Privacy Legislation: Data Brokers Regulatory Authority
With regard to privacy legislation, Congress needs to ask itself the question posed by the philosopher Hillel: "and if not now, when?"
Every year multiple privacy bills are introduced in Congress and every year multiple privacy bills never leave committee. The members of Congress tout the importance of online privacy for Americans, but fail to put words into action. This time it may be different and the regulatory structure established is critical to protecting personal data. One key item is ensuring data brokers are captured by this legislation and given the oversight that is desperately needed.
In 2000, the Federal Trade Commission ("FTC") issued its third "Privacy Online: Fair Information Practices in the Electronic Marketplace" report examining the state of online privacy and the efficacy of industry self-regulation.1 The FTC identified growing consumer concerns regarding their privacy online and the limited success of industry certification efforts. As a result, the FTC urged Congress to enact legislation that would ensure adequate protection of consumers' privacy online, while also acknowledging industry self-regulation should play an important role. Congress failed to pass legislation providing comprehensive privacy protections.
In 2014, the FTC released a report highlighting growing concerns around data brokers. Data brokers collect information about consumers from public and non-public sources and sell that information to businesses. The information may be sought for harmless purposes such as targeting dog-lovers for a new product or for harmful purposes such as compiling a list of alcoholics.2 While data brokers operate legally, this is largely because they have no direct contact or relationship with the consumer. The FTC raised concerns about these brokers’ ability to collect information from a growing number of sources, analyze it through new and emerging algorithms and models, and store information indefinitely due to the falling cost of storage. The FTC urged Congress to enact legislation to ensure adequate protection of consumer privacy online and Congress failed to pass any comprehensive privacy protection.
Americans' concerns over their privacy have grown as more commerce and activity shifts to online platforms. According to Pew Research Center, over 81% of Americans feel they have little or no control over the data collected by companies and 79% are very or somewhat concerned about how businesses are using their data.3 These sentiments are valid given that customer personally identifiable information is compromised in 44% of all data breaches.
There seems to be real momentum behind Congress to finally pass a privacy act that provides comprehensive protections after multiple high-profile data breaches and the Schrems II invalidation of the EU-US Privacy Shield. Therefore, it is an opportune moment to survey and recommend a regulatory structure for data broker oversight. While some may want the abolition of the data brokerage industry altogether, that idea is impractical and overlooks the market efficiency benefits data brokers provide. However, given that sensitive data is collected and the information can reveal a detailed profile on an individual, regulation and oversight would help curtail bad actors.
The personal data markets operate similarly to the financial markets in that there are primary markets (the collection of data from consumers), secondary markets (the selling and exchanging of data), and broker-dealers (data brokers). Today's data industry parallels the pre-Great Depression-era financial markets where market actors were subject to little or no regulation. After the collapse of the financial markets and as a part of the New Deal era legislation, Congress passed the Securities Act of 1933 and Securities Exchange Act of 1934. While these acts regulated the offering and trading of securities on the primary and secondary markets, over-the-counter exchanges between dealers were unregulated. The Maloney Act of 1938 amended the Exchange Act, authorizing the National Association of Securities Dealers ("NASD") to impose and enforce regulations on broker-dealer conduct. Although NASD was a voluntary Self-Regulatory Organization ("SRO"), it was still under the Securities and Exchange Commission's oversight. Today, NASD is called the Financial Industry Regulatory Authority ("FINRA"), which issues licensing exams; creates, interprets, and enforces rules; and adjudicates disputes. Firms and individuals that wish to conduct business with the public must be certified as members of FINRA.
Comprehensive data privacy legislation will have a similar effect as the Securities Act and Exchange Act in that it will regulate the face of the industry. Data protection legislation will address how data is collected, notices required, and consumer rights with regard to their information. Also, the legislation will address how firms that directly collect information from consumers handle that data and limitations on selling or sharing. However, similar to the financial markets, the data brokers operate in a way that could largely circumvent these requirements. Congress should mandate an SRO similar to FINRA that is overseen by the FTC. The SRO should require licensing exams for individuals handling data at member data brokerage firms and should help streamline education and training in industry best practices. The SRO should be able to implement, interpret, and enforce rules to adapt quickly to the fast-paced nature of the technology industry. Most importantly, the SRO should have an adjudication arm that allows businesses and consumers to bring claims against data brokers for improper actions.
Given Congress's history with privacy legislation, this may be the one opportunity. An SRO for data brokers would ensure a regulatory body is established to protect consumers, establish market standards, and provide needed oversight. Learning from other industries is crucial to avoid similar mistakes and, luckily for the personal data markets, the financial markets serve as a glaring example.
1 Federal Trade Commission, Privacy Online: Fair Information Practices in the Electronic Marketplace: A Report to Congress (May 2000)
2 Testimony of Pam Dixon, Executive Director, World Privacy Forum (Dec. 18, 2013)
3 Pew Research Center, Americans and Privacy: Concerned, Confused and Feeling Lack of Control Over Their Personal Information (Nov 15, 2019)