May 29, 2014 – The Federal Trade Commission (FTC) released a report May 27 in which it asks Congress to consider legislation that would require data brokers to provide consumers with access to their data and give them the ability to opt out of having that information shared. These legislative recommendations “would begin to build meaningful levels of transparency, access and control into the data broker industry,” FTC Commissioner Julie Brill said in a statement.
“Consumer privacy certainly is a hot-button issue in this digital age,” said Coalition for Healthcare Communication Executive Director John Kamp. “This report is a shot fired across the bow by FTC, so the pharmaceuticals industry and marketers need to pay more attention to these data-related issues.”
The FTC report, “Data Brokers: A Call for Transparency and Accountability” (FTCdatabrokerreport) is the result of a study of nine data brokers. Although consumers benefit from data broker practices that can help them find the products and services they prefer, these practices – which include consumer profiling – also raise privacy concerns. “It’s time to bring transparency and accountability to bear on this industry on behalf of consumers, many of whom are unaware that data brokers even exist,” according to FTC Chairwoman Edith Ramirez.
The FTC expresses specific concerns about protecting sensitive information, such as health information, from adverse decision making. For example, the FTC is concerned that if a consumer has expressed interest in a certain disease state, such as diabetes, the consumer may not be considered for a job.
“Although this is not an unreasonable concern,” Kamp said, “there is no evidence that this adverse decision making is actually happening. It would be unfortunate to create a law that solves a problem that doesn’t exist.”
In its report, the FTC makes the following recommendations to Congress.
For data brokers that provide marketing products, Congress should consider these goals:
- Centralized Portal. Require the creation of a centralized mechanism, such as an Internet portal, where data brokers can identify themselves, describe their information collection and use practices, and provide links to access tools and opt-outs;
- Access. Require data brokers to give consumers access to their data, including any sensitive data, at a reasonable level of detail;
- Opt-Outs. Require opt-out tools, that is, a way for consumers to suppress the use of their data;
- Inferences. Require data brokers to tell consumers that they derive certain inferences from raw data;
- Data Sources. Require data brokers to disclose the names and/or categories of their data sources, to enable consumers to correct wrong information with an original source;
- Notice and Choice. Require consumer-facing entities – such as retailers – to provide prominent notice to consumers when they share information with data brokers, along with the ability to opt-out of such sharing; and
- Sensitive Data. Further protect sensitive information, including health information, by requiring retailers and other consumer-facing entities to obtain affirmative express consent from consumers before such information is collected and shared with data brokers.
For brokers that provide “risk mitigation” products, legislation should:
- When a company uses a data broker’s risk mitigation product to limit a consumer’s ability to complete a transaction, require the consumer-facing company to tell consumers which data broker’s information the company relied on; and
- Require the data broker to allow consumer access to the information used and the ability to correct it, as appropriate.
For brokers that provide “people search” products, legislation should:
- Require data brokers to allow consumers to access their own information, opt-out of having the information included in a people search product, disclose the original sources of the information so consumers can correct it, and disclose any limitations of an opt-out feature.