In the spring, a small company no one has ever heard of lost the information of millions of Americans. Exactis leaked people’s contact information—along with whether they believe you are a smoker or drinker, and even the interests and habits of children—onto the public internet. This summer, another company gleefully bragged about sitting on “oceans of data” that could predict health care costs based on whether you purchase plus-size clothing and your television-viewing habits. These data brokers—companies that collect and sell or license the personal data of individuals with whom they have no business relationship—claim to be in the marketing business, but the implications of all this data have raised alarm bells for years and have serious security and safety implications.
New privacy laws in California, Europe, and elsewhere across the globe have restarted momentum around a national privacy law in Congress. As part of that, on Wednesday, the Senate Commerce Committee will hold a hearing called “Examining Safeguards for Consumer Data Privacy,” where representatives from Amazon, Apple, AT&T, Charter Communications, Google, and Twitter will discuss their data practices. But the hearing, like the national conversation, will pay too much attention to the online data practices of big technology companies that people are already aware of. No one from a data broker will be at the hearing—which is no surprise, given these companies’ ability to stay under the radar. (It’s also notable that there won’t be a consumer-privacy advocate testifying.)
That low profile has helped them escape much regulation. In 2014, the Federal Trade Commission suggested reforms that focused on shining more light on data-broker practices, which included services involved with marketing, risk mitigation, and “people search” (like those sites that seem to have everyone’s addresses on them). The FTC recommended giving people some degree of access to data and insight into how it might be used. One proposal was the creation of a one-stop shop that would help individuals learn more about these companies—particularly whether a data broker even offered ways for people to opt out of having their data brokered.
The data-broker industry’s response was dismissive. There was no evidence their activities were harmful, companies argued. Offering up this sort of information for sale can be used, according to industry representatives, “to locate missing family members, witnesses in criminal and civil matters, parents who are delinquent in child support payments, and owners of recalled automobiles.” Maybe the many companies that aggregate our information and profile us have convinced themselves they’re offering a public service, but we can’t overlook the dangers.
Rampant, unchecked data collection has costs. Often, those costs are borne by the most vulnerable among us. Buying and selling data facilitates everything from government surveillance to financial exploitation. Five years ago, the same Senate Commerce Committee issued a detailed report highlighting how data brokers identified financially vulnerable populations in categories like “Rural and Barely Making It” or “Ethnic Second-City Strugglers.” Lists of sexual assault survivors were being packaged and sold. The committee warned that data brokers “operate behind a veil of secrecy,” a situation that a follow-up report from the World Privacy Forum cautioned “hides racism, denies due process, [and] undermines privacy rights.”
The Equifax data breach was just a year ago. The sensitive information of hundreds of millions of Americans was lost at the hands of a data broker whose entire business purpose is to hoard and secure information. For a multibillion-dollar company, Equifax’s response reflected a fundamental disregard for basic information security, offering up public-facing websites that were insecure and tweeting out fake help websites. But even as privacy debates rage, Congress has yet to respond in any meaningful fashion. While Congress holds hearing, states have stepped in. For instance, California’s new privacy law permits individuals to opt out from any company selling their data has received the most attention. And in May, Vermont enacted H 764, the first law in the country to regulate data brokers. The law will require data brokers to provide more information about what they collect; put in place reasonable security procedures; avoid using data for stalking, committing fraud, or engaging in illegal discrimination; and, importantly, register with the Vermont secretary of state in order to create a centralized database for the public to see broker-contact information, purchaser credentialing, recent security breaches, and any options to opt out of data collection—all recommendations the FTC made in 2014.
What was industry’s response this time? Vermont’s modest privacy law was unconstitutional, according to the Software & Information Industry Association.
This claim relies on a maximalist view of a 2011 Supreme Court decision. In Sorrell v. IMS Health, the court struck down an earlier Vermont law that restricted the sale of medical-prescription information for marketing purposes. The Supreme Court held that Vermont had discriminated against “speech with a particular content” and “specific speakers, namely pharmaceutical manufacturers” in violation of the First Amendment. Any law that burdens an entity’s ability to use data or information that it has lawfully acquired will face some level of scrutiny under the First Amendment, but that doesn’t mean it’s unconstitutional. In fact, the Supreme Court acknowledged that privacy was “integral to the person” and “essential to freedom.” The issue was that Vermont hadn’t actually identified how its law advanced anyone’s privacy interests or how it was narrowly tailored to achieve this.
This may explain why critics have been so quick to argue that a public registry of data brokers serves “no apparent reason or discernible public purpose.” But a data-broker registry serves an obvious purpose: It brings into the sunlight companies that are operating in darkness and secrecy. Vermont’s law acknowledges the basic fact that few individuals are “aware that data brokers exist, who the companies are, or what information they collect, and may not be aware of available recourse.” This is absolutely true. After the Equifax breach, people understandably confused the company with Experian. Exactis, which had the major breach earlier this year, is a 10-person outfit, based in Florida. Big data brokers like BlueKai and Datalogix have been wrapped into the Oracle Data Cloud.
Vermont doesn’t intend to shut down any of the buying and selling of data by these companies, but it does have a compelling interest to require disclosures to protect people from the abusive use of their data. Unchecked and unpoliced data sales invade people’s privacy and lead to real harms. And the very nature of the data-broker industry requires a centralized information point. Absent the sort of one-stop shop proposed by the FTC—soon to be available to Vermonters—there is no way for any single individual to escape from, let alone learn about, these companies. Sure, you can pay for services that offer to opt you out of different “people search” services or monitor inaccuracies in the information being scraped and sold by these companies, but these are costly half measures. Individuals can only exercise their privacy rights against data brokers if they know they exist.
Amazon, Apple, AT&T, Charter Communications, Google, and Twitter can be rightly criticized for their privacy practices, but at least they seem to be coming around to the fact that we need new privacy rules. Charter, for instance, has called on Congress to pass a national privacy law, while Apple says it views privacy as a “fundamental human right.” Meanwhile, data brokers speak of “ethically sourced” data and “enhanced transparency“ through self-regulation. The reality is that while many companies now collect a whole lot of our information, there’s really only one industry that doesn’t want us to know much about it in exchange. Data brokers may know everything about you—but they still don’t want you to know about them.
