Thousands of data brokers in the United States buy, aggregate, disclose, and sell billions of data elements on Americans with virtually no oversight. As the data broker industry proliferates, companies have enormous financial incentives to collect consumers’ personal data, while data brokers have little financial incentive to protect consumer data. For these companies, consumers are the product, not the customer. Companies also maintain information about consumers that is often inaccurate, wrongfully denying them credit, housing, or even a job.
Data brokers collect and aggregate many types of personal information: names, addresses, telephone numbers, e-mail addresses, gender, age, marital status, children, education, profession, income, political preferences, and cars and real estate owned. Data brokers also collect information on an individual’s purchases, where they shop, and how they pay for their purchases. In addition, data brokers collect health information, the sites we visit online, and the advertisements we click on. And thanks to the proliferation of smartphones and wearables, data brokers collect and sell real-time location data.
The lack of a comprehensive baseline U.S. privacy law has allowed the data broker industry to build profiles on millions of Americans at great cost to our privacy, civil rights, national security, and democracy. Congress must pass comprehensive privacy legislation and create a U.S. Data Protection Agency to regulate the out-of-control data broker industry.
The Data Broker Industry
Data brokers use secret algorithms to build profiles on every American citizen, regardless of whether the individual even knows that the data broker exists. As such, consumers now face the specter of a “scored society” where they do not have access to the most basic information on how they are evaluated. The data broker industry’s secret algorithms can be used to determine the interest rates on mortgages and credit cards, raise consumers’ interest rates, or deny people jobs. In one instance, a consumer found that his credit score suffered a forty-point hit simply because he requested accurate information about his mortgage. Data brokers even scrape social media and score consumers based on factors such as their political activity on Twitter.
The use of algorithms can also have widespread discriminatory effects. The Equal Credit Opportunity Act (ECOA) prohibits lenders from discriminating in credit decisions. Still, studies have demonstrated that Black and Latino communities have lower credit scores as a group than whites. Current law does not allow consumers or regulators to evaluate these scores to determine whether they violate ECOA. Although consumers have the right to request their credit scores, they do not have the right to know how this score is determined.
Algorithmic explainability and transparency are crucial to accountability. Absent rules requiring the disclosure of these secret scores and the underlying data and algorithms upon which they are based, consumers will have no way to know the extent of, let alone solve, these problems.
Legislative Efforts to Regulate Data Brokers
There is no federal law in the United States that regulates the data broker industry. As a result, private companies invade our private lives, spy on our families, and gather our most intimate facts, on a mass scale, for profit. EPIC supports state and federal legislative efforts that set limits on data brokers’ collection, use, retention, and disclosure of personal data. EPIC also strongly advocates for the creation of a U.S. Data Protection Agency focused on privacy protection, compliance with data protection obligations, and emerging privacy challenges.
Some states have made efforts to regulate data brokers. For example, Vermont and California have enacted laws to shine a light on the data broker industry. Vermont passed the nation’s first data broker legislation in 2018, requiring data brokers to “register annually with the Secretary of State and provide information about their data collection activities, opt-out policies, purchaser credentialing practices, and security breaches.” The California Legislature passed a similar law in the following year, requiring data brokers to register annually with California’s Attorney General and provide information about how consumers may opt out of the sale of their personal information. While these laws have allowed the public to see a public listing of data brokers, stronger regulation is needed to restrict the buying and selling of Americans’ personal data.
EPIC’s Work on Data Brokers
EPIC has a particular interest in protecting consumer privacy and has played a leading role in developing the authority of the Federal Trade Commission to safeguard the privacy rights of consumers.
In 2005, EPIC brought a complaint to the FTC against data broker ChoicePoint that produced a $10 million settlement – then the largest in the FTC’s history for violation of federal privacy law. A 2001 article in the Wall Street Journal reported that ChoicePoint provided personal information to at least thirty-five government agencies, and EPIC subsequently filed a series of Freedom of Information Act requests that determined that ChoicePoint had several multi-million dollar contracts with law enforcement agencies to sell personal data. In its complaint, EPIC urged the FTC to investigate the compilation and sale of personal dossiers by data brokers such as ChoicePoint. EPIC argued that the dossiers may constitute “consumer reports” for purposes of the Fair Credit Reporting Act, thus subjecting both the information seller and the buyer to regulation under the Act. Following the FTC’s investigation and a hearing before California’s Senate Banking Committee where EPIC also testified, ChoicePoint paid $10 million in civil penalties and announced a series of reforms.
EPIC has also filed a number of amicus briefs in federal and state appellate cases concerning data broker and consumer privacy issues.
In January 2016, EPIC submitted an amicus brief in the U.S. Supreme Court case Utah v. Strieff. In the brief, EPIC argued that the information contained in government databases should not attenuate the taint of an unlawful police stop, as an individual’s name now gives officers access to sophisticated government databases containing an extraordinary amount of detailed and sometimes inaccurate personal information – some of which is pulled from third-party data brokers. Thus, forcing individuals to disclose their identities during stops where police officers have less than probable cause raises constitutional concerns.
In March 2016, EPIC filed an amicus brief in Smith v. LexisNexis Screening Solutions. The case was brought by a job applicant who was denied employment after a background report incorrectly stated that he had a criminal record. In the brief, EPIC highlighted the industry practice of selling background reports with inaccurate information, arguing that companies should be strictly liable when they fail to maintain accuracy in these reports. On September 12, 2016, the U.S. Court of Appeals for the Sixth Circuit held that LexisNexis had been negligent because it failed to “follow reasonable procedures to assure maximum possible accuracy” of the information in Smith’s credit report.
Recent Documents on Data Brokers
Comments of EPIC to the CFPB On the Small Business Advisory Review Panel for Consumer Reporting Rulemaking
EPIC CFPB FCRA SPREFA Comment 10-30-23
Comments of EPIC on CFPB Request for Information Regarding Data Brokers and Other Business Practices Involving the Collection and Sale of Consumer Information
Data brokers can and should be regulated under the FCRA, CFPA, and similar laws, and EPIC urges the CFPB to adopt an expansive definition of data broker misconduct to capture the variety of harmful activity that data brokers undertake; shift the regulatory burden from individual consumers exercising their rights to data brokers and other entities profiting off harmful data collection and use; coordinate efforts with the FTC to prioritize data minimization and data security within its regulations; and clarify its interpretations of FCRA provisions and definitions using illustrative examples.
Data Brokers and Sensitive Data on U.S. Individuals
Justin Sherman | 2021
Out of Control
Norwegian Consumer Council | 2020
Testimony: Hearing on “Securing Consumers’ Credit Data in the Age of Digital Commerce”
Bruce Schneier | 2017
Data Brokers: A Call for Transparency and Accountability
Federal Trade Commission | 2014
The Scored Society: Due Process for Automated Predictions
Danielle Keats Citron, Frank Pasquale | 2014
Vermont Data Broker Law
Vermont Secretary of State | 2019