Data Brokers

Thousands of data brokers in the United States buy, aggregate, disclose, and sell billions of data elements on Americans with virtually no oversight. As the data broker industry proliferates, companies have enormous financial incentives to collect consumers’ personal data, while data brokers have little financial incentive to protect consumer data. For these companies, consumers are the product, not the customer. Companies also maintain information about consumers that is often inaccurate, wrongfully denying them credit, housing, or even a job.

Data brokers collect and aggregate many types of personal information: names, addresses, telephone numbers, e-mail addresses, gender, age, marital status, children, education, profession, income, political preferences, and cars and real estate owned. Data brokers also collect information on an individual’s purchases, where they shop, and how they pay for their purchases. In addition, data brokers collect health information, the sites we visit online, and the advertisements we click on. And thanks to the proliferation of smartphones and wearables, data brokers collect and sell real-time location data.

The lack of a comprehensive baseline U.S. privacy law has allowed the data broker industry to build profiles on millions of Americans at great cost to our privacy, civil rights, national security, and democracy. Congress must pass comprehensive privacy legislation and create a U.S. Data Protection Agency to regulate the out-of-control data broker industry.

The Data Broker Industry

Data brokers use secret algorithms to build profiles on every American citizen, regardless of whether the individual even knows that the data broker exists. As such, consumers now face the specter of a “scored society” where they do not have access to the most basic information on how they are evaluated. The data broker industry’s secret algorithms can be used to determine the interest rates on mortgages and credit cards, raise consumers’ interest rates, or deny people jobs. In one instance, a consumer found that his credit score suffered a forty-point hit simply because he requested accurate information about his mortgage. Data brokers even scrape social media and score consumers based on factors such as their political activity on Twitter.

The use of algorithms can also have widespread discriminatory effects. The Equal Credit Opportunity Act (ECOA) prohibits lenders from discriminating in credit decisions. Still, studies have demonstrated that Black and Latino communities have lower credit scores as a group than whites. Current law does not allow consumers or regulators to evaluate these scores to determine whether they violate ECOA. Although consumers have the right to request their credit scores, they do not have the right to know how this score is determined.

Algorithmic explainability and transparency are crucial to accountability. Absent rules requiring the disclosure of these secret scores and the underlying data and algorithms upon which they are based, consumers will have no way to know the extent of, let alone solve, these problems.

Legislative Efforts to Regulate Data Brokers

There is no federal law in the United States that regulates the data broker industry. As a result, private companies invade our private lives, spy on our families, and gather our most intimate facts, on a mass scale, for profit. EPIC supports state and federal legislative efforts that set limits on data brokers’  collection, use, retention, and disclosure of personal data. EPIC also strongly advocates for the creation of a U.S. Data Protection Agency focused on privacy protection, compliance with data protection obligations, and emerging privacy challenges.

Some states have made efforts to regulate data brokers. For example, Vermont and California have enacted laws to shine a light on the data broker industry. Vermont passed the nation’s first data broker legislation in 2018, requiring data brokers to “register annually with the Secretary of State and provide information about their data collection activities, opt-out policies, purchaser credentialing practices, and security breaches.” The California Legislature passed a similar law in the following year, requiring data brokers to register annually with California’s Attorney General and provide information about how consumers may opt-out of the sale of their personal information.” While these laws have allowed the public to see a public listing of data brokers, stronger regulation is needed to restrict the buying and selling of Americans’ personal data.

EPIC’S Work on Data Brokers

EPIC has a particular interest in protecting consumer privacy and has played a leading role in developing the authority of the Federal Trade Commission to safeguard the privacy rights of consumers.

In 2005, EPIC brought a complaint to the FTC against data broker ChoicePoint that produced a $10 million settlement – then the largest in the FTC’s history for violation of federal privacy law. A 2001 article in the Wall Street Journal reported that ChoicePoint provided personal information to at least thirty-five government agencies, and EPIC subsequently filed a series of Freedom of Information Act requests that determined that ChoicePoint had several multi-million dollar contracts with law enforcement agencies to sell personal data. In its complaint, EPIC urged the FTC to investigate the compilation and sale of personal dossiers by data brokers such as ChoicePoint. EPIC argued that the dossiers may constitute “consumer reports” for purposes of the Fair Credit Reporting Act, thus subjecting both the information seller and the buyer to regulation under the Act. Following the FTC’s investigation and a hearing before California’s Senate Banking Committee where EPIC also testified, ChoicePoint paid $10 million in civil penalties and announced a series of reforms.

EPIC has also filed a number of amicus briefs in federal and state appellate cases concerning data broker and consumer privacy issues.

In January 2016, EPIC submitted an amicus brief to the U.S. Supreme Court case Utah v. Strieff. In the brief, EPIC argued that the information contained in government databases should not attenuate the taint of an unlawful police stop, as an individual’s name now gives officers access to sophisticated government databases containing an extraordinary amount of detailed and sometimes inaccurate personal information – some of which is pulled from third-party data brokers. Thus, forcing individuals to disclose their identities during stops where police officers have less than probable cause raises constitutional concerns.

In March 2016, EPIC filed an amicus brief in Smith v. LexisNexis Screening Solutions. The case was brought by a job applicant who was denied employment after a background report incorrectly stated that he had a criminal record. In the brief, EPIC highlighted the industry practice of selling background reports with inaccurate information, arguing that companies should be strictly liable when they fail to maintain accuracy in these reports. On September 12, 2016, the U.S. Court of Appeals for the Sixth Circuit held that LexisNexis had been negligent because it failed to “follow reasonable procedures to assure maximum possible accuracy” of the information in Smith’s credit report.