2010) (``Data can either be useful or perfectly anonymous, but never
both.'').
---------------------------------------------------------------------------
D. Data Broker Transparency and Privacy Practices
Data brokers generally are not consumer facing; therefore, most
consumers have no way of knowing that data brokers may be collecting
their data. Further, a number of companies have contracts with their
customers that limit customer disclosures regarding their data sources.
And since consumers generally do not have Federal statutory rights of
access, correction, or control with respect to the information data
brokers maintain on them for marketing, companies can establish privacy
protections for this data largely at their own discretion.
Industry representatives continue to support self-regulation as the
best approach for protecting the privacy of consumer data used for
marketing, and many of the data broker responses to the Committee
highlighted the importance of self-regulation. In fact, Acxiom cited a
company philosophy--``just because you can doesn't mean you should''
\159\--as a guiding principle for how to handle the mass quantities of
consumer data available to them.
---------------------------------------------------------------------------
\159\ Acxiom Narrative Response to Senate Commerce Committee, at 3
(Apr. 15, 2013).
---------------------------------------------------------------------------
Most company responses indicated they have incorporated many of the
best practices set forth in the Guidelines for Ethical Business
Practices issued in 2009 by the Direct Marketing Association.\160\
These guidelines provide ``generally accepted principles of conduct''
for ``database compilers'' that cover subjects including consumer
choice and privacy notices, handling sensitive and specifically health-
related information, oversight of customer data use, and information
security. The guidelines also provide for a consumer right to opt out
of the marketing process but do not provide for consumer access and
correction rights with respect to their own data.\161\
---------------------------------------------------------------------------
\160\ For discussion of these guidelines see Part I.B.
\161\ DMA Guidelines, supra n.25, Article 31.
---------------------------------------------------------------------------
This section discusses respondent company practices relevant to
transparency and privacy.
1. Disclosure Limitations
Although DMA Guidelines recommend that members ``not prohibit an
end-user marketer from divulging the database compiler as the source of
the marketer's information,'' \162\ a number of the companies have
contracts with customers that place restrictions on customer disclosure
of their data source. For example, one company's contract language
provides: ``All marketing communications used in connection with any
list or data element provided to client shall . . . be devoid of any
reference to . . . the source of the recipient's name and address.''
\163\ Similarly, another company's contracts provide that the company
``may not be advertised, or otherwise disclosed to any third party, as
the source of the Licensed Data unless Client first obtains the
express, written permission'' of the company.\164\
---------------------------------------------------------------------------
\162\ DMA Guidelines, supra n.25, Article 36.
\163\ Sample contract provided to the Senate Commerce Committee.
\164\ Sample contract provided to the Senate Commerce Committee.
---------------------------------------------------------------------------
The contracts reviewed by the Committee do, however, provide
exceptions to such restrictions where a consumer makes a direct inquiry
to the data broker's customer.\165\
---------------------------------------------------------------------------
\165\ E.g., Sample Contract provided to the Senate Commerce
Committee.
---------------------------------------------------------------------------
2. Consumer Access and Control Rights
The respondent data brokers varied widely with respect to access
and correction rights. For example, Experian and Equifax provide
consumers no right to view their own data or correct it. Rapleaf
provides consumers access to their data, and allows them to correct
data that Rapleaf originates, but the company does not provide
correction rights to data originating from others.
Equifax states that a large percentage of the products it offers
are aggregated or modeled scores that are then attributed to every
household or individual sharing a particular ZIP+4 Code. Equifax
asserts that because the consumer data obtained is de-identified and
therefore not about a particular consumer, Equifax does not provide an
opportunity for consumer notice, access, or correction.\166\ Similarly,
Experian does not provide consumers the ability to access or correct
the data maintained because the company ``does not maintain sufficient
personal information to allow adequate authentication of an individual
who requests access,'' \167\ and much of the information is modeled or
inferred or provides general information, such as income ranges, rather
than details, such as exact income, making correction rights
unnecessary.\168\
---------------------------------------------------------------------------
\166\ Response Letter from Robert W. Kamerschen, U.S. Chief Counsel
and Senior Vice President, Equifax to Chairman John D. Rockefeller IV,
at 5 (Nov. 2, 2012).
\167\ Experian Narrative Response to Senate Commerce Committee, at
16 (Nov. 2, 2013).
\168\ Id.
---------------------------------------------------------------------------
Acxiom in September 2013 unveiled a new website--Aboutthedata.com--
that allows consumers to see and correct certain information that
Acxiom has collected about them. In order to access information,
consumers must enter their full name, address, date of birth, last four
digits of their social security number, and e-mail address. Once a
consumer's information has been authenticated, the consumer can view,
and correct or delete broad categories of what Acxiom calls ``core''
data.
While the new Acxiom database marks a step forward in promoting
transparency, it does not provide consumers a complete view of the data
the company holds on consumers for marketing purposes. First, consumers
do not have access to data to which Acxiom has applied analytics. For
example, a consumer could see data points showing their occupation and
that they have children, but if Acxiom inferred from those two data
points that the consumer is a ``working parent,'' the consumer would
not have access to that inferred element. Second, the database includes
only those data points that are currently incorporated into Acxiom's
digital--as opposed to offline--products. According to Acxiom
representatives, as of early December, about 47 percent of Acxiom's
offline data was included in the digital products, and the company is
aiming to have complete overlap of the two data sets within a few
years.\169\
---------------------------------------------------------------------------
\169\ See Section III.C.2. According to documents provided to the
Committee, as of June 2012, Acxiom had 160 elements available in the
digital products. The 160 elements include some modeled data that would
not be available for access and correction. This is out of Acxiom's
over 1,500 data elements currently listed as available in their data
catalog. Acxiom Narrative Response to Senate Commerce Committee (Mar.
1, 2013). Conversations with Acxiom suggest that this number may now be
as high as 47 percent of the available 1,500 data elements. Committee
staff conversation with Jennifer Barrett Glasgow, Chief Privacy
Officer, Acxiom (Dec. 10, 2013).
---------------------------------------------------------------------------
3. Opt-Out Rights
Several companies reported that they provide an avenue for
consumers to opt out of having their information shared for marketing
purposes. The companies that provide these options typically give
notice to consumers of this option via their privacy policies and
company websites. They can also entirely opt out of having any of their
data collected.
Acxiom's policy is to permanently delete the records of consumers
who choose to opt out. However, a number of other respondent companies
provide that, when a consumer opts out of having their information
shared, the companies do not delete the consumer's information. Rather,
as Epsilon describes:
When a consumer opts-out with Epsilon, Epsilon marks the
consumer's information as ``Do Not Share,'' rather than
deleting the information. Epsilon does this to preserve the
consumer's preference; if the consumer's information is
deleted, in the future, Epsilon would have no way to know that
the consumer requested that their information not be shared.
When a consumer is marked as ``Do Not Share,'' Epsilon will
know that the consumer did not want their information shared in
case the consumer's information is later resubmitted. Epsilon
adheres to this policy to ensure that consumers' opt-out
requests are persistent and honored.\170\
---------------------------------------------------------------------------
\170\ Epsilon Narrative Response to Senate Commerce Committee (Nov.
2, 2012).
---------------------------------------------------------------------------
Similarly, when a consumer requests that Experian suppress the use
of their information for marketing purposes, ``Experian does not
completely eliminate data in response to a suppression request.
[Experian] must continue to internally maintain a record pertaining to
the suppressed household in order to properly manage consumer records,
such as the consumer's choice for suppression.'' \171\
---------------------------------------------------------------------------
\171\ Experian Narrative Response to Senate Commerce Committee, at
16 (Nov. 2, 2012).
---------------------------------------------------------------------------
It is worth noting that since consumers are often not aware that
data brokers hold their information, it is not clear how they would be
aware that they have opt-out rights, or how to exercise them.
IV. Conclusion
The responses the Committee received in its inquiry into the data
broker industry provide a snapshot of how data brokers collect, use,
and share consumer data for marketing purposes. This information makes
clear that consumers going about their daily activities--from making
purchases online and at brick-and-mortar stores, to using social media,
to answering surveys to obtain coupons or prizes, to filing for a
professional license--should expect that they are generating data that
may well end up in the hands of data brokers. They should expect that
this data may well be amassed with many other details about them data
brokers already have compiled. And they should expect that data brokers
will draw on this data without their permission to construct detailed
profiles on them reflecting judgments about their characteristics and
predicted behaviors.
The responses also underscore that consumers have minimal means of
learning--or providing input--about how data brokers collect, analyze,
and sell their information. The wide variety of consumer access and
control policies provided by the representative companies shows that
consumer rights in this arena are offered virtually entirely at the
companies' discretion. The contractual limitations imposed by companies
regarding customer disclosures of their data sources place additional
barriers to consumer transparency. And the refusal by several major
data broker companies to provide the Committee complete responses
regarding data sources and customers only reinforces the aura of
secrecy surrounding the industry.
This Committee inquiry has been conducted at a time when sources of
consumer data and technological capabilities for storage and speedy
analysis of data continue to expand. As data brokers are creating
increasingly detailed dossiers on millions of consumers, it is
important for policymakers to continue vigorous oversight to assess the
potential harms and benefits of evolving industry practices and to make
sure appropriate consumer protections are in place.
______
Appendix I
Federal Laws That May Be Applicable To Information Collected
By Data Brokers
In its September 2013 Information Resellers Report, GAO found that
no single comprehensive Federal privacy law governs the collection,
use, and sale of personal information maintained and sold by data
brokers.\1\ Instead, a ``more narrowly tailored'' set of laws
concerning private sector use of consumer information exists which
``apply for specific purposes, in certain situations, to certain
sectors, or to certain types of entities.'' \2\ The Fair Credit
Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA), Section 5 of
the Federal Trade Commission Act (FTC Act), and to some extent the
Health Insurance Portability and Accountability Act of 1996 (HIPAA),
and the Children's Online Privacy Protection Act (COPPA) are the
primary laws that govern the collection and use of consumer
information. A brief summary of the applicable portions of each of
these laws follows below.
---------------------------------------------------------------------------
\1\ Government Accountability Office, Information Resellers:
Consumer Privacy Framework Needs to Reflect Changes in Technology and
the Marketplace, GAO-13-663 (Sept. 2013) (hereafter ``GAO Information
Reseller Report'').
\2\ Id.
---------------------------------------------------------------------------
I. Fair Credit Reporting Act
The Fair Credit Reporting Act (FCRA) \3\ imposes a number of
obligations on consumer reporting agencies (CRAs), which are entities
that assemble consumer information into ``consumer reports'' for use by
issuers of credit and insurance, and by employers, landlords, and
others in making eligibility decisions affecting consumers.\4\ Whether
the obligations and protections of the FCRA apply to consumer data
depends largely on the purpose for which the information is collected,
and the intended and actual use of the information, rather than the
origin or nature of the information itself. The FCRA does not apply to
the collection and use of information for the purpose of marketing,
except that it allows marketing of pre-screened offers of credit and
insurance where consumers are provided the opportunity to opt out of
future such offers.\5\
---------------------------------------------------------------------------
\3\ Pub. L. No. 91-508, Tit. VI, 84 Stat. 1114, 1128 (1970)
(codified as amended at 15 U.S.C. Sec. Sec. 1681-1681x).
\4\ 15 U.S.C. Sec. 1681a.
\5\ 15 U.S.C. Sec. 1681b(e). Pre-screened offers of credit or
insurance--sometimes called ``pre-approved'' offers--are sent to
consumers unsolicited, usually by mail. They are based on information
in consumers' credit reports that indicates that the individuals
receiving the offer meet the criteria set by the company making the
offer. The FCRA limits the circumstances in which consumer reports can
be used to make pre-screened offers, and provides that all such offers
must include a notice of consumers' right to stop receiving future pre-
screened offers.
---------------------------------------------------------------------------
The FCRA requires that CRAs make reasonable efforts to assure the
``maximum possible accuracy'' \6\ of the information they provide to
data users, and further requires they maintain procedures through which
consumers can dispute and correct inaccurate information in their
consumer reports.\7\ CRAs also must take reasonable measures to ensure
that they provide credit reports only to those entities that have a
statutorily-specified ``permissible purpose'' to receive them.\8\ The
FTC has recently taken actions against a number of companies for
allegedly violating the FCRA.\9\
---------------------------------------------------------------------------
\6\ 15 U.S.C. Sec. 1681e(b).
\7\ 15 U.S.C. Sec. 1681i(a)-(d).
\8\ 15 U.S.C. Sec. 1681b(a), (c). Permissible purposes under the
FCRA include, but are not limited to, the use of a consumer report in
connection with a determination of eligibility for credit, insurance,
or a license; in connection with the review of an existing account; and
for certain employment purposes. Other typical uses that are subject to
FCRA protections include tenant screening, and check cashing services.
\9\ See, e.g., Press Release, ``Certegy Check Services to Pay $3.5
Million for Alleged Violations of the Fair Credit Reporting Act and
Furnisher Rule,'' Federal Trade Commission (Aug. 15, 2013) (available
at www.ftc.gov/news-events/press-releases/2013/08/certegy-check-
services-pay-35-million-alleged-violations-fair); Press Release,
``Marketers of Criminal Background Screening Reports To Settle FTC
Charges They Violated Fair Credit Reporting Act,'' Federal Trade
Commission (Jan. 10, 2013) (available at www.ftc.gov/news-events/
press-releases/2013/01/marketers-criminal-background-screening-
reportsto-settle-ftc); Press Release, ``Spokeo to Pay $800,000 to Settle
FTC Charges Company Allegedly Marketed Information to Employers and
Recruiters in Violation of FCRA,'' Federal Trade Commission (June 7,
2012) (available at www.ftc.gov/news-events/press-releases/2012/06/
spokeo-pay-800000-settle-ftc-charges-company-allegedly-marketed).
---------------------------------------------------------------------------
II. Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act (GLBA) \10\, also known as the Financial
Services Modernization Act of 1999, imposes privacy and security
obligations on nonpublic personal information that consumers provide to
``financial institutions,'' which GLBA defines as businesses that are
engaged in ``financial activities,'' including traditional banking,
lending, and insurance functions, as well as other activities such as
providing investment advice, brokering loans, credit reporting, and
real estate settlement services.\11\ Financial institutions subject to
GLBA must comply with two key provisions of the Act--the ``Financial
Privacy Rule'' and the ``Safeguards Rule.'' The Financial Privacy Rule
governs the collection and disclosure of consumers' personal
information.\12\ The ``Safeguards Rule'' requires that financial
institutions design, implement and maintain safeguards to protect
consumers' nonpublic information.\13\
---------------------------------------------------------------------------
\10\ Pub. L. No. 106-102, 113 Stat. 1338 (1999) (codified as
amended in scattered sections of 12 and 15 U.S.C.).
\11\ 15 U.S.C. Sec. 6809(3)(A).
\12\ 15 U.S.C. Sec. 6801(a).
\13\ 15 U.S.C. Sec. 6801(b).
---------------------------------------------------------------------------
The GLBA Privacy Rule generally prohibits covered financial
institutions from disclosing nonpublic personal information about
consumers to non-affiliated third parties without first providing
consumers with notice and the opportunity to opt out of the
disclosure.\14\ However, the GLBA provides a number of statutory
exceptions under which disclosure is permitted without specific notice
to the consumer, including consumer reporting (pursuant to the FCRA),
fraud prevention, law enforcement and regulatory or self-regulatory
purposes, compliance with judicial process, and public safety
investigations.\15\
---------------------------------------------------------------------------
\14\ 15 U.S.C. Sec. 6802(b).
\15\ 15 U.S.C. Sec. 6802(e).
---------------------------------------------------------------------------
Entities that receive information under an exception to the GLBA
are subject to reuse and re-disclosure restrictions, even if those
entities are not themselves financial institutions.\16\ In particular,
the recipients may only use and disclose the information ``in the
ordinary course of business to carry out the activity covered by the
exception under which . . . the information [was received].'' \17\
Thus, for example, if a data broker obtains ``credit header
information''--which includes a consumer's name, address, and social
security number--from a financial institution pursuant to the GLBA
exception ``to protect against or prevent actual or potential fraud,''
then that data broker may not reuse and re-disclose that information
for marketing purposes.
---------------------------------------------------------------------------
\16\ 16 C.F.R. Part 313.
\17\ 16 C.F.R. Part 313.11(a).
---------------------------------------------------------------------------
III. Federal Trade Commission Act
Section 5 of the Federal Trade Commission (FTC) Act provides the
Commission with broad jurisdiction to regulate unfair or deceptive
practices in competition and consumer protection.\18\ Section 5 forms
the basis of the FTC's substantial body of law that covers advertising,
marketing, certain financial practices, and privacy, among other areas.
In the privacy space, Section 5 applies to both deceptions and
violations of written privacy policies and statements made to consumers
about how they will safeguard or use consumer information.\19\ The
Commission's Section 5 authority extends to the sale of data for
marketing purposes.\20\
---------------------------------------------------------------------------
\18\ 15 U.S.C. Sec. 45. Banks, savings and loans, credit unions,
common carriers, and air carriers are exempt from the FTC's Section 5
jurisdiction.
\19\ See, e.g., Press Release, Google Will Pay $22.5 Million to
Settle FTC Charges it Misrepresented Privacy Assurances to Users of
Apple's Safari Internet Browser, Federal Trade Commission (Aug. 9, 2012)
(available at www.ftc.gov/news-events/press-releases/2012/08/google-
will-pay-225-million-settle-ftc-charges-it-misrepresented); Press
Release, Online Data Broker Settles FTC Charges Privacy Policies were
Deceptive, (Sept. 22, 2010) (available at http://www.ftc.gov/news-
events/press-releases/2010/09/online-data-broker-settles-ftc-charges-
privacy-pledges-were) (charging that U.S. Search, Inc.'s promises that
they would prevent consumers' personal information from appearing in
their reverse lookup database in exchange for a $10 fee were false);
Press Release, Agency Announces Settlement of Separate Actions Against
Retailer TJX, and Data Brokers Reed Elsevier and Seisint for Failing to
Provide Adequate Security for Consumers Data, Federal Trade Commission
(Mar. 27, 2008) (available at http://www.ftc.gov/news-events/press-
releases/2008/03/agency-announces-settlement-separate-actions-against-
retailer-tjx).
\20\ In October of 2012, the FTC alleged that the credit reporting
division of Equifax improperly sold more than 17,000 ``prescreened''
lists of consumers who were late on their mortgage payments to Direct
Lending Source, Inc. and its affiliate companies. Direct Lending
subsequently resold some of these lists to third parties, who used the
lists to pitch loan modification and debt relief services to people in
financial distress, including to companies that had been the subject of
prior law enforcement investigations. See Press Release, FTC
Settlements Require Equifax to Forfeit Money Made by Allegedly
Improperly Selling Information about Millions of Consumers Who Were
Late on Their Mortgages, Federal Trade Commission (Oct. 10, 2012)
(available at http://www.ftc.gov/news-events/press-releases/2012/10/
ftc-settlements-require-equifax-forfeit-money-made-allegedly).
---------------------------------------------------------------------------
IV. Health Insurance Portability and Accountability Act
The Health Insurance Portability and Accountability Act (HIPAA)
\21\ protects certain personal health information from use and
disclosure. HIPAA applies to individually identifiable health
information \22\ held by ``covered entities,'' which include health
insurers, health care providers--if they transmit any information in an
electronic form for certain covered transactions--and health care
clearinghouses, as well as their vendors, subcontractors, and business
associates.\23\ The HIPAA Privacy Rule governs the use and disclosure
of personal health information and, with some exceptions, requires an
individual's written authorization prior to using consumers' protected
health information for marketing and sale.\24\ However, HIPAA affords
fairly narrow protections and its restrictions on sharing do not apply
to health information held by non-covered entities, including data
brokers.
---------------------------------------------------------------------------
\21\ Pub. L. No. 104-191, 110 Stat. 1936 (1996) (codified as
amended in scattered sections of 18, 26, 29, and 42 U.S.C.).
\22\ 45 C.F.R. Part 160.103. Individually identifiable health
information is information which can be linked to a particular person.
This information can relate to the individual's past, present or future
physical or mental health or condition, or, the past, present, or
future payment for the provision of health care to the individual.
\23\ 45 C.F.R. Part 160.103.
\24\ Exceptions include refill reminders or other communications
about a drug or biologic that is currently being prescribed for the
individual, only if any financial remuneration received by the covered
entity in exchange for making the communication is reasonably related
to the covered entity's cost of making the communication. 45 C.F.R.
164.501.
---------------------------------------------------------------------------
V. Children's Online Privacy Protection Act
The Children's Online Privacy Protection Act \25\ (COPPA) applies
to the online collection and use of personal information from children
under age 13. Websites and online services, including mobile apps,
covered by COPPA are required to post privacy policies, provide parents
with direct notice of their information practices, and get verifiable
consent from a parent or guardian before collecting personal
information from children. Personal information is defined as
information that would allow someone to identify or contact a child. It
includes, among other things, name, physical or e-mail address,
geolocation, and a ``persistent identifier,'' which can be used to
recognize a user over time and across different websites or online
services.\26\ The law specifies what information must be included in
the notice provided to parents and how and when to acquire parental
consent.\27\
---------------------------------------------------------------------------
\25\ 15 U.S.C. Sec. Sec. 6501-6506 (Pub. L. 105-277, 112 Stat.
2581-728, enacted October 21, 1998).
\26\ 16 C.F.R. Part 312.2.
\27\ 16 C.F.R. Part 312.5.
---------------------------------------------------------------------------
COPPA's restrictions and protections could apply to this
investigation because websites have been identified as one of the
sources from which data brokers obtain consumer information. COPPA does
not restrict the collection of a child's information from the child's
parent or other adult.
The Chairman. One of the things that we have learned in
this investigation is that data brokers engage in many
unobjectionable activities. They do what marketers have always
done: They help businesses find potential customers.
But we have also found some practices that raise some
serious consumer protection concerns. In particular, I am
disturbed by the evidence showing that the data brokers segment
Americans, categorize them into categories, name those
categories, based on their incomes, and then they sort
economically vulnerable customers into groups with names like
``rural and barely making it''--not making it up, that is one
of their categories--``tough start: young single parents'';
``rough retirement: small-town and rural seniors''; and ``zero
mobility.''
I want to know how and why data brokers are putting
American consumers into categories like these, and I want to
know which companies are buying these lists to target their
marketing to these groups. Maybe it is totally innocuous and
benign. I don't start out accepting that, but maybe it is. That
is why we are doing this investigation.
Some companies in the data broker industry have responded
positively to our oversight efforts.
When I became Chairman here several years ago, we went over
to Henry Waxman and stole a couple of his best people and set
up an investigations unit, which for some reason we had never
had. And we gave ourselves subpoena power; for some reason, we
had never done that. It is a powerful tool when you are doing
investigations, which is what we tend to do in here.
I want to know which companies are buying these lists to
target their marketing to those groups.
Some companies in the data broker industry have responded
very positively to our oversight efforts. Over the past year,
they have provided complete answers to my questions, even the
tough ones.
But several of the largest data brokers--specifically,
Acxiom, Epsilon, and Experian--are continuing to resist
oversight, just resist it. To date, they have not given me
complete answers about where they get their customer data on
consumers and to whom they sell it.
I am putting these three companies on notice today that I
am not satisfied with their responses and I am considering
further steps--and I have steps that I can use--that I can take
to get this information. We have oversight over this activity
in American commerce. And if you do oversight, whether it is
over intelligence or whether it is over this, you do it
seriously and you do it with a purpose and you want to get the
truth.
So I am putting these companies on notice that I am not
satisfied and I have further steps that I can take to get this
information. And I want to assure them that the oversight
efforts in this committee that we have started will continue.
I call now on my distinguished friend from a similar urban
state----
Senator Thune. That is right.
[Laughter.]
The Chairman.--Senator John Thune.
STATEMENT OF HON. JOHN THUNE,
U.S. SENATOR FROM SOUTH DAKOTA
Senator Thune. Well, thank you, Mr. Chairman, for holding
this hearing.
And thank you also to the witnesses for coming here today.
Our economy is increasingly data-driven, and data brokers
play a growing role in facilitating the provision of goods and
services to consumers. Data or information brokers are
companies that collect data, including personal information,
about consumers from a wide variety of sources, such as public
records, websites, and retailers, and then resell such
information for purposes that range from verifying an
individual's identity to preventing fraud to marketing
products.
As the Chairman noted in his initial letters to several
data brokers in 2012, the purpose of his inquiry has been to
better understand the industry and I look forward to today's
hearing as we focus on how the information collected by data
brokers is used for marketing purposes.
Without question, data-driven marketing can provide
benefits and greater convenience to consumers. It can lower the
cost of products and services because businesses can target
marketing more precisely. It also can help businesses create
and sell products that consumers actually want, lowering start-
up costs for new businesses.
Data-driven marketing is one important reason that many of
us are able to use search engines and our e-mail accounts for
free. It also allows consumers to receive frequent-shopper
benefits and coupons. And it promotes the targeting of
resources to reduce the amount of junk mail and catalogs that
aren't tailored to a consumer's particular interests--at least,
that is the goal.
Put simply, this industry is at the center of something the
Commerce Committee cares about: commerce. In today's economy,
data-driven marketing is widely used across all sectors of the
economy: financial, insurance, automotive, retail, technology,
health care. It is even used by nonprofits, governments, and
political campaigns. In fact, many media outlets have noted how
the use of commercial data resources helped the president's
reelection campaign in 2012.
As we will hear from the Direct Marketing Association, the
marketing data industry is also helping to fuel job creation
and technical innovation in our slowly recovering economy.
While the industry creates many benefits, this hearing will
also explore important questions about the privacy implications
of data brokers' activities, including issues of transparency,
profiling, and concerns about allegations of differential
pricing.
Questions have also been raised about whether consumers are
aware of the instances in which their personal information may
be collected, bought, and sold, resulting in calls for more
transparency into data broker practices.
Advocates have also raised concerns that data brokers
create profiles of individual consumers based on the
aggregation of sensitive and sometimes personal data, including
health conditions.
These are important issues, and I look forward to the
discussion today.
In a rapidly changing marketplace, the Federal Trade
Commission has done important work concerning data brokers and
related privacy issues, including developing educational
efforts. They have also brought enforcement actions under the
FTC Act and the Fair Credit Reporting Act. The FTC is also
completing a study about practices in the data broker industry
and will provide recommendations to Congress based on their
findings next year. I look forward to their testimony.
The Government Accountability Office has recently produced
a report on the data broker industry, which I understand will
be submitted as part of the record for this hearing as well as
to help inform this committee.
[The report follows:]
GAO Highlights
Why GAO Did This Study
Members of Congress and others have raised privacy concerns about
information resellers (data brokers) and consumer information. In part,
their concerns stem from consumers not always knowing the nature and
extent of the information collected and how it is used. Growing use of
the Internet, social media, and mobile applications has intensified
privacy concerns because these media greatly facilitate gathering of
personal information, tracking of online behavior, and monitoring of
individuals' locations and activities. This statement for the record
discusses: (1) existing Federal laws and regulations on the privacy of
consumer information held by information resellers, (2) any gaps that
may exist in this legal framework, and (3) views on approaches for
improving consumer data privacy.
This statement draws from a September 2013 report (GAO-13-663),
which focuses on information used for marketing. GAO analyzed relevant
laws and regulations; interviewed representatives of Federal agencies,
trade associations, consumer and privacy groups, and resellers; and
identified and reviewed approaches for improving consumer data privacy.
What GAO Recommends
In September 2013, GAO suggested that Congress should consider
strengthening the consumer privacy framework and review issues such as
the adequacy of consumers' ability to access, correct, and control
their personal information; and privacy controls related to new
technologies such as web tracking and mobile devices.
Information Resellers
Consumer Privacy Framework Needs to Reflect Changes in Technology
and the Marketplace
What GAO Found
No overarching Federal privacy law governs the collection and sale
of personal information among private-sector companies, including
information resellers. Instead, laws tailored to specific purposes,
situations, or entities govern the use, sharing, and protection of
personal information. For example, the Fair Credit Reporting Act limits
the use and distribution of personal information collected or used to
help determine eligibility for such things as credit or employment, but
does not apply to information used for marketing. Other laws apply
specifically to health care providers, financial institutions, or to
the online collection of information about children.
The current statutory framework for consumer privacy does not fully
address new technologies--such as tracking of online behavior or mobile
devices--and the vastly increased marketplace for personal information,
including the proliferation of information sharing among third parties.
No Federal statute provides consumers the right to learn what
information is held about them for marketing and who holds it. In many
circumstances, consumers also do not have the legal right to control
the collection or sharing with third parties of sensitive personal
information (such as health information) for marketing purposes. As a
result, although some industry participants have stated that current
privacy laws are adequate, GAO found that gaps exist in the current
statutory framework for information privacy. The framework also does
not fully reflect the Fair Information Practice Principles, widely
accepted principles for protecting the privacy and security of personal
information that have served as a basis for many privacy
recommendations Federal agencies have made.
Views differ on the approach that any new privacy legislation or
regulation should take. Some privacy advocates have argued that a
comprehensive privacy law would provide greater consistency and address
gaps in law left by the current sector-specific approach. Others have
stated that a comprehensive, one-size-fits-all approach would be
burdensome and inflexible. Some privacy advocates also cited the need
to provide consumers with greater ability to access, control the use
of, and correct information about themselves, particularly for data
being used for purposes different than those for which they originally
were provided. Industry representatives have asserted that restrictions
on the collection and use of personal data would impose compliance
costs, inhibit innovation, and reduce consumer benefits. Nonetheless,
the rapid increase in the amount and type of personal information that
is collected and resold warrants reconsideration of how well the
current privacy framework protects personal information. The challenge
will be providing appropriate privacy protections without unduly
inhibiting the benefits to consumers, commerce, and innovation that
data sharing can accord.
______
Prepared Statement of Alicia Puente Cackley, Director, Financial Markets
and Community Investment, U.S. Government Accountability Office
Chairman Rockefeller, Ranking Member Thune, and Members of the
Committee:
I am pleased to submit this statement on our recent work on
privacy, personal information, and information resellers.\1\ As you
know, information resellers (also known as data brokers) offer several
types of products to customers that include retailers, advertisers,
individuals, nonprofit organizations, law enforcement, and government
agencies. This statement is based on a report we issued this September
in response to a request from this committee to review privacy issues
related to the consumer data that information resellers collect, use,
and sell. Others also have raised privacy concerns about resellers and
consumer information. In part, their concerns stem from consumers not
always knowing the nature and extent of the information collected and
how it is used. Moreover, growing use of the Internet, social media,
and mobile applications has intensified privacy concerns because these
media greatly facilitate the gathering of personal information,
tracking of online behavior, and monitoring of individuals' locations
and activities.
---------------------------------------------------------------------------
\1\ GAO, Information Resellers: Consumer Privacy Framework Needs to
Reflect Changes in Technology and the Marketplace, GAO-13-663
(Washington, D.C.: Sep. 25, 2013).
---------------------------------------------------------------------------
Our September report examined: (1) existing Federal laws and
regulations related to the privacy of consumer information held by
information resellers, (2) any gaps that may exist in this legal
framework, and (3) views on approaches for improving consumer data
privacy. We focused on privacy issues related to information used for
marketing and individual reference services (look-up or people-search);
we did not focus on information used for other purposes such as
determining credit or employment eligibility.\2\
---------------------------------------------------------------------------
\2\ In a 2006 report, we examined financial institutions' use of
information resellers, focusing on consumer information used for
eligibility determinations, compliance with legal requirements, and
fraud prevention. GAO, Personal Information: Key Federal Privacy Laws
Do Not Require Information Resellers to Safeguard All Sensitive Data,
GAO-06-674 (Washington, D.C.: June 26, 2006).
---------------------------------------------------------------------------
For our September 2013 report, we reviewed and analyzed relevant
laws, regulations, and enforcement actions. We interviewed
representatives of Federal agencies, trade associations, consumer and
privacy groups, and resellers to obtain their views on data privacy
laws related to resellers. We identified and reviewed approaches
(legislative, regulatory, or self-regulatory) for improving consumer
data privacy that Federal entities--such as the White House, Federal
Trade Commission (FTC), and Department of Commerce (Commerce)--or
representatives of industry, consumer, and privacy groups advocated. We
interviewed representatives of these entities and reviewed relevant
studies, hearings, position papers, public comments, and other sources.
Further details of our scope and methodology can be found in our
published report.
We conducted the performance audit on which this statement is based
from August 2012 through September 2013, in accordance with generally
accepted government auditing standards. Those standards require that we
plan and perform the audit to obtain sufficient, appropriate evidence
to provide a reasonable basis for our findings and conclusions based on
our audit objectives. We believe that the evidence obtained provides a
reasonable basis for our findings and conclusions based on our audit
objectives.
Background
Resellers maintain large, sophisticated databases with consumer
information that can include credit histories, insurance claims,
criminal records, employment histories, incomes, ethnicities, purchase
histories, and interests. Resellers largely obtain their information
from public records, publicly available information (such as
directories and newspapers), and nonpublic information (such as from
retail loyalty cards, warranty registrations, contests, and web
browsing). Characterizing the precise size and nature of the reseller
industry can be difficult because of limited publicly known information
about the industry.
In 1972, a U.S. government advisory committee first proposed the
Fair Information Practice Principles (FIPP) for protecting the privacy
and security of personal information. While FIPPs are not legal
requirements, they provide a framework for balancing privacy with other
interests. The Organisation for Economic Co-operation and Development
(OECD) developed a revised version of the FIPPs that has been widely
adopted (see table 1).\3\
---------------------------------------------------------------------------
\3\ Organisation for Economic Co-operation and Development,
Guidelines on the Protection of Privacy and Transborder Flow of
Personal Data (Paris, France: Sept. 23, 1980). OECD's 30 member
countries include the United States. OECD has been considering whether
to revise or update its privacy guidelines to account for changes in
the role of personal data in the economy and society.
------------------------------------------------------------------------
Table 1.--Fair Information Practice Principles
------------------------------------------------------------------------
Principle Description
------------------------------------------------------------------------
Collection limitation The collection of personal information
should be limited, obtained by lawful and
fair means, and, where appropriate, with
the knowledge or consent of the
individual.
------------------------------------------------------------------------
Data quality Personal information should be relevant to
the purpose for which it is collected, and
should be accurate, complete, and current
as needed for that purpose.
------------------------------------------------------------------------
Purpose specification The purposes for the collection of personal
information should be disclosed before
collection and upon any change to those
purposes, and the use of the information
should be limited to those purposes and
compatible purposes.
------------------------------------------------------------------------
Use limitation Personal information should not be
disclosed or otherwise used for purposes
other than a specified purpose without
consent of the individual or legal
authority.
------------------------------------------------------------------------
Security safeguards Personal information should be protected
with reasonable security safeguards
against risks such as loss or unauthorized
access, destruction, use, modification, or
disclosure.
------------------------------------------------------------------------
Openness The public should be informed about privacy
policies and practices, and individuals
should have ready means of learning about
the use of personal information.
------------------------------------------------------------------------
Individual participation Individuals should have the following
rights: to know about the collection of
personal information, to access that
information, to request correction, and to
challenge the denial of those rights.
------------------------------------------------------------------------
Accountability Individuals controlling the collection or
use of personal information should be
accountable for taking steps to ensure the
implementation of these principles.
------------------------------------------------------------------------
Source: OECD.
FIPPs served as the basis for the Privacy Act of 1974--which
governs the collection, maintenance, use, and dissemination of personal
information by Federal agencies.\4\ The principles also were the basis
for many FTC and Commerce privacy recommendations and for a framework
for consumer data privacy the White House issued in 2012.\5\
---------------------------------------------------------------------------
\4\ Pub. L. No. 93-579, 88 Stat. 1896 (1974) (codified as amended
at 5 U.S.C. Sec. 552a). The act generally prohibits (with a number of
exceptions) the disclosure by Federal entities of records about an
individual without the individual's written consent and provides U.S.
persons with a means to seek access to and amend their records.
\5\ The framework includes a consumer privacy bill of rights and
encourages Congress to provide FTC with enforcement authorities for the
bill of rights. The White House, Consumer Data Privacy in a Networked
World: A Framework for Protecting Privacy and Promoting Innovation in
the Global Digital Economy (Washington, D.C.: Feb. 23, 2012).
---------------------------------------------------------------------------
Several Laws Apply in Specific Circumstances to Consumer Data That
Resellers Hold
No comprehensive Federal privacy law governs the collection, use,
and sale of personal information by private-sector companies. More
narrowly tailored laws govern the use, sharing, and protection of
personal information--they apply for specific purposes, in certain
situations, to certain sectors, or to certain types of entities. The
primary laws include the following:
Fair Credit Reporting Act (FCRA).\6\ FCRA protects the security
and confidentiality of personal information collected or used
to help make decisions about individuals' eligibility for
credit, insurance, or employment.\7\ It applies to ``consumer
reporting agencies'' (such as credit bureaus) that provide
``consumer reports.'' \8\
---------------------------------------------------------------------------
\6\ Pub. L. No. 91-508, Tit. VI, 84 Stat. 1114, 1128 (1970)
(codified as amended at 15 U.S.C. Sec. Sec. 1681-1681x).
\7\ See 15 U.S.C. Sec. 1681.
\8\ For the definition of ``consumer reporting agency'', see 15
U.S.C. Sec. 1681a(f). For the definition of ``consumer report'', see 15
U.S.C. Sec. 1681a(d).
Gramm-Leach-Bliley Act (GLBA).\9\ GLBA protects nonpublic
personal information that individuals provide to ``financial
institutions'' or that such institutions maintain.\10\ GLBA
sharing and disclosure restrictions apply to financial
institutions or entities that receive nonpublic personal
information from such a financial institution.\11\ For
example, a third party that receives nonpublic personal
information from a financial institution to process consumers'
account transactions may not use the information or resell it
for marketing purposes.
---------------------------------------------------------------------------
\9\ Pub. L. No. 106-102, 113 Stat. 1338 (1999) (codified as amended
in scattered sections of 12 and 15 U.S.C.).
\10\ See 15 U.S.C. Sec. Sec. 6801-6802. Subtitle A of Title V of
the act contains the privacy provisions relating to the disclosure of
nonpublic personal information. 15 U.S.C. Sec. Sec. 6801-6809.
\11\ 15 U.S.C. Sec. 6802. A ``financial institution'' is any
institution the business of which is engaging in financial activities
as described in section 4(k) of the Bank Holding Company Act (12 U.S.C.
Sec. 1843(k)). 15 U.S.C. Sec. 6809(3)(a).
Health Insurance Portability and Accountability Act
(HIPAA).\12\ HIPAA establishes a set of national standards to
protect certain health information. The HIPAA privacy rule
governs the use and disclosure of an individual's health
information for purposes including marketing.\13\ With some
exceptions, the rule requires an individual's written
authorization before a covered entity--a health care provider
that transmits health information electronically in connection
with covered transactions, health care clearinghouse, or health
plan--may use or disclose the information for marketing.\14\
The act does not directly restrict the use, disclosure, or
resale of protected health information by resellers or others
not considered covered entities under the act.
---------------------------------------------------------------------------
\12\ Pub. L. No. 104-191, 110 Stat. 1936 (1996) (codified as
amended in scattered sections of 18, 26, 29, and 42 U.S.C.).
\13\ 45 C.F.R. Parts 160, 164.
\14\ For the definition of ``marketing'', including exceptions,
see 45 C.F.R. Sec. 164.501.
Children's Online Privacy Protection Act (COPPA).\15\ COPPA and
its implementing regulations apply to the collection of
information--such as name, e-mail, or location--that would
allow someone to identify or contact a child under 13.\16\
Covered website and online service operators must obtain
verifiable parental consent before collecting such information.
COPPA may not directly affect information resellers, but the
covered entities are potential sources of information for
resellers.
---------------------------------------------------------------------------
\15\ Pub. L. No. 105-277, Div. C, Tit. XIII, 112 Stat. 2681-728
(1998) (codified at 15 U.S.C. Sec. Sec. 6501-6506).
\16\ FTC issued regulations implementing COPPA, 16 C.F.R. Part 312.
Electronic Communications Privacy Act (ECPA).\17\ ECPA
prohibits the interception and disclosure of electronic
communications by third parties unless an exception applies
(such as one party to the communication consenting to
disclosure). For example, the act would prevent an Internet
service provider from selling the content of its customers'
e-mails to a reseller for marketing purposes, unless the
customers had consented to disclosure. However, ECPA provides
more limited protection for information considered to be
``non-content,'' such as a customer's name and address.
---------------------------------------------------------------------------
\17\ Pub. L. No. 99-508, 100 Stat. 1848 (1986) (codified as amended
in scattered sections of 18 U.S.C.).
Federal Trade Commission Act (FTC Act), Section 5.\18\ The FTC
Act prohibits unfair or deceptive acts or practices in or
affecting commerce. Although the act does not explicitly grant
FTC the specific authority to protect privacy, it has been
interpreted to apply to deceptions or violations of written
privacy policies. For example, if a retailer's written privacy
policy stated customers' personal information would not be
shared with resellers and the retailer later sold information
to such parties, FTC could bring an enforcement action against
the retailer for unfair and deceptive practices.
---------------------------------------------------------------------------
\18\ 15 U.S.C. Sec. 45. Section 5 of the FTC Act, as originally
enacted, only related to ``unfair methods of competition.'' The
Wheeler-Lea Act, passed in 1938, expanded the Commission's jurisdiction
to include ``unfair or deceptive acts or practices.'' Wheeler-Lea
Amendments of 1938, Pub. L. No. 75-447, 52 Stat. 111.
As they relate to specific types of consumer services or records,
other Federal privacy laws also may apply to information resellers'
practices and products. For instance, while not specifically a privacy
law, the Computer Fraud and Abuse Act (CFAA) can restrict a third party
from collecting personal information from a website when the collection
would violate the site's terms of service.\19\ The Telecommunications
Act requires telecommunications carriers to protect the confidentiality
of proprietary information of customers.\20\
---------------------------------------------------------------------------
\19\ Pub. L. No. 99-474, 100 Stat. 1213 (1986) (codified as amended
at 18 U.S.C. Sec. 1030). Courts have held that CFAA prohibits access to
websites when that access exceeds the sites' terms of use or end-user
license agreements. See, e.g., Snap-On Bus. Solutions Inc. v. O'Neil &
Assoc., Inc., 708 F.Supp. 2d 669 (N.D. Ohio 2010); Southwest Airlines
Co. v. Farechase, Inc., 318 F.Supp. 2d 435 (N.D. Tex. 2004); America
Online, Inc. v. LCGM, Inc., 46 F.Supp. 2d 444 (E.D. Va. 1998).
\20\ Pub. L. No. 104-104, 110 Stat. 56 (1996) (codified as amended
in scattered sections of 15 and 47 U.S.C.).
---------------------------------------------------------------------------
Laws Have Limited Scope over Personal Data Used for Marketing
Privacy protections under Federal law have been limited for
consumer data used for marketing. The scope of protections is narrow in
relation to individuals' ability to access, control, and correct their
personal data; collection methods and sources and types of information
collected; and new technologies.
Laws Provide Individuals Limited Ability to Access, Control, and
Correct Their Personal Data
No Federal statute that we examined generally requires resellers to
allow individuals to review personal information (intended for
marketing purposes), control its use, or correct it. The FIPPs (for
collection limitation and openness) state that individuals should be
able to know about and consent to the collection of their information,
while the individual participation principle states they should have
the right to access the information, request correction, and challenge
the denial of those rights.
No Federal statute provides consumers the right to learn what
information is held about them and who holds it for marketing or
look-up purposes. FCRA provides individuals with certain access rights,
but only when information is used for credit eligibility purposes. And
GLBA's provisions allowing consumers to opt out of having their
personal information shared with third parties apply only in specific
circumstances. Otherwise, individuals cannot require that their
personal information not be collected, used, and shared. Also, no
Federal law provides correction rights (the ability to have resellers
and others correct or delete inaccurate, incomplete, or unverifiable
information).
Laws Largely Do Not Address Data Collection Methods, Sources, and Types
Federal privacy laws are limited in addressing the methods by
which, or the sources from which, resellers collect and aggregate
personal information, or the types of information collected for
marketing or look-up purposes. FIPPs (for data quality, purpose
specification, and collection limitation) state that personal
information should be relevant, limited to the purpose for which it was
collected, and collected with the individual's knowledge or consent.
Federal laws generally do not govern the methods resellers may use
to collect personal information. An example of such a method is ``web
scraping,'' in which resellers, advertisers, and others use software to
search the web for information about individuals and extract and
download bulk information from websites with consumer information.
Resellers or retailers also may collect information indirectly (by
combining information from transactions).
Current law generally allows resellers to collect personal
information from sources including warranty registration cards,
surveys, and online sources such as discussion boards, social media
sites, blogs, and web browsing histories and searches. Current law does
not require disclosure to consumers when their information is collected
from these sources.
The Federal laws that address the types of consumer information
that can be collected and shared are not comprehensive. Under most
circumstances, information that many people may consider very personal
or sensitive can be collected, shared, and used for marketing. This can
include information about physical and mental health, income and
assets, political affiliations, and sexual habits and orientation. For
health information, HIPAA provisions apply only to covered entities.
Current Law Does Not Directly Address Some Privacy Issues New
Technology Raises
The current privacy framework does not fully address new
technologies such as social media, web tracking, and mobile devices. In
a 2013 report, FTC noted that mobile technologies present unique
privacy challenges (for instance, mobile devices identify a user's
geographical location).\21\ As shown in figure 1, the original
enactment of several Federal privacy laws predates these trends and
technologies.
---------------------------------------------------------------------------
\21\ Federal Trade Commission, Mobile Privacy Disclosures: Building
Trust through Transparency (Washington, D.C.: February 2013).
---------------------------------------------------------------------------
Source: GAO.
Note: The most recent amendments to the Federal laws referenced in
figure 2 are as follows:
Federal Trade Commission Act of 1914: last amended July
21, 2010 (Pub. L. 111-203).
Fair Credit Reporting Act of 1970: last amended Dec.
18, 2010 (Pub. L. No. 111-319).
Family Educational Rights and Privacy Act of 1974: last
amended Jan. 14, 2013 (Pub. L. No. 112-278).
Electronic Communications Privacy Act of 1986: last
amended Oct. 19, 2009 (Pub. L. No. 111-79).
Video Privacy Protection Act of 1988: last amended Jan.
10, 2013 (Pub. L. No. 112-258).
Driver's Privacy Protection Act of 1994: last amended
Oct. 23, 2000 (Pub. L. No. 106-346).
Health Insurance Portability and Accountability Act of
1996: last amended Mar. 23, 2010 (Pub. L. No. 111-148).
Children's Online Privacy Protection Act of 1998: has
not been amended.
Gramm-Leach-Bliley Act of 1999: last amended July 21,
2010 (Pub. L. No. 111-203).
Because these laws were enacted to protect the privacy of
information involving specific sectors rather than to address specific
technologies, some have been interpreted to apply to new technologies.
For example, FTC has taken enforcement actions under COPPA and revised
the statute's implementing regulations to account for smartphones and
mobile applications.
Online Tracking
No Federal privacy law explicitly addresses the full range of
practices to track or collect data from consumers' online activity.
Cookies--text files placed on a computer by the website that the
computer user visits--allow website operators to recall information
such as user name and address, credit card number, and purchases in a
shopping cart. Resellers can match information in cookies and their
databases to augment consumer profiles. Third parties also can
synchronize their cookie files with resellers' files. Advertisers can
use third-party cookies--placed on a computer by a domain other than
the site being visited--to track visits to the websites on which they
advertise. Consumers' ability to prevent such tracking can be
restricted. For example, flash cookies--cookies which do not expire at
the end of a browsing session--cannot be erased.\22\
---------------------------------------------------------------------------
\22\ Shannon Canty, Chris Jay Hoofnagle, et al., ``Flash Cookies
and Privacy'' (Aug. 10, 2009), available at http://papers.ssrn.com/
sol3/papers.cfm?abstract_id=1446862.
---------------------------------------------------------------------------
While current law does not explicitly address web tracking, FTC has
taken enforcement actions related to web tracking under its authority
to enforce the prohibition on unfair or deceptive acts. For example, in
2011, FTC settled charges with Google for $22.5 million after alleging
that Google violated an earlier privacy settlement with FTC when it
misrepresented to users of Apple's Safari web browser that it would not
track and serve targeted advertisements to Safari users.\23\ Google
agreed to disable its advertising tracking cookies.
---------------------------------------------------------------------------
\23\ United States v. Google Inc., No. CV 12-04177-SI, 2012 WL
5833994 (N.D. Cal. Nov. 16, 2012).
---------------------------------------------------------------------------
Federal law also does not expressly prohibit ``history sniffing,''
which uses code on a webpage to record visitors' browsing history.
However, in 2012, FTC took an enforcement action against Epic
Marketplace, a large online advertising network, for deceptively
failing to disclose its use of history-sniffing technology.\24\ Epic
Marketplace used the data it collected to target advertising.
---------------------------------------------------------------------------
\24\ FTC alleged that Epic Marketplace's use of history-sniffing
was deceptive because it collected data about sites outside of its
network that consumers had visited, contrary to Epic's privacy policy,
which represented that it would collect information only about
consumers' visits to websites in its network. In the Matter of Epic
Marketplace, Inc., and Epic Media Group, LLC, FTC File No. 112 3182,
decision and order (Mar. 13, 2013).
---------------------------------------------------------------------------
Mobile Technologies
In relation to collection and use of consumer data for marketing,
no Federal privacy laws that we identified specifically govern mobile
applications and technologies.
Mobile applications. No Federal law specifically governs mobile
applications--software downloaded onto mobile devices for uses
such as providing information and online banking and
shopping.\25\ Application developers, mobile carriers,
advertisers, and others may collect an individual's information
through services provided on a mobile device. However, FTC has
taken enforcement action against companies for use of mobile
applications that violate COPPA and FCRA.\26\ The agency also
has taken action under the FTC Act.\27\ And CFAA, which bans
unauthorized access to computers, has been found to apply to
mobile phones.\28\
---------------------------------------------------------------------------
\25\ On July 25, 2013, Commerce released a draft of a voluntary
code of conduct for mobile applications, including guidelines for
notices to consumers about collection and sharing of information with
third parties. See Department of Commerce, National Telecommunications
and Information Administration, Short Form Notice Code of Conduct to
Promote Transparency in Mobile App Practices, redline draft (July 25,
2013), available at http://www.ntia.doc.gov/files/ntia/publications/
july_25_code_draft.pdf.
\26\ FTC settled charges that a social networking service deceived
consumers when it collected information from children under 13 through
its mobile application in violation of COPPA. See United States v.
Path, Inc., No. C13-0448 (N.D. Cal. Jan. 31, 2013). FTC also settled
charges that a company compiled and sold criminal record reports
through its mobile application and operated as a consumer reporting
agency in violation of FCRA. See In the Matter of Filiquarian
Publishing, LLC, FTC File No. 112 3195 (Apr. 30, 2013).
\27\ For example, in addition to the alleged COPPA violation, Path
allegedly deceived users by collecting personal information from their
mobile address books without their knowledge and consent. See United
States v. Path, Inc., No. C13-0448 (N.D. Cal. Jan. 31, 2013).
\28\ In 2011, the U.S. Court of Appeals for the Eighth Circuit held
that a basic cellular telephone--used only to place calls and send text
messages--was a computer for CFAA purposes. The judicial decision did
not address more advanced devices such as smartphones in the CFAA
context. See U.S. v. Kramer, 631 F.3d 900 (8th Cir. 2011).
Location tracking. No Federal privacy laws, except COPPA,
expressly address location data, location-based technology, and
consumer privacy. We and others have reported that the
capability of mobile devices to provide a consumer's location
engenders privacy risks, particularly if companies use or share
location data without consumers' knowledge.\29\ ECPA might not
apply if location data were not deemed content and would not
govern entities such as developers of location-based
applications that are not covered by ECPA. But FTC could pursue
enforcement action if a company's collection or use of the
information violated COPPA.
---------------------------------------------------------------------------
\29\ Risks included disclosure to third parties for unspecified
uses, tracking of consumer behavior, and identity theft. See GAO,
Mobile Device Location ID: Additional Federal Actions Could Help
Protect Consumer Privacy, GAO-12-903 (Washington, D.C.: Sept. 11,
2012). A Federal Communications Commission report also noted privacy
risks. See Federal Communications Commission, Location-Based Services:
An Overview of Opportunities and Other Considerations (Washington,
D.C.: May 2012).
Mobile payments. No Federal privacy laws expressly address
mobile payments (for example, by smartphone). An FTC report
noted that although mobile payment can be an easy way for
individuals to pay for goods and services, privacy concerns
have arisen because of the number of companies in the mobile
payment marketplace and the large amount of detailed personal
and purchase information collected and consolidated.\30\
---------------------------------------------------------------------------
\30\ Federal Trade Commission, Paper, Plastic or Mobile? An FTC
Workshop on Mobile Payments (Washington, D.C.: March 2013).
---------------------------------------------------------------------------
Stakeholders Diverge on Adequacy of Legal Framework and Need for
Legislation
Stakeholder views diverge on whether significant gaps in the legal
framework for privacy exist, whether more legislation is needed, or
whether self-regulation can suffice. The marketing and information
reseller industries generally have argued that the current framework of
sector-specific laws and regulations has not left significant gaps in
consumer privacy protections. Privacy advocates and others stated that
the current privacy scheme leaves significant gaps. Industry and
privacy advocates also disagreed on the need for more legislation or
regulation and the efficacy of self-regulatory approaches to protect
privacy. Industry representatives acknowledged the importance of
consumer privacy protections, but argued that voluntary industry
measures and self-regulation mitigated the need for additional
legislation. Some privacy advocates and others argued that voluntary
compliance or self-regulation was not sufficient to uniformly protect
consumer privacy rights.
Views Differ on Approaches to Privacy Law and Consumer Interests
Debate also has focused on appropriate approaches for new privacy
legislation or regulation. This debate can be framed around three sets
of issues: a comprehensive versus sector-specific approach to privacy
legislation; how to address consumers' interests in accessing,
controlling, and correcting their data; and the potential impact of new
regulation on consumers and commerce.
Comprehensive versus Sector-Specific Approaches
Ongoing debate centers on what kind of legislative approach--
sectoral or comprehensive--would best effect enhanced consumer privacy
protections. Industry stakeholders have argued a comprehensive privacy
law would amount to a one-size-fits-all approach and could be overly
burdensome. Stakeholders also said that the current sector-specific
system was flexible and well-suited to addressing any gaps. In
contrast, some consumer and privacy groups and academic experts cited
advantages to comprehensive privacy legislation such as filling gaps in
existing privacy protections and providing comprehensive and consistent
protections. Privacy advocates and some business representatives also
argued that comprehensive legislation would benefit businesses
internationally and help reduce compliance costs.
While not recommending a comprehensive Federal privacy statute as
such, in 2010 Commerce's Internet Policy Task Force recommended the
adoption of a baseline commercial data privacy framework built on an
expanded FIPPs. The 2012 White House privacy framework called for
enacting baseline legislation while preserving existing sector-specific
laws. The Administration supported exempting companies from consumer
data privacy legislation to the extent their activities were subject to
existing data privacy laws.
Views on How to Address Consumers' Interests in Use and Control of
Their Data
Other debate on privacy protections has focused on the third-party
market for and usage of consumer data, whether or how consumers can
access and control such usage or correct data, and how or if limits
should apply to web tracking.
Use of Consumer Data
Consumer and privacy advocates have noted that consumers often were
not aware of, and had not always consented to, personal information
being repurposed for marketing and other uses. Changes in the
marketplace for consumer data include a vast increase in recent years
in the number and types of companies that collect and share such data
with third parties. The Administration noted that consumers have a
right to expect that companies will collect, use, and disclose their
information in ways consistent with the context in which the
information was provided.\31\ FTC articulated a ``context of the
interaction'' standard for determining when a practice required
consumer choice.\32\
---------------------------------------------------------------------------
\31\ The White House, A Framework for Protecting Privacy (2012).
\32\ Federal Trade Commission, Protecting Consumer Privacy in an
Era of Rapid Change, pp. 38-39.
---------------------------------------------------------------------------
Representatives of information resellers, marketers, and other
industries that use consumer data have argued that repurposing
generally is not inappropriate or harmful. One reseller argued that
personal information on unrestricted websites--such as blogs--becomes
publicly available and can be used by a third party, without legal or
ethical limitations on its use.
Access and Correction
Stakeholders' views differed on the extent to which consumers
should be able to access data held about them. FTC said that companies
should provide reasonable access to consumer data they maintain, a
position many privacy groups echoed. FTC called on information
resellers that compile data for marketing purposes to explore creating
a centralized website on which resellers would identify themselves,
describe how they collect and use the data, and consumers' access
rights and choices.
Debate also developed on consumers' right to correct information
held about them. Some privacy advocates and members of Congress have
argued that consumers should have the right to correct inaccurate
information. One advocate noted that data not covered by FCRA also can
be used for fraud prevention and identity verification, and that
inaccuracies in this context could harm a consumer. Another advocate
noted that companies may base some individual product pricing on a
consumer's profile, so inaccurate data could affect the price offered.
But FTC and the Direct Marketing Association said that special measures
were not needed to ensure the accuracy of data maintained and used for
marketing.\33\ The Administration expressed a similar view in its
privacy framework. Some resellers also said that because they acquire
information from many sources, giving consumers the opportunity to
correct information would not be effective unless consumers also could
have information corrected at the sources from which it had been drawn.
---------------------------------------------------------------------------
\33\ Federal Trade Commission, Protecting Consumer Privacy in an
Era of Rapid Change, pp. 38-39; and letter from Direct Marketing
Association to members of Congress on August 13, 2012, available at
http://the-dma.org/news/August-13-2012-DMALetter.pdf.
---------------------------------------------------------------------------
Web Tracking
Some of the most publicized debate on privacy and new technologies
has centered on consumers' ability to control tracking of their web
activity. Areas of disagreement include the effectiveness of voluntary
initiatives that allow consumers to exert some control over tracking
and the use of information collected during tracking. For example, the
Digital Advertising Alliance developed an icon to let web page users
know that their visit was being tracked and their actions used to infer
their interests and target future advertising. Users can click on the
icon to learn more about behavioral advertising and control whether
they receive such advertising and from which companies.\34\ Some
privacy advocates have pointed to limitations to this mechanism (for
example, the opt-out option only applies to companies in the Digital
Advertising Alliance).
---------------------------------------------------------------------------
\34\ According to the Digital Advertising Alliance, in 2012 more
than 5.2 million unique users accessed the resources at
www.aboutads.info, and nearly 1 million exercised a choice using the
site's opt-out mechanism.
---------------------------------------------------------------------------
Debate also has developed about the implementation of ``do not
track.'' Under this approach, consumers would be able to choose whether
to allow the collection and use of data about their online searching
and browsing. FTC supported the concept of a universal do-not-track
mechanism in its 2010 and 2012 privacy reports.\35\ On the self-
regulatory side, some Internet browsers, including Mozilla Firefox,
have introduced do-not-track features. The World Wide Web Consortium
has been developing a universal web protocol for do not track.\36\ But
disagreements on different issues (such as scope and technological
specifications) have delayed widespread adoption or standardization of
do not track.\37\
---------------------------------------------------------------------------
\35\ Federal Trade Commission, Protecting Consumer Privacy in an
Era of Rapid Change (2012) and Protecting Consumer Privacy in an Era of
Rapid Change: A Proposed Framework for Businesses and Policymakers;
preliminary staff report (Washington, D.C.: December 2010).
\36\ In the World Wide Web Consortium, member organizations and the
public work together to develop web protocols and standards. The
consortium's Tracking Protection Working Group proposes recommendations
and technologies to improve user privacy and control. See
http://w3.org/2011/tracking-protection/.
\37\ Senate Committee on Commerce, Science, and Transportation, A
Status Update on the Development of Voluntary Do-Not-Track Standards,
113th Cong., 1st sess., April 24, 2013; see testimony of Justin
Brookman, Director, Consumer Privacy, Center for Democracy and
Technology.
---------------------------------------------------------------------------
Proposals in Congress and elsewhere would require FTC to promulgate
regulations for a do-not-track mechanism.\38\ Proponents of such
proposals noted that the use of third-party cookies greatly increased
in recent years--for example, the Wall Street Journal identified more
than 3,000 tracking files the top 50 websites placed on a test
computer.\39\ Advocacy organizations argued that Internet users may not
be fully aware of the extent of third-party tracking and that users
should affirmatively consent to tracking. Some members of Congress
raised concerns about flash cookies and whether the FTC Act's
prohibition of unfair or deceptive acts or practices would cover them.
Representatives of the advertising and other industries have cautioned
against many of the proposals.
---------------------------------------------------------------------------
\38\ For example, see Do-Not-Track Online Act of 2013, S. 418,
113th Cong.
\39\ Julia Angwin, ``The Web's New Gold Mine: Your Secrets,'' Wall
Street Journal, July 30, 2010.
---------------------------------------------------------------------------
Views on Potential Impacts of New Regulation on Consumers and Commerce
Representatives of the marketing and reseller industries argued
that regulatory restrictions on using consumer data could reduce the
benefits consumers get. Advertising representatives noted that targeted
marketing and advertising helps underwrite applications and services
available free to consumers. Some resellers said that targeted
behavioral advertising gives consumers information relevant to their
specific interests, needs, or preferences. However, some privacy
advocates believe that consumer benefits have been overstated. Some
advocates also raised concerns that the profiling and scoring
techniques used to deliver specific advertisements to specific
consumers might have discriminatory effects because they present
information, sales, or opportunities only to consumers with certain
characteristics.
Stakeholder views also diverged on the potential economic effects
of strengthened privacy regulations. Industry representatives said that
new restrictions on the use of consumer information could inhibit
innovation and increase compliance costs for businesses. Privacy and
consumer groups said that the industry's claims that increased privacy
protections would be too burdensome and stifle innovation have not been
accompanied by convincing evidence. And in public comments solicited by
Commerce in 2010 on information privacy and innovation in the Internet
economy, online businesses and advertisers noted the importance of
respecting customers' privacy if they wanted to retain their business
or encourage individuals to adopt new devices and services.\40\
---------------------------------------------------------------------------
\40\ Department of Commerce, Notice of Inquiry, Information Privacy
and Innovation in the Internet Economy (Privacy and Innovation NOI), 75
Fed. Reg. 21226, Apr. 23, 2010, available at
http://ntia.doc.gov/frnotices/2010/FR_PrivacyNOI_04232010.pdf.
---------------------------------------------------------------------------
Views vary on the economic effects of greater harmonization of U.S.
and foreign privacy rules. Commerce's Internet Policy Task Force noted
that a significant number of comments they received concerned
difficulties and costs in complying with foreign data protection rules
and regulations. For example, the European Union's 1995 Data Protection
Directive states that personal information of European Union citizens
may not be transmitted to nations not deemed to have ``adequate'' data
protection laws.\41\ The United States does not have an adequacy
finding from the European Commission.\42\
---------------------------------------------------------------------------
\41\ European Union, Directive 95/46/EC of the European Parliament
and of the Council on the Protection of Individuals with Regard to the
Processing of Personal Data and the Free Movement of Such Data (Oct.
24, 1995).
\42\ However, companies participating in the U.S.-EU Safe Harbor
Framework are deemed to provide adequate data protections and may
transfer personal data from the European Union. FTC has the authority
to enforce the substantive privacy requirements of the U.S.-EU Safe
Harbor Framework.
---------------------------------------------------------------------------
The task force recommended the U.S. government work toward mutual
recognition of other commercial data privacy frameworks.\43\ Many
commenters also advocated for greater harmonization of privacy rules.
In contrast, some industry observers warned against enacting a stricter
privacy regime like the European Union's. A reseller representative
said moving to a stricter regime would hinder commerce and innovation.
---------------------------------------------------------------------------
\43\ Department of Commerce, Internet Policy Task Force, Commercial
Data Privacy and Innovation in the Internet Economy: A Dynamic Policy
Framework (Washington, D.C.: 2010).
---------------------------------------------------------------------------
New technologies have enormously changed the amount of personal
information private companies collect and how they use it. But our
current privacy framework does not fully address these changes. Laws
protecting privacy interests are tailored to specific sectors and uses.
And, consumers have little control over how their information is
collected, used, and shared with third parties for marketing purposes.
As a result, current privacy law is not always aligned with the Fair
Information Practice Principles, which Commerce and others have said
should serve as the foundation for commercial data privacy. Thus, the
privacy framework warrants reconsideration in relation to consumer
interests, new technologies, and other issues. In our September report,
we suggested that Congress consider strengthening it and review issues
such as the adequacy of consumers' ability to access, correct, and
control their personal information; and privacy controls related to new
technologies. The challenge will be providing appropriate protections
without unduly inhibiting the benefits to consumers, commerce, and
innovation that data sharing can accord.
This concludes my statement for the record.
Senator Thune. I will be asking our witnesses how data
broker practices for marketing purposes may impact consumers,
both positively and negatively. I am also interested in hearing
from our witnesses how the industry can work to balance the
privacy concerns of individuals with the information needs of
businesses and our economy.
Finally, Mr. Chairman, while I have expressed my thanks to
all of our witnesses being here today, I do want to add a
special note of thanks to Tony Hadley from Experian. This
inquiry began with letters sent to nine companies, and over
time it has also included letters to several consumer-facing
websites. Having only one of those companies testify is a good
way to keep the number of witnesses manageable in light of the
busy Senate schedule.
Mr. Hadley, I am sure that many of the other companies are
also grateful for your willingness to testify and help advance
our understanding----
[Laughter.]
Senator Thune.--of the data broker industry. I know I
certainly am.
So I want to thank you again, Mr. Chairman, for having this
hearing, and I do look forward to hearing from our witnesses.
The Chairman. Thank you, Senator Thune, very much.
We have--well, I will just do one by one--Jessica Rich. Ms.
Rich is the Director of the Bureau of Consumer Protection at
the Federal Trade Commission. And I will go down the line.
Could you give your testimony, please?
STATEMENT OF JESSICA RICH, DIRECTOR, BUREAU OF CONSUMER
PROTECTION, FEDERAL TRADE COMMISSION
Ms. Rich. Chairman Rockefeller, Ranking Member Thune, and
members of the Committee----
The Chairman. You have to push a little button.
Ms. Rich. That would be a good start.
The Chairman. It is called ``technology.''
Ms. Rich. Yes.
[Laughter.]
Ms. Rich. I assure you I know something about technology.
I am Jessica Rich, director of the Bureau of Consumer
Protection at the Federal Trade Commission. And I really
appreciate this opportunity to present the Commission's
testimony on data brokers.
This is a highly opportune time to examine the practices of
data brokers, as technological developments have allowed for
the dramatic increase in the collection and use of consumers'
information.
Data brokers collect consumers' personal information from a
wide variety of sources and resell it for a variety of purposes
without most consumers ever knowing of their existence, much
less the variety of practices in which they engage. And many of
these practices, as you noted, fall outside of the scope of
existing laws.
I know this committee is well aware of the lack of
transparency of data broker practices. Chairman Rockefeller, we
commend you for your leadership on this issue and stand ready
to work with the Committee and with Congress on ways to improve
the transparency of data broker practices. The report you
released today is a key initiative in this effort, as is the
study you requested from GAO.
At the FTC, our work on data broker practices goes back to
the 1970s. For decades, policymakers have expressed concerns
about the transparency of companies that buy and sell consumer
data. Indeed, the existence of companies selling consumer data
for credit and other eligibility determinations, invisibly and
behind the scenes, led to the enactment in 1970 of the Fair
Credit Reporting Act.
Since then, the Commission has been active in examining the
practices of data brokers. We have used three primary tools in
this effort.
First, we bring enforcement actions when company practices
violate the law. Perhaps our most well-known data broker case
involved ChoicePoint, in which we obtained $10 million in civil
penalties and $5 million in redress for consumers. We alleged
that ChoicePoint implemented lax privacy and security
procedures, resulting in sensitive consumer report information
ending up in the hands of known identity thieves.
More recently, we entered into a consent decree with online
data broker Spokeo. According to our complaint, Spokeo
collected personal information from hundreds of online and
offline sources, including social networks, and combined that
data into detailed personal profiles. We allege that Spokeo
marketed these profiles for use by human resource departments
in hiring, which made it a consumer reporting agency subject to
the Fair Credit Reporting Act, but that it failed to abide by
the FCRA's accuracy and privacy requirements. The order
contains strong injunctive relief and an $800,000 civil
penalty.
Second, the Commission conducts research and issues reports
addressing data broker issues. For example, our 2012 privacy
report made best practices and legislative recommendations for
consumer privacy, including specific recommendations regarding
data brokers. Among other things, the report reiterated a
longstanding Commission recommendation that data brokers
provide consumers with access to the data they maintain and,
depending on how the data is used, the ability to correct it.
More recently, in order to shine a light on the industry,
we issued orders requiring nine data brokers to provide us with
information regarding how they collect and use consumer data.
The Commission is close to completing a report based on this
information and expects to release it in the coming months.
And in the spring of next year, we plan to host a series of
privacy workshops, including a seminar on what is called
``alternative scoring products'' offered by data brokers--that
is, products that companies use to predict consumer behavior
and shape how they market to particular consumers.
Our final tool is educating businesses and consumers on
privacy issues in the practices of data brokers. For example,
we recently sent letters to multiple data brokers that provide
tenant and background screening services, warning them about
their duty to comply with the Fair Credit Reporting Act. And
for consumers, we recently produced a video on data brokers and
have published frequent blog posts and updates on issues
related to the data broker industry.
In closing, as the collection and use of consumer data
continues to explode, we share the Committee's commitment to
continue to examine data brokers, and we stand ready to work
with the Committee on this critical issue.
Thank you.
[The prepared statement of Ms. Rich follows:]
Prepared Statement of the Federal Trade Commission
I. Introduction
Chairman Rockefeller, Ranking Member Thune, and members of the
Committee, I am Jessica Rich, Director of the Bureau of Consumer
Protection of the Federal Trade Commission (``FTC'' or
``Commission'').\1\ I appreciate the opportunity to present the
Commission's testimony on data brokers.
---------------------------------------------------------------------------
\1\ This written statement presents the views of the Federal Trade
Commission. My oral statements and responses to questions are my own
and do not necessarily reflect the views of the Commission or any
Commissioner.
---------------------------------------------------------------------------
Data brokers collect and aggregate consumers' personal information
from a wide range of sources and resell it for an array of purposes,
such as marketing, verifying an individual's identity, and preventing
financial fraud. Because data brokers generally never interact directly
with consumers, consumers are typically unaware of their existence,
much less the variety of ways they collect, analyze, and sell consumer
data.
This Committee, by investigating the privacy practices of data
brokers, has helped call attention to the lack of transparency
surrounding data broker privacy practices. We look forward to reviewing
the Committee's report on its examination of the data broker industry.
We commend Chairman Rockefeller's leadership on this issue and stand
ready to work with this Committee and Congress on ways to improve the
transparency of data broker practices. As the Committee is aware, the
Commission is developing its own report on the data broker industry
(discussed further below), which the Commission expects to release in
the coming months.
This testimony begins by describing the Commission's longstanding
work in this area. It then lays out our strategy for addressing the
privacy practices of the data broker industry through enforcement,
research and reports, and business and consumer education.
II. Background on FTC Initiatives Concerning Data Broker Privacy
Practices
Concerns about the privacy practices of companies that buy and sell
consumer data are not new. Indeed, in 1970, the existence of companies
selling consumer data with little transparency for credit and other
eligibility determinations led Congress to enact the Fair Credit
Reporting Act (FCRA)\2\, which it gave the Commission authority to
enforce.
---------------------------------------------------------------------------
\2\ 15 U.S.C. Sec. 1681 et seq.
---------------------------------------------------------------------------
In the late 1990s, the Commission began to examine the privacy
practices of data brokers that fall outside the FCRA.\3\ Notably, in
1997, the Commission held a workshop to examine database services used
to locate, identify, or verify the identity of individuals, referred to
at the time as ``individual reference services.'' The workshop prompted
industry members to form the self-regulatory Individual Reference
Services Group (IRSG).\4\ The Commission subsequently issued a report
on the workshop and the IRSG. The report commended the progress made by
the industry's self-regulatory programs, but one of the report's
conclusions was that the industry's efforts did not adequately address
the lack of transparency of data broker practices. Although industry
ultimately terminated the IRSG, a series of public breaches--including
one involving ChoicePoint--led to renewed scrutiny of the practices of
data brokers.\5\
---------------------------------------------------------------------------
\3\ See, e.g., FTC Workshop, The Information Marketplace: Merging &
Exchanging Consumer Data (Mar. 13, 2001), available at
http://www.ftc.gov/bcp/workshops/infomktplace/index.shtml; Prepared
Statement of the FTC, Identity Theft: Recent Developments Involving the
Security of Sensitive Consumer Information: Hearing Before the S. Comm.
on Banking, Housing, and Urban Affairs, 109th Cong. (Mar. 10, 2005),
available at
http://www.ftc.gov/public-statements/2005/03/prepared-statement-federal-trade-commission-identity-theft-recent;
see also FTC Workshop, Information Flows: The Costs and Benefits to
Consumers and Businesses of the Collection and Use of Consumer
Information (June 18, 2003), available at
http://www.ftc.gov/news-events/events-calendar/2003/06/information-flows-costs-and-benefits-related-collection-and-use.
\4\ See FTC, Individual Reference Services, A Report to Congress
(1997), available at
http://www.ftc.gov/reports/individual-reference-services-report-congress.
\5\ This scrutiny included an FTC investigation that resulted in
the FTC's largest FCRA civil penalty to date. See United States v.
ChoicePoint, Inc., No. 1:06-cv-00198 (N.D. Ga. Feb. 15, 2006)
(stipulated final order imposing $10 million fine and $5 million in
consumer redress), available at
http://www.ftc.gov/sites/default/files/documents/cases/2006/01/stipfinaljudgement.pdf.
---------------------------------------------------------------------------
Most recently, in its 2012 report Protecting Consumer Privacy in an
Era of Rapid Change: Recommendations for Businesses and Consumers
(Privacy Report),\6\ the Commission specifically addressed the privacy
practices of data brokers. The Commission described three different
categories of data brokers: (1) entities subject to the FCRA; (2)
entities that maintain data for marketing purposes; and (3) non-FCRA
covered entities that maintain data for non-marketing purposes that
fall outside of the FCRA, such as to detect fraud or locate people.\7\
The report noted that, while the FCRA gives consumers a variety of
rights with regard to companies that sell data for credit, employment,
and insurance purposes, data brokers within the other two categories
operate without much transparency.
---------------------------------------------------------------------------
\6\ FTC, Protecting Consumer Privacy in an Era of Rapid Change:
Recommendations for Businesses and Policymakers (Mar. 2012), available
at http://ftc.gov/os/2012/03/120326privacyreport.pdf. Commissioner
Wright's term as Commissioner began in January
2013 and he was not at the Commission when the Privacy Report was
issued. While he may not necessarily endorse all the views in that
Report, he agrees with the substance of this testimony.
\7\ Id. at 65.
---------------------------------------------------------------------------
Building on the agency's prior work, the Commission's Privacy
Report made recommendations to improve the transparency of the
practices of data brokers and to give consumers greater control over
how their information is used. Among other things, the Report proposed
that data brokers provide consumers with reasonable access to the data
they maintain. The Report also noted that the Commission had long
supported legislation that would give access rights to consumers for
information held by data brokers.\8\ The Report stated that the
Commission continues to support legislation in this area to improve the
transparency of industry practices.\9\
---------------------------------------------------------------------------
\8\ Id. at 69.
\9\ Id.
---------------------------------------------------------------------------
III. The Commission's Ongoing Initiatives Regarding Data Brokers
The Commission's ongoing initiatives to address the privacy
practices of the data broker industry build on this body of prior work.
The Commission is pursuing a three-pronged strategy to ensure consumer
interests are protected in the data broker context. First, the
Commission takes aggressive enforcement action to ensure that data
brokers comply with the FCRA where it applies. Second, as data broker
business models expand beyond traditional credit reporting, the FTC
continues to conduct research and issue reports examining the practices
of the data broker industry. Third, the Commission educates businesses
about their legal responsibilities, especially small data brokers that
may be unaware of their legal obligations, and consumers regarding how
their data is disseminated. These three initiatives are discussed
below.
A. Enforcement
The Commission maintains an aggressive FCRA enforcement program. To
date, it has brought almost 100 cases and obtained in excess of $30
million in civil penalties. FCRA enforcement is a vital priority for
the agency, particularly as companies that are not traditional credit
reporting agencies venture into territory covered by the FCRA.\10\
---------------------------------------------------------------------------
\10\ The FCRA provides basic consumer protections when consumer
reporting data is used to make eligibility determinations for credit,
insurance, employment and similar purposes.
---------------------------------------------------------------------------
For example, last year the Commission entered into a consent decree
with online data broker Spokeo to resolve allegations that the company
violated the FCRA.\11\ As set forth in the Commission's complaint,
Spokeo assembled personal information from hundreds of online and
offline data sources, including social networks, and merged that data
to create detailed personal profiles, including name, address, age
range, hobbies, ethnicity, and religion. Spokeo marketed these profiles
for use by human resources departments in hiring decisions. The FTC
alleged that Spokeo, which marketed profiles for employment purposes,
was a consumer reporting agency subject to the FCRA. The Commission
charged Spokeo with violating the FCRA by, among other things, failing
to (1) take reasonable steps to ensure the accuracy of information; and
(2) tell its clients about their obligations under the FCRA, including
the requirement to send adverse action notices to people denied
employment on the basis of information obtained from Spokeo. The order
contained strong injunctive relief and an $800,000 civil penalty.
---------------------------------------------------------------------------
\11\ United States v. Spokeo, Inc., No. CV12-05001 (C.D. Cal. June
12, 2012), available at
http://www.ftc.gov/enforcement/cases-and-proceedings/cases/2012/06/spokeo-inc-united-states-america-federal-trade;
see also Press Release, FTC, Spokeo to Pay $800,000 to Settle
FTC Charges Company Allegedly Marketed Information to Employers and
Recruiters in Violation of FCRA (June 12, 2012), available at
http://www.ftc.gov/news-events/press-releases/2012/06/spokeo-pay-800000-settle-ftc-charges-company-allegedly-marketed.
---------------------------------------------------------------------------
The Commission also recently took action against a mobile
application developer that compiled and sold criminal record reports
without complying with the FCRA.\12\ The app developer, Filiquarian,
claimed that consumers could use its mobile apps to access hundreds of
thousands of criminal records and conduct searches on potential
employees. The FTC charged that Filiquarian failed to take reasonable
steps to ensure that the information it sold was accurate and would be
used solely for permissible purposes, as required by the FCRA. In
addition, Filiquarian failed to inform users of its reports of their
obligations under the FCRA, including the requirement to notify
consumers if an adverse action was taken against them based on a
report. In both the Spokeo and Filiquarian cases, the companies' terms
of service included disclaimers stating that the information they
provided should not be used for FCRA purposes. Despite these
disclaimers, the companies specifically advertised that their reports
could be used for employment purposes.
---------------------------------------------------------------------------
\12\ Decision and Order, Filiquarian Publishing, LLC, FTC File No.
112-3195 (May 1, 2013), available at
http://www.ftc.gov/enforcement/cases-and-proceedings/cases/2013/05/filiquarian-publishing-llc-choice-level-llc-and;
see also Press Release, FTC, FTC Approves Final Order
Settling Charges Against Marketers of Criminal Background Screening
Reports (May 1, 2013), available at
http://www.ftc.gov/news-events/press-releases/2013/05/ftc-approves-final-order-settling-charges-against-marketers.
---------------------------------------------------------------------------
Most recently, the Commission entered into a consent decree with
Certegy Check Services, one of the Nation's largest check authorization
service companies.\13\ Certegy compiles consumers' personal information
and uses it to help retail merchants determine whether to accept
consumers' checks. The Commission's complaint alleged that, among other
things, when a merchant denied a consumer's check, and the consumer
contacted Certegy to dispute the denial, the company failed to follow
proper dispute procedures, as required by the FCRA. As a result,
Certegy's denials may have been in error, and consumers may not have
been able to pay for essential goods and services. Certegy agreed to
pay $3.5 million, the agency's second largest FCRA fine, to resolve the
Commission's allegations.
---------------------------------------------------------------------------
\13\ U.S. v. Certegy Check Servs., Inc., No. 1:13-cv-01247 (D.D.C.
Aug. 15, 2013), available at http://www.ftc.gov/enforcement/cases-and-
proceedings/cases/2013/08/certegy-check-services-inc; see also Press
Release, FTC, Certegy Check Services to Pay $3.5 Million for Alleged
Violations of the Fair Credit Reporting Act and Furnisher Rule (Aug.
15, 2013), available at http://www.ftc.gov/news-events/press-releases/
2013/08/certegy-check-services-pay-35-million-alleged-violations-fair.
---------------------------------------------------------------------------
B. Research and Reports
The Commission is devoting significant resources to research and
reports addressing the privacy practices of data brokers. As described
above, the Commission's Privacy Report discussed the data broker
industry specifically and recommended steps data brokers should take to
improve the transparency of data broker practices and give consumers
greater control over their information.\14\
---------------------------------------------------------------------------
\14\ Protecting Consumer Privacy in an Era of Rapid Change, supra
note 6, at 68-70.
---------------------------------------------------------------------------
To undertake a more detailed examination of the data broker
industry, the Commission issued orders requiring nine data brokers to
provide the agency with information regarding how they collect and use
consumer data. The orders, issued pursuant to the Commission's
authority under Section 6(b) of the FTC Act, mandated production of
detailed information regarding company practices, including the nature
and sources of consumer data the companies collect, how they use,
maintain, and disseminate the information, and the extent to which the
data brokers allow consumers to access and correct their information or
to opt out of having their personal information sold. These orders were
directed to companies providing three basic non-FCRA services--
marketing services, risk mitigation services, including identity
verification and fraud detection, and people search or look-up
services. The Commission expects to release a report on this
examination of the data broker industry in the coming months.
We also continue to examine emerging practices in the data broker
industry. Just this month, we announced a series of seminars for early
2014 that will address a number of consumer privacy issues, including
alternative scoring products offered by data brokers. Many data brokers
offer companies scores to predict trends and the behavior of their
customers. Companies are using predictive scores for a variety of
purposes, ranging from identity verification and fraud prevention to
marketing and advertising. Consumers are largely unaware of these
scores and have little to no access to the underlying data from which
they are derived. The program will explore a number of issues,
including what scores are currently available, how companies are using
them, how accurate the scores and underlying data are, privacy concerns
surrounding the use of predictive scoring, how consumers can benefit
from use of these scores, and what sort of consumer protections should
exist for them.\15\
---------------------------------------------------------------------------
\15\ Press Release, FTC, Spring Privacy Series: Alternative Scoring
Products (Mar. 19, 2014), available at http://www.ftc.gov/news-events/
events-calendar/2014/03/spring-privacy-series-alternative-scoring-
products.
---------------------------------------------------------------------------
C. Education
In addition to its enforcement and policy work on data broker
issues, the agency also focuses on educating businesses and consumers
about these issues. An important method for educating businesses is to
publicize Commission complaints and orders and issue public letters
warning companies of legal requirements and/or potential violations. In
this vein, the Commission sent staff warning letters to a number of
data brokers that provided tenant-screening services, and to marketers
of six mobile apps that provide employment background screening
services.\16\ The FTC warned the companies and app developers that, if
they have reason to believe the reports they provide are being used for
employment screening, housing, credit, or other similar purposes, they
must comply with the FCRA.\17\
---------------------------------------------------------------------------
\16\ Press Release, FTC, FTC Warns Data Brokers That Provide Tenant
Rental Histories They May Be Subject to Fair Credit Reporting Act (Apr.
3, 2013), available at http://www.ftc.gov/opa/2013/04/tenant.shtm;
Press Release, FTC, FTC Warns Marketers that Mobile Apps May Violate
Fair Credit Reporting Act (Feb. 7, 2012), available at http://
www.ftc.gov/opa/2012/02/mobileapps.shtm.
\17\ The Commission made no determination as to whether the
companies were violating the FCRA, but encouraged them to review their
apps and their policies and procedures to ensure they comply with the
Act.
---------------------------------------------------------------------------
More recently, Commission staff conducted an undercover effort to
determine if data brokers that disclaimed FCRA liability were willing
to sell information for credit, insurance, employment, or housing
decisions. As a result of this ``test shopping'' operation, Commission
staff found ten data brokers who appeared to offer data for these
purposes. Commission staff then sent warning letters to these
companies, advising them that their practices could violate the
FCRA.\18\
---------------------------------------------------------------------------
\18\ Press Release, FTC, FTC Warns Data Broker Operations of
Possible Privacy Violations (May 7, 2013), available at http://
www.ftc.gov/opa/2013/05/databroker.shtm.
---------------------------------------------------------------------------
The FTC also hosts a Business Center blog,\19\ which frequently
includes consumer privacy and data security topics; currently,
approximately 3,500 attorneys and business executives subscribe to
these e-mail blog updates. The Business Center blog consistently
features the Commission's enforcement actions and warning letters.
---------------------------------------------------------------------------
\19\ See generally http://business.ftc.gov/blog.
---------------------------------------------------------------------------
Finally, the FTC has developed materials designed to educate
consumers about the ways in which their data may be disseminated to
companies with which they do not interact. For example, the FTC
produced a video called Sharing Information: A Day in Your Life, that
describes how everyday activities by consumers--shopping in retail
stores with loyalty cards, buying goods online, and using social
networking services--can lead to wide dissemination of personal
information.\20\
---------------------------------------------------------------------------
\20\ FTC, Sharing Information: A Day in Your Life, available at
http://www.consumer.ftc.gov/media/video-0022-sharing-information-day-
your-life.
---------------------------------------------------------------------------
IV. Conclusion
These enforcement, policy, and education efforts demonstrate the
Commission's continued commitment to understanding and addressing
consumer privacy issues posed by the data broker industry. We
appreciate the leadership of Chairman Rockefeller and this Committee on
these issues and look forward to continuing to work with Congress,
industry, and other critical stakeholders on these issues in the
future.
The Chairman. Thank you very much, Ms. Rich.
Pam Dixon. Ms. Dixon is the Executive Director at the World
Privacy Forum.
You are on.
STATEMENT OF PAM DIXON, EXECUTIVE DIRECTOR,
WORLD PRIVACY FORUM
Ms. Dixon. Chairman Rockefeller, members of the Committee,
thank you for the opportunity to share what I have learned
about the data broker industry today. I appreciate it very
much.
As a moderate in the privacy debate and in the privacy
world, I have come to a troubling conclusion: The data broker
industry, as it is today, does not have constraints and does
not have shame. It will sell any information about any person,
regardless of sensitivity, for 7.9 cents a name, which is the
price of a list of rape sufferers which was recently sold.
Lists of rape sufferers, victims of domestic violence,
police officers' home addresses, people who suffer from genetic
illnesses, complete with names, home addresses, ethnicity,
gender, and many other factors--this is what is being sold and
circulated today. It is a far cry from visiting a website and
seeing an ad. What it is is the sale of the personally
identifiable information and highly sensitive information of
Americans.
So, Senators, I would like to make three points.
First, scoring. There are now pseudo scores which are
comprised of factors that are non-financial or, I should say,
non-credit-report-based. These pseudo credit scores are used in
lieu of actual credit scores because they completely circumvent
the Fair Credit Reporting Act. So a business or an employer or
an insurer can purchase these scores and use them with no ill
consequence or any consequence at all. This needs to change.
Second, health. There are lists of millions of people that
are categorized by the diseases that they have, ranging from
cancer to bedwetting, Alzheimer's--terrible diseases, some of
them benign, some of them relating to mental illness. There are
lists of millions of people and what prescription drugs they
take. And these lists exist entirely outside of HIPAA.
The Chairman. Outside of what?
Ms. Dixon. HIPAA.
The Chairman. OK.
Ms. Dixon. The----
The Chairman. I understand.
Ms. Dixon. Any kind of Federal--yes--health protection.
Unless the data is held by a provider or, you know, a covered
entity under HIPAA, forget it, HIPAA doesn't apply.
This industry that is selling these lists--there has been a
lot of mention made of marketing purposes for these lists.
These lists are being sold without constraint. We don't know if
employers are buying them, if insurers are buying them. We
don't know who is buying them. But the lists are being sold for
apparently billions of dollars, which suggests to me that we
need to find out who is buying these lists.
In terms of solutions, my third and final point, we need to
expand the Fair Credit Reporting Act so that when there are
consumer scores that are pseudo credit scores that this is
brought under the Fair Credit Reporting Act so that consumers
can exercise the same rights they would have if a credit score
had been pulled. If the information is statistically as
accurate and has the same effect as a credit score, then why
isn't it regulated under the Fair Credit Reporting Act? This
should be a bright line here, and I don't think that that is
too terribly difficult to draw.
There needs to be, and actually there is an urgent need
for, a national data broker requirement for an opt-out. We
favor an opt-out that is highly granular so that consumers
don't always have to take the nuclear option and get entirely
off of every list. We favor consumers having the ability to
make their own choices. Maybe a consumer wants her name and
phone number on a list but nothing else, certainly nothing
about her weight, certainly nothing about the number of
children she has, or maybe she does, but the point is consumers
need to know when they are on a list and need to make choices
about what appears on those lists.
We need to reexamine HIPAA and decide if health information
that is not held by healthcare providers deserves healthcare
protections in privacy. I believe they do.
This is going to be the beginning of an important public
dialog that is going to be incredibly important for all of us
to engage in. Because if we have an industry that has not
curtailed the sale of names of anyone with highly sensitive
information for 7.9 cents a name, then we haven't done enough.
Thank you for this opportunity, and I look forward to your
questions.
[The prepared statement of Ms. Dixon follows:]
Prepared Statement of Pam Dixon, Executive Director,
World Privacy Forum
Chairman Rockefeller and Members of the Committee, thank you for
the opportunity to testify today about data brokers, an industry that
is often hidden from public view, and the impact of data brokers on
consumers' lives. My name is Pam Dixon, and I am the founder and
Executive Director of the World Privacy Forum.\1\ The World Privacy
Forum is a 501(c)(3) non-partisan public interest research group based
in California. We focus on conducting in-depth research on emerging and
contemporary privacy issues as well as on consumer education.
---------------------------------------------------------------------------
\1\ For more information and to read many of the research studies
and publications, see http://www.worldprivacyforum.org.
---------------------------------------------------------------------------
I have been conducting privacy-related research since
1998, first as a Research Fellow at the Denver University School of
Law's Privacy Foundation where I researched privacy in the workplace
and employment environment, as well as technology-related privacy
issues such as online privacy. While a Fellow, I wrote the first
longitudinal research study benchmarking data flows in employment
online and offline, and how those flows impacted consumers.
After founding the World Privacy Forum, I wrote numerous privacy
studies and commented on numerous regulatory proposals impacting
privacy as well as creating useful, practical education materials for
consumers on a variety of privacy topics. A few months ago, we
published a report on data brokers and the Federal Government, Data
Brokers and the Government, which examined current law and practices in
regards to the eligibility use of data brokers in particular. I have
published many additional studies. Previously, in 2005 I discovered
previously undocumented consumer harms related to identity theft in the
medical sector. I coined a term for this activity: medical identity
theft. In 2006 I published a groundbreaking report introducing and
documenting the topic of medical identity theft, and the report remains
the definitive work in the area.\1\ In 2010 I also published the first
report on digital and retail privacy, The One Way Mirror Society:
Privacy Implications of Digital Signage Networks. I have also written
several well-known reports on self-regulation, and in 2012-2013, was a
lead drafter in the NTIA MultiStakeholder Process for Mobile App Short
Form Notices.
Beyond my research work, I have published widely, including a
reference book on privacy, Online Privacy, and seven books on
technology issues with Random House, Peterson's and other large
publishers, as well as more than one hundred articles in newspapers,
journals, and magazines.
I appreciate the dedication and work of Senator Rockefeller in
bringing much-needed attention to the issue of data brokers, which
prior to his attention, was languishing on legislative backburners.
Introduction & Summary
What do a retired librarian in Wisconsin in the early stages of
Alzheimer's, a police officer, and a mother in Texas have in common?
The answer is that all were victims of consumer data brokers. Data
brokers collect, compile, buy and sell personally identifiable
information about who we are, what we do, and much of our ``digital
exhaust.''
We are their business models. The police officer was ``uncovered''
by a data broker who revealed his family information online,
jeopardizing his safety. The mother was a victim of domestic violence
who was deeply concerned about people finder websites that published
and sold her home address online. The librarian lost her life savings
and retirement because a data broker put her on an eager elderly buyer
and frequent donor list. She was deluged with predatory offers.
These people--and 320 million others in the United States--are not
able to escape from the activities of data brokers. Our research shows
that only a small percentage of known consumer data brokers offer a
voluntary opt out. These opt outs can be incomplete, extremely
difficult, and must typically be done one-by-one, site-by-site. Often,
third parties are not allowed to opt individual consumers out of data
brokers.
This state of affairs exists because no legal framework requires
data brokers to offer opt out or suppression of consumer data. Few
people know that data brokers exist, and beyond that, few know what
they do. There are about 4,000 data brokers. Despite the large and
growing size of the industry, until this Committee started its work,
this entire industry largely escaped public scrutiny.
Privacy laws apply to credit bureaus and health care providers, but
data broker activity generally falls outside these laws. Even a
knowledgeable consumer lacks the tools to exercise any control over his
or her data held by a data broker. It doesn't matter that the data is
about the consumer. The data broker has all the rights, and the
consumer has none.
Consumers have no effective rights because there is no legal
framework that requires data brokers to offer consumers an opt out or
any other rights. Privacy laws apply to credit bureaus and health care
providers, but data broker activity generally falls outside these laws.
Even a knowledgeable consumer lacks the tools to exercise any control
over his or her data held by a data broker. It doesn't matter that the
data is about the consumer. The data broker has all the rights, and the
consumer has none.
In my testimony, I will discuss consumer data brokers, businesses
that traffic in consumer data. The data broker industry is complex, and
I can only focus on a few aspects of it.
There are consumer list brokers that sell lists of individually
identifiable consumers grouped by characteristics. To our knowledge, it
is not practically possible for an individual to find out if he or she
is on these lists. If a consumer learns that he or she is on a list,
there is usually no way to get off the list. Some exceptions exist, but
the rule is that the lists are circulated far from consumers' eyes.
Lists reveal information that would surprise most people. Data
brokers sell lists of people suffering from mental health diseases,
cancer, HIV/AIDS, and hundreds of other illnesses. Data brokers sell
lists of people who live in or near trailer parks so that these
undesirable consumers can be targeted for suppression. Data brokers
sell lists of people who are late on payments, often to those who make
predatory offers to those in financial trouble. Data brokers sell lists
of people who are impulse buyers or ``eager senior buyers.'' All in
all, there are millions of lists.
In addition to list brokers, there are people finder services that
sell consumer demographic information online. The hundreds of ``people
finder'' websites online are also part of the data broker industry.
Statistically, few of these sites give individuals a meaningful
opportunity to have their information removed from their databases. A
handful do offer a partial or complete opt out or suppression, but to
exercise the opt out, consumers have to first find the site, then go
through what can be an incredibly frustrating series of hoops. Scanning
drivers' licenses, sending the opt-out through postal mail, and
sometimes paying as much as $1,000.00 to opt out. A consumer who
successfully negotiates an opt-out at one data broker faces the
challenge of doing the same thing at dozens or hundreds of other data
brokers. There is always the risk that a name removed today will be
added back tomorrow.
I will also discuss consumer scores, a growing area of data broker
activity. Consumer scores are not well-known yet, but their influence
on consumers is profound. One important example is the modeled consumer
credit score. The modeled consumer credit score consists entirely of
non-credit elements. Why? Because this allows the consumer data broker
industry to avoid giving consumers the rights that the Fair Credit
Reporting Act provides.
I will offer some solutions focused on addressing the problems
identified in my testimony. The solutions I propose are practical and
possible. The solutions are designed to bring fairness and rights to
consumers. The data broker industry has not shown restraint. Nothing is
out of bounds. No list is too obnoxious to sell. Data brokers sell
lists that allow for the use of racial, ethnic and other factors that
would be illegal or unacceptable in other circumstances. These lists
and scores are used every day to make decisions about how consumers can
participate in the economic marketplace. Their information determines
who gets in and who gets shut out. All of this must change. I urge you
to take action.
The Structure of the Data Broker Industry and Why it Matters
The data broker industry is complex, layered and multi-faceted, and
it is evolving rapidly. The industry cannot readily be described as
just consumer information being sold on flat lists. There is much, much
more than that.
A way to start approaching an understanding is to look at some key
aspects of the industry.
Size: The data broker industry, by its own estimation, numbers
in the neighborhood of 3,500 to 4,000 companies. Most data
brokers engage in multiple activities and have a range of core
expertise.
Scope: Data brokers range in scope from multi-national
corporations with revenues in the billions to small sole
proprietors operating locally. Some data brokers operate
offshore.
Shape of the long tail: This industry has a relatively small
number of very large name brand companies, and many more small
to mid-size companies. The tail of this industry is very long,
and the end of the tail works its way down from large companies
to small affiliates selling data online.
Activities: These include list brokering, data analytics,
predictive analytics and modeling, scoring, CRM, online,
offline, APIs, cross channel, mailing preparation, campaigns,
and database cleansing.
Data flows: Some data brokers host their own data and are
significant purchasers of original data. Acxiom is an example
of this kind of company. Some primarily analyze data and come
up with scoring and Return on Investments proofs. Datalogix is
an example of this kind of company. Some sell or resell
consumer information online. Intelius is an example of this
kind of company. There are many other models in addition. Some
data moves from online to offline and back; some through social
media and back. The point is that the business models and data
flows are complex, use many sources, and differ between types
of data brokers.
Affiliate Storms: One common model results in the flow of
information from the largest name-brand companies to the
smaller companies, who then turn around and resell the data to
a third tier of ``affiliates'' who then market the information
themselves, or to another downstream affiliate. The term I use
for this is ``affiliate storm.'' A consumer at the end of all
of the data reselling has difficulty finding the original
compiler and seller of the data.
Regulation: The 2013 GAO report on data resellers outlined the
lack of regulatory oversight regarding data brokers.\2\ There
are additional concerns that some existing regulations are
being circumvented in some cases.
---------------------------------------------------------------------------
\2\ Information Resellers: Consumer Privacy Framework Needs to
Reflect Changes in Technology and the Marketplace, http://www.gao.gov/
products/GAO-13-663. Sept. 25, 2013.
---------------------------------------------------------------------------
My comments today address the consumer-focused aspects of data
brokers. Some activities of data brokers do not affect consumers in a
negative or unfair way. Some list cleansing or compliance activities to
bring the data broker in line with the Do Not Call list are
unobjectionable. My testimony is about the other consequences of the
data broker business today.
Sources for Data Broker Data
The sources for data broker data have become more complex as the
industry has grown, and as the information systems have become more
digitized. Consumers sometimes have a choice about whether they give
data; other times, they do not. Even if a consumer paid mainly cash and
lived very quietly, using shredders for their mail and records and
keeping their SSN to themselves, the likelihood that the consumer could
totally avoid landing on a data broker list is quite small. Most people
in the U.S. are in many databases and on many lists.
Some of the most common sources of consumer data include:
(marketing, not credit data)
Retailers and merchants via Cooperative Databases and
Transactional data sales & customer lists
Financial sector non-credit information (PayDay loan, etc.)
MultiChannel direct response
Survey data, especially online
Catalog/phone order/Online order
Warranty card registrations
Internet sweepstakes
Kiosks
Social media interactions (dependent on data broker
interactions/agreements)
Loyalty card data (retailers)
Public record information
Website interactions, including specialty or knowledge-based
websites
Lifestyle information: Fitness, health, wellness centers,
etc.
Non-profit organizations' member or donor lists
Subscriptions (online or offline content)
Following are some source examples from data broker cards; these
examples are not surprising or out of the ordinary.
On a Baby Boomers data card, Adrea Rubin gave this source data:
Source: Multichannel Direct Response, Survey Data, and Public
Record Information \3\
---------------------------------------------------------------------------
\3\ DEFINING MOMENTS REACTIVE BABY BOOMERS Data Card, http://
datacardhub.adrearubin.com/market?page=research/datacard&id=255914. Last accessed
Dec. 17, 2013.
---------------------------------------------------------------------------
On a data card for a Transaction Database, the company listed the
source as:
Source: 79 percent catalog/phone order/Online, 21 percent
retail.\4\
---------------------------------------------------------------------------
\4\ Adrea Rubin, Action Network Transaction Database, http://
datacardhub.adrearubin.com/market?page=research/datacard&id=257898,
last accessed Dec. 15, 2013.
---------------------------------------------------------------------------
On a data card describing extreme mail order buyers, the source for
gender, age, income, number of purchases, and number of credit cards
was cited as
Source: Multi-source, consolidated from a variety of sources,
overlaid with co-op/transactional data[1]
A data card listing seniors listed the source as warrantee cards.
Source: Warrantee card registrations \5\
---------------------------------------------------------------------------
\5\ Warranty IT Seniors, Adrea Rubin, http://
datacardhub.adrearubin.com/market?page=
research/datacard&id=123434, last accessed Dec. 15, 2013.
---------------------------------------------------------------------------
Of the sources, a disturbing source is retail purchases both online
and off. Cooperative databases allow retailers to append copious data
about consumers to retail transaction files. This is the basis of the
Pineda vs. Williams Sonoma case in California, in which Williams Sonoma
took a consumer's e-mail and added home address information. Below is
an example of the use of retail transactional/cooperative databases,
this one from KBM Group.\6\
---------------------------------------------------------------------------
\6\ http://www.kbmg.com/privacy-policy/.
---------------------------------------------------------------------------
Later in this testimony, I include this company as an exemplar of
good opt out practices.
Sensitive Information and Lists That Should Not Exist
One of the key characteristics of modern data brokers is a lack of
restraint. The degree to which no piece of data is sacred is evident in
the reams of sensitive consumer data compiled, scored, circulated, and
sold.
I do not oppose the selling of lists entirely. There is a
reasonable center to be found. I agree that some lists are probably
always going to exist that one or another person deems sensitive.
Selling lists of doctors, nurses, teachers, and so forth are not among
my favorite business models. But I understand the need for these lists
and how they can be used in an unobjectionable way. I think of these
lists as the center of the bell curve. These lists are of professional
people.
However, some lists should not exist at all. This is where I urge
Congress to take action. Highly sensitive data are the frayed and ugly
ends of the bell curve of lists, far from the center. This is where
lawmakers can work to remove unsafe, unfair, and overall just
deplorable lists from circulation. There is no good policy reason why
unsafe or unfair lists should exist.
I give you some examples: police officers' home addresses, rape
sufferers, domestic violence shelters, genetic disease sufferers, among
others, below:
A list of police officers at home addresses. This list can
threaten the safety of police officers and their families.
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
A list of rape sufferers. This is an unjustifiable outrage
that sacrifices a rape victim's privacy for 7.9 cents per name.
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
A list of domestic violence shelters. Existing laws allow
domestic violence shelters to keep their location secret so
that abusers cannot find their victims. The commercial sale of
lists of these shelters is unjustifiable.
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
A list of genetic disease sufferers. This list identifies
people suffering from genetic diseases. This information will
apply to these people--and their progeny--for their lifetime.
Congress and the States have passed laws to protect the privacy
of genetic information, but these laws do not stop data brokers
from selling genetic information to anyone for any purpose.
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
A list of seniors who are currently suffering from dementia.
These unfortunate people are often targeted for highly
predatory offers. A list of caregivers would not have the same
potential for deleterious consequences.
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
A list of HIV/AIDS sufferers.
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
A list of people with addictive behavior, alcohol and drugs.
Alcohol and drug treatment information about patients is the
subject of extra protections under existing law, but no law
stops data brokers from profiting by selling the information.
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
A massive list of people identified by disease and
prescription taken. Diseases include everything from A to Z,
from cancer to mental illness, to bedwetting to gambling and
much more.
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
These lists speak for themselves. Can we agree that some lists
should not be circulated? Can we agree that the people named and
pinpointed and targeted by these lists should be protected from the
harm that can come from simply the inclusion on the list? I hope this
is the case.
I also would put derogatory credit lists on the firing line for if
not removal, then special treatment. These lists abound:
Hispanic payday loan responders
Derogatory credit consumers. These millions of consumers
fall into a low credit category.
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
In the Solutions section of this testimony I discuss ways that
this negative list situation can be improved. It is important to note
that the lists are just the obvious outgrowth of other data broker
activity, such as scoring.
Geography is Destiny: Trailer Parks and Zip+4
Where a person lives counts. A lot. Unfortunately, or fortunately,
depending on where you live, geography is marketing destiny. And
marketing destiny can now affect what opportunities come your way by
virtue of savings, discounts, or receiving financial offers.
For example, people who either live in a trailer park or within a
certain radius, usually a couple of miles of a trailer park, are often
candidates for list suppression. They will not receive opportunities
that their neighbors do solely because of their type of shelter. Or
conversely, people who are in a trailer park may be specifically
targeted for ads for low-income products or services. Is this trailer
park redlining?
DMDatabases offers, for example, a suppression list that includes
trailer parks as an option, among others:
OTHER SUPPRESSION OPTIONS
NURSING HOMES
TRAILER PARKS
MILITARY BASES
COLLEGE DORMORTORIES
BANKRUPTCIES, TAX LIENS, JUDGEMENTS \7\
---------------------------------------------------------------------------
\7\ DMDatabases, Suppression,
http://dmdatabases.com/data-processing/suppression, last accessed
Dec. 17, 2013. Screen shot available.
---------------------------------------------------------------------------
It can be reasonable and fair for a local business to use Zip+4 to
target a geographical area nearby. This makes a lot of sense. But I am
not persuaded that it is fair to use detailed census tract data and
Zip+4 to unfairly exclude people who may be living in or near the edge
of poverty.
Inferences and Categorization
Data brokers categorize consumers into tightly defined boxes
sourced by retail transactions, number of credit cards, ethnicity,
marital status, gender, education, and many other factors, including
neighborhood. There are a number of products sold by data brokers that
accomplish this. One product in this category is Personix, sold by
Acxiom. There are 70 Personix Clusters, each one identifying a type of
consumer. Another product is Prizm, sold by Claritas.\8\ ``P$ycle'' by
Dataman Group \9\ is another product. However, I do not know of a
single company that allows consumers to view the clusters they are put
in. I do not know of a single data broker that will allow consumers to
permanently opt out of the cluster definitions attached to them.
---------------------------------------------------------------------------
\8\ http://www.claritas.com/MyBestSegments/Default.jsp.
\9\ http://www.datamangroup.net/PycleFinancialMarkets.php.
---------------------------------------------------------------------------
At Acxiom's It's About The Data Portal, entering various zipcodes,
salaries, and characteristics such as presence of child, marriage, and
so forth allows one to explore the clusters.
Here are two sample Acxiom clusters:
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
These clusters come attached to average ages and proximal
information to guide marketers. The clusters are purchased by other
data brokers and are used to overlay other data they already have. In
many ways, the clusters shape the ads we see online, the deals we get
in the mail, and in some cases, unwanted targeting both at the high and
low end of the clusters.
Take for example the following data card, which is described as Low
End Credit Prospects. The source for the data is multi-source, and
includes Acxiom data. The data card specifically identifies low-end
credit prospects by their inclusion in the Acxiom Personix clusters.
In this case, these consumers were not described by being assigned a
modeled credit score; rather, the cluster does the work of
characterization. The category profiles are then combined with recent
transactions, which in turn landed these consumers on this data broker
list.\10\
---------------------------------------------------------------------------
\10\ Adrea Rubin, Activity Tracker Low End Credit Prospects Data
Card, Card ID 310015,
http://datacardhub.adrearubin.com/market?page=research/datacard&id=310015
last accessed Dec. 15, 2013.
---------------------------------------------------------------------------
What is most objectionable is that many products like Acxiom's
exist without consumers having any rights with respect to the data
about themselves that is being compiled, bought, and sold. Errors may
significantly alter the cluster a person is in, therefore altering the
quality and type of offers a consumer receives. Life looks very
different for cluster 1 and cluster 70.
Consumers need more rights over the use of their personal
information by data brokers.
Modern Eligibility
Eligibility has expanded and, with it, the uses of marketing data
for eligibility purposes and for suppression purposes. In the
traditional credit world, the FCRA still regulates the use of credit in
strictly-defined eligibility situations, such as employment and
insurance. The Equal Credit Opportunity Act also places limits on data
use. So does the Health Insurance Portability and Accountability Act's
(HIPAA) health privacy rule.
Modern eligibility has evaded, avoided, and overrun these laws,
creating an unfair situation for consumers. When health data is held by
a covered entity, HIPAA protections and rights apply. However, the
exact same data, used for purposes outside of strictly-defined FCRA,
ECOA or HIPAA limits and when not held by a health care provider,
escape the bounds of regulation. The definition of eligibility needs to
be expanded to encompass how data is now used. Consumers need more
rights with respect to these activities:
Authentication: using public and behavioral data to
authenticate consumers to use a service.
Anti-fraud: using transactional and behavioral data to
determine whether fraud is occurring.
Identity verification: Running quasi-background checks to
verify aspects of a consumer's identity.
Lifestyle: Background checks for dating websites, for
schools, for clubs.
Offers or suppression based on proxy credit scores: data
broker-generated financial offers based on non-credit
information, but just as accurate as a traditional credit
score. Or the inverse: people are excluded from a list based on
this information, but without associated FCRA or ECOA rights.
Offers or suppressions based on medical data: Consumer
health information that has escaped from the boundaries of
HIPAA--a significant amount--needs new rules that data brokers
must follow. Health-related analytics that have an impact on
consumer's health care prices, health care, credit, or
employment need controls to protect consumers. Certain lists
should not exist, and certain data should not be used in lists,
in analytics, or anywhere. Even lists that data brokers deem
non-sensitive such as lifestyle lists identifying smokers or
other patterns need controls.
Consumers who fail authentication tests, ID verification, or get
identified as a fraud risk will show up with different scores, will
wind up on different consumer data broker lists, and may have
difficulty conducting their daily business. Consumers who are painted
as fraudsters may find themselves locked out of their own bank, credit
cards, and even phones. Consumers who are identified as having very low
or derogatory credit by non-traditional analysis and scoring may find
themselves deluged with predatory offers. Consumers who are marked by a
data broker as having cancer, previous trauma, a chronic disease,
including genetic diseases, and even lifestyle markers, can have that
data sold to the wrong party and find themselves on the short end of
the health care stick and deeply stigmatized in many areas.
Circumventing the FCRA
While my testimony is not focused on the FCRA, it is important to
state for the public record that many data brokers are engaging in
behaviors that circumvent the FCRA. I leave it to the Committee to
decide if these activities are already illegal or if they should be
brought within the FCRA and regulated in the same way as traditional
credit records.
Proxy credit scores relate to circumventing the FCRA.\11\ There is
another issue related to circumventing the FCRA. Many of the websites
selling consumer background check data and other data state in a
disclaimer that they are not a consumer reporting agency and therefore
are not regulated under the FCRA. They adjure their customers to not
violate the terms. The restrictions are not meaningful, and we suspect
the violations of terms are routine.
---------------------------------------------------------------------------
\11\ Selling Consumers Not Lists: The New World of Digital
Decision-Making and the Role of the Fair Credit Reporting Act, Ed
Mierzwinski and Jeff Chester. November, 2013.
---------------------------------------------------------------------------
There need to be meaningful checks and balances to keep improper
uses from occurring. Given the sheer numbers of affiliate websites
selling consumer data, this will require some affiliate oversight and
reform. We found some affiliates without a privacy policy, much less an
opt out.
From http://www.peoplesearchnow.com/default.aspx:
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Just because there is a paragraph stating that a website is not
operating as a consumer reporting agency doesn't make it so. We
strongly suspect that the disclaimer is offered with a wink, safe in
the knowledge that no regulatory agency will be able to look at
hundreds of small sites for violations of the law.
Data Broker Opt Out: The Grim Choices Consumers Face
Consumers face bad options and scant choice when it comes to data
broker opt out. Leaving aside rights conferred under the FCRA for
strict FCRA-defined eligibility purposes for the moment, consumers are
in fact left largely to fend for themselves with few tools and no clear
rights. Some opt outs exist, but the landscape is difficult--so much so
that it is improbable that consumers can wend their way through the opt
out process successfully.
How many allow opt out?
The World Privacy Forum compiled a list of 352 consumer-focused
data broker sites and lists. Our list is available at
http://www.worldprivacyforum.org/2013/12/data-brokers-opt-out/. A study of the
data broker industry conducted by Dr. John Deighton for the Direct
Marketing Association in 2013 found that the universe of data brokers
was approximately 3,500.\12\ Our data broker list, then, comprises a
ten-percent rough sample of this universe. Included on the list are
various people finder websites, data brokers that this Committee or the
FTC has sent letters of inquiry to, consumer list brokers, and others.
Of 352, 128 offered a data opt out. Some of those were full opt outs,
some partial or unclear, some of them cost as much as $1,799.00, and
one opt out promised that the site reserved the right to ``publish the
request'' if someone decided to opt out.
---------------------------------------------------------------------------
\12\ Panel comments by Dr. John Deighton, National Press Club, The
Value of Data: Consequences for Insight, Innovation and Efficiency in
the U.S. Economy, A Symposium Hosted by DMA's Data-Driven Marketing
Institute, October 29, 2013. Dr. Deighton was commenting on his
sampling for the study, The Value of Data: Consequences for Insight,
Innovation and Efficiency in the U.S. Economy, John Deighton and Peter
Johnson, DDMI, 2013.
---------------------------------------------------------------------------
Opting out of Data Broker Scores and Lists
To remove a consumer's name and information from all data broker
lists appears to be an almost impossible task right now. If a mailing
list is held by a DMA member, the DMA opt out can be effective.
However, not every data broker is a DMA member, which poses an
immediate problem. For scores, there is no known score opt out. After a
consumer is assigned a score by a data broker, a consumer will find it
nearly impossible to find that score or to opt-out of its use to
describe or characterize the consumer.
In our research, we have found one exemplar company that is
allowing an opt out of their databases and lists, KBM Group. A screen
shot of the relevant portion of the policy is below; note that the
policy allows for internal database opt out as well as linking to the
DMA opt out. The policy is located at http://www.kbmg.com/privacy-policy/.
This is a best practice, and is seldom seen.
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Suppression vs opt out
It is important to note that when consumers opt out of data broker
websites or lists, most often what is happening is that their
information is being suppressed. The information remains, but it is
removed from circulation. Delete is not a word that is used very often
in data broker opt out.
For consumers who want to get off of data brokers' marketing lists,
the primary mechanism for removal is to use the DMA Choice opt-out
mechanism. This will put the consumer on a suppression list, which
means the data brokers will still have the consumer information, but no
further sales or marketing will occur within a given time frame via the
lists that allow opt out or suppression.
When data brokers allow for a DMA Choice opt out to influence all
of their list and brokering activity, this is a good thing. But this is
not nearly as common as it needs to be. Only some lists adhere to the
DMA Choice program. One significant problem is that not all data
brokers are DMA members, and thus escape the self-regulatory program.
For those that are DMA members, we do not know how effective the DMA
Choice program is.
Policy Issues in Current Opt Out/Suppression Practices
Of data brokers that allow opt out, additional policy issues
include the following:
Incomplete: Most opt outs are incomplete, and often require
consumers to have a safety reason for the opt out.
Suppression not deletion. Many opt outs are suppression-
based. This may be difficult to change.
No Third Parties: Consumers are usually required to ask for
the opt out directly on their own. Requests through third
parties are not allowed. This makes opt out an impossible
proposition for consumers, who have to go to each individual
site to effectuate the opt outs that are available to them. It
is clear that the policy deliberately seeks to make it as hard
as possible for consumers to exercise the ability to opt-out.
No Guarantee: An opt out is not guaranteed, no matter why
the consumer is conducting the opt out. Thus, the opt out may
not work or may only be effective for a short period of time.
Fees: Some data brokers charge fees ranging from annoying
(less than $30) to exorbitant (in excess of $1,000).
Hunting for the opt out: Finding the opt outs on many
consumer data broker sites is an exercise in extreme patience
and persistence. Opt outs are seldom indicated by a prominent
opt out button labeled as such. While some data brokers do play
nicely with consumers and provide this, fair play is the
exception, not the rule. Typically, opt outs are buried deep
within a privacy policy, terms of use, or FAQ.
Opt out requirements non-standardized: A bewildering array of
choices faces the
person who wants to opt out of data broker lists. Some opt outs
are fair. DMA Choice is a reasonable opt out. But many are not
reasonable or fair. Some require a privacy-concerned consumer
to send a scanned copy of a driver's license or to jump through
other hoops. We would be reluctant to recommend that a consumer
share a copy of a driver's license. Many consumers do not have
a driver's license or other government-issued form of
identification, and these consumers may find it impossible to
opt out.
Marketing use of opt-out information: No regulation stops
data brokers from selling or otherwise using the information
given in an opt out application.
Negotiating the opt out: There is no controlling legal
standard for data broker opt out. As a result, consumers have
to dig through complex privacy policies and language and figure
out each opt out.
Partial Opt Outs Only: Some data brokers allow for partial
opt outs, meaning that it is available only if there is a
safety issue, or if an individual is a member of law
enforcement. However, there are concerns even with this. There
are no rules that say that information about the request to opt
out will not be sold or shared.
No opt out: Many data brokers do not allow any opt out.
Consumers are left with no recourse.
Examples of challenging opt outs
Here is an example of a privacy policy with an opt out notice; this
is from a consumer-facing data broker site called SortedbyName.com.
Note the last sentence, where consumers who opt out may be treated
punitively for doing so (emphasis in yellow is mine):
This webmaster reviews stats, including IP addresses of site
visitors from time to time.
Third party vendors, including Google, use cookies and web
beacons to serve ads based on a user's prior visits to the
website.
Google's use of the DART cookie enables it and its partners
to serve ads to users based on their visit to the site and/or
other sites on the Internet.
Users may opt out of the use of the DART cookie by visiting
the advertising opt-out page. (You can opt out of a third-party
vendor's use of cookies by visiting the Network Advertising
Initiative opt-out page.)
With the Firefox browser, use Ctrl+Shift+P for private
browsing. Use Tools--Options--Privacy to set preferences. Use
Shift+Ctrl+Delete to clear your history so remote servers
cannot access it.
By sending a request for removal of names from the site, you
give us permission to publish the request, including your e-
mail address and all headers.\13\
---------------------------------------------------------------------------
\13\ http://sortedbyname.com/privacy.html, last accessed Dec. 17,
2013. Screen shot available.
---------------------------------------------------------------------------
Here is an example of a complicated opt out, this from waatp.com:
How do I remove or update my data on waatp.com? waatp.com
investigates for live data reached by public on a regular
basis. Because this information is not contented on our
hosting, we cannot give any guarantees these data will be
removed until the change has been occurred at the source of the
data. To update or remove this information, we advise: Our site
will provide the certain source for the information the applier
would have changed or removed. Approval that applier is the
individual specified in the Public Profile is an obligatory
condition, therefore we may ask that appliers faxes or e-mails
it:
1--a written application asking for the database source or a
change application;
2--a screenshot of a page, with marked information that you ask
to change or to search in the source;
3--a legal proof of ID like State/Federal ID card that points
your name, full address, date of birth (you can remove your
personal photo an/or ID#);
4--any pseudonyms;
5--ex-addresses, including str.name, town, zip.
You should fax this information to 800 861 9713 (please attach
an e-mail so that we are able to contact you regarding any
questions) or e-mail to Profile-Remove/at/waatp.com.com.
Changes might take up to 6 weeks to come into effect and are
only constant if the info has been previously edited or removed
at the original source. Without a constant change at the
original source, the process of deletion of any info stored in
a Public Profile is NOT guaranteed.\14\
---------------------------------------------------------------------------
\14\ http://waatp.com/faq.html. Last accessed Dec 17, 2013. Screen
shot available.
---------------------------------------------------------------------------
An example of the No Third Party policy can be found at People
Smart, http://www.peoplesmart.com:
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
The Scoring of Americans
Americans face a future that is increasingly being shaped in
significant ways by their consumer scores. A consumer score provides a
way of evaluating an individual or a household. The best-known consumer
scoring activity is credit scoring. Credit scores date back to the
1950s, and replaced human judgment about credit granting by relying on
standardized criteria. While most people are familiar with credit
scoring, consumer scoring encompasses a broader category of activities
that uses scores to assess consumers for one or more purposes.
The World Privacy Forum offers consumer scoring as a generic term
for these scoring methods. A consumer score derives from an algorithm
that typically employs objective criteria. The score relies on
demographic, health, consumption, transactional data, marketing,
credit, or other personal characteristics. Companies and governments
use the resulting score to make a decision about an individual or
household.
By itself, consumer scoring is not necessarily good or bad. Scoring
orders a population along a mathematically defined scale. However,
scoring has the prospect of being used to affect individuals in
significant ways that may not be fair. If a score becomes the way that
consumers are treated, then the results may not be acceptable to the
American public. The quality and relevance of the data used, the
transparency of the methodology, and the reasonableness of the
application are the major factors that determine the fairness of any
scoring activity. These issues are likely to be the central focus of
the policy debate about consumer scoring.
Consumer scoring is already more widespread than most people
realize. A significant segment of the data broker industry already
focuses on scoring and predictive analytics, and as such, is
intricately interwoven into the scoring business.\15\ Known consumer
scoring activities include assessments and predictions relating to
insurance, bankruptcy, identity, fraud, consumption, health, propensity
to purchase, ``consumer value estimation,'' and more. A dozen
categories of consumer scoring have been identified so far, each
containing numerous scores. There may be hundreds or thousands of
consumer scores already in use. The Federal Government uses scoring for
some purposes, an activity beyond the scope of this testimony but
something that may be worthy of more attention by the Congress. It
might be useful, for example, to ask the Government Accountability
Office to identify all of the consumer scoring used by Federal
agencies.
---------------------------------------------------------------------------
\15\ The Direct Marketing Association's publicly searchable Vendor
Database contained 377 companies stating an expertise specifically in
scoring as of Dec. 15, 2013. Some examples of companies listed include
Datalogix, Analytics IQ, FICO, iKnowtion, and others.
---------------------------------------------------------------------------
The use of consumer scoring is expanding rapidly because scores
provide an easy analytics shorthand for measuring consumer behavior,
risk, and potential for future success or spending. Companies and
government will use scores to make more decisions about a consumer's
access to markets, price for goods and services, ability to travel, and
other social and economic opportunities. Schools will use scores beyond
academic measurement scores to determine the viability of candidates.
Policy issues around consumer scoring
Secrecy
Most consumer scores today are secret--consumers cannot see most
scores even if they know about them. Beyond the numeric value of the
scores themselves, a complete lack of transparency surrounds consumer
scores. Citing proprietary claims, the factors that make up consumer
scores are secret. The procedures and algorithms are secret. Often,
even the full numeric range and context are secret.
Credit scores were unknown to most consumers through the 50s, 60s,
70s, and 80s. Trickles of a score that was not disclosed to consumers
but that could be used to deny a person credit began to leak out slowly
to some policymakers, particularly around the time ECOA passed. In May
1990, the Federal Trade Commission wrote commentary indicating that
risk scores (credit scores) did not have to be made available to
consumers. But when scoring began to be used for mortgage lending in
the mid 90s,\16\ many consumers finally began hearing about a ``credit
score,'' most of them for the first time, and mostly when they were
being turned down for a loan.\17\ A slow roar over the secrecy and
opacity of the credit score began to build.
---------------------------------------------------------------------------
\16\ In 1995 Freddie Mac and Fannie Mae endorsed the use of credit
scores as part of the mortgage underwriting process. This had a
substantial impact on the use of credit scores in the mortgage loan
industry. See for example Kenneth Harney, The Nation's Housing Lenders
might rely more on credit scores, The Patriot Ledger, July 21 1995.
\17\ See for example, comments of Peter L. McCorkell, Senior
Counsel to Wells Fargo, to the Federal Trade Commission, August 16,
2004 in response to FACT Act Scores Study.
---------------------------------------------------------------------------
By the late 90s, the secrecy of credit scores and the fact that
people could not see the underlying methodology or factors that went
into the score or the range of the score to determine how the number
should be interpreted was a full-blown policy issue. Beginning in 2000,
a rapid-fire series of events--particularly the passage of legislation
in California that required disclosure of credit scores--eventually
dismantled credit score secrecy and non-disclosure. Now, credit scores
must be disclosed to consumers, and the context, range, and key factors
are now known.\18\
---------------------------------------------------------------------------
\18\ As of December 2004, the Fair Credit Reporting Act as modified
by the Fair and Accurate Credit Transactions Act, or FACTA, ended score
secrecy formally, and required consumer reporting agencies to provide
consumers with more extensive credit score information, upon request.
Also made available to the public was the context of the score (its
numeric range), the date the score was created, some of the key factors
that adversely affected the score, and some other items.
---------------------------------------------------------------------------
Credit scores are no longer secret, and this was and still is the
right policy decision. Why are other scores secret, when they are being
used for important decisions about consumers? Why are other score
factors and numeric ranges secret, when the risk of marketing data
comprising the score of a factor used in modern eligibility practices
is very high?
There should be no secret scores, and no hidden factors.
Unfairness
Of significant concern regarding scoring are the factors that go
into the creation of a score. A single score is often created from the
admixture of more than 600 to 1,000 individual factors. These factors
can include race, religion, age, gender, household income, zip code,
presence of medical conditions, zip code + 4, transactional data from
retailers, and hundreds more. Therefore, one individual score can
contain hidden factors that range from non-sensitive to quite
sensitive. A score that is designed to assess or assign consumer value
to a business could also include factors that would be entirely
unacceptable or that, in the context of either the Equal Credit
Opportunity Act (ECOA) or the Fair Credit Reporting Act, would be
flatly illegal.
In a description of its sets of scores that can be purchased, one
company described how it creates its scores:
Aspects Life Choices system
Our Database at the Core
Our proprietary set of data that allows us to produce powerful
scored solutions. It is created from over 100 sources, updated
quarterly, and contains 1,500 proprietary demographic,
psychographic, attitudinal, econometric and summarized credit
attributes.
Clear Benefits to Users
Can be used to enhance any list
Applied at the Zip+4 level
Data can be custom modeled \19\
---------------------------------------------------------------------------
\19\ AnalyticsIQ, http://analytics-iq.com/download/Aspects.pdf,
last accessed Dec. 16, 2013.
---------------------------------------------------------------------------
This particular company, like most companies selling consumer
scores, does not publish its 100 sources nor its 1,500 attributes that
it is using to develop the score for consumers' perusal, nor does it
summarize even the categories of information used for consumers. It is
unlikely that consumers can purchase or see these scores for
themselves,\20\ and like other consumer scores, this score is opaque.
If ECOA factors are present, no one but the company employees would
know.
---------------------------------------------------------------------------
\20\ One exception to this is ID Analytics' Identity Score, which
consumers are able to see.
---------------------------------------------------------------------------
Notably, the ECOA requires that credit scoring systems may not use
race, sex, marital status, religion, or national origin as factors
comprising the score. The law provides the opportunity for creditors to
use age; however, it also requires that seniors are treated equally.\21\
Marital status is commonly used as a consumer score factor, as are
other factors either directly or inferentially connected to factors
that would be protected under ECOA but are not in broader consumer
scores, even if those scores are being used for other eligibility
decisions.
---------------------------------------------------------------------------
\21\ For more information, see
http://www.consumer.ftc.gov/articles/0152-how-credit-scores-affect-price-credit-and-insurance.
---------------------------------------------------------------------------
Lack of Rights in Consumer Scoring
After a consumer has been scored, the factors (behaviors,
characteristics, etc.) that went into the score do not typically
disappear. After the score has been recorded into a data broker's host
database, there is not a way for consumers to remove themselves from
this activity. A discussion of how this impacts proxy credit scores is
below.
Exemplar: Modeled Credit Scores
The privilege of marketing information based on credit report data
comes with the requirement that consumers can opt out of that
marketing. Marketing targeted to credit reports is strictly limited to
credit and insurance.\22\ But analytics are at such a sophisticated
level now that accurate ``modeled credit scores'' are being created and
used as a proxy for traditional credit scores. These modeled scores are
made of consumer information drawn from beyond the traditional credit
bureau score to create an entirely new score. Because these scores
contain no direct credit information, they are seen by some as outside
of either ECOA or the FCRA. Therefore, information closely mimicking
credit data is now being used for broad marketing purposes, and there
is no requirement for opt out.
---------------------------------------------------------------------------
\22\ A significant lawsuit on this issue is FTC v. Transunion which
is definitive. From the press release: ``The Federal Trade Commission
has ordered the Trans Union Corporation to stop selling consumer
reports in the form of target marketing lists to marketers who lack an
authorized purpose for receiving them under the Fair Credit Reporting
Act (``FCRA''). In a unanimous opinion authored by Commissioner Mozelle
W. Thompson, the FTC determined that ``Trans Union's target marketing
lists are . . . consumer reports under the FCRA'' and concluded that
Trans Union is violating the FCRA by selling this information to target
marketers who lack one of the ``permissible purposes'' enumerated under
the Act. The Commission's decision applies to a number of Trans Union's
target marketing list products including its Master File/Selects
products, its modeled products and its TransLink/reverse append
products.''
http://www.ftc.gov/news-events/press-releases/2000/03/trans-unions-sale-personal-credit-information-violates-fair.
Full case:
http://www.ftc.gov/enforcement/cases-and-proceedings/cases/2000/03/trans-union-corporation-matter.
---------------------------------------------------------------------------
A good modeled credit score predicts financial risk comparable to
the traditional credit score. Fair Isaac's Expansion Score draws
consumer information from non-traditional sources, that is, sources
other than the big three credit bureaus. Although Fair Isaac does not
disclose its data sources except directly to the individual consumer
being scored, industry publications state that Fair Isaac is using
deposit account records and pay-day loan cashing as predictive factors
in its Expansion Score.\23\ The Expansion Score is regulated, so
consumers who have an Expansion Score are entitled to know certain
information about that score, including the factors. Fair Isaac is
playing by the rules, but data broker data cards indicate that not all
companies (or data brokers) are when it comes to inferred credit data
or scores.
---------------------------------------------------------------------------
\23\ Ann McDonald, High Points for Credit Scoring: With generic
scores becoming antiquated, credit-scoring providers are focusing on
new offerings. Collections and Credit Risk, April 1 2006, 46 Vol. 10,
No.4.
---------------------------------------------------------------------------
Companies can now build score cards with very little or even no
data by taking advantage of the new generic credit bureau scores to
create a baseline of information. In these cases, the score card is
typically monitored and evaluated closely to see if it is viable.\24\
In this way, the equivalent of consumer credit scores that would be
otherwise regulated under the FCRA end up being used for all sorts of
purposes that would not be allowed had they been traditional credit
scores. The end score could be something like a churn score, or
customer loyalty score. In other situations, behavioral clues allow
people to be targeted just as precisely as if their scores were known.
---------------------------------------------------------------------------
\24\ LC Thomas, RW Oliver, DJ Hand, A Survey of Issues in Consumer
Credit Modeling Research, The Journal of the Operational Research
Society, Sept. 2005, Vol. 56, Iss. 9.
---------------------------------------------------------------------------
People, for example, who have a low Beacon score (an Equifax credit
score) and are subsequently turned down for the purchase of a phone,
show up on a data broker mailing list called ``Cell Phone Turndowns.''
\25\ The data card says: ``These consumers are ready and eager to
receive offers and opportunities in the following categories: secured
and sub-prime credit, Internet, legal and financial service, health
insurance offers, home equity loans, money making opportunities, and
pre-approved credit with a catalog purchase.'' The Beacon score is not
given--it does not need to be in order for data brokers to infer the
credit score of these individuals. If a generalized credit score is
known with certainty, as it is in this case, then why is it OK to then
sell this information without limiting the data to FCRA constraints?
---------------------------------------------------------------------------
\25\ Cell Phone Turndowns Mailing List, NextMark List ID #188161.
http://lists.nextmark.com/market?page=order/online/datacard&id=188161,
last accessed Dec. 12, 2013.
---------------------------------------------------------------------------
The use of the modeled credit score is well understood by data
brokers. DMDatabases wrote this on its website, discussing its modeled
credit score:
IMPORTANT NOTE: The Fair Credit Reporting Act (FCRA) does NOT
allow the release of actual credit data to any party that lacks
a permissible purpose, such as the evaluation of an application
for a loan, credit, service, or employment. Before requesting
information on a credit score mailing list or credit score e-mail
list, make sure your offer is in compliance with FCRA
guidelines. For details on FCRA compliance requirements--CLICK
HERE.
GOOD NEWS/BAD NEWS: The bad news is that 90+ percent of offers
do not meet the strict FCRA compliance requirements for using
actual credit score data. The good news is that marketers have
a very effective alternative . . . The Premier Modeled Credit
Score Database.-CLICK HERE and read more.\26\
---------------------------------------------------------------------------
\26\ http://dmdatabases.com/databases/consumer-mailing-lists/consumer-lists-by-credit-score.
More information about the DMDatabases modeled credit score is at
http://dmdatabases.com/databases/specialty-lists/modeled-credit-score-direct-mail-e-mail-list.
---------------------------------------------------------------------------
Experian sells ChoiceScore, a financial risk score built entirely
of non-credit factors.\27\ Experian explains in its description of the
score that it is created from consumer demographic, behavioral, and
geo-demographic information. One data broker selling a list of
consumers who had been segmented by the ChoiceScore said this in its
data card description, which can be seen in the screen shot below:\28\
---------------------------------------------------------------------------
\27\ Experian ChoiceScore,
http://www.experian.com/marketing-services/data-digest-choicescore.html.
\28\ http://datacardhub.adrearubin.com/market?page=research/datacard&id=268601.
---------------------------------------------------------------------------
ChoiceScore by Experian UnderBanked and Emerging Consumers
ChoiceScore helps marketers identify and effectively target under-
banked and emerging consumers. Using the most comprehensive array of
non-credit data available from Experian. A financial risk score
(indicating the potential risk of future nonpayment) provides marketers
with an additional tool for more precise targeting.\29\ The data card
also indicated that the ChoiceScore could be used to suppress some
consumers from getting information.
---------------------------------------------------------------------------
\29\ CHOICESCORE BY EXPERIAN UNDER BANKED AND EMERGING CONSUMERS,
http://datacardhub.adrearubin.com/market?page=research/datacard&id=268601.
---------------------------------------------------------------------------
Based on Experian's website, it appears that the ChoiceScore is
apparently not available for sale to consumers. The score appears to be
available for non-FCRA uses.\30\ What factors go into these and other
scores? How is ChoiceScore used in eligibility decisions? The score's
factors are not defined, so it is difficult to know what kind of
marketing data is included, if at all, in the score. It is also
difficult if not impossible to determine how or if or when the score is
being used in modern eligibility decisions.
---------------------------------------------------------------------------
\30\ According to the data broker's data card, two entities
purchased this data: Achievecard, and Figi's Incorporated. Figi's
Incorporated appears to be a food gift retailer.
(http://www.fbsgifts.com/about.html#figis).
---------------------------------------------------------------------------
Are credit factors bundled into any base scores? Are credit factors
used for non-credit marketing? Are any ECOA factors in the scores? How
are credit and ECOA factors weighted in the algorithms? We do not know.
Modern data analytics have made child's play of mimicking
traditional credit scores and unearthing people who are in various
credit score brackets. Congress acted to protect the use of this
information with good reason. The change in technologies that give us
new modeled scores of great accuracy does not change the underlying
principles that still need to be at work here: fairness, accuracy,
transparency, and some reasonable limits in use.
My question is this: if a modeled credit score is as good as a
traditional credit score, shouldn't it come under the FCRA? I believe
the answer to this is yes. Congress needs to draw a bright line around
this issue in particular and ensure that for fairness reasons it does
not get entrenched any further. I predict that when consumers learn of
data broker activity in the scoring area, they will not be happy.
Exemplar: Health Scores
Another category to consider is the area of health. Health scores
are now in circulation, which brings concerns, not the least of which
is that consumers care deeply about their health privacy and decisions
made about them regarding their health, insurance policy pricing, and
prescription pricing. The same questions raised above about
transparency, secrecy, factors, and use are relevant here. Other
questions come into play as well. For example: can employers purchase
health scores? Are health scores shared with debt collectors? Of note
in the area of health and in other areas is the issue that companies
increasingly either
Frailty Scores
Regarding the Frailty Score, in 2011, a rather spectacular medical
data breach revealed that a company called Accretive was collecting
detailed and sensitive health information about hospital patients in
Minnesota via contract with those hospitals, and then using that data
to develop scores. A lawsuit revealed the extent of the information
gathering by this company. The company was collecting the following
information and developing the following scores:
Patient's full name
Gender
Number of dependents
Date of birth
Social Security number
Clinic and doctor
A numeric score to predict the ``complexity'' of the patient
A numeric score to predict the probability of an inpatient
hospital stay
The dollar amount ``allowed'' to the provider
Whether the patient is in ``frail condition''
Number of ``chronic conditions'' the patient has
Fields to denote whether the patient has:
Macular degeneration
Bipolar disorder
Depression
Diabetes
Glaucoma
HIV
Metabolism disorder
Hypertension
Hypothyroidism
Immune suppression disorder
Ischemic heart disease
Osteoporosis
Parkinson's Disease
Asthma
Arthritis
Schizophrenia
Seizure disorder
Renal failure
Low back pain
The screenshot below is a screenshot of a patient's data that had
been revealed in the breach, redacted for the lawsuit.
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
One of the complaints in the lawsuit was that patients had no
knowledge of this scoring activity.
``Upon information and belief, the hospitals' patient admission
and medical authorization forms do not identify Accretive by
name or disclose the scope and breadth of information that is
shared with it. Upon information and belief, patients are not
aware that Accretive is developing analytical scores to rate
the complexity of their medical condition, the likelihood they
will be admitted to a hospital, their ``frailty,'' or the
likelihood that they will be able to pay for services, among
other things.'' \31\
---------------------------------------------------------------------------
\31\ United States District Court, District of Minnesota. State of
Minnesota vs. Accretive Health, Inc.
---------------------------------------------------------------------------
This was a complex case that illustrates the complex nature of what
constitutes data broker activities. The company, Accretive, wore many
hats, from debt collector to data analytics. Data analytics such as
complex scoring is one form of data broker activity. However, Accretive
in this case did not fit the traditional mold of data broker as list
seller. No outsider can tell if the company is internally violating
restrictions in existing law.
FICO's Medication Adherence Score
FICO's Medication Adherence Score was launched in June, 2011.
According to FICO, it is using variables from the marketing world:
``. . . those variables include age, gender, family size and asset
information--such as the likelihood of car ownership--data also used by
direct marketing companies. FICO says that with only a patient's name
and address, it can pull the remainder of the necessary information
from publicly available sources.'' \32\ FICO states that the score is
used to determine reminder mailings for consumers. It is unknown if the
uses for the score have expanded since its introduction. Historically,
prescription reminder activity has been controversial. Those chosen for
reminders have not always been very happy about it.\33\ We suspect
that prescription reminders are sent only to patients who have high-
quality health plans and then only for high-priced, patent-protected
drugs. That may be the type of information included in a score.
---------------------------------------------------------------------------
\32\ Jeremy M. Simon, New medical FICO score sparks controversy,
questions, Yahoo Finance, July 28, 2011.
http://finance.yahoo.com/news/New-medical-FICO-score-sparks-creditcards-1400615100.html?x=0.
\33\ Weld v. CVS Pharmacy Inc., No. CIV. A. 98-0897, 1999 WL
1565175 (Mass. Super. Nov. 19, 1999), aff'd, Weld v. Glaxo Wellcome,
Inc., 746 N.E.2d 522 (Mass. 2001).
---------------------------------------------------------------------------
General Conclusions about Consumer Scoring and Data Brokers
I have mentioned above that the data business is changing and is
becoming much more sophisticated. Consumer scores are a significant
contributor to the change. Consumer scoring has substantial potential
to become a major policy issue as scores with unknown factors and
unknown uses and unknown legal constraints move into broader and
broader use.
Secrecy, fairness of the factors, accuracy of the models, the
inclusion of sensitive information--these are some of the key issues
that must be handled. It is exquisitely unlikely that self-regulation
will solve the dilemmas consumer scoring introduces. However, the path
for what could constitute fair regulation in this area is already
established via the history of the credit score.
Solutions
To bring fairness, accuracy, and transparency to consumers
regarding data broker activities, a multi-prong approach which
addresses multiple aspects of the problems needs to be pursued.
National data broker list
The Federal Trade Commission or the Consumer Finance Protection
Bureau should require the industry to maintain a current list of all
data brokers, with full identification, description, and contact
information. If industry cannot provide the needed transparency, the
agencies should create the list on their own.
National consumer data broker opt out requirement
There is an urgent need for a national consumer data broker opt-out
requirement. Consumers should be able to opt out at a central portal.
Data brokers should be allowed to download the list of those who have
opted out. Data brokers would then be responsible for scrubbing their
lists.
The opt out needs to be standardized, and could operate like
Prescreen Opt Out. Consumers would opt out at a central portal,
consumer data brokers would be able to download the list of those who
had opted out, then data brokers would be responsible for using this
dated list to scrub their lists.
National opt out standards:
No use of opt out data for marketing purposes
Standardized language around opt out
Prominent placement on home page of a button or link that
says opt out
Notice to consumers that an opt-out request has been
received and acted upon
Due process rights for consumers denied an opt out
Consequences for data brokers that do not comply
Opt outs for all without cost or prerequisites and with
simple procedures
Reform and oversight of affiliate marketing of consumers'
personally identifiable data. Affiliate marketing of consumer
information creates very significant challenges for consumers. The
businesses selling the data should exercise appropriate and reasonable
oversight.
List brokers who are selling PII of consumers must allow consumers
to see the lists they are on and opt out. If a consumer is on a list,
why can't the consumer be made aware of that? The list could be
incorrect, and could have consequences if sold to an insurer or
employer.
The sale of lists that endanger lives or safety or wellness should
be stopped. There are lists all of us should be able to agree should
not exist. The lines can be drawn by regulatory agencies after
consulting with consumers and industry.
No secret consumer scores, no unfair factors. There should be full
publication of data elements (but not weights) used in consumer scores,
and all data elements used must be reasonable.
The expansion of the FCRA to include modern eligibility options.
Eligibility uses of data have expanded. The law may need to be expanded
so that proxy credit scoring or modeled credit scoring clearly fall
under the law. There should also be limits on the use of sensitive
information in scoring and on the sale of health data in all contexts.
In addition, data brokers should be subject to strict disposal
requirements and time limits for all data held. Fair Information
Practices should be applied to consumer data broker practices and
lists.
Better Enforcement: Civil and in some cases criminal penalties when
there is a breach of the law. Private rights of action for aggrieved
consumers should be allowed, together with effective enforcement and
oversight by the FTC and CFPB.
Conclusion
I agree that the data broker industry is complex, as is our digital
world, as are the lives of all of us who live in this world. But that
is no excuse for avoiding the necessary discussions that will need to
take place between all stakeholders.
In this testimony, I have said many things. It can be summed up in
this way:
Individuals should have the right to stop harmful collection
and categorization activity and to force the permanent and
immediate expungement of all data that is factually incorrect,
data that arrives at an incorrect conclusion about them, or
data that influences decisions about a consumer in a negative
way.
This was the idea behind the Fair Credit Reporting Act of 1974. It
was a good idea then, and the fundamental values remain the same today.
Thank you for your attention to these matters. I welcome your
questions, and will be happy to provide further research or input.
The Chairman. Thank you, Ms. Dixon. And you are exactly
right; this is the beginning of a dialog. And we need to probe
deeply, without fear of consequence, and then we need to do
something about it. That will be a judgment that we will have
to make, but you have already suggested a change in HIPAA,
which is, you know, it used to be very sacred and still is but
not in all cases. So I thank you for your testimony.
Professor Joseph Turow. Now, Dr. Turow is the Associate
Dean for Graduate Studies, the Annenberg School for
Communications at the University of Pennsylvania.
STATEMENT OF JOSEPH TUROW, ROBERT LEWIS SHAYON
PROFESSOR OF COMMUNICATION, ASSOCIATE DEAN FOR
GRADUATE STUDIES, ANNENBERG SCHOOL FOR
COMMUNICATION, UNIVERSITY OF PENNSYLVANIA
Mr. Turow. Thank you, Chairman Rockefeller, members of the
Committee.
In a bit of a different tack, I would like to address two
key questions about data brokers and their collection of
information about Americans for marketing purposes.
First, if we take sensitive topics like health and
employment out of the equation, what possible harm can come
from using people's data for marketing purposes? After all,
what we are talking about is simply targeting for product
advertising.
Second, haven't data brokers and their lists been around
for over a century? And if so, what makes them today any
different from the past?
Let's start with the history question. It is true that
marketers compiled and bought lists of prospects way back into
the 19th century. These lists became more detailed in the 20th
century. But the difference between the lists of even 35 years
ago and those of today is extreme. The biggest distinction is
the amount of information brokers have now and how they deal
with it.
Lists of the old days were pretty static. The number of
data points companies had about us was rather small. It was
difficult to interconnect pieces of data, and the data didn't
change all that quickly. Today, data brokers can collect huge
amounts of information about tens of millions, even hundreds of
millions of people. They update that information frequently.
And they use high-speed computers and advanced statistics to
draw conclusions in ways previous generations of data brokers
could hardly imagine.
Consider Acxiom's recent data catalog. It contains 41 pages
of information about individual Americans that Acxiom sells to
marketers. That information ranges from the amount of money
people make to the kinds of vacations they take, to the number
of friends they have on social media, to the value of
neighborhoods they live in, to diseases they have an interest
in, to how tall they are, to whether they gamble, to their
media uses and much more. Acxiom sells any number of these items
about individuals, as well as packages of these data, tailored
to marketers from different industries.
In addition, through its Acxiom Operating System, the data
broker has created a kind of universal cookie to find and
follow people across desktops, laptops, mobile phones, and
tablets, as well as to collect yet more information about them
from these media.
Like Acxiom, other data brokers continually run programs
that connect our dots for marketers and then attach them to
other ideas the marketers have about us. The brokers often
bring together pieces of information that people did not expect
would be merged when they disclosed them separately to various
online and offline entities. The results are buckets of
descriptions and interpretations, stories of our lives, our
economic value, and our potential that we don't know exist and
may not agree with.
The consequences of their use in marketing can be profound
and disturbing. For example, merchants can charge you more than
others for products based on features they tag you with that
you don't even know you have shared. Say a data broker's
knowledge you regularly buy antacids blends into a complex
algorithm to predict that you are inclined to accept higher
prices for recreation than most people. That is great news to
travel companies searching online for those types of people.
Using apps and personalized coupons, physical and virtual
stores can change their prices based on what they know about
you. Data brokers can add information about your lifetime value
to retailers' understanding of you from receipts. The results
can dictate the kinds of items you see at discount and how much
that discount will be.
Negative data broker signals about you can mean having to
wait longer than others for customer service, being rejected as
a valued customer, and being offered coupons for non-nutritious
foods.
Based on predictions of your engagement with the digital or
addressable ads, media firms can change the news and
entertainment offerings you receive compared to news and
entertainment offerings your neighbor or coworkers get. The
result: you systematically see different worlds from your
friends or work colleagues because of the stories brokers tell
about you.
Now, many of these examples already are taking place. All
of them are quite plausible. Data brokers trumpet that they
often make the individuals they sell to marketers for ads
anonymous so there is no problem. But anonymity of this sort is
not reassuring. If I am followed online and offline by buckets
of data that tell particular stories about me, it doesn't
matter if my name is Joe Turow or 2588704.
Anonymously and with our full personal information, data
brokers are encouraging a world of data-driven social
discrimination that is becoming widespread precisely because it
comes with all sorts of advertising.
Surveys I have conducted since 1999 consistently suggest
Americans worry about what firms learn and think about them.
Poignantly, I have heard people say they will change their
activities or how they talk about themselves online to be
treated better by marketers. The difficulty, of course, is that
it is often impossible to know whether and how that is going to
work.
We are only at the beginning of a data-driven century. Data
brokers will be central to how we think of ourselves and lead
our lives. For the sake of democratic ideals and relationships,
let's limit what and how much data brokers can collect and
share until, as a society, we know how to create regimes of
data respect, where people have control over the most important
elements of their identity.
Thank you.
[The prepared statement of Mr. Turow follows:]
Prepared Statement of Joseph Turow, Robert Lewis Shayon Professor of
Communication, Annenberg School for Communication, University of
Pennsylvania
I would like to address two key questions about data brokers and
their collection of information about Americans for marketing purposes:
First, haven't data brokers and their lists been around for over a
century and if so what makes today any different from the past? Second,
if we take sensitive topics like health treatments and employment
issues out of the equation--which many agree should be done--what
possible harm can come by using people's data for marketing purposes?
After all, what we're talking about is simply targeting for product
advertising.
Let's start with the history question. It is true that marketers
compiled and bought lists of prospects way back into the 19th century.
These lists became more detailed into the 20th century. But the
difference between lists of even 35 years ago and those of today is
extreme. The biggest distinction is the amount of information brokers
have and how they deal with it. Lists of the old days were pretty
static. The number of data points companies had about us was rather
small, it was difficult to interconnect pieces of data, and the data
did not change all that quickly. Today's data brokers can collect huge
amounts of information about tens of millions, even hundreds of
millions, of people. They update that information frequently, and they
use high-speed computers and advanced statistics to draw conclusions in
ways previous generations of data brokers could hardly imagine.
Consider Acxiom's recent data catalog, which was available online
until the company abruptly took it off a number of months ago. It
contains 41 pages of information about individual Americans that Acxiom
sells to marketers. That information ranges from the amount of money
the people make, to the kinds of vacations they take, to the number of
friends they have on social media, to the value of the neighborhoods
they live in, to diseases they have an interest in, to how tall they
are, to whether they gamble, to their media usage, and much more. Acxiom
sells any number of these items about individuals as well as packages
of these data tailored to marketers from different industries. In
addition, through its Acxiom Operating System the data broker has
created a kind of universal cookie to find and follow people across
desktops, laptops, mobile phones, and tablets as well as to collect yet
more information about them from these media.
Like Acxiom, other data brokers continually run programs that
connect our dots for marketers--and then attach them to other ideas the
marketers have about us. The brokers often bring together pieces of
information that people did not expect would be merged when they
disclosed them separately to various online and offline entities. The
results are buckets of descriptions and interpretations--stories--of
our lives, our economic value, and our potential that we don't know
exist and may not agree with. The consequences of their use in
marketing can be profound and disturbing. For example:
Merchants can charge you more than others for products based
on features they tag you with that you don't even know you've
shared. Say a data broker's knowledge you regularly buy
antacids blends into a complex algorithm to predict that you
are inclined to accept higher prices for recreation than most
people. That's great news to travel companies searching online
for those types of people.
Using apps and personalized coupons, physical and virtual
stores can change their prices based on what they know about
you. Data brokers can add information about your ``lifetime
value'' to retailers' understanding of you from receipts. The
result can dictate the kinds of items you will see at discount
and how much that discount will be.
Negative data broker signals about you can mean having to
wait longer than others for customer service, being rejected as
a valued customer, and being offered coupons for non-nutritious
foods.
Based on predictions of your ``engagement'' with the digital
or ``addressable'' ads, media firms can change the news and
entertainment offerings that you receive compared to the news
and entertainment neighbors or coworkers get. The result: you
systematically see different worlds from your friends or work
colleagues because of the stories brokers tell about you.
Many of these examples are already taking place. All of them are
quite plausible. Data brokers trumpet that they often make the
individuals they sell marketers for ads anonymous, so there is no
problem. But anonymity of this sort is not reassuring. If I am followed
online and offline by buckets of data that tell particular stories
about me, it doesn't matter if my name is Joe Turow or 2588704.
Anonymously and with our full personal information, data brokers are
encouraging a world of data-driven social discrimination that is
becoming widespread precisely because it comes with all sorts of
advertising. Surveys I have conducted since 1999 consistently suggest
Americans worry about what firms learn and think of them. Poignantly, I
have heard people say they will change their activities or how they
talk about themselves online to be treated better by marketers. The
difficulty, of course, is that it's often impossible to know what will
work.
We're only at the beginning of a data-driven century. Data-brokers
will be central to how we think of ourselves and lead our lives. For
the sake of democratic ideals and relationships, let's limit what and
how much data brokers can collect and share until as a society we know
how to create regimes of data respect where people have control over the
most important elements of their identity.
The Chairman. Thank you very much.
Mr. Hadley, Tony Hadley, is Experian's Senior Vice
President of Government Affairs and Public Policy.
Please. We welcome you.
STATEMENT OF TONY HADLEY, SENIOR VICE PRESIDENT OF GOVERNMENT
AFFAIRS AND PUBLIC POLICY, EXPERIAN
Mr. Hadley. Thank you, and good afternoon, Chairman
Rockefeller and members of the Committee. My name is Tony
Hadley, and I am Experian's Vice President of Government
Affairs and Public Policy.
Experian is a leading provider of data and information
services that bring significant value to consumers and the
economy. We welcome the Committee's interest and dialog in the
marketing data industry and this opportunity to describe how
Experian collects and uses data.
I have submitted a fuller statement, but I am going to
summarize just a couple points.
First, Experian truly believes that responsible
information-sharing significantly enhances economic
productivity in the United States and provides many benefits to
consumers. Economists have called the manner in which U.S.
companies collect and share consumer information among
affiliated companies and third parties the secret ingredient to
our productivity, innovation, and ability to compete in the
global marketplace.
Experian shares data to help make consumers and small-
business lending more efficient. We share to help facilitate
access to fair and affordable credit; to help protect consumers
from fraud, including identity theft; to help consumers gain
greater financial literacy; and to help companies reach
consumers with timely and relevant communications and marketing
offers. Marketing data, in particular, brings lower prices and
greater convenience to consumers by strengthening competition.
Nonprofit organizations and government agencies also depend
upon consumer data to efficiently serve the needs of people and
citizens. And just as important, Experian's data allows small
companies, including many in the state of West Virginia and the
other states around the nation, to compete with larger
companies who maintain very sizable customer data bases. So
Experian provides small businesses with the same data sets that
their larger competitors have so that they can compete and grow
their companies.
A significant point I would like to make also is that the
operations of Experian Marketing Services and the data it
collects and uses and shares is completely separate from
Experian's operations as a consumer credit bureau. No
eligibility determinations relating to credit, insurance,
employment, housing, or any other decision under the FCRA is
ever made with Experian marketing data. Experian has in place
strict policies as well as technological, management, and
procedural controls to ensure there is complete separation.
Experian shares data responsibly by carefully safeguarding
compliance with all privacy and consumer protection laws and
industry self-regulatory standards. We even promote new
industry self-regulatory standards and best business practices.
The Committee has also sought specific information about
our clients and our data sources. Experian provides marketing
data to a wide variety of client organizations in the private,
government, and nonprofit sectors that market to consumers
through multiple channels, both online and offline. The largest
sectors we serve are retail, media, and financial services, but
our products are used by nearly all sectors of the economy.
Experian uses include the sources for specific products in
which the Committee has expressed interest. Most of our data
comes from public records and publicly available information
such as ZIP-code-level census information, local property
records, and telephone directories. Added to this, many people
voluntarily provide data to Experian by filling out surveys and
questionnaires.
These multiple sources of data are aggregated at the
household level, then analyzed and modeled to predict household
preferences and propensities. Such methods result in a group of
consumers receiving messages and advertising that they are more
likely interested in responding to. When all is said and done,
we help marketers make the best guess about what messages and
marketing solicitations a group of consumers may be most
interested in responding to.
Finally, I want to emphasize that Experian has made every
effort to be forthcoming and cooperative throughout the inquiry
launched by the Committee this year. We have spent considerable
time and resources to ensure that the information and documents
we have provided are helpful to the Committee's work in
understanding the marketplace. To date, Experian has provided
the Committee with eight submissions, totaling over 3,000
pages. And we believe this provides a full description of our
products, services, and consumer protections.
We are here today as the only corporate representative in
that spirit of cooperation to help the Committee better
understand our role in data services and the role we play in
the economy and the lives of consumers.
We thank you for your attention and for inviting us to
appear here, and we look forward to continuing to work with
you. And I will answer any questions the Committee might have.
Thank you.
[The prepared statement of Mr. Hadley follows:]
Prepared Statement of Tony Hadley, Senior Vice President of Government
Affairs and Public Policy, Experian
Good afternoon, Chairman Rockefeller, Ranking Member Thune, and
members of the Committee. My name is Tony Hadley and I am Experian's
Senior Vice President of Government Affairs and Public Policy. Experian
is a leading provider of data and information services that bring
significant benefits to individual consumers, the economy and society
as a whole. We welcome the Committee's interest in the marketing data
industry and this opportunity to describe to the Committee how Experian
obtains and uses data. I would like to raise a few key points at the
outset of my testimony today.
First, Experian believes responsible information sharing
significantly enhances economic productivity in the United States and
provides many benefits to consumers. Economists have called the manner
in which U.S. companies collect and share consumer information among
affiliated entities and third parties the ``secret ingredient'' to our
productivity, innovation and ability to compete in the global
marketplace. One needs only to look at data-intensive industries like
telecommunications, information technology, online services, financial
services, retail and health care to see this innovation at work.
Indeed, Experian data products and services are central to countless
transactions within these vital business sectors.
Experian also shares data to help make consumer and small business
lending more efficient; to help facilitate access to fair and
affordable credit; to help protect consumers from fraud, including
identity theft; to help facilitate greater financial literacy among
consumers; and to help companies reach consumers with timely and
relevant communications and marketing offers.
A second significant point I would like to make is that the
operations of Experian Marketing Services and the data that it
collects, uses and shares are completely separate from Experian's
operations as a consumer credit bureau. No eligibility determinations
relating to credit, insurance, employment, housing or other decisions
covered by the Fair Credit Reporting Act are made with Experian
marketing data. Experian has in place strict policies, as well as
technological and procedural controls, to ensure this complete
separation.
At the Committee's request, and in recognition that credit data
differs from marketing data, Experian's responses to the Committee's
inquiry have focused on our operations involving data for marketing
purposes. That is what I will speak to for the remainder of my
testimony.
Marketing data, in particular, brings lower prices and greater
convenience to consumers by strengthening competition. Both large and
small businesses rely on data to make their marketing efforts more
efficient and to identify new customers. Nonprofit organizations and
government agencies also depend upon consumer data to efficiently serve
the needs of people and citizens and to enable e-government. For the
Internet, this has meant providing more and improved content to
consumers. Consumers also benefit from receiving relevant advertising
offers that they are more likely to value and use. Marketing data is a
critical driver behind the growth and efficiency of e-commerce.
Importantly, Experian's data allows small companies, including many
in the state of West Virginia and throughout the country, to compete
with larger companies that maintain sizeable customer data assets of
their own. Experian Marketing Services helps small businesses to
successfully identify new customers, thereby establishing and fueling
successful businesses.
Experian shares data responsibly--by carefully safeguarding
compliance with all privacy and consumer protection laws and industry
self-regulatory standards, advancing and observing industry best
practices, and establishing and monitoring adherence to our own
corporate policies and practices. These ``best practices'' help balance
the benefits to consumers that result from information sharing while
responding to legitimate concerns consumers may have about how
information about them is collected, shared, used and protected.
Marketing data differs in important ways from consumer credit data.
Experian's marketing data is drawn primarily from public records and
other publicly available sources and includes data that is ``modeled''
or predicted rather than actual, raw data from consumers. In addition,
we strive for the highest standards of data quality. It is also
important to recognize that the only negative consequence to consumers
of inaccurate marketing information would be the possibility of
uninteresting advertising and marketing. For this and other reasons,
the Federal Trade Commission has recommended that it is not necessary
to require consumer disclosure and correction for consumer data used
only for marketing purposes.
As described in our materials provided to the Committee, Experian
has a robust internal compliance program designed to ensure that
marketing data is only used for marketing purposes. Experian's
marketing data assets are regulated under many different authorities
such as Section 5 of the Federal Trade Commission Act, the Controlling
the Assault of Non-Solicited Pornography and Advertising (CAN-SPAM)
Act, the National Do Not Call Registry, the Children's Online Privacy
Protection Act (COPPA), and comparable state laws and regulations. The
Direct Marketing Association's Guidelines for Ethical Business Practice
provide an additional foundation for our compliance approach to
marketing data. Further, Experian's global corporate information
values--balance, accuracy, security, integrity and communication--
formally guide our data collection and use practices. Our global
information values align with the fair information practices and
principles embraced by the FTC and other international organizations,
including the OECD, the European Union and APEC.
Finally, I want to emphasize that Experian has made every effort to
be forthcoming and cooperative throughout the inquiry launched by the
Committee over a year ago. We have consistently been assured that this
inquiry aims to build a general understanding within the Committee of
the marketing data ecosystem. We have also been active in policy
dialogues promoting effective data security and privacy principles for
all data. We have spent considerable time and resources to ensure that
the information and documents we have provided are helpful to the
Committee's work in understanding the marketplace. To date, Experian
has provided the Committee with eight submissions totaling over three
thousand pages, which we believe should provide a full description of
our products, services and consumer protections. We have also met with
the offices of the Senators on the Committee to describe our practices
and respond to any questions about our company, products and services.
We are here today, in the spirit of cooperation, to help the Committee
better understand the role our data services play in the economy and in
the lives of consumers.
The Committee has also sought specific information about our
clients and our data sources, so I would like to provide a few details
about the categories and nature of each. As I just mentioned, Experian
has already provided a great deal of information and internal
documents, some of which we regard as competitively sensitive, to
explain the types and categories of clients we serve.
These include client organizations in the private, government and
non-profit sectors that communicate and market to consumers through
multiple channels including direct mail, catalog, telephone, e-mail,
mobile, Internet display ads, social media, highway billboards,
newspapers and other publications. The largest sectors we serve are
retail, media and financial services. We also provide marketing
services to clients involved in automotive, professional services,
telecommunications, consumer goods, healthcare, travel, insurance,
utilities, education and politics. In total, Experian's data and
services are used by all sectors of the economy.
We have also provided to the Committee details on the categories of
data sources we use, including the sources for specific products in
which the Committee has expressed interest. As I previously stated, a
good deal of our data comes from public records and publicly available
information such as ZIP-code level Census information that does not
identify specific individuals, local property records, and telephone
and similar directories. Added to this, many people voluntarily provide
data to Experian by filling out surveys and questionnaires, both online
and offline, which contain clear disclosures of the fact that
information that the individual provides will be used for marketing
purposes. Some selected business partners also provide Experian
consumer information after they have gained appropriate consent from
the consumer or have de-identified or modeled customer data at the ZIP-
code level.
These multiple sources of data are often aggregated at the
household level, then analyzed and modeled to predict household
preferences and propensities. The analysis is aimed largely at helping
marketers understand key segmentation factors such as approximate age,
gender, education level, family size and estimated family income.
Marketers can then use these key demographic segments and propensity
models in combination with their own customer data to tailor relevant
messages to existing or potential customers. Such age-old methods
result in a group of consumers receiving messages and advertising that
they are more likely interested in and will respond to--benefiting the
consumer and the business. When all is said and done, we help marketers
make the ``best guess'' about what messages and marketing solicitations
a group of consumers may be most interested in responding to at the time
they are interested.
Finally, Experian has shared materials on our range of marketing
products and services, on how we assure the quality and integrity of
our data, and on numerous other topics. In particular, we have informed
the Committee about the robust privacy framework that Experian has in
place to ensure that regulated data is used only for permissible
purposes, while marketing data is used only for marketing purposes. To
maintain this strict division, Experian uses a combination of measures
such as dedicated compliance teams, employee training, and contractual
restrictions including audit rights. With respect to marketing products
in particular, Experian's compliance team uses auditing steps such as
mail piece review and list ``seeding'' to monitor how data is used by
clients.
We have also shared with the Committee information about the
consumer protections we provide for marketing data, including offering
consumers transparency about our practices through privacy statements
and the option to suppress the use of their data for various types of
marketing solicitations.
Thank you for your attention, and for inviting me to appear before
the Committee. I look forward to answering any questions the Committee
may have.
The Chairman. Thank you, Mr. Hadley, very much.
I want to get this right: Jerry Cerasale. Did I do it
right?
Mr. Cerasale. You did it correctly. Thank you. I appreciate
it.
The Chairman. I am thrilled.
You are the Senior Vice President of Government Affairs for
the Direct Marketing Association, DMA. We welcome your
testimony.
STATEMENT OF JERRY CERASALE, SENIOR VICE PRESIDENT OF
GOVERNMENT AFFAIRS, DIRECT MARKETING ASSOCIATION
Mr. Cerasale. Thank you. Senator Rockefeller, members of
the Committee, DMA appreciates the opportunity to be here today
and to talk about this important subject.
On a personal note, I want to say that I have testified
before this committee many times, I have testified before other
committees before Congress, and today, on my last day of work
before I retire, I want to thank Congress for the opportunities
they have given me to participate in dialog here before the
Congress. And I appreciate it.
Senator Rockefeller, I will not be here when you retire at
the end of this Congress, so I want to say personally we thank
you for your service to the United States.
Now back to why I am here today, talking about data. Data----
The Chairman. Are we allowed to ask you questions, or is
your----
[Laughter.]
Mr. Cerasale. Yes, you can ask questions. Sadly, they know
where to find me to get the questions to me. They say I am a
phone call away, and I have promised that they can call me. I
didn't promise I would answer the phone, but that is beside the
point.
[Laughter.]
Mr. Cerasale. Anyway, data. Every consumer-facing business
in the United States uses data today. It is important, it
drives our economy, it is driving our current recovery. And it
is very, very important to us and to our members.
And in that light, DMA has created the Data-Driven
Marketing Institute, and it has commissioned a study to take a
look at the value of data and the uses of data in the American
economy. And we used a professor from Harvard Business School
and a professor from Columbia University, and they conducted
this value-of-data study and found that data is worth $156
billion a year to the American economy, 675,000 jobs, and 70
percent of that influence is related to sharing of data by
companies.
But even more importantly, this data-sharing helps small
businesses. It helps break down the barriers to entry so small
businesses can come in and compete with the big boys. And it
keeps them, once they get a foothold, it keeps them on a level
playing field.
But this is not new. This has been happening for a long
time. I will give you a couple of examples. L.L. Bean started
with a list of nonresident Maine hunters, and that is how that
started. The Discover card, which is one of the first credit
cards that was a reward credit card, began with a list of Sears
credit holders. Without those lists, those companies wouldn't
have started, those benefits from those two companies would not
have been realized. So it is important.
It is personal information that is used. And the United
States has some strong privacy laws: Fair Credit Reporting Act,
Children's Online Privacy Protection Act, CAN-SPAM, HIPAA, GLB,
Data Pass, and so forth. And those laws are complemented by
self-regulation by the industry.
And I can speak only for DMA here. DMA has a peer ethics
committee that meets monthly, handles complaints from consumers
and other businesses that are brought to it against members and
non-members. Most of them comply with our guidelines. Those
that don't, we publicize them on the webpage. If there is a
violation of law, we turn it over to the state AGs, to the
Federal Trade Commission, to the Postal Inspection Service, to
law enforcement.
And as we have looked at this, the Federal Trade Commission
has said that they support this complementary effort by self-
regulation, and we want to continue that. And we continually at
DMA update these guidelines so that they are alive and meet
today's real-world efforts.
One of the things that we can talk about, however, that all
of this is, in fact, working. The American consumers are voting
with their pocketbooks and their feet, and e-commerce is
growing, growing multiple times the rest of the economy,
because they have trust in this process. And think about it;
they need trust. They are purchasing something without having
it on hand and paying for it before they receive it. They need
to have that trust. And this economy, this data-driven economy
is, in fact, working.
Think about the great American success story, and I mean
really great American success story, Amazon. On Cyber Monday,
it sold 300 items per second. That shows that Americans have
confidence in this. Their needs as American consumers are being
met in this data-driven economy.
There are clearly concerns. There are concerns about what
is happening. You have heard them; it is in the report and
others. We have heard them today. We should focus on the
improper use of data and figure out how to prevent the improper
use of data.
But one of the things we can't do is pull away and stop
responsible uses of data that are driving this economy. That is
something that we have to be very careful of as part of this
dialog we are having today. The American economy, small
businesses, American workers, and American consumers rely on
and benefit from responsible data use. And America leads the
world in that category, and we hope to keep it that way.
Thank you very much for this opportunity. I look forward to
answering any of your questions.
[The prepared statement of Mr. Cerasale follows:]
Prepared Statement of Jerry Cerasale, Senior Vice President of
Government Affairs, Direct Marketing Association
I. Introduction
Chairman Rockefeller, Ranking Member Thune, and members of the
Committee, good afternoon and thank you for the opportunity to testify
before you today.
My name is Jerry Cerasale. I am the Senior Vice President of
Government Affairs for the Direct Marketing Association (``DMA''), the
world's largest trade association dedicated to advancing and protecting
responsible data-driven marketing. Today, I am pleased to testify on
behalf of the DMA and to discuss with the Committee the important role
that marketing data and database compilers play in aiding consumers and
fueling the United States economy.
Founded in 1917, the DMA (www.thedma.org) represents thousands of
companies and nonprofit organizations that use and support data-driven
marketing practices and techniques. On behalf of its member companies,
the DMA advocates industry standards for responsible marketing;
promotes relevance as the key to reaching consumers with desirable
offers; and provides cutting-edge research, education, and networking
opportunities to improve results throughout the end-to-end direct
marketing process.
My testimony today will describe the value that marketing data has
across the U.S. economy and affords to consumers. I will also explain
how marketing data is collected and how DMA members, including data
compilers, responsibly use and share this data to serve consumers.
Lastly, I will explain how DMA and its member companies are subject to
our longstanding and enforceable self-regulatory framework, the DMA
Guidelines for Ethical Business Practice (``DMA Guidelines'').
II. The Value of Data
Responsible collection and sharing of marketing data is critical to
today's information economy. When data is used to fuel data-driven
marketing, these practices provide many benefits for job growth,
entrepreneurship and innovation, as well as to individual consumers.
A. The Value of Data to the U.S. Economy and American Workforce
A recent study entitled, The Value of Data: Consequences for
Insight, Innovation & Efficiency in the U.S. Economy (``Value of
Data''), quantifies the critical role that the use and sharing of
marketing data plays in fueling economic growth.\1\ Commissioned by
DMA's Data-Driven Marketing Institute and conducted independently by
Professors John Deighton of Harvard Business School and Peter Johnson
of Columbia University, the study revealed that the Data Driven
Marketing Economy (``DDME'') generated $156 billion in revenue to the
United States economy and fueled more than 675,000 jobs in 2012 alone.
Further, the study found that an additional 1,038,000 people owe their
employment to these DDME jobs.\2\ The study estimated that 70 percent
of the value of the DDME--$110 billion in revenue and 475,000 jobs
nationwide--depends on the ability of firms to share data across the
DDME. If this ability to share data were curtailed, those jobs and
revenue would be impacted and the U.S. economy would be much less
efficient.
---------------------------------------------------------------------------
\1\ Deighton and Johnson, The Value of Data: Consequences for
Insight, Innovation & Efficiency in the U.S. Economy (2013), available
at http://ddminstitute.thedma.org/#valueofdata (hereinafter ``The Value
of Data'').
\2\ The Value of Data at 74.
---------------------------------------------------------------------------
The DDME is a uniquely American creation, and today data-driven
marketing is an important U.S. export. Just as the United States led
the world when Montgomery Ward developed the first mail order catalog
in 1872, and created digital market-making media by commercializing the
Internet browser in the 1990s, today the United States is at the
forefront of data-driven market growth. The Value of Data study found
that the United States leads the world in data science applied to the
marketplace, with DDME firms deriving up to 15 percent of their revenue
overseas, while employing nearly all of their workers inside the United
States.\3\
---------------------------------------------------------------------------
\3\ The Value of Data at 21.
---------------------------------------------------------------------------
The Value of Data study also found that database compilers are an
important piece of the DDME. For instance, list services and database
marketing input providers added $7 billion and 31,000 jobs to the
United States economy.\4\ They were able to do this by combining data
that they receive from various sources to create marketing
opportunities. Database compilers derive most of their economic effect
from their ability to share this data with marketers that, in turn, can
provide consumers with more relevant advertisements.
---------------------------------------------------------------------------
\4\ The Value of Data at 53-54.
---------------------------------------------------------------------------
B. The Value of Data to Entrepreneurship and Innovation
The use of data inspires new technological designs and fosters
entrepreneurship in the process. According to the Value of Data study,
the bridge between an idea and its implementation at scale is
considerably shorter in an information economy than in an industrial
economy.\5\
---------------------------------------------------------------------------
\5\ The Value of Data at 78.
---------------------------------------------------------------------------
The DDME, and the services offered by database compilers, are
essential to the success of start-up companies and other small
businesses. The Value of Data study found that the sharing of data
across the DDME enables small and innovative businesses to compete
effectively with big players, launching innovative offerings using
data. Data gives all companies, and especially small businesses, the
ability to effectively match products to customers both online and
offline, thereby lowering barriers to market entry for specialized or
niche offerings that previously could not have succeeded.
C. The Value of Data to Individual Consumers and Companies
Consumers demand personalization, and enterprises that know their
customers better can also serve them better. Data-driven marketing is
about discerning what customers want and need and engineering the
company to provide it. Consumers benefit from companies' responsible
collection and analysis of user data by receiving timely and relevant
offerings through the marketplace and products designed to meet their
needs. In this way, consumers enjoy a more informed and effective
shopping experience, which saves them both time and money.
According to the Value of Data study, the efficiency that data
brings to the practice of marketing also bears directly on consumer
welfare. Marketing absorbs a significant percentage of manufacturer
revenues, meaning that marketing costs can increase the price that
consumers pay for food and household products by up to $25 in every
$100 spent. When marketing is informed by data, it is more efficient
and some of this value flows back to consumers in the form of lower
prices.\6\
---------------------------------------------------------------------------
\6\ The Value of Data at 75.
---------------------------------------------------------------------------
In short, the flow of data throughout the DDME is creating
consumer-driven companies. Data sharing promotes competition and
entrepreneurship. In the process, jobs are created across the United
States and consumers are exposed to an array of new products and
services that would be unavailable or unknown to them absent data-
driven marketing.
III. The Responsible Collection and Use of Consumer Data
Marketing data comes through a variety of sources. It is analyzed
by marketers to make predictions about likely consumer preferences to
guide marketing campaigns.
A. Marketing Data Collected Directly from Consumers
A common source of marketing data is data obtained by businesses
from direct interaction with customers. When a customer purchases goods
in a local store or shops online, data about that purchase is gathered
by the marketer. Marketers use data from other sources, including
information from public records and other publicly-available sources,
such as U.S. Census data. Marketing data may also include self-reported
information that consumers choose to provide through surveys. Marketing
data does not include the types of information that create a risk of
identity theft or fraud to consumers, such as financial account numbers
or social security numbers.
B. Responsible Uses of Marketing Data
Marketers use marketing data to understand their existing customers
better or to identify prospective new customers, in order to predict
what types of offers are most likely to be valued by them. For example,
a local hardware store would want to send a coupon for a discount on a
lawnmower to a new home buyer with a lawn and a different coupon for
paint to a condominium buyer. Data will help this small business to be
more efficient in its advertising and provide more value to consumers.
Marketers may also use data to make other decisions related to their
businesses, such as what products to develop and offer in the future or
where to locate new retail outlets.
Data used for marketing is also ``modeled'' or inferred information
that represents a statistical prediction about consumers and does not
necessarily reflect the actual characteristics of one consumer or
household. For example, based on public property records and U.S.
Census data that is aggregated at the Zip Code or census tract level,
database compilers may estimate the average age of a dwelling in a
certain ZIP code. Marketers, such as a local roofing company, can then
use this information to make offers that are more likely to be valuable
to households in that ZIP code.
C. Marketing Data is Not Used for Eligibility Purposes
It is important to note that there is a difference between using
data for marketing purposes and using data for eligibility purposes.
The use of data for eligibility decisions related to credit, insurance,
and employment is regulated by the Fair Credit Reporting Act
(``FCRA''). The FCRA requires companies that make such decisions to
offer consumers certain disclosures about, and access to, the data used
to make those decisions.
In contrast, the use of data for marketing purposes is not used to
make decisions that impact whether a consumer can obtain credit. The
Federal Trade Commission (``FTC'') agrees that entities that maintain
data for marketing purposes do not need to provide consumers with
individualized access to marketing data, unlike consumer report
data.\7\ Instead of determining a consumer's ability to receive a loan
or get a job, the use of data for marketing purposes determines which
coupon or advertisement he or she receives. The FCRA recognizes the
difference in these uses, which is why marketing is not included in the
types of activity that require increased levels of disclosure and
access.
---------------------------------------------------------------------------
\7\ Protecting Consumer Privacy at 65-66.
---------------------------------------------------------------------------
In addition, some policymakers have raised concerns that data
collected for advertising purposes could be used as a basis for
employment, credit, health care treatment, or insurance eligibility
decisions. In fact, these are hypothetical concerns that do not reflect
actual business practices. Nevertheless, industry has stepped forward
to address these concerns by expanding its codes of conduct to clarify
and ensure that such practices are prohibited and will never occur.\8\
This prohibition will help to ensure that consumers' browsing histories
will not be used against them when applying for a mortgage, job, or
insurance, or when seeking health care.
---------------------------------------------------------------------------
\8\ See Digital Advertising Alliance's Self-Regulatory Principles
for Multi-Site Data (2011), available at http://www.aboutads.info/
resource/download/Multi-Site-Data-Principles.pdf.
---------------------------------------------------------------------------
IV. The Value of Self-Regulation in the Data-Driven Marketing Economy
The DMA and its members are firmly committed to advancing
responsible data practices across the DDME. Our members deeply value
consumer trust and understand that responsible data practices are
critical to building and maintaining customer relationships. To that
end, the DMA believes that self-regulation and education are important
components for addressing consumer privacy while ensuring that data
flows continue to benefit consumers and the economy.
A. The DMA Guidelines for Ethical Business Practice
The DMA has a longstanding and enforceable self-regulatory
framework. The DMA, working with its members, implements and enforces a
set of best practices known as the Guidelines for Ethical Business
Practice (``DMA Guidelines''). The DMA Guidelines, which have been in
place for more than four decades and are a condition of membership in
the DMA, provide DMA member companies with standards for responsible
marketing practices by explaining how companies should provide
transparency, choices, and other protections to consumers. The DMA
regularly updates its guidelines to adapt to new technologies and
marketing practices.
There are more than 50 code sections in the DMA Guidelines that
regulate marketing data practices. I would like to focus on a few key
examples relevant to the subject of this hearing, and to database
compilers in particular.
1. Transparency
Transparency around data practices is a core principle of the DMA
Guidelines. For example, privacy policies are the primary way that
companies provide consumers with information about their data
practices. These policies typically provide consumers with detailed
information regarding what data is collected, how it is used, and the
choices that may be available to consumers. The DMA Guidelines require
that these policies be made accessible via online and offline channels,
and be easy to read and understand. The DMA Guidelines also require
members to periodically keep existing customers aware of the nature of
the use of their data, and how that use may have changed.
2. Choice
DMA members have long offered consumers the ability to opt out of
marketing. The DMA Guidelines require data-driven marketers to honor
within 30 days any request by a consumer to opt out of any use or
sharing of their data for marketing purposes.
In addition to the choices available from individual member
companies, the DMA offers a centralized choice tool for consumers at
DMAchoice.org. This service allows consumers to opt out of direct
mailings and to refine what categories of mail they receive. Also at
this website, consumers can remove their e-mail address from national
mailing lists. Through these programs, the DMA provides consumers with
an easy way to make informed choices about the marketing they wish to
receive.
The DMA's commitment to consumer choice also extends to online
interest-based advertising. The DMA Guidelines require third party data
collectors to provide consumers with the ability to exercise choice
with respect to the collection, use and transfer of information for
online interest-based advertising purposes. This choice must be
provided online and made available to consumers as specified in the DMA
Guidelines.
3. Access
Consistent with the FTC's views on individualized access to
marketing databases, the DMA Guidelines do not require members to allow
consumers to access individual records within marketing databases. The
DMA agrees with the FTC that the costs of providing such access would
outweigh the consumer benefits. The DMA is also concerned that in order
to allow consumers the ability to access and correct data, marketers
would have to collect and store additional personally identifying data
needed to authenticate consumers prior to access. In addition, as
noted, much marketing data is actually modeled or predicted data that
would not be meaningful to consumers. The DMA therefore believes that
its current guidelines around transparency and choice strike the
correct balance between consumer control and marketing needs to
encourage the continued growth and success of the DDME.
4. Guidelines Specific to Database Compilers
The DMA Guidelines include a section outlining specific
requirements for database compilers that assemble and share personally
identifiable information about consumers but do not have direct
relationships with those consumers.\9\ For example, these compilers
must, when requested by a consumer, suppress that consumer's data from
marketing databases. They must also disclose the nature and sources of
a consumer's data upon request, and they must allow their marketing
customers to divulge the compiler as the source of their marketing
data. The database compiler must additionally monitor the use of their
databases to assure compliance with the law and the DMA Guidelines. A
database compiler that discovers a violation of the law or the DMA
Guidelines may not ``turn a blind eye'' but should stop providing data
to that customer and either require compliance and/or refer the matter
to the DMA or law enforcement.
---------------------------------------------------------------------------
\9\ Direct Marketing Association, DMA Guidelines for Ethical
Business Practice at Article 36, available at
http://thedma.org/compliance/.
---------------------------------------------------------------------------
B. Enforcement
The DMA has a long history of proactive and robust enforcement. The
DMA Guidelines have been applied to hundreds of direct marketing cases
concerning deception, unfair business practices, personal information
protection, and other ethics issues. The DMA enforces compliance with
the DMA Guidelines upon both DMA member and nonmember organizations
across the DDME. In addition, companies that represent to the public
that they are DMA members but fail to comply with the DMA Guidelines
may be liable for deceptive advertising under Section 5 of the FTC Act
and comparable state laws.
The DMA receives matters for review in a number of ways: from
consumers, member companies, non-members, and consumer protection
agencies. Complaints referred to the DMA's Ethics Operating Committee
are reviewed against the DMA Guidelines and if a potential violation is
found to exist, the company will be contacted, investigated, and
advised on how it can come into full compliance. Most companies work
with the Ethics Operating Committee voluntarily to cease or change the
questioned practice.
However, if a member company does not cooperate and the Ethics
Operating Committee believes there are ongoing violations of the DMA
Guidelines, it can recommend that action be taken by the Board of
Directors and can make case results public. For example, in the period
spanning February 2012 through June 2013, the DMA Corporate & Social
Responsibility Committee reviewed 55 cases and 12 of these were made
public. Additional Board actions could include public censure,
suspension or expulsion from DMA membership. The DMA also refers cases
to Federal and state law enforcement authorities for review when
appropriate.
C. Business and Consumer Education
To help educate marketing professionals, regulators, and other
interested parties about the DMA Guidelines, the DMA regularly issues a
case report that summarizes questioned direct marketing promotions and
how enforcement cases were administered.\10\ The DMA also provides
member education regarding the DMA Guidelines through webinars, in-
person seminars, and regular written communications to members.
---------------------------------------------------------------------------
\10\ Direct Marketing Association, DMA Annual Ethics Compliance
Report 2012-2013 (2013), available at http://thedma.org/compliance/.
---------------------------------------------------------------------------
In addition to educating member companies about their
responsibilities under the DMA Guidelines, the DMA frequently offers
conferences, webinars, courses, seminars, and written materials to keep
companies up to date about new legal and policy developments. These
efforts help companies, especially small businesses, to comply with the
host of restrictions that govern data-driven marketing.
Finally, the DMA commits resources to educating consumers directly
about marketing practices and the choices available to consumers. A
section of our website is dedicated to ``Consumer Help'' and provides
consumers with access to the centralized DMAChoice.org tool for
managing their direct mail and e-mail preferences as well as a wealth
of information about how marketing works.
The Value of Data has helped us to quantify what marketers have
long known--the use and sharing of data for marketing provides
tremendous benefits for the U.S. economy and the American workforce,
for small and large businesses, and for individual consumers and
society as a whole.
Thank you again for inviting me to testify today, and I look
forward to answering questions from the Committee.
The Chairman. Thank you very much, sir.
I will start out the questioning, and then we will do it
according to order of arrival.
Mr. Hadley, one of the products that your company sells to
marketers is called ``ChoiceScore.'' This product targets what
you call ``underbanked'' consumers. Let me read your
description of the underbanked consumers: new legal immigrants,
recent graduates, widows, those with a generation bias against
the use of credit, followers of religions that historically
have discouraged credit, and consumers with transitory
lifestyles, such as military folks.
Mr. Hadley, the populations in this group are very
vulnerable to financial scams. We have experienced that in this
committee because we have done hearings about that,
particularly near military bases, where people take--you know,
these are relatively young people, they are overseas, they are
back for a while, and they are very vulnerable because they
need cash, and people could come in and really clean their
clocks, and do, and we have the testimony to prove that.
Last month in this committee, we held a hearing about
companies that target fraudulent financial products to our
military servicemembers. And military personnel are
unfortunately vulnerable to scams because of their financial
inexperience and their steady paychecks.
So, Mr. Hadley, why does your company single out and sell
lists of economically vulnerable groups like immigrants,
widows, and military personnel?
That is a very important question to me, because if you set
the probable response to whom your questions are aimed, your
marketing is aimed at, you can fairly well predict the type of
product they are going to get. I mean, you will be offering
them a nicer vacation, a less nice vacation, et cetera. But
when you put people in categories and they are vulnerable, that
is not called the L.L. Bean model.
So I would like you to respond to that question.
Mr. Hadley. Thank you, Senator.
We would be very concerned if lenders were using that
information for scamming purposes too. And we have processes
and procedures in place to ensure that nobody gains access to
that score for that purpose. Now----
The Chairman. And how does that work?
Mr. Hadley. We have an onboarding system by which we take
on a client that gets our information to know who they are. And
we also have a mail-piece review process to know what they are
going to offer the consumer. And if it is anything that looks
discriminatory or predatory, we will not provide our list to
them.
Now----
The Chairman. And this is your self-regulation?
Mr. Hadley. This is our self-regulation under DMA
standards. So if we were to violate that, we would be in
violation of our self-regulatory standards as well as our
contractual standards with our clients.
Now, what is important here is that there are somewhere
between 45 million and 50 million Americans who are outside the
mainstream of the credit markets in the United States. These
are underbanked, underserved consumers who financial
institutions cannot reach through credit scoring and credit
report. They don't have financial identities or a big enough or
even the presence of a credit file in order to bring them into
the mainstream of financial markets.
But that doesn't mean that they don't need access to
financial services. So banks use this data to try to reach out
to consumers who they can help to empower them, not to scam
them. We don't want to do business with financial institutions
who are trying to scam people, only to empower them.
And this is their best way to find those individuals who
are outside the mainstream--immigrants; new to credit, like
recent college graduates, exactly what we are talking about
here--to give them an offer, an invitation to apply, so that
then they can make an eligibility determination regarding that
application under the Fair Credit Reporting Act.
But this is marketing literature, not eligibility
determination.
The Chairman. Who----
Mr. Hadley. Did I add to that for you?
The Chairman. Not entirely. Can you tell me, which are the
companies that buy this ChoiceScore product from you? We have
asked you that.
Mr. Hadley. Yes, they would be banks and financial
institutions and members of the financial community.
The Chairman. That is what is called a general answer.
Mr. Hadley. Yes. I can't tell you who our clients are. That
is a proprietary list of ours. It is like our secret
ingredient; the ones who would want that most are our
competitors.
And our counsel has informed me that they don't believe
that our ability to give that to you can be shielded from
disclosure through the rules of the Senate. If we thought they
could be--for example, under a law enforcement action, where it
could be shielded and protected from FOIA or other disclosures,
we could do that, but not under the rules of the Senate. And we
are very sorry about that, but we just simply can't do that.
Our counsel won't let us.
The Chairman. Oh. Well, there are a lot of counsels out
there looking for work.
[Laughter.]
The Chairman. My point is that--you have to keep up with
your competitors, and my point to you would be I am not
necessarily approving of what your competitors are doing. I
mean, maybe you want to keep up with them, but maybe they are
doing exactly what you are doing but on a larger scale. And----
Mr. Hadley. We don't want to keep up with most of our
competitors.
The Chairman.--a lot of those other companies,
incidentally, gave us the precise information which I want from
you.
Mr. Hadley. I would hope that the focus of the Committee
and FTC and others interested in these types of uses of data
would focus on those data brokers, because it is not Experian
that is doing that. We wouldn't have that within our business
model.
The Chairman. All right. Can you please provide the names
of the companies that buy lists of economically vulnerable
consumers from Experian?
Mr. Hadley. I can tell you the types of categories. And
there is a really good story----
The Chairman. But don't you understand how that doesn't
work up here?
Mr. Hadley. Yes.
The Chairman. The types of categories?
Mr. Hadley. But let me tell you----
The Chairman. It is very hard to pass the Tax Code with----
Mr. Hadley. Yes, let me tell you who buys them, and I can
name a few because they are public, right?
Our Mosaic segmentation system, it reflects the entirety of
the economic range of our economy. We don't leave out low-
income individuals. They exist within the economy and need
products and services, too. But the most frequent users of that
segmentation, the economically disadvantaged, Senator, are
typically government agencies and public policymakers who are
trying to get a view into them so that they can deliver them
messages and marketing materials about public services they are
eligible for.
Among the users of those are the West Virginia Department
of Health and Human Services, the Massachusetts Department of
Health and Human Services, the New Jersey Department of Health
and Human Services. They want to reach those people, let them
know what benefits they are eligible for so that they can come
and get them. They also use this data to update address lists
for their clients.
The Chairman. You will admit, won't you, that if a state
HHS, so to speak, will use that information, that is quite a
different kettle of fish from a for-profit, bottom-line-
oriented company?
Mr. Hadley. And we would put the departments of HHS through
the same review of who they are and what they want that
information for, because we wouldn't want them to use our
information to disadvantage those consumers, only to empower
them. So they would go through the same review.
The Chairman. All right. My time has expired. And you
happily engaged in an interesting process; you selectively
named some of your clients. If you can selectively do it, you
can broadly do it.
Mr. Hadley. Those are a matter of public record.
The Chairman. Well, that is the point.
Mr. Hadley. Right.
The Chairman. What should be a matter of public record is
what you do. This is an oversight committee. This is a serious
subject. We have the feeling people are getting scammed or
screwed by this feeling. It is up to you to talk us out of
that.
Mr. Hadley. But not by Experian. And I can assure you, Mr.
Rockefeller, the Experian executives are watching this right
now and they are hearing what you are saying. We respect your
point of view.
The Chairman. You think they are all glued to their TV
sets?
Mr. Hadley. No, to their monitors----
The Chairman. Oh, OK.
Mr. Hadley.--right? And so we want to be responsive to you,
seriously. And so we look forward to the dialog.
The Chairman. All right. Well, anyway, my time has expired.
And Senator Booker--it is going to be Senator Booker, then
Senator Johnson, then Senator Blumenthal, then Senator Markey.
That is just so I can hold everybody here.
STATEMENT OF HON. CORY BOOKER,
U.S. SENATOR FROM NEW JERSEY
Senator Booker. Good afternoon, and thank you very much for
your rich testimony.
You know, the Internet now--the ability for big data to be
used is actually a service to many consumers. It serves me
every time I go online, every time I am shopping.
And I love the fact that I can use this little device and
things will be pushed to me that are very valuable. And that is
how data-sharing helps to fuel our economy, is a service to
customers. There are so many great advantages of it.
I do have worries on the back end of that, which I think my
chairman, Senator Rockefeller, is making a point, and those are
the concerns of consumers.
And so, just one quick question about, you know, what
frustrates me when I am--you know, that I know my browser
history, these cookies are on my computer that are sort of
tracking and tracing what I am doing, and I understand the
upside and the benefit of it, but that is a little problematic
to me.
Could you--Mr. Cerasale?
Mr. Cerasale. Sure, Senator Booker.
There is a group that DMA is part of and started, the
Digital Advertising Alliance, on the online--following where
people are. And we have created an icon and a process to allow
consumers to opt out, totally or selectively, for any cookies
that are used to track their surfing, their browsing activity,
across unaffiliated websites. And that icon is a little
triangle with an----
Senator Booker. So you are saying--I am sorry to interrupt
you, just because I have so little time.
Mr. Cerasale. No problem.
Senator Booker. So you are saying that the industry is
trying to self-regulate----
Mr. Cerasale. Yes.
Senator Booker.--and find a way because you recognize that
this is a problem.
Mr. Cerasale. Yes. And approximately a little over a
million people have opted out. Over 10 million people have gone
to the website----
Senator Booker. I am a pretty tech-savvy, X-Gen guy; I
never heard of this. So----
Mr. Cerasale. OK.
Senator Booker.--that is problematic to me, just because I
am very engaged in the world of tech. So I didn't know there
was even an opt-out function. And I am concerned about my--so
the industry is trying to correct what they know is a problem,
true?
Mr. Cerasale. Right, to give consumers a choice,
absolutely.
Senator Booker. OK.
So, Ms. Rich, I am just curious, there is so much positive
here. I mean, the opportunity for big data to enrich our lives
gets me excited about what the future is. And so these
businesses, in some ways, have a wonderful public purpose. But
I do worry about the darker side in the way that my Chairman is
discussing.
And I really want to know--it is not as simple as saying
more transparency or--it is difficult to create a regulatory
framework that is nimble. I mean, this is such a changing
environment.
So, really, I just want to know for you, like, how are you
planning on using your 6(b) authority under the FTC Act to
study and stay abreast of this industry and see if there are
needs or opportunities, like in this one, where the industry is
not correcting or self-regulating, where we can get them to the
point where we are balancing all of these incredible positives
of big data with the obvious downsides?
Ms. Rich. We think about this every day, balancing the
positive but also protecting consumers. In this case, though, I
think the first step is pretty simple, as there is really very
little transparency about data brokers. And providing that
transparency is pretty basic. It is not a technological issue.
In more complex circumstances, the way we balance is we
engage in a constant learning process. We do workshops, we are
always learning about industry, we meet with consumer groups,
we meet with business groups. And we also, in everything we do,
we are always trying to develop flexible standards. We are
thinking about, you know, what about 20 years from now
especially in the orders we get, will this last, will this be
able to grow with innovation? And we make a lot of effort in
that regard.
But I do want to bring it back to--you know, we have some
basic steps here to bring about some transparency that
shouldn't undermine the data-driven economy. And, in fact,
there is nothing in that study that DMA did that addresses how
privacy would undermine the data-driven economy.
Senator Booker. Right. And because so much of what I am
doing for free on the Internet is made free because folks are
shooting ads at me that are targeted to my interests or needs
or what have you. But you are saying that there is just a
tremendous larger degree of transparency that needs to be given
to the public.
Ms. Rich. And we think that transparency--and we were
talking about this a few minutes ago--is completely consistent
with the growing economy. I mean, consumers are increasingly
demanding more information about how their data is being used.
When you give them information, they often develop more trust
in the businesses they are engaging with. And we think it is in
both consumers' interests and businesses' interests to provide
more information.
Senator Booker. I would love to hear what Mr. Hadley or Mr.
Cerasale have, if they have any resistance to that increased
transparency, but I am trying to stay on the good side of the
Chairman. I am the new kid on the block. So I will yield.
The Chairman. Senator Booker, you are always on the good
side of the Chairman so you can charge right ahead, but you
have blown that opportunity.
[Laughter.]
The Chairman. And so we are going to go to Senator Johnson,
to be followed by Senator Blumenthal, Senator Markey, and the
invincible Senator McCaskill.
Senator McCaskill. Did you say invisible?
The Chairman. Invincible.
STATEMENT OF HON. RON JOHNSON,
U.S. SENATOR FROM WISCONSIN
Senator Johnson. Invincible.
Well, thank you, Mr. Chairman.
By the way, this is an excellent discussion, this is a very
good hearing. I appreciate Senator Booker's good questioning. I
kind of want to pick up where he left off, talking a little bit
about transparency, because it is a great term.
I want to know exactly what the FTC wants to do in terms
of, what is your fix? What is transparency to you?
Ms. Rich. Well, in this context, what we have recommended
is that data brokers allow consumers access to the kind of
information that they maintain about consumers.
Senator Johnson. How?
Ms. Rich. Either through some sort of centralized--what we
recommended in a privacy report we did last year was either
through--possibly through some centralized website where
consumers can go. DMA has something like that for opt-out. DAA
has developed a centralized website for online tracking. And so
we have recommended that for data brokers.
Senator Johnson. So what would be on this centralized
information thing? What would be on there?
Ms. Rich. The names of data brokers, and then you would be
able to find out what kind of information they collect, and you
would be able to potentially opt out of the use of their data.
Senator Johnson. Mr. Hadley, can you tell me what that
sounds like to you and what problems the industry would have
with that and how restrictive that would be?
Mr. Hadley. Well, first, we want to be responsive and be
more transparent, although we, too, are trying to figure out
what that means in a meaningful way to consumers.
Regarding an opt-out website, here is the problem as I see
it: I don't know how to define ``data broker.'' I have never
seen a definition of ``data broker'' that wouldn't sweep in
tens of thousands of companies, because everyone exchanges data
and shares data and sells data within the Internet ecosystem.
That is how the business model of the Internet is.
So would we have a website with an entire industry on it?
And how would that really be meaningful to a consumer if you
throw that many companies up? Of course Experian would be on
that, but so would 10,000 other companies. That is not a
meaningful way of providing transparency.
Instead, what we are trying to explore is how can we make
the exchange and sharing of information responsibly more
meaningful to consumers. And we think one of the steps could be
working with the users of data brokers----
Senator Johnson. OK. Well, let me stop you, because I have
limited time.
With mailing lists, for example, you get a one-time use.
And I was trying to follow what you are talking about, because
it sounds like you have a system where you are making sure that
this material is not misused, because that is the real problem.
The violation is the misuse, the improper use of the
information.
For every time you sell data, is that restricted to a one-
time use that you already have determined is not a misuse?
Mr. Hadley. It is----
Senator Johnson. Or do you sell the data and they can use
it for years?
Mr. Hadley. No. It is sold pursuant to a contract, in some
cases one time, in some cases as a license over numerous times.
But we always have audit procedures in all of those situations
to know how they are using that data and what they are using it
for. And it is strictly limited to marketing purposes.
Senator Johnson. The information, you are saying it is, you
know, from public records, sometimes surveys. But is it also
from those cookies, and are you also getting it from all the
other Internet applications? And do you have agreements with
different people that gather all these cookies? I mean, is it a
much larger data-gathering than what we were kind of talking
about earlier?
Mr. Hadley. We do collect information online in that realm,
but it is all aggregated, anonymized data. There is no
personally identifiable information attached to it.
So, for example, we might be able to know what type of
consumer is visiting X website versus another website so that
we can share that in competitive intelligence for the industry.
So Macy's might want to know what Nordstrom shoppers look like,
in the aggregate, de-identified, so they can compete against
one another and vice versa.
Senator Johnson. Mr. Cerasale, again, as Senator Booker
talked about, there are incredible benefits by people using the
Internet, and of course we always take a look at, do you agree
to use this website? And I would say most people just say, yes,
I want to use this website, hit ``agree''; they don't really
read the, what, 300 pages of all the information saying, hey,
we are going to share this information. If you want to use this
phenomenal, free application, you are subjecting yourself to a
certain lack of privacy.
How do you get--is there any way of getting around that?
Mr. Cerasale. There is. I think that icon I was expressing
to Senator Booker is an easy--it says ``AdChoices,'' and I can
click on it; it tells you about what is happening of following
your web browsing across websites. And then there is a link
right to AboutAds.info, a website where you can opt out. That
type of--is how we are looking at it.
We have worked with NTIA in looking at mobile apps and the
small screen, and how do you let people know what type of
information you are collecting. So we need quick links from----
Senator Johnson. So, like, on a do-not-call list, can it be
one time and you are covered? Or is this application after
application after application?
Mr. Cerasale. On the DAA, it is one time and you are
covered, and it probably affects about 96 percent of the
targeted ads and so forth. That many people have signed up for
it, so it is pretty close.
Senator Johnson. And that icon is located where?
Mr. Cerasale. That icon is usually located right around the
ad that is targeted. And we have contracts with Canada, with
EU. We are working on Australia, starting with Latin America,
to try to make that icon worldwide.
Senator Johnson. OK. Thank you.
Thank you, Mr. Chairman.
The Chairman. Thank you. And that was good questioning.
Senator Blumenthal?
STATEMENT OF HON. RICHARD BLUMENTHAL,
U.S. SENATOR FROM CONNECTICUT
Senator Blumenthal. Thank you, Mr. Chairman. And thank you
for having this hearing. Thank you for pursuing this profoundly
important issue with such far-ranging consequences for both
good and ill in our society.
And thank you to the staff for this truly remarkable study.
For anyone who doubts how to define a data broker, I recommend
the report, ``A Review of the Data Broker Industry: Collection,
Use, and Sale of Consumer Data for Marketing Purposes.'' There
is now an industry involved in this very far-reaching and far-
ranging collection, use, and marketing of data.
And one of the ironies is that almost every day in the
headlines and in the news we read about what the NSA is doing
in the collection and use of data about citizens in this
country who are protected by the Fourth Amendment. One of our
justices once defined the right of privacy as the right to be
left alone. Obviously, consumers do not have that same right
against this industry because it is not the government. And yet
their privacy interests may be just as much at risk and abused
as they are by the government.
And that is really what brings us here today, not only the
vast potential for good but also the downsides and the dark
side and the danger of the collection and use.
And I, quite honestly, did not expect anybody to come here
today and say, we are using this data to exploit people. You
know, I am not that naive. But I think you need to recognize
that others could use it for that purpose. And all you need to
do is turn to page 24 of this report and see the categories
that are sometimes used for marketing purposes.
And let me give you two very concrete examples of why I
think that people ought not to be compelled to surrender
personal privacy as the price of admission for the use of the
Internet. And that is really what we are talking about, the
sacrifice of privacy as the price of admission to the Internet.
In December 2012, the Wall Street Journal ran a story
entitled, ``Websites Vary Prices, Deals Based on Users'
Information.'' And it stated, in part, quoting, ``Websites are
adopting techniques to glean information about visitors to
their sites in real-time and then deliver different versions of
the web to different people. Prices change, products get
swapped, wording is modified, and there is little way for the
typical website user to spot it when it happens.''
So if you prefer Hilton hotels over Marriott hotels and the
wrong company gets its hands on that information, you could be
charged more for staying at one hotel or another than a person
just walking in off the street.
Now, I assume, Mr. Hadley, that you would join me in
feeling that such marketing practices and pricing practices
would be offensive and should be made illegal, perhaps.
Mr. Hadley. I would agree with you that that shouldn't be
happening. And Experian is not involved in dynamic----
Senator Blumenthal. I am not asking you about Experian. I
am not expecting that you will tell us that Experian is
involved in these kinds of----
Mr. Hadley. But dynamic pricing does exist. All you have to
do is look at the hotel and airline industry, and they have
variable pricing.
We don't provide products and services to allow them to
undertake that dynamic pricing. That is their choice, because
they are marketing their product or service.
Senator Blumenthal. Do you think it is fair to the
consumer?
Mr. Hadley. I wouldn't want it to happen to me, but I know
that it does. If I go to Las Vegas and there is a----
Senator Blumenthal. Well, the fact that it does is why we
are here today, right?
Mr. Hadley. I am not sure that it is illegal. It is just a
factor of----
Senator Blumenthal. Let me ask you, Mr. Cerasale----
Mr. Hadley.--the economics, right?
Senator Blumenthal. I am not asking you for your legal
opinion.
Mr. Cerasale, what do you think about that practice?
Mr. Cerasale. Dynamic pricing and changes in pricing are
there all the time, and you have--frequent flyers get different
prices. Grocery stores, people who have the card have different
prices. It is part of where we are today.
I think if it is discriminatory and so forth, you look at
it. It goes back to what I said. You want to look at use, not
the data itself or the collection of it, but use. If there is
an improper use----
Senator Blumenthal. Well, you would agree with me that
discriminatory pricing that charges people more because they
are regarded as more vulnerable, and without their knowing it,
would be, at best, unethical?
Mr. Cerasale. Yes--I--yes. And I believe there are laws----
Senator Blumenthal. Let me ask you another question.
Mr. Cerasale.--on that, as well.
Senator Blumenthal. And I am rushed for time. I am going to
use my last 4 seconds to ask you a question----
Mr. Cerasale. Sure.
Senator Blumenthal.--about a second area where I think
discrimination, the prospect of discrimination and exploitation
is raised. And that is in terms of job postings and screening
of job applicants.
I don't need to tell anybody in this building about the
devastating impact of long-term unemployment in this country.
And I have joined Senator Warren in a bill that would prohibit
the use of credit scores of job seekers in a discriminatory way
during the hiring process.
Let me ask you whether an employer could buy information
from your company, Mr. Hadley, for example, and use it to
target job postings in a way that discriminates against certain
job applicants, using the information that might be obtainable
from your company.
Mr. Hadley. Marketing data cannot be used for employment
screening and job eligibility. That is a case under the Fair
Credit Reporting Act. So they would have to obtain a credit
report, and all of the consumer rights would accrue to that
marketing----
Senator Blumenthal. Well, let me ask you, what would
prevent an employer from asking for information from your
company and then, on its own, using it in a discriminatory way?
Mr. Hadley. We would know who that company is and why they
were asking us for marketing information.
Senator Blumenthal. And you would----
Mr. Hadley. And we would know what----
Senator Blumenthal.--refuse to sell to them?
Mr. Hadley.--they were going to use it for, and we would
forbid them in our contract with them from using it for any
purpose under the Fair Credit Reporting Act, including
employment purposes.
Senator Blumenthal. If it is a violation of the Fair Credit
Reporting Act. What if they said to you it is not a violation?
Mr. Hadley. We would disagree with them, and we wouldn't
give them the----
Senator Blumenthal. Is that true of other companies in your
industry?
Mr. Hadley. I think it is a pretty standard practice among
those that belong to DMA and practice good standards.
I can't vouch for all of them, but it certainly is with
Experian. We know the bright line between those.
Mr. Cerasale. It would violate our----
Senator Blumenthal. Your company does, but from the
information that has been provided to my office, not all
companies do. Do you----
Mr. Hadley. Then it is a violation of law, and the FTC
should take action against those companies.
Mr. Cerasale. It is unethical, it violates our guidelines
to use marketing data----
Senator Blumenthal. It is unethical, it violates your
guidelines, but maybe the law----
Mr. Cerasale. That is correct.
Senator Blumenthal.--ought to be clarified so that
everybody understands it is illegal.
Mr. Chairman, I apologize for exceeding my time. I tried to
move as quickly--I want to apologize to the witnesses for
perhaps interrupting you.
Unlike Senator Booker, although I am still a new guy on the
block, I didn't say at the outset I was going to stop when I
should have. So----
The Chairman. Well----
Senator Blumenthal.--I know I am on your bad side now.
The Chairman. No, you are not on my bad side, but, you
know, you are clearly just sort of settling into this role of
being a licensed lawyer.
[Laughter.]
The Chairman. He was attorney general for 29 years.
Senator Blumenthal. I am a recovering lawyer.
[Laughter.]
The Chairman. Yes.
Senator Blumenthal. I apologize, Mr. Chairman, and----
The Chairman. No.
Senator Blumenthal.--thank you.
The Chairman. Senator Booker will learn from you.
[Laughter.]
The Chairman. Senator Markey?
STATEMENT OF HON. EDWARD MARKEY,
U.S. SENATOR FROM MASSACHUSETTS
Senator Markey. Thank you, Mr. Chairman, very much.
So the bottom line is that there are digital dossiers being
collected on every American right now by the companies
represented at this table. And there is a lot of promise from
that: services that can be provided. There is a lot of peril
from that: the compromise of the privacy and the most intimate
secrets of families that can go out and on sale across the
country and across the world.
And the bottom line is no company should be allowed to do
that. If the individual doesn't want that information
compromised, they should have a right to be able to control
that data. And no company should be allowed to play fast and
loose with the information which they have gathered about
Americans.
So I had a caucus meeting over on the House side last year,
and we had some of the gentlemen here today over there for
that. And we began to talk about propensity scores--propensity
scores. And that is a practice of attaching a propensity score
to individuals, hundreds of thousands, millions of Americans.
And the scores are created without the consumers' knowledge,
without the consumers' consent.
And then they become the basis for targeting offers,
benefits, products to certain consumers. And as a result of
these e-scores, high-value prospects may receive marketing
details and discounts regularly, but others may not. They may
be dismissed as low-value people, characterized as ``waste'' in
industry slang.
So, Ms. Dixon, what are the dangers attached to an industry
that engages in those kinds of practices, in terms of its
impact upon tens of millions of Americans?
Ms. Dixon. The real problem with the propensity scores and
the propensity values that are attached to consumers is that,
unlike a credit score that would be pulled, that would be
covered under the Fair Credit Reporting Act, but these scores
are not covered under the Fair Credit Reporting Act.
If they are health scores, they are not covered under
HIPAA, they are not being held by a healthcare provider.
So, therefore, you can be tagged with these
characteristics, and these characteristics are not under any
regulation. There is no law that says that an employer cannot
use these to determine job eligibility. There is no law that
says that an insurer cannot use these scores to determine
rates, because these are not regulated scores. So the
propensity scores are of great concern.
And, of course, consumers do not have the opportunity to
learn about these scores. These are secret scores. And
consumers do not have the opportunity to opt out of this, as
they would if the scores were covered under the Fair Credit
Reporting Act.
Senator Markey. Great.
So we have to do something about that, Mr. Chairman. You
know, we are hearing language about, well, that might not be
illegal, so we can actually pass a law and make it illegal. So
that is what this committee is all about.
And now let me go back to you again, Ms. Dixon. Thank you
for that.
We know that data brokers categorize people into market
segments, so-called ``suffering seniors,'' ``burdened by
debt,'' ``singles,'' ``credit crunch,'' ``city families.'' And
these are the real labels that actual data brokers use to
describe all these different segments out there as they are
trying to decide who they are going to be talking to.
But that categorization can cause real economic harm,
including profiling, redlining, and racial discrimination. And,
in fact, there is actually a term for it: not redlining, but
``web-lining.'' We are just going to use the web to kind of
segment people out. They are in the wrong income group, the
wrong racial group, the wrong sex, the wrong whatever. And they
just can do it. And there probably aren't enough laws on the
books to protect people against that.
Ms. Dixon, can you talk about that and what the need is to
fill in that vacuum, as well?
Ms. Dixon. There is an interesting situation that is going
on. And, interestingly enough, the DMA report came to the
conclusion that offline information and online information are
now thoroughly merged. And as a result, web-lining is real-
life-lining, as well, so what happens on the web now happens in
real life.
So if there is a discriminatory problem there, we are going
to be experiencing it elsewhere. It is a circular process now.
We can't just go online and block our cookies.
Any reasonable consumer who is shredding their Social
Security number, blocking cookies, and surfing the web
responsibly, they can still not evade being put on a list of
data brokers according to their health condition.
Senator Markey. So let's go to that line, that kind of
blurry line that has been allowed to be created, and what the
consequences are for consumers, kind of that line between
credit reporting agencies and data brokers that market
financial products. That is an atmosphere of ambiguity, and
some fraudsters could do some real harm to people, huh?
So if you could talk about that a little bit, Ms. Dixon.
Ms. Dixon. So the pseudo credit scores, or pseudo scores,
they are made up of about 1,500 factors. They are all non-
credit-file factors, so they don't fall under the Reporting
Act. They can include factors that would be prohibited under
the Equal Credit Opportunity Act. This is troubling, deeply
troubling.
So we don't know everything that goes into these scores. We
need to. We need to know how the scores are being used, and we
certainly don't want these scores being used to target
underserved Americans with predatory offers.
Senator Markey. And let's just move on to the next
category. You know, we can talk about the sale of lists of
people with particular diseases, huh? And just kind of
circulate those lists around to people, just so that, you know,
marketers know who not to even get anywhere near, huh? I am
going to get all the people with these different diseases that
we have been able to compile and just make a list of it and
make sure they are over here and they are walled off.
Talk a little bit about that and what that means for our
country.
Ms. Dixon. I was stunned, in doing my research, when I
found lists of people who were rape sufferers, people who were
genetic disease sufferers, people who were victims of domestic
violence. This was deeply troubling to me, and I was just
shocked.
So what is happening is that through survey instruments
that are operated online and through other methods that are
typically consumer-generated, people will volunteer this
information to websites, thinking they are getting help, you
know, from a website, and they will volunteer. And they have no
idea that this information is going to be attached to not just
a cookie but their name, their home address, their phone
number.
Senator Markey. And I am a lawyer but I have never had any
clients, so I am going to be careful in how I rule here. But it
just seems to me that it is kind of, on its face, a violation
of Section 5 of the Federal Trade Commission Act, violation of
unfair and deceptive practices.
So, Ms. Rich, back over there at that Federal Trade
Commission, what can you do about this?
Ms. Rich. I think--well, for all of these scenarios that
you described, especially the particularly disturbing ones
involving discrimination, we would obviously, if we had
specific targets we were looking at, take a close look to see
if it did violate the Fair Credit Reporting Act or the FTC Act.
We wouldn't give up on that.
But one thing I want to say about--you know, our laws are
limited, as I mentioned in my opening statement. For the Fair
Credit Reporting Act to apply, the data has to be collected and
used for certain purposes. And the FTC Act allows us to go
after deceptive practices, meaning affirmative false statements
or omissions need to be made, or unfair practices, and we have
a lot of hoops to jump through to prove those.
But there is nothing in our laws that would require the
entities amassing those lists to tell consumers about it or to
allow them access to the data they have on them. Those are the
limitations of our laws.
Senator Markey. Yes. Thank you. And, again, there is
nothing like a little Section 5 action, you know? But when you
are saying it is even beyond the penumbra of that, then we have
a real issue here.
And it is a real invitation for us to act, Mr. Chairman, so
that, you know, we put on the books the----
The Chairman. I am going to act----
Senator Markey.--actual specific language. Excuse me?
The Chairman.--since you have just gone through your second
round of questions.
[Laughter.]
Senator Markey. No, I know that, Mr. Chairman. I have now
taken your graciousness, your beneficence, and I have stretched
it, you know, to a point that----
The Chairman. Claire McCaskill is very unhappy. But she is
going to be even more----
Senator McCaskill. No, I am not.
The Chairman.--even more unhappy when I call on Senator
Thune, who----
Senator McCaskill. I am not unhappy at all.
The Chairman.--he and I were the first two to come.
And then you.
STATEMENT OF HON. CLAIRE McCASKILL,
U.S. SENATOR FROM MISSOURI
Senator McCaskill. No, I think it is terrific to have
Senator Markey on this committee. And he obviously has worked
on this issue in the House, and I think we will all benefit
from the amount of time and effort he has spent at it.
I want to try to home in on a couple of things.
The case, Mr. Hadley, of Experian and Superget. You
purchased the company Court Ventures in 2012, in the spring of
2012. For more than a year after the time you purchased this
company that had all this data, you were taking monthly wire
transfers from Singapore, and your company did nothing. And as
it turns out, those wire transfers were coming from a man in
Vietnam who specialized in identity theft and was marketing the
information that you owned to criminals to ruin people's lives.
So my first question to you is, you were quoted as saying,
``We would know who was buying this.'' You were getting wire
transfers from Singapore on a monthly basis, and no one
bothered to check to see who that was?
Mr. Hadley. Now, I want to be clear that this was not
Experian marketing data; this was Experian authentication data.
So it is under a different company, a different use. So I just
want you to know that it is not part----
Senator McCaskill. I don't understand the distinction.
The Chairman. Nor do I.
Senator McCaskill. I think it is a distinction without a
difference. I believe it was data that you owned, Experian
owned. You had purchased this data from Court Ventures, and
they had, in fact----
Mr. Hadley. No. Let me clarify.
Senator McCaskill.--sold it to someone else.
Mr. Hadley. Yes, let me clarify that for you, because we
have provided a full response to that question to the
Committee, and it is part of the eight submissions that we have
given.
And I do have to say that it is an unfortunate situation.
And the incident is still under investigation by law
enforcement agencies, so I am really extremely limited in what
I can say publicly about it, but I do want to say this.
The suspect in the case obtained data controlled by a third
party--that was U.S. Info Search, that was not an Experian
company--through a company we bought, Court Ventures----
Senator McCaskill. OK. Let me----
Mr. Hadley.--prior to the time that we acquired that
company. And to be clear, no Experian data was ever accessed in
that deal.
Senator McCaskill. I understand what you are saying. Here
is what happened. You had U.S. Info Search----
Mr. Hadley. No, we did not----
Senator McCaskill. No, no, I am--U.S. Info Search existed,
and Court Ventures existed. They decided----
Mr. Hadley. And they had a partnership.
Senator McCaskill.--for commercial reasons, to make more
money, to combine their information. And so they had a sharing
agreement, those two companies, correct?
Mr. Hadley. Right.
Senator McCaskill. OK. So these two companies had a sharing
agreement. Then you bought one of those companies.
Mr. Hadley. Court Ventures.
Senator McCaskill. Correct. So now you owned it. Now you
stood in their place. Are you a lawyer?
Mr. Hadley. I am not a lawyer, but I understand we stood in
their place, right.
Senator McCaskill. Are there any lawyers on the panel?
OK. She will back me up.
[Laughter.]
Senator McCaskill. You stand in their place when you buy
this. So now you are there.
Now, you said in your earlier testimony, we would know who
was buying this. So you now are part of their transactions.
Mr. Hadley. During----
Senator McCaskill. And you were receiving the benefit of
these monthly wires.
Mr. Hadley. So, during the due diligence process, we didn't
have total access to all the information we needed in order to
completely vet that. And by the time we learned about the
malfeasance, I think 9 months had expired. The Secret Service
came to us, told us of the incident, and we immediately began
cooperating with the Secret Service to bring this person to
justice.
Senator McCaskill. OK.
Mr. Hadley. And we are continuing to cooperate with law
enforcement in that realm. This was--we were a victim and
scammed by this person.
Senator McCaskill. Well, I would say the people who had all
their identity stolen were the----
Mr. Hadley. And we know who they are, and we are going to
make sure that they are protected. There has been no allegation
that any harm has come, thankfully, in this scam.
[The Committee received the following letter regarding Mr.
Hadley's previous statement. The author of the letter requested
that the statement be removed from this hearing record.]
Venable LLP
Washington, DC, March 18, 2014
Via e-mail:
Peter Curtin
U.S. Senate Committee on Commerce, Science, and Transportation
254 Russell Senate Office Building
Washington, DC.
Re: Correction to Transcript on Hearing Titled, ``What Information Do
Data Brokers Have on Consumers, and How Do They Use It?''
Dear Mr. Curtin,
Lines 12-14 in the attached document are crossed out. In reviewing
the testimony, we checked with the Experian lawyers that are directly
involved in handling this matter, and they have indicated that these
lines are not accurate. In actuality, Experian does not know the
identities of the individuals as the data was owned and controlled by
U.S. Infosearch.
Sincerely,
Stuart Ingis,
Venable LLP.
Senator McCaskill. OK.
Mr. Hadley. And we have closed that down, and----
The Chairman. Let Senator McCaskill----
Mr. Hadley.--we have modified our process----
The Chairman. Let Senator McCaskill continue.
Senator McCaskill. OK. So let's talk about that process.
This person who got this man who they lured to Guam to arrest
and who is now facing criminal charges in New Hampshire, they
posed as an American-based private investigator.
What is your vetting process when people want to buy your
stuff?
Mr. Hadley. That would have been Court Ventures who would
have vetted that prior to our----
Senator McCaskill. OK, but I am talking about now, you.
What is your vetting process?
Mr. Hadley. Right now, before we would allow access--first,
let me say that that person would have not gained access to
Experian or this data if they had gone through our vetting
processes prior to the acquisition.
Senator McCaskill. And what would have stopped him?
Mr. Hadley. We would have known who that company is. We
would have had a physical onsite inspection of that company. We
would have known who that business is and what that business's
record is. We would have known exactly why they wanted that
data and for what purposes. And that would have been enshrined
in our contract. And we would have known the kinds of systems
they have in place to protect the data that they gained.
Those are all incumbent upon us under the Gramm-Leach-
Bliley Act and the FCRA.
Senator McCaskill. Well, listen, I understand that this was
not a crime that began under your watch.
Mr. Hadley. Thank you.
Senator McCaskill. But you did buy the company, and you did
keep getting the wire transfers from Singapore. And the only
reason you ever questioned them is because the Secret Service
knocked on your door. I don't know how long those wire
transfers from Singapore would have gone on until you caught
them. I don't have confidence that it would have stopped at
all.
So I guess what my point is here, I maybe do not feel as
strongly as others on this panel that behavioral marketing is
evil. I believe behavioral marketing is a reality, and,
frankly, the only reason we have everything we have on the
Internet for free is because of behavioral marketing. So I
don't see behavioral marketing as an evil unto itself.
What I do see is some desperate need for Congress to look
at how consumers can get this information, what kind of
transparency is there, and whether or not companies that allow
monthly wire transfers into their coffers from Singapore from a
criminal who is trying to rip off identity theft, whether or
not they should be held liable for no due diligence on checking
those wire transfers from Singapore until the Secret Service
knocked on their door.
And that is what I think we need to be looking at. And I
don't think there is enough--I mean, I know that some of my
friends on the other side of the aisle, you say trial lawyers,
and they break out in a sweat. But the truth is that if there
were some liability in this area, it would be amazing how fast
people could clean up their act. And, unfortunately, in too
many instances there is not clear liability because we haven't
set the rules of the road.
So I didn't mean to pick on you, Mr. Hadley, but this is a
great example. And you are not a fly-by-night company.
Mr. Hadley. No, we are not.
Senator McCaskill. If this is happening under your watch,
can you imagine what is going on with companies that are not as
established as yours? I think it is----
Mr. Hadley. Cybersecurity is a huge problem.
Senator McCaskill. It is serious and significant, and we
need to look at it.
Thank you all very much.
The Chairman. Thank you, Senator McCaskill.
Senator Thune, to be followed by Senator Fischer.
Senator Thune. Thank you, Mr. Chairman.
Mr. Hadley, one of the big users of your service is the
Federal Government, correct?
Mr. Hadley. Yes.
Senator Thune. OK. Are there some areas in which you can
identify how the Federal Government uses your services?
Mr. Hadley. Certainly.
The biggest users of Experian data in the Government are
the Department of Health and Human Services. Right now, we
operate on HealthCare.gov to authenticate the identities of
individuals signing up for health care to make sure that fraud
is eliminated on that, to make sure that Tony is getting an
account, establishing the account, and not an imposter in his
name.
We also have a contract with the Social Security
Administration as they move persons for online accounts from
paper-based accounts. We all get our Social Security statement
in the mail; they want people to move online to get those. So
we authenticate individuals to have online accounts with the
Social Security Administration.
We, too, believe that HHS could be a good user of our
marketing data, particularly in the lower economic echelons, to
reach out to people to see if they are eligible for health care
and try to determine how to market that process to them. They
haven't done that yet, but the state agencies are far ahead of
them in that way, of using these economic segments to reach out
and inform consumers of benefits that are available to them.
Senator Thune. So for purposes of Obamacare implementation,
they are using you to authenticate people who are applying but
not, at this moment, to market, the Federal Government. The
state----
Mr. Hadley. That is exactly right.
Senator Thune.--exchanges are.
Mr. Hadley. Right.
Senator Thune. OK.
Some have concerns about the profiles that data brokers
compile on consumers, that they will have a long-lasting impact
and put these consumers at a disadvantage, especially if that
information is incorrect. And I would like to have you respond
to that incorrect-information issue or concern.
Mr. Hadley. Yes. Our data is highly accurate. It comes from
very reputable sources. We know what sources they are, and we
check those sources to make sure of the integrity of that data.
Marketing profiles are not static. This is very important.
They change. When I was a young man with young children, I used
to get a lot of ads for diapers. Then my sons grew up, and I
got solicitations and they got solicitations for college. Soon,
I got solicitations for home equity loans because they knew
that I might want to finance my sons' college education. Now I
am getting solicitations for retirement planning and for
vacations. So my marketing profile has changed with my age and
my family status and my interests that I have expressed to data
brokers.
I want to make one point that is very clear here, with
health information. Experian has health information from
consumers, but only--only--on an opt-in basis, if they have
said and clearly opted into telling us what their ailments are
and saying, I am an arthritis sufferer, I want to know about
new products and services coming onto the market to help me; or
I suffer from migraines.
These are not used, though, never used, for healthcare
eligibility. They are used so that consumer product companies
can offer solicitations and coupons for over-the-counter drugs,
for the most part.
Senator Thune. Yes.
Mr. Hadley. So it is always opt-in with health for
Experian, clear and conspicuous opt-in.
Senator Thune. Mr. Cerasale, there have also been concerns
raised that consumers should not only have the ability to see
what information is collected about them for marketing purposes
but also have the ability to correct it. And I am wondering
what your thoughts are on that.
Mr. Cerasale. On first look, that sounds like a great idea.
However, as you delve deeper into it, as you look at access and
then correction for marketing data--this is data that, as Mr.
Hadley has said, is not used for eligibility purposes. But as
you look into access to marketing data, it requires you to
authenticate who is coming in. In other words, is it Jerry
Cerasale or is it an imposter? And in order to have that data,
in order to be able to authenticate, you need more data.
So in the essence of access and then correction, it is
going to require more data, more accurate data, because you can
have inaccuracies in marketing data. Tony says that it is
great, but it is not as precise as Fair Credit Reporting data
because it is not for eligibility; it determines what ad I will
receive, what type of offer I will receive. And if a marketer
is off, it is 95 percent correct, that is OK because it is not
worth the expense to go to 100 percent, whereas in Fair Credit
Reporting you need it.
So having access and correction requires more data. And, of
course, it is, therefore, more expensive, as well. So, I mean,
let's be truthful here. But I think it goes against the idea
you are worried about with data because you are going to create
more data on the marketing side and requiring it to be more
precise, and therefore that is an issue. You need to have one
bit of information more than the imposter in order to prevent
that kind of fraud in that area. So it raises that problem.
Senator Thune. Ms. Rich, the FTC released a report on
consumer privacy in 2012 that recommended, and I quote,
``companies should provide reasonable access to the consumer
data they maintain; the extent of access should be
proportionate to the sensitivity of the data and the nature of
its use,'' end quote.
The report continued that, for marketing data, the
commission believes that the cost of providing individualized
access to consumers would likely outweigh the benefits.
Can you comment on that statement, expand on what the costs
and benefits would be to have individualized access to
marketing data?
Ms. Rich. What we said in the report was that, you know--
and, obviously, the report was a prelude to further discussion
and potentially Congress acting, because at the time we were
recommending legislation.
But what we said in the report is that we saw a difference
between marketing data and, for example, fraud mitigation and
identity verification products, and that for marketing data it
might be appropriate to not only give consumers access to the
categories of data that is collected about them but to allow
them to suppress use of the data, but not necessarily to give
them individualized access.
But we didn't say there shouldn't be access at all. We said
there should be access to the categories of data and an ability
to suppress use of the data. And then, for other products, it
may be appropriate to give individualized information about the
data.
Senator Thune. OK. But the calculation you made, according
to this at least, is that the individualized access to
consumers would likely outweigh the benefits for marketing
purposes.
Ms. Rich. Yes. Yes. But for further consideration also by
Congress. But, yes, we did see a difference, we did see a
distinction between marketing uses and other uses.
Senator Thune. OK.
Mr. Chairman, thank you.
The Chairman. Thank you.
Senator Fischer?
STATEMENT OF HON. DEB FISCHER,
U.S. SENATOR FROM NEBRASKA
Senator Fischer. Thank you, Mr. Chairman and Ranking
Member.
Ms. Rich, in your testimony, you referenced the
commission's activities with regard to enforcement. Can you
describe to me what you think the focus of the enforcement
activity should be?
Ms. Rich. Well, we always, in our enforcement, focus on
uses of data that have the potential to harm consumers. And
most of our enforcement actions have been in the area of the
Fair Credit Reporting Act because that is where we have our
strongest tools. And when data is used for purposes covered by
the FCRA, it can be used to deny consumers important benefits
like employment or credit.
Senator Fischer. Do you think that the FTC has done a good
job with its existing authority to address what has been the
number-one consumer complaint for the past 13 years running,
and that is fighting identity theft?
Ms. Rich. We are trying our hardest. We don't have the
authority to go after the perpetrators of identity theft, but
one of the main reasons we are so strong in our data security
enforcement is that we do believe that it is the responsibility
of companies to protect sensitive information, and to maintain
and protect it from getting in the hands of identity thieves.
Senator Fischer. Are you able to identify the thieves
themselves? And what happens then? How does that all work?
Ms. Rich. Well, you know, many of the thieves are overseas.
We do work with criminal authorities, and sometimes they are
investigating the thieves while we are investigating the
companies that failed to maintain reasonable procedures to
protect the data.
Often, the thieves are never caught because they are in
Russia or China. But if a company does not maintain reasonable
procedures to protect data, we have some good tools to hold
them liable. Although, we continue to recommend passage of a
strong data security law that would give us civil penalty
authority and strengthen those tools.
Senator Fischer. Have you brought those forward before this
committee? I am a new member on the Committee. Has the FTC
suggested those in the past?
Ms. Rich. Yes. Senator Rockefeller would be very--Chairman
Rockefeller would be very familiar with our advocacy for data
security and data breach legislation.
Senator Fischer. OK. Thank you very much.
Mr. Turow, when we talk about the data broker--and you had
a definition of a data broker as somebody who connects the dots
for marketers, is that correct, in your testimony?
Mr. Turow. That is not my only definition, but certainly
that is what they do. They can do that.
One thing I would like to point out--may I go on?
Senator Fischer. Yes.
Mr. Turow. One thing I would like to point out that I don't
know if we have had enough discussion about today, which is, it
is not just discrete bits of information that is going on more
and more and that are sold, and it is not just the aggregation
of these. Really, what is happening is the industry and so much
of our world is turning into an actuarial activity. It really
is the predictive analytics that are changing the ballgame.
And so a person can be giving out the most benign-sounding
piece of data, and that can turn against him or her in an
instant if it gets put into an algorithm that comes up with an
either accurate or inaccurate sense of who that person is.
And we have no way to deal with this at this point and no
way--even to where I have been told in the ad industry that the
word ``soccer mom''--that I have had people tell me they don't
know, necessarily, how a person is tagged as a soccer mom. The
number of data points--seriously told me this--the number of
data points that are involved in designating a soccer mom, the
person said in the ad agency to me, was such that they couldn't
tell me where that got that designation from.
Now, if it is true, that is very complicated. And if it is
not true, that is a problem in itself. And I was trying to
figure out why it is that ad companies can't tell people where
particular labels on them come from. And now I am being told
more and more it is the algorithm, it is the predictability.
Senator Fischer. With your definition or an expanded
definition, then, how many private companies do you think can
be classified as this, just in the United States? How many
private companies are we talking about?
Mr. Turow. I haven't seen a definition, but I would agree
that more and more we are dealing with companies of all sorts
connecting lots----
Senator Fischer. It would be like any small business?
Mr. Turow. I wouldn't worry----
Senator Fischer. The big box retailers? Who?
Mr. Turow.--so much about a small business, but I would
worry about big supermarkets.
Senator Fischer. Big box retailers?
Mr. Turow. I would worry about, yes, big box stores. I
would worry about a whole lot of companies that on a daily--we
haven't talked about retail outlets and the fact that the
Internet inside a store and the connecting of online and
offline is taking place increasingly as people walk through
looking at products, the so-called moment of truth, and how
that relates to the algorithms I have been discussing. What
does it mean to have predictive analytics stare you in the face
while you are deciding diapers, OK, or something even more
important?
And, in fact, the notion--it may be that Experian doesn't
deal with over-the-counter drugs, but there are companies that,
in one way or another, take what people purchase over the
counter and solicit opinions through sweepstakes about their
health activities and purchases and sell them, very clearly.
Senator Fischer. So what I hear you saying is what I
believe, that really almost any retailer could be classified
then----
Mr. Turow. If they share data, and I have----
Senator Fischer. And how, then, do you believe the
government should become involved in private business in this
country, when you have that expanded definition?
Mr. Turow. It obviously makes it much more complicated. And
that is what I have begun to believe that, at least as a start,
there may be some useful public discussion in asking how many
data points firms are allowed to buy and sell about us at a
time and how they can be merged to other data points, so that
we won't have continual flows of data being appended to our
lives.
It is really an interesting difficulty that you bring up----
Senator Fischer. OK. Thank you.
Mr. Turow.--aside from the fact that, for example, if you
go to Kroger's website and look at their privacy policy, I
couldn't figure out head nor tail whether they sell that stuff,
because they use words like ``affiliates'' and
``subsidiaries,'' and it is done in such a way that it is
extremely difficult to tell.
And I know of one company that sells bracelets for health
where I looked at their website, and basically at one point
after they say what data they can get out of the bracelet, they
say, some of this data might indicate poor health on your part.
And then the issue is, what do they do with it?
Senator Fischer. Right.
Mr. Turow. And we don't know. You can't tell.
Senator Fischer. Right. Thank you.
Mr. Chairman, could I ask Ms. Rich if she wanted to say
something? She is eager----
Ms. Rich. I am going like this.
Senator Fischer. And I was trying to stay within my time
limit, seriously. Thank you, Mr. Chairman.
Ms. Rich?
Ms. Rich. I just wanted to add something to the point you
were making about the number of data brokers. One of the things
that we--the way we think about it at the FTC, to make it a
more manageable issue and problem, is to focus on the non-
consumer-facing data brokers, because, after all, if the issue
is really about transparency, at least that is where the
concerns are the greatest, that consumers don't even know who
those invisible, behind-the-scenes companies are.
And although I think that there has been a lot of
discussion about how the definition is so broad we can work on
that. But I think it is kind of proof of the problem, not that
there isn't a solution. Because the fact that Pam says there
are thousands of data brokers and the Committee report says
hundreds and the industry says hundreds, I mean, I think that
is part of the problem. We don't know who all these entities
are and we don't have a handle on it. And that is part of the
proof that there really isn't transparency in this industry.
Senator Fischer. So would you say that just about any
website that a person goes to, they are in danger of having
information gathered that they may not want to have either
private companies or the government know about?
Ms. Rich. Well, I mean, as I was saying, if we are talking
about the data broker issue, we would prefer to focus on the
non-consumer-facing sites, where they are truly not
transparent.
You know, we have other recommendations for consumer-facing
websites. We think there should be choices and opt-outs there
so that consumers have some ability to prevent sales to third
parties if they so choose.
But for this data broker problem, we at the FTC would
really like to focus on the non-consumer-facing sites.
Senator Fischer. OK. Thank you very much.
Thank you, Mr. Chair.
The Chairman. Thank you, Senator Fischer.
We have a vote at 4:30. I would like to ask one more
question.
And this is coming right at you, Dr. Turow. You have been
taking all kinds of notes.
Mr. Turow. I have.
The Chairman. So you are ready. I would like to further
explore the notion that data brokers are selling products to
help marketers target pitches to the specific interests and
needs of consumers.
Let's take a product called ``Relying on Aid.'' This is a
grouping of consumers that the data broker defines as follows:
``These single retirees of limited means and meager retirement
savings are just barely able to make ends meet.''
The description goes on to say, ``With only a high school
education at best, it has been hard to get ahead. Poorly
insured and Medicare/Medicaid-dependent, they are generally
pessimistic about their economic situation,'' and,
incidentally, about themselves.
My question to you, Professor Turow: In your testimony, you
highlight some other ways companies may be using such consumer
lists that don't necessarily involve product pitches, such as
deciding who should have to wait longer for customer service,
who should be rejected as a valued customer, or who should be
offered coupons for only non-nutritious foods.
What thoughts come to your mind when you hear data brokers
are marketing descriptions like ``Relying on Aid'' to potential
consumers?
Mr. Turow. It is not unpredictable. It has been going on
for years. It is a problem, I agree, and it is going to get
worse as the baby boomers get older. I think we are only
beginning to see the tip of the iceberg here.
But I think one of the issues is also that, as we get more
individualized----
The Chairman. What do you mean, tip of the iceberg?
Mr. Turow. I think we are going to have this huge
generation of older people in 15 years that are going to be----
Senator Thune. Not you.
[Laughter.]
Mr. Turow.--divebombed with these kinds of offers. And I
was beginning to say, it is going to be more particularized.
The thing about that category, Chairman Rockefeller, is
that it is a category. More and more, that is going to become
anachronistic. And what it is going to be is a particular
person who can be maybe even more persuaded because of other
characteristics that predict that. So that category will be
broken up----
The Chairman. Including low self-esteem.
Mr. Turow. Yes, and a lot of other things: what kind of car
they drive that leads them to be this, that, and the other
thing. So that you won't even be able to point to the category
in a catalog anymore; it will be something that you won't be
able to easily track down. And yet those people will be
targeted increasingly because of the situations they are under.
The same category, only divided up into millions and millions
of people and personalized.
The Chairman. So what would you do about it?
Mr. Turow. As I said, I think--well, these are social
questions. And I believe that we have to worry about the kinds
and the amounts of data that get combined. I don't have an
answer for that. I think it is a very important social
discussion. At this point in time, we haven't had that social
discussion.
People don't even know this stuff is going on. Our studies
have shown that people know they are being tracked. But when
you ask people basic questions of how this stuff works and how
they think it works--we did a 2005 study in which Americans
said, a majority, a clear majority of Americans said that they
think that price discrimination is illegal. OK?
We continually find that people see the word ``privacy
policy'' on a website, they think it means--and we have done
this five times in national surveys--they think the words
``privacy policy'' means that the site can't share information
about you without your permission.
The ad icon is a great idea, but it doesn't work. You know,
the studies have shown, including one that we did a couple of
years ago, that Americans, like Senator Booker, have no clue
that it exists most of the time.
I suggest--and that is how I got into the algorithm thing.
The idea for an icon that I had originally, before this one
came out, was that when you clicked on an ad that was tailored
to you, you could find out who gave you the ad, what were the
elements of the ad, why did you get that particular ad just at
that moment.
But those data are considered too proprietary, and then
people tell me the algorithm doesn't help. And so, at this
point in time, there is nobody who wants to volunteer to give
that information.
The Chairman. And people use barcoding, don't they----
Mr. Turow. Well, I----
The Chairman.--to find out names and addresses and other
stuff?
Mr. Turow. Oh, yes. And even if you are anonymous--a very
short example that happened to me. It is not quite a big data
company, but it shows the direction.
I was at O'Hare, and I had to switch planes when one of my
planes was canceled. So I went to the customer service place of
the affiliated airline. They asked me to put my barcode in, and
they gave me a number. On the side of me, on the screen, it
said, the amount of time it will take to serve you will be
based on your priority in terms of your status with our loyalty
program.
The Chairman. Interesting.
Mr. Turow. And so I, fortunately, had a lot of points, I
got served pretty quickly, but I noticed there were people who
were just sitting there. And that meant that they didn't get
the flights that they could have gotten.
The Chairman. This is segmenting Americans. It is pre-
predicting what will happen to them by virtue of the
circumstances into which they fall.
Mr. Turow. And who is valued----
The Chairman. And all the research has been done to put
them in that situation so they can control how they market and
maximize their profit and maybe end up absolutely giving a
horrible experience to that consumer.
Mr. Turow. I agree.
The Chairman. Senator Thune, I have something I want to
say, but you are important around here. Do you want----
Senator Thune. No, go ahead. I am fine.
The Chairman. OK.
I want to come back--since before 9/11, I have been on the
Intelligence Committee, and every day I wake up to seven
newspapers with nothing but NSA headlines. And I am here to
tell you, as one of the authors of FISA and the PATRIOT Act and
all the rest of it, that the NSA is so secure in its protection
of privacy as compared to this group that we are talking to,
these data brokers, it is not even close.
This affects, as was pointed out, anybody, everybody. Who
knows? NSA knows. They are only likely to interact at a .000001
percent of people that they conclude need, you know, further
observation. This is everybody, anybody, but more than that,
divided into race, economic activities, education.
And there is something--I can't prove it is wrong, but
there is something lethal about it. There is something unfair
about it. It is something like--you know, if somebody is poor
or less educated--and this is what I have spent my life--I come
from West Virginia, where a lot of people face these problems.
They are stigmatized. They have to live with it. The system is
stacked against them. And a lot of people are making a lot of
money out of it, and one are the data brokers.
I am not asking for an argument because the bell just went
off. But I am here to say that this is a very serious
situation. I think everybody here agrees this has not been
talked about. We have done an investigation of it, FTC has
looked at it, you all have looked at it, you certainly have.
And we have to continue on this thing.
You know, the slogan of one of the companies that the
Committee reviewed in this investigation, the company says it
lives by the following words: ``Just because you can doesn't
mean you should.'' Unfortunately, I have been thinking about
this because today's testimony and the Committee's inquiry
shows the industry as a whole is falling far short of that
standard--appears to be falling far short of that standard. In
fact, it seems to me the motto of data brokers is: ``We can,
and indeed we will.'' Full of optimism.
We heard from Ms. Dixon about the lists generated by data
brokers from genetic disease sufferers and dementia sufferers
to payday-loan responders, products that seem tailor-made for
businesses seeking to take advantage of consumers. I hate that.
I personally am revolted by that. I have seen it in the
treatment of coal miners and their safety. I have seen it in
every aspect of life in the state that I come from and
elsewhere, living abroad. I don't like it.
I think it is our job as a government to minimize that
possibility and to bring out into sunlight what is going on. If
Senator Booker doesn't know that this is happening to him--he
does now, and he doesn't like it. Senator McCaskill really
nailed something that could not be responded to.
And so we are going to continue on this track. I think it
is serious, and I think it is a dark underside of American life
on which people make a lot of money and cause a lot of people
to suffer even more and, therefore, have even lower self-
esteem, which is not the America we want.
This hearing is adjourned.
[Whereupon, at 4:30 p.m., the hearing was adjourned.]
A P P E N D I X
Response to Written Question Submitted by Hon. John D. Rockefeller IV
to Jessica Rich
Question. Ms. Rich, the Commission currently has authority under
the Fair Credit Reporting Act to seek enforcement actions against data
brokers that provide information that is used to make eligibility
decisions about consumers. Furthermore, the Commission has its broad
organic authority under the FTC Act to enforce against unfair or
deceptive acts or practices. However, the Commission lacks authority to
mandate the type of transparency that all of the hearing's witnesses
apparently agree is important for the industry. In this context, does
the FTC have authority to require data brokers to allow consumers to:
Access the information data brokers possess on them?
Correct any inaccuracies?
Affirmatively ``opt out'' and prevent the data broker from
selling their information?
Answer. Although the FTC has used its authority under the Fair
Credit Reporting Act (FCRA) and the FTC Act to take action against
unlawful practices by data brokers, the FTC does not have the authority
to impose the requirements you identify. The FTC has consistently
treated the Fair Credit Reporting Act (FCRA) as an enforcement
priority. It has brought almost 100 cases alleging violations of the
FCRA, obtaining in excess of $30 million in civil penalties. However,
as we explained in our March 2012 report Protecting Consumer Privacy in
an Era of Rapid Change: Recommendations for Businesses and Policymakers
(Privacy Report), the FCRA covers only some data broker activities. The
FCRA generally does not cover data brokers that maintain data for
marketing purposes and for other non-marketing purposes, such as to
locate people or detect fraud. Thus, consumers do not have, for all
data broker activities, the access, correction, or consumer control
rights the FCRA provides for data brokers engaged in certain
eligibility determinations.
In addition, the FTC has used its authority under the FTC Act to
address unfair or deceptive practices in the data broker industry. See,
e.g., United States v. ChoicePoint, Inc., No. 1:06-cv-00198 (N.D. Ga.
Feb. 15, 2006) (FTC alleged, among other things, that a data broker
engaged in unfair practices by failing to properly screen or monitor
purchasers of sensitive consumer data); In re U.S. Search, Inc., FTC
Docket No. C-4317 (Mar. 25, 2011) (FTC alleged that a data broker
deceived consumers by offering an opt out that was ineffective). Unless
they are implemented as remedies to a violation of the FTC Act,
however, we do not currently have the authority to require data brokers
to provide consumers with access or correction rights, or to allow
consumers to suppress or opt out of the sale or use of data held by
data brokers.
In recognition of these gaps, the agency recommended legislation,
in its March 2012 Privacy Report, that would offer the consumer rights
you have identified.
______
Response to Written Questions Submitted by Hon. Kelly Ayotte to
Jessica Rich
Question 1. Earlier this year, FTC Commissioner Julie Brill called
upon state AGs to take a more active role in investigating and holding
accountable data brokers for violations of the Fair Credit Reporting
Act. Can you talk about the role of state law enforcement officials in
this field? Does your agency work closely with your state law
enforcement counterparts on pursuing privacy and marketing complaints?
Answer. The FTC has consistently treated the Fair Credit Reporting
Act (FCRA) as an enforcement priority. It has brought almost 100 cases
alleging violations of the FCRA, obtaining in excess of $30 million in
civil penalties. State attorneys general (AG) also have a role to play
in enforcing the FCRA. Under section 621 of the FCRA, state AGs can
bring an FCRA enforcement action, so long as they provide the FTC and
the Consumer Financial Protection Bureau with advance notice; the FTC
has the right to intervene in such matters. This provision ensures that
states coordinate their FCRA enforcement efforts with the appropriate
Federal regulators. In addition, we work very closely with the states
to educate identity theft victims of their rights under the FCRA. Our
Tax Identity Theft Awareness week, involving multiple outreach events
across the country, is a good example of our collaborative efforts with
states to protect consumers in this area. See ftc.gov/taxidtheft.
Outside the FCRA, the FTC and state AGs cooperate often on privacy
and security and related marketing investigations. One notable example
is the action the FTC brought with 35 state AGs against LifeLock for
deceptive claims about the effectiveness of LifeLock's identity theft
services and its security measures. This 2010 action is one of the
largest FTC-state coordinated privacy-related settlements on record.
The FTC has also pursued several Do Not Call privacy cases with state
AGs serving as co-plaintiffs, including enforcement actions brought
against Dish Network, LLC, United States Benefits, LLC and Worldwide
Info Services, Inc. In addition, the FTC participates in monthly
telephone conferences with members of the National Association of
Attorneys General's Do Not Call working group. The FTC continues to
coordinate with state AGs on a variety of law enforcement
investigations involving privacy and security in order to avoid
duplication of efforts and ensure appropriate and responsible
allocation of enforcement resources.
Question 2. When we look at current Federal law governing data
brokers, we have Fair Credit Reporting Act, Gramm-Leach-Bliley, HIPAA,
Children's Online Privacy Protection Act, and Electronic Communications
Privacy Act. Plus there are 50 AGs policing behavior and activity. In
addition to that, we have brokers touting their aggressive self-
regulatory policies. Can you address specifically what more
legislation, mandates or regulations you think we need? Some have
argued that before we add more laws and/or regulations to the books, we
should enforce the ones we have.
Answer. While these statutes all provide important protections for
consumer data, they have limitations. Gramm-Leach-Bliley, for example,
applies only to financial institutions; HIPAA covers only medical
records maintained by specifically defined medical providers; the
Children's Online Privacy Protection Act does not cover data collection
or use for individuals age 13 and over; and the Electronic
Communications Privacy Act is focused on government access to
electronic data. Similarly, as we explained in our March 2012 report
Protecting Consumer Privacy in an Era of Rapid Change: Recommendations
for Businesses and Policymakers (Privacy Report), the Fair Credit
Reporting Act covers only some data broker activities. The FCRA
generally does not cover brokers that maintain data for marketing
purposes and for other non-marketing purposes, such as to locate people
or detect fraud.
The Commission agrees that self-regulation can be an effective way
to protect consumer interests while promoting innovation. The
Commission has long supported robust, enforceable self-regulatory
mechanisms established by industry to protect consumers. As we noted in
our Privacy Report, however, self-regulatory efforts by the data broker
industry have lagged. The Commission has monitored data brokers since
the 1990s. In 1997, the Commission held a workshop to examine database
services used to locate, identify, or verify the identity of
individuals, referred to at the time as ``individual reference
services.'' The workshop prompted industry members to form the self-
regulatory Individual Reference Services Group (IRSG). The Commission
subsequently issued a report on the workshop and the IRSG in which it
commended the progress made by the industry's self-regulatory programs,
but noted that the industry's efforts did not adequately address the
lack of transparency of data broker practices. Although industry
ultimately terminated the IRSG, a series of public breaches--including
one involving ChoicePoint--led to renewed scrutiny of the practices of
data brokers. The Privacy Report noted that the industry has continued
to operate since then with a lack of transparency. To address this
concern, the Privacy Report expressed support for legislation that
would give consumers access to information held by data brokers.
______
Response to Written Question Submitted by Hon. Amy Klobuchar to
Jerry Cerasale
Question. Most consumers would like to believe that any of their
personal information held by companies is private, secure, and
accurate. However, with rapidly changing marketing strategies and
technology platforms, consumers are no longer sure that this is the
case.
Mr. Cerasale: How do your members, both large and small marketers,
work to promote consumer trust in your services? How can a lack of
consumer trust in private data storage and use policies impact the
broader economy?
Answer. Consumer trust forms the bedrock of the Data-Driven
Marketing Economy--and the American economy as a whole. Consumer trust
is critical to a company's success, regardless of the size of the
business. This is especially true for remote sellers that rely on
customers to purchase goods sight unseen. Businesses have every
incentive to protect and promote consumer trust in the goods and
services they deliver.
While businesses are already incentivized to promote consumer
trust, DMA supports this incentive with a robust ethics and compliance
program that calls on its members to adhere to its Guidelines on
Ethical Business Practice. For more than four decades, DMA has
administered its Guidelines and promoted accountability for its
members, setting a high bar for responsible marketing. The DMA Ethics
Policy and Ethics Operating Committees develop, update and enforce
DMA's Guidelines as part of DMA's public trust with regulators and
consumers. The accountability program is flexible enough to address
ongoing changes in technology, markets, consumer interest and new
business practices.
Data security is a prime example of DMA's commitment to maintaining
consumer trust, having long served as a core principle of the DMA's
Guidelines. Like many elements in the Guidelines, the DMA's data
security standards have remained far from static. In January 2014, the
DMA approved updated Business Ethical Guidelines on data security,
calling on every data-driven marketer to take proactive measures to
further enhance data security across the data-driven marketing
industry.
In addition to data security, DMA members are committed to offering
consumers choice, and to using marketing data for marketing purposes,
not for eligibility such as employment and financial transactions.
These and other consumer-friendly practices help build and maintain
trust in the data-driven marketplace.
When it comes to assessing whether businesses have gained
consumers' trust and confidence, the proof is in the numbers. Remote
selling, including through ecommerce, is a fast growing segment of our
economy. More broadly, the data-driven marketing economy (``DDME'')
added $156 billion in revenue to the U.S. economy and fueled more than
675,000 jobs in 2012 alone.
$110 billion and 46,000 jobs depend on the ability of firms to
exchange data across the DDME.\1\ Indeed, responsible use of data by
marketers has revolutionized one of the most costly aspects of doing
business in any industry. As businesses of all sizes innovate to
deliver more efficient, convenient, and secure marketing and
transactional solutions, consumers are responding with a vote of
confidence with their feet and with their pocketbooks.
---------------------------------------------------------------------------
\1\ Deighton and Johnson, The Value of Data: Consequences for
Insight, Innovation & Efficiency in the U.S. Economy (2013), available
at http://ddminstitute.thedma.org/#valueofdata
---------------------------------------------------------------------------
______
Response to Written Questions Submitted by Hon. Kelly Ayotte to
Jerry Cerasale
Question 1. Do self-regulatory programs, such as the DMA's
Guidelines for Ethical Business Practice, and other industry codes of
conduct based on these and other guidelines, promote responsible use
and sharing of data in the marketplace? How widespread is adoption of
these programs in the marketing industry? How do governing
organizations enforce the rules of these programs against bad actors?
Answer. Yes. Self-regulatory programs, like the one administered by
the DMA, not only promote, but also require companies to engage in the
responsible use and sharing of data in the data driven marketing
economy (``DDME''). The DMA believes that self-regulation and education
are important components for addressing consumer privacy while ensuring
that data flows continue to benefit consumers and the economy.
DMA Reach & Scope. The DMA has established an enforceable framework
of industry best practices that focus on providing transparency,
choice, and other protections to consumers. At the foundation of this
framework are the DMA Guidelines for Ethical Business Practice (``DMA
Guidelines''), which have been adopted by all DMA members, representing
every segment of the marketing industry. In addition, the DMA enforces
its guidelines against both members and non-members covering thousands
of companies, making the DMA Guidelines the standard for the industry.
DMA members deeply value consumer trust and understand that
responsible data practices are critical to building and maintaining
customer relationships. To that end, the DMA and its members have
developed and implemented more than 50 code sections in the DMA
Guidelines that regulate marketing data practices, which are regularly
updated to adapt to new technologies and business practices. The DMA
Guidelines address a wide variety of marketing practices including the
conduct of data brokers, sweepstakes, mobile marketing, internet-based
marketing, and texting.
Enforcement. The DMA has a long history of enforcing these
guidelines. The DMA Guidelines have been applied to hundreds of cases
concerning a wide range of issues including deception, unfair business
practices and personal information protection. In addition, companies
that represent to the public that they are DMA members, but fail to
comply with the DMA Guidelines, may be liable for deceptive advertising
under Section 5 of the FTC Act and comparable state laws.
Compliance Process. The DMA receives complaints from consumers,
members, nonmembers, and consumer protection agencies. These complaints
are reviewed by the DMA's Ethics Operating Committee and if a potential
violation is found to exist, the company will be contacted,
investigated, and advised on how it can cure the violation. Most
companies work with the Ethics Operating Committee voluntarily to cease
or change the questioned practice. However, if a company does not
cooperate with the Ethics Operating Committee, action can be taken by
the Board of Directors and the results of the investigation may be made
public. For example, from February 2012 to June 2013, the DMA Corporate
& Social Responsibility Committee reviewed 55 cases and 12 of these
were made public.\1\ Additional Board actions could include public
censure, suspension or expulsion from the DMA. The DMA also refers
cases to Federal and state law enforcement authorities for review when
appropriate.
---------------------------------------------------------------------------
\1\ Direct Marketing Association, DMA Annual Ethics Compliance
Report 2012-2013 (2013), available at http://thedma.org/compliance/.
---------------------------------------------------------------------------
Education. Beyond enforcement of the DMA Guidelines, the DMA also
provides education to both businesses and consumers about responsible
data collection and use. Through the regular publishing of case reports
that summarize questioned marketing promotions, webinars, in-person
seminars, and regular communication with its members, the DMA helps to
promote best practices in the industry. This communication and
education is a great benefit to small businesses as they begin to
market their products and services to consumers. The DMA also maintains
a section of our website focused on consumers entitled ``Consumer
Help,'' and offers consumers a centralized tool to help manage their
direct mail and e-mail preferences at DMAChoice.org.
Question 2. In large part, New Hampshire's economy depends on small
businesses and start-up companies. My husband is the owner of a small
business. Does the use and sharing of data across all sectors of the
economy help or hurt the ability of small businesses to compete with
larger entities in the marketplace? Does the use and sharing of data
increase or decrease barriers to entry in the marketplace? How do these
trends impact job creation?
Answer. Small businesses benefit significantly from the use and
sharing of data. A recent study entitled, The Value of Data:
Consequences for Insight, Innovation & Efficiency in the U.S. Economy
(``Value of Data''), quantified the important role that the use and
sharing of data plays in fueling economic growth.\2\ This study, which
was conducted independently by Professors John Deighton of Harvard
Business School and Peter Johnson of Columbia University, revealed that
the Data Driven Marketing Economy (``DDME'') was a major asset to small
businesses and start-ups.
---------------------------------------------------------------------------
\2\ Deighton and Johnson, The Value of Data: Consequences for
Insight, Innovation & Efficiency in the U.S. Economy (2013), available
at http://ddminstitute.thedma.org/#valueofdata (hereinafter ``The Value
of Data'').
---------------------------------------------------------------------------
The Value of Data study found that the sharing of data across the
DDME enables small businesses to compete effectively with larger
competitors. Data gives all companies, and especially small businesses,
the ability to effectively match products to customers both on and
offline, lowering barriers to market entry for specialized or niche
offerings. Thanks to the responsible use and sharing of data across the
economy, small businesses have access to data they would not otherwise
have available to them, enabling them to more efficiently and
effectively market their products and better compete in the
marketplace. Data sharing also allows small businesses to incrementally
build their customer base, and grow their product in ways never before
available to companies of their size.
The Value of Data study also found that the DDME generated $156
billion in revenue to the United States economy and fueled more than
675,000 jobs in 2012 alone. Further, the study found that an additional
1,038,000 people owe their employment to these DDME jobs.\3\ The study
also found that in New Hampshire, the DDME was responsible for $1
billion in revenue and 3,000 jobs in the state's economy.\4\ The study
estimated that 70 percent of the value of the DDME--$110 billion in
revenue and 475,000 jobs nationwide--depends on the ability of firms to
share data across the DDME. If this ability to share data were
curtailed, those jobs and revenue would be impacted and the U.S.
economy would be much less efficient.
---------------------------------------------------------------------------
\3\ The Value of Data at 74.
\4\ The Value of Data at 96-98.
---------------------------------------------------------------------------