An Industry in the Shadows: Data Brokers

You don’t know them, but they definitely know you.

It is a $200 billion industry, yet most people don’t know that it exists. Welcome to the world of data brokers. Because these companies have no direct interaction with consumers, there is no public awareness of them. This allows data brokers to operate with a disturbing level of freedom.

What Are Data Brokers?

The California legislature has defined the term data broker as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.”

And they have been around for quite some time. In 2013, a US Senate Committee published a review of the data broker industry and among other things, found the following: 1) they sell products that identify financially vulnerable customers; 2) they sell information about consumer offline behavior to online marketers; 3) they enable discrimination in pricing, services, and opportunities; and 4) they operate in the shadows and are completely unregulated.

Some of the largest data brokers include LiveRamp (formerly Acxiom until 2018), Experian, Epsilon, CoreLogic, Datalogix, Intelius, and PeekYou. These companies are behemoths. To give you an idea, in 2017, the New York Times reported that Acxiom had more than 23,000 servers collecting consumer data from more than 50 trillion yearly data “transactions,” leading to $1.13 billion in sales revenue. That said, Acxiom had an advantage over the other data brokers because it had been collecting offline consumer data for 40 years, which it then used to complement its consumer-profiling database of 190 million people and 126 million U.S. households.

There are three general categories of data brokers:

  1. People search sites that allow users to input a piece of information, such as a name, and receive a report containing information about the person, such as aliases, birthdates, interests, affiliations, addresses and address history, education, employment, marriage and divorce histories and status, bankruptcy information, social media profiles, property records and details on their relatives. Examples of these types of data brokers include Spokeo, PeekYou, PeopleSmart, and Pipl.
  2. Marketers that develop profiles on consumers and categorize people based on age, ethnicity, education, income, number of children and interests. Examples include Datalogix, ASL Marketing Inc., as well as subsidiaries and divisions of Experian and Equifax.
  3. Risk mitigation companies such as ID Analytics that offer products to verify identities and help detect fraud.

Where Do They Get Their Information?

Data brokers find information on people through public documents such as birth certificates, voter registrations, the census, and property, court, bankruptcy and professional license records. Additionally, data brokers scour social media sites and buy information, such as people’s purchase histories and warranty registration information, from commercial sources.

Many data brokers work together in a digital data assembly line. For example, Edvisors has a number of websites for college-bound students who give away their personal information in exchange for a chance to win a scholarship. That information is then repackaged by ALC, a data reseller. ALC sells a master file to advertisers that includes the names and addresses of up to 3 million students at a rate of $95 per 1,000 names. For a small premium, a marketer can also buy the name of the college each student plans to attend and their expected field of study.

How Does This Affect You as a Consumer?

The biggest overall risk that consumers unknowingly face in the case of data brokers is that they operate behind a veil of secrecy and therefore have no accountability.

There are also more specific risks, depending on the type of business. For instance, people search sites subject consumers to the possibility of doxing because they provide easy access to personal information. Doxing is when someone (usually with malicious intent) looks for and publicizes a person’s private identifying information online.

Erroneous information in the hands of the marketing and risk mitigation data brokers can also have serious effects. To illustrate, a person might be misclassified as a high credit risk, resulting in high interest loans being advertised to them when they are eligible for lower interest loans. Even with accurate information, the system that data brokers use to categorize people as high value or “waste” (an industry term) can have a huge long term impact because a certain segment of the population will never see promotions for things like higher education and health care services.

Additionally, relying on data from a consumer’s search histories where the consumer searched for certain medical conditions such as heart disease or diabetes can result in assumptions of the consumer’s ill health when in actuality, they were conducting those searches for a friend. These ill-founded assumptions can find their way into health insurance premium quotes.

In the risk mitigation sector, a consumer may have an address that matches one that has been incorrectly associated with fraud, which then renders them unable to complete a transaction. This issue is amplified by the fact that there is no easy way for consumers to access the information that is out there about them, much less to correct or delete it.

Aside from the harms identified above, other threats include the use of personal information for identity theft or to get into password protected websites by using the personal information to answer security questions.

Also, the data brokers themselves are vulnerable to security breaches, which affect millions of people. To list a few: Equifax experienced a breach which affected 147 million people; 1.6 billion records were stolen in the 2003 Acxiom breach; and 15 million T-Mobile records were accessed from Experian’s servers in 2015. Yet the industry remains largely unregulated.

Few States Have Laws Regulating Data Brokers

Only two states, Vermont and California, thus far have enacted laws focused on data brokers and both fall woefully short of necessary consumer protections.

Vermont Law

Vermont was the first state to enact a data broker law, which became effective on January 1, 2019. The law defines “brokered personal information” to include name, address, social security number, unique biometric data, and “other information that, alone or in combination with the other information sold or licensed, would allow a reasonable person to identify the customer with reasonable security.”

The law requires annual registration with the Vermont Attorney General along with a $100 registration fee. The data broker is also required to disclose the following information on an annual basis: 1) its procedures related to the collection, storage and sale of personal information; 2) its practices, if any, for allowing consumers to opt out; and 3) the number of data breaches that occurred in the previous year as well as the number of consumers affected. There are additional disclosures required if the data brokers knowingly retain the personal information of minors. Notably, it requires the brokers to disclose their opt out procedures only if they have them, but they are not required to offer consumers the opportunity to opt out.

Finally, the Vermont law requires the development, implementation, and maintenance of a security protocol. Additionally, it states that a violation constitutes an unfair and deceptive act in commerce which violates Vermont’s consumer protection law.

California Law

In 2019, California Governor Gavin Newsom signed AB 1202 into law, which requires data brokers to register with the state attorney general for a fee. They must provide their name and primary physical, email and website addresses, along with any additional information they want to provide. Failure to register by January 31st each year will subject them to penalties, including $100 for each day they are not registered. California’s law applies to a wider swath of companies than Vermont’s in that it relies on the broad definitions of the California Consumer Privacy Act (CCPA).

For example, the CCPA includes a monetary exchange or “other valuable consideration” when it comes to defining the “sale” of personal information. It also defines “personal information” more expansively, as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Ultimately, AB 1202 was passed to allow consumers to more easily exercise their rights of access, deletion and opting out as provided by the CCPA.

While the California law increases the visibility of data brokers, it does nothing in the way of changing their practices or creating accountability. Notably, the law does not contain any security requirements, which opens large numbers of consumers up to risk, as observed by the breaches listed above. The data broker registry has been compared to the federal Do Not Call list, which never lived up to its purpose.

Calls for More Regulation

As far back as May 2014, the Federal Trade Commission (FTC) released a 110-page report on data brokers. Among other things, the report recommended: 1) a law that requires consumer-facing companies to alert their customers that they share data with behind-the-scenes data brokers and to give them the opportunity to opt out; 2) that data brokers create a centralized mechanism to allow consumers to access their data and to give them the opportunity to opt out; and 3) a requirement that data brokers reveal the names and categories of their data sources and explain that they use raw data as well as inferences made from such data.

Federal lawmakers have considered passing the federal Data Broker List Act, which would create a national registry overseen by the FTC. As noted above, a registry is only a first small step. However, to date, there is no federal legislation.

Given that this industry is so lucrative and so unregulated, it should come as no surprise that during these last few months alone, the number of data brokers registered in California has increased from 240 to 382 brokers. This only magnifies the urgency of shining a light on data brokers and pushing for stronger legislation requiring them to be accountable.

Data brokers operating in the shadows: another reason to join the DDP movement to help you gain control over your data.