The Federal Trade Commission, in a report (PDF) published on Tuesday, describes the industry of data collection as pervasive, mysterious, and vulnerable to errors and breaches. Data brokers have collected a breathtaking amount of information about people, which they use to sell other businesses a variety of products related to marketing, fraud detection, and other services. The FTC is pushing Congress for legislation that would make it easier for people to find out what data brokers know and to get them to fix any errors—but doesn’t suggest slowing down the collection or use of this kind of data.
The report is based on data collected from nine companies: Acxiom (ACXM), CoreLogic (CLGX), Datalogix, EBureau, ID Analytics, Intelius, PeekYou, Rapleaf, and Recorded Future. These data brokers were compelled to share information with the commission in December 2012. According to the FTC, the companies have done a great job of finding data to crunch. One has information on 1.4 billion consumer transactions; another adds 3 billion new records to its databases each month. While the report doesn’t address credit scores, the framework of the debate is much the same.
There’s nothing illegal happening here, and the FTC says customers benefit from better marketing and services because of it. But the commission also says the same data that identify a motorcycle enthusiast could both get him a discount on a biking magazine and make it easier to charge him more for car insurance. What really worries the FTC is the impossibly opaque way the data are collected and managed, which it describes as a game of telephone that would be virtually impossible for anyone to trace backward:
“The nine data brokers studied obtain most of their data from other data brokers rather than directly from an original source. Some of those data brokers may in turn have obtained the information from other data brokers. Seven of the nine data brokers in the commission’s study provide data to each other. Accordingly, it would be virtually impossible for a consumer to determine how a data broker obtained his or her data; the consumer would have to retrace the path of data through a series of data brokers.”
This is where the FTC thinks the government should get involved. It suggests a law that would mandate the creation of a centralized portal where data brokers explain themselves, disclose their sources, and give people the opportunity to opt out. For more sensitive information, such as medical data, retailers and other businesses that collect such data would have to get customers to explicitly agree before they shared it with data brokers.
Much of what’s on the FTC’s list is already included in a bill introduced by Senator Jay Rockefeller (D-W.Va.) in February. The bill—which doesn’t give specific protections for different kinds of data—has been referred to committee, as has a related bill in the House of Representatives. Both the commission and Rockefeller are focused specifically on data brokers and not on consumer-facing Internet companies whose businesses are also based on gathering data and analyzing it for marketing purposes.
The commission also hints at the appeal of some variation of the so-called right to be forgotten. It says brokers don’t make a convincing case for why they should hold on to information in perpetuity. “Although stored data may be useful for business purposes, the risk of keeping the data may outweigh the benefits,” the FTC writes. “For example, identity thieves and other unscrupulous actors may be attracted to the collection of consumer profiles that would give them a clear picture of consumers’ habits over time, thereby enabling them to predict passwords, challenge questions, or other authentication credentials.” But the commission stops short in its legislative proposals of including any requirement to cull databases over time.
The Direct Marketing Association, a trade group whose members include four of the nine companies mentioned in the report (Acxiom, Rapleaf, Corelogic, and Datalogix), greeted the report with an emphatic “So what?” “One interesting thing about this report is that after thousands of pages of documentation submitted over the two years of thorough inquiry by the FTC, the report finds no actual harm to consumers and only suggests potential misuses that do not occur,” Peggy Hudson, the group’s senior vice president for government affairs, said in a statement.
The DMA opposes Rockefeller’s bill and says that providing customers with the ability to access and correct marketing information would end up hurting them by discouraging the use of data-heavy tactics. In a statement in February, the group called its industry “the brightest beacon of American innovation,” and the “the engine of the U.S. economic and employment growth.” It says data-driven marketing added $156 million in revenue to the U.S. economy in 2012.