Originally published by Canadian Lawyer Online, IT Girl Column, July 2014
On May 27, the U.S. Federal Trade Commission released its study of data broker practices entitled "Big Data: A Call for Transparency and Accountability." Based on its 18-month review of the data collection and use practices of nine significant data brokers (Acxiom, CoreLogic, Datalogix, eBureau, ID Analytics, Intelius, PeekYou, Rapleaf, and Recorded Future), the FTC obtained detailed information regarding the data brokers' practices, including the nature and sources of consumer data they collect; how they use, maintain, and disseminate the data; and the extent to which data brokers currently allow U.S. consumers to access and correct data about them or to opt out of having their personal information sold or shared.
Not surprisingly, the report indicated "big data"
heralds some big problems for U.S. consumers (and virtually
everyone else) and a few (creepy) highlights are shared
below.
Interestingly, the FTC found none of the nine data brokers sampled
collected data directly from consumers. Rather, they collect data
from:
- government sources (even though some of this information is technically protected by law);
- other publicly available sources (i.e. social media, blogs, the Internet generally); and
- commercial sources (retailers, catalogue companies and other data brokers as well as from one another).
While each data broker source may provide only a few data
elements about a consumer's activities, data brokers typically
stitch all of these together to form a more detailed composite of
the consumer's life. It is virtually impossible for consumers
to determine the originator of a particular data element, given the
multiple layers of data brokers — this means there is very
little accountability on the part of individual brokers.
Data brokers sell both the actual and derived data elements to
their clients, creating lists of consumers with similar
characteristics and using the data to predict client behaviour.
Some of these data segments are relatively innocuous — like
"outdoor/hunting and shooting." Other segments rely on
ethnicity, income level, and education level or specific interests
mined from information provided, which are clearly more sensitive,
such as "financially challenged," "African-American
professional," "diabetes interest,"
"cholesterol focus," or "rural everlasting,"
which includes single men and women over the age of 66 with
"low educational attainment and low net worths."
The data brokers offer products in three broad categories:
- marketing (the biggest category by far);
- risk mitigation; and
- people search.
These products generated a combined total of approximately
$426-million in annual revenue in 2012 for the nine data brokers.
While "behavioural advertising" and targeting consumers
with ads based on their specific interests is old hat, this report
revealed the practice of "onboarding."
"Onboarding" is the process whereby a data broker adds
offline data into a cookie (the process of onboarding offline data)
to enable advertisers to target consumers virtually anywhere on the
Internet.
Onboarding clients either provide data about their customers to a
data broker to facilitate the process of finding those consumers on
the Internet to deliver targeted advertisements; or use a data
broker to identify an audience of consumers who are likely to share
particular characteristics and find those consumers on the Internet
to deliver advertisements.
After the data broker finds the relevant target consumer, it
places a cookie on the browsers of the consumer who has logged on
to the relevant web site that will include information the data
broker has appended to the consumer's profile. The data broker
can advertise to the consumer across the Internet for as long as
the cookie stays on the consumer's browser. The data broker
either acts as an advertising network itself by buying advertising
space on various web sites or contracts with advertising networks
that have secured advertising space on these web sites. All this
(largely) without actual consumer knowledge.
A staggering amount of data being collected on consumers —
one data broker's database has information on 1.4-billion
consumer transactions and more than 700-billion aggregated data
elements; another's database covers one trillion dollars in
consumer transactions. This massive collection of "big
data" (and the use of such data) reveals considerable privacy
risks, not the least being secondary impacts.
Consumers cannot easily mitigate the impact of poor financial
scoring or the possible misuse of health-related information that
would cause an insurance company to score the "diabetes
interest" consumer as high risk.
Privacy policies remain vague; only a few of the data brokers
offer any kind of data opt out or redress. Even if available,
opting-out typically does not take effect immediately, taking a
data broker several weeks to suppress a consumer's personal
information from its database. Furthermore, even if a consumer
tries to opt out, information about that consumer might still
appear in another consumer's records, such as that of a spouse.
Or, if a consumer submits identifying information in an opt-out
request that varies from the identifying information in the data
broker's records, theopt out may not capture all of those
records. Not to mention all the data that was previously sold by
the broker to other brokers downstream.
The FTC also noted some of the data brokers profiled store all
data collected indefinitely, even if it is later updated, unless
otherwise prohibited by contract. Although stored data may be
useful for future business purposes, it offers a tempting treat for
identity thieves.
Concerned by these findings, the FTC called for the U.S. Congress
to enact legislation that would enable consumers to learn of the
existence and activities of data brokers and provide consumers with
reasonable access to information (including sensitive data) about
them held by these entities (and allow for opt out to avoid sharing
such data for marketing purposes).
The FTC also proposed the creation of a centralized mechanism,
such as an Internet portal, where data brokers can identify
themselves, describe their information collection and use
practices, and provide links to access tools and opt outs.
Data brokers should also clearly disclose to consumers (e.g., on
their web sites) that they not only use the raw data they obtain
from their sources (such as a person's name, address, age, and
income range), but they also derive from the data certain data
elements, and these categories should be clearly identified. Data
brokers should also be required to disclose the names and/or
categories of their sources of data, so consumers are better able
to determine if, for example, they need to correct their data with
an original public record source.
Finally, the FTC advocated that Congress should require
consumer-facing companies to provide a prominent notice to
consumers that they share consumer data with data brokers and allow
consumers to opt out of sharing their information with data
brokers. In the meantime, the FTC urged data brokers to practise
"privacy by design" and reasonable precautions to ensure
downstream users of their data do not use it for unlawful
discriminatory purposes.
So where do we stand in Canada? At the recent meet and greet with
the new federal Privacy Commissioner Daniel Therrien in Toronto
earlier this month, the assembly of in-house lawyers, privacy
officers, and outside privacy practitioners unanimously requested
additional guidance from the OPC regarding big data practices, from
both sides of the table. This request was duly noted and given all
of the pressing matters on the OPC's plate (Bills C-13 and S-4,
just to name a few), I fear we will have a long wait on this urgent
matter.
Bonus CASL update
Last week I called the CRTC at the behest of a client on a
no-names basis in order to seek additional CASL guidance regarding
the "in-mail" features of LinkedIn. After waiting
patiently for the CRTC to call me back, I asked my questions to our
regulator and received the following response: "What is
LinkedIn?" After explaining the concept to the representative,
the young lady pointed me to a (utterly generic) section of their
CASL sub site and told me to consult a lawyer if I had further
questions.
True story. I couldn't make this one up if I tried.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.