Transparency as a First Step to Regulating Data Brokers

By: Dillon Kraus

January 6, 2020

Over the past few years a number of legislative bodies have turned their focus to ‘data brokers.’ Data brokers hold huge amounts of data, both personally identifiable and otherwise, but attempts at data regulation have failed to bring them sufficiently out of the shadows. A few recent regulations, however, aim to increase transparency in this secretive industry. While transparency alone will not fully address concerns surrounding the data brokerage industry without additional actionable consumer rights, it is an important and necessary first step.

These bills present a new course for legislatures interested in protecting consumer privacy. The primary effect of these measures is to heighten transparency. The data brokerage industry lacks transparency because these companies do not have direct relationships with the consumers whose data they buy, package, analyze, and resell, and there is no opportunity for the consumer to opt out, correct, or even know of the data that is being sold. For companies regulated by the Fair Credit Reporting Act, such as traditional credit bureaus, customers have the right to request their personal data and request corrections if anything is wrong. But most collectors of data are not covered by the FCRA, and in those instances consumers often agree to click-wrapped Terms of Service provisions that include buried provisions allowing the collecting company to resell their data. Customers are left unaware that they have signed up to have their data sold, and with no assurances that that data is accurate.

Concerns with data brokers center on brokers’ relative opacity and the lack of public scrutiny over their activities. They control data from consumers with which they have no relationship, and in turn, consumers do not know which data brokers may have their data, or what they are doing with it. Standard Terms of Service contracts allow the original data collector to sell collected data to third parties, and allow those buyers to sell the data in turn, which creates a rapid cascade in which consumers, agreeing to the terms of service of one company, have allowed their personal data to proliferate to numerous companies of whose existence they may not even be aware. Proposed legislation would increase consumers’ access to information about how their data is being used, shining a light on the data brokerage industry and enabling consumers to limit the unfettered sharing of their data.

The first act affecting data brokers was “An act relating to data brokers and consumer protection” from Vermont in May of 2018 (“H.764”). The law has five main functions: it defines “data broker” as “in the business of aggregating and selling data about consumers with whom the business does not have a direct relationship”; it requires data brokers to register with the Vermont Secretary of State annually and disclose certain information; it requires data brokers to have adequate security standards; it prohibits the acquisition of personal information fraudulently or with the intent to commit wrongful acts; and it makes efforts to remove financial barriers to protect consumer credit information. Required disclosures include whether consumers are able to opt out of data collection, whether they restrict who can buy their data, and whether the company has had any data breaches within the past year.

While the act provides consumers with useful information, it does not provide them with a way to act on that information. Missing from the act is a mandate to allow users to opt out of data collection, a way to access or review what data is collected and sold about them, or a way to know how their data was obtained and who’s buying it. Express violations of the law can only be enforced by the Vermont Attorney General. On one hand, this undermines the goals of enabling users’ greater control over their personal data. On the other, the Attorney General’s office may be the most natural entity to bring a lawsuit. The Attorney General’s greater access to information and resources may be important to bring suit when harms are difficult to trace or are spread across many parties.

Another aspect of H.764 is the prohibition against acquiring data through fraudulent means. In March, 2020, the Vermont Attorney General brought the first action enforcing this provision against Clearview AI, which had previously come under public scrutiny due to reporting from the New York Times. Clearview used “screen scraping” to compile a massive database of photographs, and then used facial recognition software to create a commercial facial identification service. The complaint alleges that Clearview acquired the images in its database fraudulently through its screen-scraping technology. These claims are being brought alongside claims under Vermont’s Unfair Acts and Practices law.

Following Vermont, California passed Assembly Bill No. 1202 in October of 2019 (“AB 1202”), which similarly defines “data brokers” as companies “in the business of aggregating and selling data about consumers with whom the business does not have a direct relationship.” AB 1202 requires data brokers to file an online registration. It works in conjunction with the California Consumer Privacy Act (CCPA), which creates consumer rights such as the right to opt out of the sale of their personal data and the right to be forgotten. Alongside these active rights, the publication of data broker lists becomes useful to consumers looking to prevent the spread of their personal data, by elucidating which companies might hold their data, and enabling consumers to then reach out and exercise their rights. Perhaps because of the corresponding restrictions of the CCPA, AB 1202 excludes from its definition of data brokers companies that are covered by the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, and the Insurance Information and Privacy Protection Act. AB 1202 also incorporates the CCPA’s definition of “business,” meaning companies must satisfy the CCPA’s thresholds (such as having gross annual revenue in excess of $25 million; possessing the personal information of 50,000 or more consumers, households, or devices; or earning more than half their annual revenue from selling consumers’ personal information) to fall under AB 1202.

Because these regulations do not cover companies that collect data directly from consumers, they cover a more niche group of companies than those covered by general privacy laws like the CCPA. As of this writing, there are 278 companies included in Vermont’s database, many of which are not public-facing. The list includes consumer data- and credit-reporting companies such as Equifax and Experian; people-search engines like Spokeo and ZoomInfo; advertising and marketing companies like Acxiom and Oracle; and companies that specialize in “risk mitigation” tasks such as background checks and other identity verification services. These companies buy data, or scrape it from publicly available sources, and sell the resulting analysis.

This analysis entails creating “audience segments” (or “user segments,” or simply “audiences”) that can be used to target consumers for ads, predict their eligibility for a job or a loan, or rate the riskiness of their lifestyle. These analytics can be purchased by other companies, government agencies, or even individuals—including, unfortunately, stalkers or harassers. Data brokers’ access to user data isn’t akin to viewing a Facebook profile, however. Advertising technology platforms, for example, are generally less interested in user names and addresses and more interested in web and purchase history. These profiles are often part of large data aggregates, and are composed of a series of overlapping data points that allows a company to draw insights about certain demographics and user-bases. And while the possession of personal data certainly presents risks to individual consumers, there are also larger, less tangible dangers of unfettered data brokerage. Data brokers sell facial recognition software to law enforcement, demographic and lifestyle data to political groups, and user profiles to foreign governments.

The affected companies pushed strenuously against these new regulations. They argued that it would be too difficult to comply with changing laws while conducting their daily business; that much of the information is already publicly available; that breach disclosure would cause unnecessary alarm for consumers; and that the boundaries between data brokers and companies that collect data directly from consumers, like Facebook or Uber, are unclear and unfair, since the latter have much more data than many data brokers. These arguments largely failed to address the concern that motivated the legislation in the first place, i.e. the opacity that obscures these companies’ practices from public scrutiny.

Differences in state regulation make it difficult for data brokers to operate on a national level, and so, as with calls for a federal privacy law, there have been efforts to create a set of uniform federal regulations. The most recent attempt was the Data Broker Accountability and Transparency Act of 2019, introduced by Senators Markey, Blumenthal and Smith. This bill came on the heels of the Equifax data breach and would enable consumers to access and correct information held by data brokers; give them the right to stop data brokers from using, sharing, or selling their personal information for marketing purposes; prohibit data brokers from engaging in discriminatory data use practices; and require data brokers to develop comprehensive privacy and data security programs and to provide reasonable notice in the case of breaches. The legislation would also empower the FTC to create a centralized website for consumers to view a list of covered data brokers and information regarding consumer rights.

The data industry has developed quickly and with little regulatory intervention. This has enabled rapid development and constant innovation, but has left little time to consider residual effects. As users consent to have their data resold, and data controllers sell it on to data brokers, and data brokers sell it again, there has been an explosive proliferation of consumers’ data flowing into the hands of numerous unknown entities. These companies (and, up until recently, legislatures, as indicated by their acquiescence) view data as acquired property to which a buyer is entitled, rather than something which carries with it some duty owed to the consumer from whom it originated. But as the practices and effects of data brokerage have come to light, a movement has begun to reclaim control of personal data, and to restrict external actors extracting value from it with little regard for its origin. These pieces of legislation, while simply a starting point, are important steps in shining a light on an industry that has operated largely in the dark, beginning the process of returning control to consumers.

