FTC Calls For Legislative Oversight of Data Brokers

Posted by Richard H. Levey

The Federal Trade Commission has issued a report recommending, in part, that data brokers offer consumers greater transparency into, and control over, data collected and stored. While the commission's suggestions are not likely to be passed into law anytime soon, the marketing community will monitor the reception the recommendations receive on Capitol Hill and at large.

Within the report, the FTC reaffirms its support of legislation which would give access rights to consumers to information held by data brokers. It also suggests the data broker industry explore creating a centralized web site where firms that compile and sell data for marketing could identify themselves, describe how they collect consumer data, and disclose the types of firms to which they sell data.

The proposed site would also detail the access rights and other choices such firms offer consumers, and provide links to their own sites where consumers could exercise these options.

The FTC paper cites several "data breaches and vulnerabilities related to consumer information", as well as planned data uses that were announced but did not occur because of consumer backlash, as justification for its suggestions.

According to the FTC, "companies that do not intend to undermine consumer privacy simply lack sufficiently clear standards to operate and innovate while respecting the expectations of consumers" and "companies that do seek to cut corners on consumer privacy do not have adequate legal incentives to curtail such behavior."

Linda A. Woolley, the Direct Marketing Association's executive VP of Washington operations, feels the suggestions cover too wide a swath of data practices. "I defy the FTC to show me where the harm is," she says. "It is a perception of harm, a perception of intrusion. We are talking about data used for marketing purposes – not data used for whether you should get insurance, or a loan, or employment."

Woolley acknowledges the need for data security, such as file encryption and segregation, in data shepherding. "DMA actively supports national security legislation," she says. "But that is different from privacy legislation, and from the data broker things the FTC is talking about."

She raises the issue of both the cost and the authentication concerns of consumers reviewing information within data brokerages. Systems would need to be created that would ensure consumers can review only their own data, as opposed to anyone else's. Without these, the review mechanism could potentially create just the sort of data breaches it seeks to curtail.

Other concerns stem from the potentially broad definition of "data broker" – which could greatly expand the number of companies covered by the FTC's suggestions.

"This framework doesn't define them," says Don Hinman, senior VP at Epsilon Targeting. Consider companies that process data for supermarket loyalty programs. They could, potentially, be considered data brokers, Hinman suggests.

Hinman does support strengthening the principles of privacy, and providing information about what data is out in the marketing arena, how it is used, and providing consumers with choices, most often in the form of the ability to opt out.

He's also comfortable with the idea of a centralized web site that would inform consumers regarding who the data collectors are, what data they have and how they use it. "Consumers should know what is out there and how it is being used," Hinman says. "The question is at what point, if you try to raise the standards of consumer privacy protection, at what point do you install Big Brother as a watchdog over these practices?"

One area in which Hinman clearly disagrees with the report concerns a passage from comments submitted by the World Privacy Forum, which claims "the fact that many self-regulatory initiatives that arose in response to the Commission's 2000 recommendation for privacy legislation were short-lived and failed to provide long-term privacy protections for consumers".

Not so, says Hinman, who chaired the DMA's Committee on Ethical Business Practice in 2007 and 2008. "It is easy to throw out a statement like that without backing it up." Through the committee, he adds, the DMA has maintained a strong effort in monitoring ethical business. And in February the DMA, as part of the Digital Advertising Alliance, was commended by the White House for its self-regulatory efforts.

The report itself doesn't represent an immediate threat to marketing practices, according to Hinman. Overall, he sees the report as the launching point for a dialog between marketers, consumers, the FTC and Congress regarding what might improve.

"And that takes time," he adds.

Not that the industry will be content to wait for the conclusion of that dialog. The DMA's messaging will change to reflect the importance of data collection and use, Woolley says. "We have been shy about talking about how many beneficial uses of data there are, and how many things consumers take for granted based on data," she adds.

The FTC report acknowledges that data practices differ based on industry use. Mortgage companies maintain data for the life of the mortgage, and auto dealers keep information for years to manage service records and inform customers of new offers.

"We're pleased that [the report] reflects recognition of context, and that different businesses can apply [data] differently," says Jennifer Barrett Glasgow, chief privacy officer at Acxiom, adding that its tenets are preferable to those within a proposal from the European Union which relies heavily on a consumer opt-in model.

Barrett Glasgow is concerned about how far calls for making data anonymous will go. IP addresses, she points out, have at times been considered personally identifiable. But there are methods of anonymizing them, such as hashing or encoding, so they can be used for non-personalized marketing purposes. If these methods are used, marketers should publicly commit to not re-identifying the data once it has been disguised.

The FTC's suggestions are part of a larger framework of privacy suggestions, which include:

* Continued support and development of do-not-track education efforts and mechanisms for consumers, including those created by the Digital Advertising Alliance and the World Wide Web Consortium

* Improved privacy protections from mobile service providers

* An increased focus on privacy concerns raised by Internet service providers, operating systems, browsers and social media firms

* Promotion of enforceable self-regulatory codes, in conjunction with efforts by the Department of Commerce

The FTC's report is a counterpart to several large-scale privacy bills currently being considered in Congress, including the Commercial Privacy Bill of Rights Act of 2011 (S. 799), Building Effective Strategies to Promote Responsibility Accountability, Choice, Transparency, Innovation Consumer Expectations and Safeguards Act (H.R. 611) and the Consumer Privacy Protection Act of 2011 (H.R. 1528).

There's a wide gap between legislation being introduced and legislation being passed, however: Given the looming November elections, the likelihood of any substantial legislation being enacted is low.

That said, the data industry shouldn't act as if it has been given a reprieve. "We have been saying that it is time for the U.S. business community [to act regarding] what should be in legislation," says Acxiom's Barrett Glasgow. "Eventually we will regulate marketing to a better degree than we are today. I want to be sure that it is not reactive legislation from an incident, but rather something well thought out and modeled after industry self-regulation."
