Rebecca Joslin – Cyberlaw (Spring 2013)
1
Data Brokers: What Do They Know, Who Do They Share It With, And What Privacy
Considerations Are At Stake?
Introduction
In today’s information age, there is little question that there are economic benefits
to the flow and market exchange of certain kinds of information. For American consumers,
a large network of data brokerage companies facilitate the flow of information between
consumers and companies by collecting personal information about consumers from a
variety of public and non-‐public sources, and reselling the information to other companies.
These collection, maintenance, and dissemination practices often occur without the
knowledge of consumers. This industry has been the subject of increasing scrutiny in the
last year, due in large part to the unregulated space in which data brokers conduct their
online and offline data collection. The lack of a governing regulatory framework has
caused the data brokerage industry to be viewed by many not as a vital source of
information collection, protection, and dissemination essential in today’s market economy,
but rather as unwelcome and secretive digital surveillance of today’s consumers.
Recent government efforts to study privacy practices and the collection and
dissemination of consumer information in the data brokerage industry include two
separate Congressional inquiries and an ongoing FTC investigation. This research project
will give a general overview of the data broker industry and will provide an overview of the
current regulatory framework under which the industry operates, the regulatory interests
of the FTC’s investigation and the Congressional inquiries, and the responses I received
when I submitted information requests to seven different data brokers.
Rebecca Joslin – Cyberlaw (Spring 2013)
2
The Industry
It is difficult to say with accuracy exactly what information is collected by data
brokers and, perhaps more importantly, how it is collected, stored, and distributed in the
market. According to the Privacy Rights Clearinghouse, the online and offline collection of
consumer data is conducted through public and semi-‐public records; for example, the data
includes information provided when consumers buy a house, get married, file for divorce,
fill out surveys, obtain drivers licenses, get arrested, vote, or establish a social networking
profile.1 Data brokers have, to date, been less-‐than-‐transparent about the sources of their
data – protecting the collection methods as a trade secret and preferring not to pinpoint
exactly how consumer information is aggregated, analyzed, and from which sources it is
collected.2 This is problematic for consumers, government agencies, and industry
participants alike, in light of the individual privacy concerns surrounding the activities of
these companies.
While certain aspects of this industry that operates largely under the consumer
radar are somewhat unsettling, there are certain benefits to the flow of information in
today’s market economy. Data brokers represent a multi-‐billion dollar industry directed at
the aggregation of the information of hundreds of millions of Americans, which is then sold
to third parties for targeted advertising, marketing, and other purposes.3 Many of these
companies also provide direct benefits to consumers by providing fraud monitoring
services. Further, the data brokerage industry provides significant benefit to the economy
1 https://www.privacyrights.org/online-‐info-‐broker-‐faq#legal 2 http://www.aclu.org/blog/technology-‐and-‐liberty/data-‐brokers-‐release-‐information-‐about-‐their-‐operations-‐response 3 http://www.nytimes.com/2012/12/09/business/company-‐envisions-‐vaults-‐for-‐personal-‐data.html
Rebecca Joslin – Cyberlaw (Spring 2013)
3
in general by facilitating better marketing of products and services to consumers. Data
brokers collect financial, retail, and recreational information to create a consumer profile
that is then sold to clients like airlines, automakers, banks, credit card issuers, and retailers
to maintain and recruit their customer bases and to reduce unnecessary marketing toward
unlikely customers.4 For example, categorization of consumers based on housing
information (like, for example, those that live in apartment buildings or in the heart of
larger cities) allows companies to efficiently market to particular population segments –
and reduces, for example, things like lawnmower advertisements to those to whom the
advertisements likely do not appeal.
Important to note is the ubiquity of the data brokerage industry in the economy,
society, and government; the industry is simultaneously scrutinized for what some have
called “shadowy” privacy practices and heavily utilized by a myriad of industry
participants.5 Data-‐driven marketing fosters competition by ensuring that numerous
industry participants can better reach consumers.6 Government leaders, scientists,
corporate leaders, health officials, and education specialists are anxious to see if new kinds
of analysis of large data sets can yield insights into how people behave, what they might
buy, and how they might respond to new products, services, and public policy programs.7
Aside from the marketing and advertising economic benefits, the industry is an essential
4 http://www.nytimes.com/2012/07/25/technology/congress-‐opens-‐inquiry-‐into-‐data-‐brokers.html?_r=0. 5 http://news.cnet.com/8301-‐31322_3-‐57388097-‐256/in-‐the-‐world-‐of-‐big-‐data-‐privacy-‐invasion-‐is-‐the-‐business-‐model/ 6 http://www.the-‐dma.org/cgi/disppressrelease?article=1566 7 http://www.elon.edu/e-‐web/predictions/expertsurveys/2012survey/future_Big_Data_2020.xhtml
Rebecca Joslin – Cyberlaw (Spring 2013)
4
part of America’s job creation, economic growth, and global leadership.8 The Direct
Marketing Association notes that data-‐driven marketing represents 8.7% of total US GDP,
and data-‐driven marketers collectively fuel 9.2 million US jobs by providing economic
growth and job creation to global brands, start-‐ups, and everything in between.9 The rise
of the data mining industry has subjected industry participants to careful study in recent
years.
Regulatory Concerns
Congressional and agency inquiries and investigations into the data broker industry
are centered around various regulatory concerns, including individual consumer privacy
concerns, general lack of industry transparency, consumer access to and control of
information, and the potential for misuse of data. The industry has been largely
cooperative with respect to all recent investigations, preferring to respond to
Congressional and agency letters rather than invite further scrutiny for failure to respond
to this type of investigation. At the same time, however, the industry has taken a defensive
stance when it comes to accusations about the potential consumer privacy concerns and
questions about the potential for misuse of data; industry responses to inquiries are
summarized below, but for the most part data brokerage companies defend their practices
as a lawful and essential part of America’s economy. Nonetheless, lawmakers and agency
representatives alike have spearheaded investigations into the industry to better
understand data protection practices, the implications of those practices with respect to
consumer privacy, and the regulatory schema under which the industry currently operates. 8 Id. 9 Id.
Rebecca Joslin – Cyberlaw (Spring 2013)
5
Preliminary Investigations and Current Regulation
More details about the inner workings of the data brokerage industry are likely
forthcoming. In 2010, the FTC began an investigation into the practices of more than a
dozen information aggregators. The final report, published in March 2012, sets forth best
practices for businesses to protect the privacy of American consumers and give consumers
greater control over the collection and use of their personal data. This report expands on a
preliminary staff report the FTC issued in December 2010, which included a framework of
recommendations for privacy protection policies to be adopted by companies handling
consumer data – including privacy by design, consumer control, and greater transparency
for the collection and use of consumer data.10 The 2012 report redefined the scope of the
privacy framework, included an analysis of the regulatory framework governing the
activities of data brokers, and included proposed solutions for consumer privacy protection
moving forward. The FTC’s recommendations occupy two realms: government action and
industry self-‐regulation.
Importantly, the privacy report noted that unless data brokers use information for
credit, employment, insurance, housing, or other similar purposes, there are no laws on the
books requiring them to maintain the privacy of consumer data.11 This lack of regulation is
at the heart of the recent increase in scrutiny surrounding the data brokerage industry –
and has prompted numerous calls for legislation (at both the state and federal levels) 10 http://ftc.gov/opa/2012/03/privacyframework.shtm. “Privacy by Design” is a term of art, reflecting the theory that companies should build in consumer privacy protections at every stage in developing their products – including reasonable security for consumer data, limited collection and retention of such data, and reasonable procedures to promote data accuracy. 11 http://ftc.gov/os/2012/03/120326privacyreport.pdf at 66.
Rebecca Joslin – Cyberlaw (Spring 2013)
6
aimed at the industry’s privacy practices. The FTC recommends that Congress consider
baseline privacy legislation, and supports any national legislation aimed at providing or
securing consumer access to information held by the network of data brokers; further, the
FTC recommends that the industry itself implement the final privacy framework through
company and working group initiatives and through strong and enforceable self-‐regulatory
initiatives.12
With respect to industry self-‐regulation, the FTC report contains numerous specific
recommendations. Noting that data brokers buy, compile, and sell highly personal
information about consumers (who are often unaware that the companies even exist, and
do not know the purposes for which their data is collected and used), the FTC recommends
primarily that the data brokerage industry increase transparency regarding these practices
through internal initiatives, guided by the policy objectives outlined in the framework
above.13 The FTC report also calls on data brokers who compile consumer data for
marketing purposes to explore creation of a centralized website where consumers could
get information about industry practices and their operations for controlling data use and
dissemination within the large network of data brokerage companies.14 In the wake of
numerous calls for both industry self-‐regulation and government intervention, the FTC
urges data broker industry participants to, at a minimum, consider adopting the
recommendations set forth in the report in order to better protect the privacy of American
consumers and give them greater control over the collection and use of their personal
information. The report concludes by outlining the FTC’s areas of focus in the realm of
12 Id at 72. 13 http://ftc.gov/opa/2012/03/privacyframework.shtm 14 Id.
Rebecca Joslin – Cyberlaw (Spring 2013)
7
consumer privacy protections over the next year: Do-‐Not-‐Track, Mobile Privacy
Protections, Data Brokers, Large Platform Providers, and Promotion of Enforceable Self-‐
Regulatory Codes.15
With more consumers becoming aware of data brokers’ activities and the
implications of data mining on their personal privacy, legislators are becoming increasingly
interested in learning more about the industry and pressing for greater consumer privacy
protection. A recent Pew Internet/Elon University survey of 1,021 Internet experts,
observers, and stakeholders measured current opinions about the potential impact of
human and machine analysis of newly emerging large data sets in the years ahead. The
survey was opt-‐in, online canvassing; 53% of respondents predicted that the rise of Big
Data is likely to be a “huge positive for society in nearly all respects” by 2020, while 39% of
survey participants said it is likely to be a “big negative”.16 Time Magazine, the Wall Street
Journal, and the New York Times have all published articles discussing the consumer
privacy implications of the data broker industry in recent months. Since July 2012, two
separate congressional inquiries have been directed at reducing the secrecy that shrouds
the activities of these companies.
2012 Congressional Inquiries
In July of 2012, Representative Edward Markey (D-‐Mass) and Representative Joe
Barton (R-‐Texas), along with six other members of the Bipartisan Congressional Privacy
Caucus, submitted inquiries to nine different data brokers, requesting that they provide 15 Id. 16 http://elon.edu/docs/e-‐web/predictions/expertsurveys/2012survey/PIP_Future_of_Internet_2012_Big_Data_7_20_12.pdf
Rebecca Joslin – Cyberlaw (Spring 2013)
8
answers to a detailed questionnaire regarding data collection, assembly, analysis, and
dissemination practices. The companies – Acxiom, Epsilon (Alliance Data Systems),
Equifax, Experian, Harte-‐Hanks, Intelius, Fair Isaac (FICO), Merkle, and Meredith Corp. –
were given three weeks to respond to the inquiry.
The inquiry itself began with a summary of the reasons for which the Caucus started
the investigation – the serious privacy concerns raised by the large-‐scale aggregation of the
personal information of hundreds of millions of American citizens.17 The committee cited a
recent article in the New York Times detailing how hidden dossiers on American consumers
often extend far beyond demographic information (like age, race, and sex) to include
“weight, height, marital status, education level, politics, buying habits, household health
worries, vacations, and so on”.18 The implications of the industry practices, stresses the
Caucus, extend beyond targeted advertising and economic benefit; as the Times article
points out, privacy advocates are troubled by industry practices involving the classification
of some consumers as high-‐value prospects (ripe for marketing campaigns and discount
mailers) while dismissing other consumers as low-‐value (“waste” in industry slang).19 The
Caucus notes that these practices have been termed “Weblining”, analogous to the illegal
practice of “Redlining” in the physical world – and cites the potential long-‐term impacts on
access to education, health care, employment, and other economic opportunities for these
low-‐value consumers.20 The Caucus’s letters to data brokerage companies concluded with
a detailed set of questions involving inquiries into the sources of consumer data, the 17 For an example of one of the inquiries sent to the data brokers, see Axciom’s letter: http://markey.house.gov/sites/markey.house.gov/files/documents/Axciom%20letter.pdf 18 http://www.nytimes.com/2012/06/17/technology/acxiom-‐the-‐quiet-‐giant-‐of-‐consumer-‐database-‐marketing.html?pagewanted=all 19 Id. 20 Id.
Rebecca Joslin – Cyberlaw (Spring 2013)
9
methods of data collection (including social media and mobile use and activity), services
offered to third parties, consumer access to personal information (including fees and
correction, opt-‐out, and deletion mechanisms, if they exist), and storage and encryption of
consumer information. The full letter can be accessed here.
In November 2012, the Caucus released the responses. Acxiom was the only
company that did not reject the categorization of its business practices as data brokerage,
and was also the only company to provide data on the number of consumers submitting
information requests: out of the 190 million consumers it has collected information on, as
few as 77 people per year (over the last two years) have requested access to their personal
information. Acxiom expressed an interest in “pushing for whatever steps are necessary to
make sure Americans know how this industry operates and are granted control over their
own information.”21 Equifax, a credit consumer reporting bureau, firmly rejected the
categorization of “data broker”, stating instead that the company “operates almost
exclusively in a heavily and closely regulated environment that is altogether inconsistent
with a data broker environment.”22 Harte-‐Hanks, a direct marketing company best known
for advertising fliers, does not consider itself a data broker because it “does not own a
database which describes consumers, represents consumer profiles, or contains consumer
dossiers [which are then] compiled, sold, or licensed”, while at the same time
acknowledging that it receives consumer information through social networking providers
at the request of its clients.23 One company called itself a “data provider”. Another
21 http://markey.house.gov/sites/markey.house.gov/files/documents/Acxiom.pdf 22 http://markey.house.gov/sites/markey.house.gov/files/documents/Equifax.pdf 23 http://markey.house.gov/sites/markey.house.gov/files/documents/Harte%20Hanks.pdf
Rebecca Joslin – Cyberlaw (Spring 2013)
10
reported that since it only “analyzes” data, it should not be considered a data broker.24
Many other companies providing responses to Representative Markey’s inquiry stated that
they do not allow access to consumer data because the information is anonymized and not
re-‐identifiable to individual consumers. Notably, the companies provided little explanation
of the distinction between the information they collect and use (like gender) versus the
information they create by analysis for profiling consumers (e.g.: female interested in
weight loss sent coupons for diet pills).25
The lack of consensus on the definition of “data broker” is at the heart of the
congressional inquiries and the regulatory interests of lawmakers and administrative
agencies. In a joint statement, the lawmakers stated the following: “The data brokers’
responses offer only a glimpse of the practices of an industry that has operated in the shadows
for years. Many questions about how these data brokers operate have ben left unanswered,
particularly how they analyze personal information to categorize and rate consumers. This
and other practices could affect the lives of nearly all Americans, including children and teens.
We want to work with the data broker industry so that it is more open about how it collects,
uses, and sells Americans’ information. Until then, we will continue our efforts to learn more
about this industry and will push for whatever steps are necessary to make sure Americans
know how this industry operates and are granted control over their own information.” While
the stated goal of the inquiry was the exposure of data broker practices to the public and
the improvement of transparency in the industry, Representative Markey stated that his
24 http://www.data-‐informed.com/lawmakers-‐disappointed-‐in-‐results-‐from-‐data-‐brokers-‐privacy-‐inquiry/ 25 http://markey.house.gov/press-‐release/lawmakers-‐release-‐information-‐about-‐how-‐data-‐brokers-‐handle-‐consumers%E2%80%99-‐personal
Rebecca Joslin – Cyberlaw (Spring 2013)
11
ultimate goal was to determine whether legislators should enact a law regulating the
industry.26
Furthering the continued government scrutiny aimed at the data brokerage
industry, Senator John D. Rockefeller IV (D-‐WV), Chairman of the Senate Commerce
Committee, initiated a second Congressional inquiry into the privacy practices of nine data
brokers – Acxiom, Experian, Equifax, Transunion, Epsilon, Reed Elsevier (Lexis-‐Nexis),
Datalogix, Rapleaf, and Spokeo in October 2012.27 In the letters the Committee sent to the
data brokers, Rockefeller expressed concern about the lack of information provided to
consumers by saying that, “An ever-‐increasing percentage of their lives will be available for
download, and the digital footprint they will inevitably leave behind will become more
specific and potentially damaging, if used improperly.”28 This second Congressional
investigation only confirms that legislators and regulators remain concerned about the
uncertainty surrounding the exact practices of the data broker industry – including the
extent of the material collected, the third parties to whom it is disclosed, and the uses of the
information by the third parties.
In response to the Congressional inquiries, the Direct Marketing Association, the
largest trade association dedicated to data-‐driven marketing, issued a response expressing
concern about the heightened scrutiny. The DMA is concerned that lawmakers are
questioning legitimate commercial data practices that the industry believes are essential to
26 http://www.nytimes.com/2012/07/25/technology/congress-‐opens-‐inquiry-‐into-‐data-‐brokers.html?_r=0 27 http://www.commerce.senate.gov/public/index.cfm?p=PressReleases&ContentRecord_id=a42a865a-‐be30-‐4171-‐8278-‐86ee0a8c76fb 28 http://www.commerce.senate.gov/public/?a=Files.Serve&File_id=3bb94703-‐5ac8-‐4157-‐a97b-‐a658c3c3061c
Rebecca Joslin – Cyberlaw (Spring 2013)
12
America’s job creation, economic growth, and global leadership positions; further, the DMA
accuses the Congressional inquiries of scrutinizing the fuel on which America’s free market
engine runs – targeted advertising.29 The DMA insists that market participants are not
merely snooping on the private lives of consumers, but rather provide essential data
collection so that companies ensure their ads reach only the most interested consumers.30
Underlying much of the legislative and administrative concern is the risk that some data
brokers or third party purchasers could use consumer dossiers (including financial
information, akin to credit reports) for improper purposes – like excluding individual
consumers from certain offers or charging different prices based on the consumer’s
profile.31 The inquiries also focus on consumers’ ability to access and correct information
maintained about them; in its letter, the DMA notes that the only harm to consumers of
inaccurate data is irrelevant advertisements. Nevertheless, the Congressional inquiries are
not the only source of increased scrutiny directed at the data broker industry – the Federal
Trade Commission opened an investigation in December 2012.
FTC Investigation
Following the initial 2010 FTC inquiry outlined above, the FTC began a directed
investigation aimed at studying how the data brokerage industry collects, uses, stores, and
disseminates information. To begin, the FTC issued orders requiring nine data brokerage
companies to file special reports that will provide the agency with information about
29 http://the-‐dma.org/news/August-‐13-‐2012-‐DMALetter.pdf 30 Id. 31 http://www.nytimes.com/2012/10/11/technology/senator-‐opens-‐investigation-‐of-‐data-‐brokers.html
Rebecca Joslin – Cyberlaw (Spring 2013)
13
privacy practices industry-‐wide.32 Specifically, the FTC seeks details about the information
the companies collect and where they get it, how they store, use, and disseminate it, and
the extent to which people can get access to information data brokers have about them,
correct inaccuracies, and opt out of having their information sold.33 The nine data brokers
– Acxiom, Corelogic, Datalogix, eBureau, ID Analytics, Intelius, Peekyou, Rapleaf, and
Recorded Future – were required to file responses by February 1, 2013.34 My attempts to
contact the FTC about the information contained in the company responses (and the
possibility of gaining early access to the reports for research purposes for this paper) have
not yielded substantive information. I emailed the FTC staff associated with the orders sent
to data brokers; the staff persons declined to provide information about how many data
brokers responded (and if they did so in a timely manner), what the responses contained,
or when the agency’s report would be published – though I’ve been informed that an
official FTC report of the agency’s findings is forthcoming, likely within the year. The data
broker responses themselves will likely be released to the public after the FTC analyzes
them internally and the report of agency findings is created.
Nevertheless, government scrutiny of the data brokerage industry remains at an all-‐
time high. Industry and trade association responses to both Congressional inquiries
emphasize that the information collected is used for marketing and commercial purposes
only – and not for regulated or improper purposes. While consumer reporting agencies are
required by law to disclose individuals’ credit reports, data brokers are under no obligation
32 http://www.ftc.gov/opa/2012/12/databrokers.shtm 33 Id. 34 http://www.ftc.gov/os/2012/12/121218databrokerssection6border.pdf
Rebecca Joslin – Cyberlaw (Spring 2013)
14
to show consumers information collected for marketing purposes.35 The FTC’s regulatory
concern is the misuse of information by third parties; to the extent that the data mined by
the data broker industry is used improperly to injure or discriminate against consumers,
government regulation is a necessary next step toward consumer protection.
While it appears that Congress and the FTC are at least exploring the possibility of
more top-‐down regulation of the industry, the DMA cautioned Congress against adopting
any new laws targeting data brokers; instead, the DMA and industry participants argue that
industry self-‐regulation is the best approach to address any privacy concerns. These
industry-‐based initiatives are widespread and diverse. The Consumer Data Industry
Association is an international trade association is aimed at ensuring that consumer data is
collected, maintained, and used by third parties in responsible ways. To help marketers
better understand applicable government regulations and industry practices aimed at
consumer data collection and use, the Direct Marketing Association has created a Data
Governance Certification program to establish industry-‐based initiatives, educate
participants about government compliance issues (with specific attention to customer
notice and access), and inspire innovation without infringing consumer privacy.36 The
Network Advertising Initiative sponsors the AdChoices icon; when the icon appears near an
online ad, consumers can click on it to learn more about privacy choices and opt-‐out tools.
Whether these various industry-‐based initiatives will satisfy lawmakers and other
regulatory bodies remains to be seen.
35 Id. 36 http://www.targetmarketingmag.com/article/dma-‐data-‐governance-‐certification-‐balancing-‐marketing-‐rewards-‐big-‐data-‐its-‐risks/2
Rebecca Joslin – Cyberlaw (Spring 2013)
15
My Inquiries
One of the primary areas of focus in the Congressional inquiries and the FTC’s
ongoing investigation is the extent to which data brokers allow consumers to access and
correct their information or to opt out of having their personal information stored or
sold.37 The next portion of my research involved sending information requests to seven
data providers (many of which were targets of Congressional or FTC inquiries) to discover
the amount of personal information these companies had managed to collect about me, as
well as their profiles of my consumer behavior. The seven data providers, Acxiom,
Datalogix, eBureau, Epsilon, Intelius, Peekyou, and Rapleaf, each responded differently to
my consumer inquiry; some provided telling reports, others provided reports containing
very little personally identifiable information, and still others provided no report at all.
Acxiom
Acxiom, in its response to Representative Markey, noted that over the last two years
only 77 people per year requested access to their personal information held by the
company (out of 190 million consumers whose information is collected).38 As far as
consumer access to information, however, Acxiom is much more forthcoming than other
companies in the same industry. The company’s Consumer Data Information page allows
consumers to learn more about the data Acxiom collects and how it is used, to discover
which Personicx Cluster consumers fall into, to opt out of Acxiom’s marketing and directory
products, and to request a report of the risk and fraud data Acxiom has about them (for a
$5 processing fee). My own inquiry to Acxiom involved emails to their privacy center, as
37 http://www.ftc.gov/opa/2012/12/databrokers.shtm, see also the FTC orders issued December 18, 2012. 38 http://www.markey.house.gov/sites/markey.house.gov/files/documents/Acxiom.pdf
Rebecca Joslin – Cyberlaw (Spring 2013)
16
well as the submission of an inquiry that would provide me with their directory and fraud
prevention information. To verify my identity with the company, I mailed a check to their
US office as well as providing my name, address, social security number, driver’s license
information, and date of birth.
Acxiom provides three types of data products, each with distinct data uses:
marketing and data products, directory products, and fraud detection and prevention
products. The marketing and data products contain publicly available information,
surveys, and information from other data collectors. The company sells this information to
companies, political associations, and non-‐profit organizations for marketing, fundraising,
and customer service efforts. Personicx is Acxiom’s household-‐level consumer
segmentation marketing product; the process categorizes US households into one of
seventy different segments (based on demographic characteristics) and twenty-‐one life
stage groups (consisting of demographic groups sharing similar life events, like having
babies, getting married, or approaching retirement). These categories are used by
marketers to target specific consumer interests in advertising, customer service, and
fundraising efforts. The company’s website allows consumers to discover which clusters
they fall into by simply providing simple demographic information – age, marital status,
homeowner status, household income, zip code, and household net worth.39 My own
demographic information yields the following:
Mixed Singles: Cluster #61: Cluster 61 is an ethnically mixed group, with a
particularly high concentration of Asians, Hispanics, and African-‐Americans. They
are a younger group of urbanites either in school or recently out of school and
39 https://isapps.acxiom.com/personicx/personicx.aspx
Rebecca Joslin – Cyberlaw (Spring 2013)
17
barely – economically speaking – making their way in the big city. With youth and
tight finances, they tend to be more cash-‐prone, leveraging money orders and debit
cards as needed. They have below-‐average incomes and minimal net worth at this
point in their lives. All single and childless, they spend a lot of their free time either
socializing at trendy night spots or exercising. These city dwellers particularly enjoy
going to the movies. Their strong interest in foreign travel is most likely driven by
visits to family abroad. If they have a car at all, chances are it is a subcompact,
perfect for maneuvering in congested traffic.
This is where my own analysis gets interesting, at least on a personal level. After
researching the data brokerage industry and reading about all of the possible information
these companies have about me, I was worried about how accurate this type of consumer
segmentation might be. As it turns out, I don’t really fall into this description at all. I’m
Caucasian, I don’t leverage money orders or debit cards to make ends meet, I rarely enter
“trendy night spots” even when I do have free time (which is rare, as a law student), I
dislike going to the movies, my interest in foreign travel is not driven by visits to family
abroad (as most of my family resides in Idaho and Wyoming, which are far from exotic
foreign destinations), and I own a midsize SUV. The consumer profile correctly identified
only that I am in school, unmarried with low net worth and low income, and that I enjoy
exercise. For marketing or advertising purposes, the profile is likely still accurate enough
to be useful for third parties purchasing this type of information from Acxiom; but the
accuracy of the consumer segmentation profile was far from “creepy”, as this type of
profiling has been characterized. The company’s other marketing products (which
consumers can opt-‐out of) consist of individual data (name, address, gender, education,
Rebecca Joslin – Cyberlaw (Spring 2013)
18
voter party, occupation, date of birth, etc.), demographics, interests (obtained from surveys
or derived from inquiries or purchases), purchase behavior (apparel, home improvement,
books, computers/electronics, etc.), life event data (derived from self-‐reported surveys or
public records), technology indicators (including computer and cell phone preference
information), wealth indicators, real property data (sourced from real property recorder
and assessor sources), vehicle data, health interests (from self-‐reported surveys or
summarized from purchase data), and social media indicators (gathered only from the
public portion of social network sites by the user).40
The company’s directory products consist of information from published white and
yellow pages of telephone books, and are used by companies, political associations, non-‐
profit organizations, government agencies, and consumers to search for contact
information. The same page on Acxiom’s website allows consumers to opt-‐out of targeting
in online ads, as well as opt-‐out of targeting in all ads and offers from Acxiom clients.
Acxiom’s fraud detection and prevention products contain identifying information
from public and private sources (including sensitive information like Social Security
Numbers), and are used by qualified companies in selected industries, non-‐profit
organizations, and government agencies to verify the identities of customers and
investigate fraud.41 From the site, consumers can request their US Reference Information
Report for a $5 processing fee; the report is later delivered electronically (encrypted and
password protected).
40 http://www.acxiom.com/uploadedFiles/Content/About_Acxiom/Privacy/AC-‐1255-‐10%20Acxiom%20Marketing%20Products.pdf 41 http://www.acxiom.com/about-‐acxiom/privacy/consumer-‐data-‐information/
Rebecca Joslin – Cyberlaw (Spring 2013)
19
As I mentioned above, requesting the report involves providing your name, address,
social security number, driver’s license information, date of birth, and an email address. It
isn’t all that surprising, then, that my own US Reference Information Report contained all of
the above information – along with alternative names (Rebecca, Becca, Rebecca A, Rebecca
Ann, etc.), previous addresses (including my parents’ house in Pocatello, Idaho), phone
numbers (associated with my parents’ house, but not my cell phone), and voter registration
information (registered Democrat with the State of Utah). Acxiom does allow consumers to
contact them about correction of inaccurate information contained in their reports – my
own report did not contain inaccurate information, but did contain some irrelevant
information for their targeted advertising purposes (like, for example, each of my previous
addresses in the Boise, Idaho area where I lived while attending Boise State University).
Datalogix
The Datalogix privacy policy describes how the company uses data to provide
services for its customers. To provide targeted advertising data for its third-‐party
purchasers, the company uses algorithms to create interest-‐segments (like “travel
enthusiast” or “green consumer”). The privacy policy further outlines the company’s
security, data integrity, and third-‐party transfer practices.42 Consumers can send
information requests to the company to discover the extent of the information the
company has about them, as well as the interest segments into which they have been
classified. I sent such an inquiry, along with a copy of my Utah driver’s license to complete
the verification process. These documents were sent via USPS on February 14, 2013; to
date, I have received no response from the company.
42 http://www.datalogix.com/privacy
Rebecca Joslin – Cyberlaw (Spring 2013)
20
eBureau
eBureau, a target of the FTC investigation but not the Congressional inquiries,
collects and licenses online and offline data for use in the products and services the
company provides to customers and third party purchasers. In addition to personal
information, the company collects and aggregates general information about its users
(through the use of cookies); the company provides customers with the ability to access the
data report including their personal information, but does not disclose aggregate
information because it is not linked to individual users. To request the report, consumers
must provide the company with personal information (name, address, phone number) and
verifying information (copy of driver’s license or other ID card, as well as a current utility,
phone, or credit card bill with account numbers redacted). My inquiry included a request
to view my eBureau privacy report, as well as a copy of my Utah drivers license and a copy
of my most recent Comcast internet bill with the account number redacted.
My data report from eBureau included the same identifying information that I
provided to establish my identity (name, address, phone number), as well as date of birth,
other addresses, and other phone numbers (one of which happened to be a phone number
that I do not recognize). In the “Consumer File Contents” field of the report, the company
indicated that my information was “unknown” in the following fields: gender, marital
status, estimated age, homeowner status, and years of education. The company does have
policies in place to allow consumers to correct inaccurate information in their data reports
(like the unknown phone number). Here again, I was surprised at the lack of information
the company had about me, aside from the information that is public record or that I
provided to them to verify my identity in order to gain access to the report.
Rebecca Joslin – Cyberlaw (Spring 2013)
21
Epsilon
In its response to Representative Markey’s inquiry, Epsilon stated that it uses
consumer data from a number of both private and public sources to provide marketing
services to retailers, media companies, charities, political organizations, and magazines so
that these companies might provide targeted advertising to interested consumers.43
Consumers may request access to their Epsilon Consumer Report by providing personally
identifiable information (name, gender, year of birth, address, etc.) and a $5 check to the
company. Consumers can opt-‐out of third party marketing programs by sending a simple
request to the company’s privacy center. My own Epsilon report yielded no information;
the Household Data, Household Demographics, Household Real Property Data, and
Household Interests sections were all completely blank. The company did not have any
Self-‐Reported Information linked to my personal information either; it appears that until I
sent the information request, my information was not found in any of Epsilon’s databases.
Intelius
Intelius calls itself an “information commerce company”; providing consumers and
businesses with information about people, businesses, and assets.44 The myriad services
provided by the company include background checks, reverse phone verification, property
and area information, people search, email search, as well as consumer services like
employment screening, marriage/divorce records, criminal background checks, and public
records searches – all of which require a fee to access. As with many other companies in
43 http://markey.house.gov/sites/markey.house.gov/files/documents/Epsilon.pdf, see also http://www.epsilon.com/consumer-‐preference-‐center 44 http://corp.intelius.com
Rebecca Joslin – Cyberlaw (Spring 2013)
22
the data industry, they also provide fraud prevention services (for a set monthly fee).45 “As
a courtesy”, the company allows consumers to opt-‐out of company services or edit
information contained on the website.46 I sent a data inquiry to the company, requesting
access to my consumer information or, in the alternative, removal of my information from
their website. To verify my identity, I included a copy of my Utah driver’s license (with
photo and DL number crossed out). To date, I have received no response from Intelius.
PeekYou
PeekYou is an online search engine that allows users to search for friends, family,
colleagues, and acquaintances across the Public Web.47 Their algorithm calculates the
likelihood of any URL being associated with an individual – the URLs can include news
articles, homepages, blog posts, social networking profiles, or public records entries.48
Rather than categorizing the company as a data miner, they prefer to be considered a
search engine – the company does not index financial or medical history unless it is openly
shared on the Internet. Consumer PeekYou pages can be corrected or removed; opt-‐out
requests sent to the company are honored within a few business days – but the company is
quick to note that, because it merely aggregates information like a search engine, the
information contained in a PeekYou profile is still available through traditional engines like
Google or Bing.
I sent an inquiry to the company requesting more information about their data
collection, use, and dissemination practices. In response, I was linked to the company’s
Privacy Pledge and Privacy Policy pages. To confirm my identity when I submitted my 45 http://www.intelius.com/idprotect.html 46 http://www.intelius.com/privacy.php 47 http://www.peekyou.com/about/corporate/site/faq 48 Id.
Rebecca Joslin – Cyberlaw (Spring 2013)
23
electronic request, I was sent a follow-‐up email asking me to verify my identity. The
company merely treated my inquiry as an opt-‐out request – and pointed out that the opt-‐
out only removes my listing from the PeekYou website – not from the public record
companies from which they source their information (including PeopleSmart, Spokeo,
Intelius, USSearch, PeopleFinders, and BeenVerified). To remove the records from these
companies, I would be required to contact them directly.
Nonetheless, simply entering my first and last name on the PeekYou website
returned a number of very personal results without any verification process at all: the data
returned by a simple search included my full name, age, my hometown (Pocatello, Idaho),
my parents’ address and phone number (redacted as “2xxx Sxxxxxxxxx Dx, Pocatello, ID”
and “(208) 238-‐xxxx”), and the website of a dinner theater at which I volunteered in high
school (westsideplayers.org). In the search results, PeekYou includes links to their
strategic partners (the sources mentioned above). The PeopleSmart link provided me with
even more very personal information – including my current location (Salt Lake City),
social networking profile links, and names of possible relatives (including my mother,
father, paternal grandmother, and paternal grandfather). This was perhaps the most
unsettling report to me; the fact that these websites knew names of my relatives –
especially my grandparents, who did not use the Internet with regularity and certainly did
not have social networking profiles or other meaningful online presence – felt violative of
my personal privacy (and theirs). Opt-‐out requests sent to the company are honored
quickly, but the data aggregation and reporting practices of this company in particular felt
much less like advertising data and more like a very personal dossier of irrelevant
information for advertising purposes.
Rebecca Joslin – Cyberlaw (Spring 2013)
24
Rapleaf
Rapleaf aggregates consumer data from data providers and maps it to consumer
email addresses throughout the US; the company sources data from other data bureaus,
and its marketing partners use Rapleaf’s email link system for a range of marketing and
advertising activities. Rapleaf also collects data from public sources including surveys,
census data, and public records. In a case study of one of its marketing partners, Rapleaf
describes how it used the email list created by a restaurant loyalty program to learn more
about the restaurant’s customer base. The restaurant used the profiles created by Rapleaf
to tailor advertising and marketing to its loyal customer base. The profiles included
segment information like median age, homeowner status, relationship status, education,
lifestyle and interest information, and income range.49
Discovering the extent of information and the customer segmentation profile
Rapleaf has associated with a particular consumer is as simple as submitting an online
request. Once the email address has been verified, a consumer has complete access to basic
demographics, interests, and miscellaneous information that the company has associated
with that email address. My own email address ([email protected]), which has been
my primary email for a number of years, was associated only with my gender – the
company correctly identified only that I am female. The report returned no age
information, interests, or miscellaneous information. Notably, with Rapleaf’s consumer
profile allows consumers to edit and remove data in their consumer profile –but they can
also add data if they desire. This, according to Rapleaf, allows the company to partner with
others to give consumers a more personalized advertising experience.
49 https://www.rapleaf.com/pdfs/Rapleaf_Maggianos.pdf
Rebecca Joslin – Cyberlaw (Spring 2013)
25
Conclusion
In recent months, mainstream media and consumer privacy advocates have been
quick to jump to alarmist conclusions about the activities of the data broker industry. More
than a few newspaper articles and reports have made a connection between data
brokerage companies and “Big Brother”, the totalitarian government leader famous in
George Orwell’s 1984. So, is Big Brother watching American consumers?
In a way, yes. Consumers are being watched not by a totalitarian government, but
by data brokerage companies that aggregate consumer information to create digital
profiles of more than 190 million Americans, according to Acxiom’s response to
Congressman Markey. The collection and dissemination of personal information is, on one
side of the debate, problematic and intrusive for many consumers, while on the other side
an integral part of today’s economy. While industry participants claim that the biggest risk
to consumers is irrelevant advertisement, there is much more to the problem than that.
Consumers deserve to know more about the industry practices in general; industry-‐wide
lack of transparency only adds to the consumer alarm and widespread distrust of data
miners. Lack of consumer access to and control over their own information feels violative
of consumer privacy on a basic level. Finally, the most obvious risk related to the data
brokerage industry is not the targeted advertising and marketing (or the possibility of
irrelevant advertisements for consumers), but rather the possibility that the information
aggregated by data collectors would be used to unlawfully profile consumers or to
otherwise circumvent other regulations regarding the use of consumer data. Sensitive
health and personal information aggregated by data miners and linked to individual
Rebecca Joslin – Cyberlaw (Spring 2013)
26
consumers requires more than industry-‐based protection; government regulation relating
(at a bare minimum) to the use of this information seems more appropriate than industry
best practices, and necessary to protect consumers from unlawful profiling.
Certain key industry players have indicated a desire to move toward increased
transparency: Jennifer Barrett Glasgow, chief privacy officer of Acxiom, indicates a belief
that the industry needs to take a proactive approach toward explaining how their practices
benefit business and consumers by saying, “Companies generally want to maximize their
use of data to make information valuable for both the company and the consumer, but
those goals are unachievable if data collection initiatives feel ‘plain-‐old creepy’”.50 Indeed,
the entire industry may be better served by eliminating secrecy surrounding its practices
and working to establish trust with consumers about proper collection and use of their
data. Individual privacy is a hot-‐button issue in American politics today: from CISPA to the
various inquiries into the activities of data brokers outlined above, legislators and
government agencies are in constant debate about how best to protect competing
consumer privacy, economic, and government interests. It remains to be seen whether
industry-‐based initiatives will satisfy lawmakers and government agencies enough to quell
the current calls for top-‐down regulation, or whether the recent government inquiries will
ultimately lead to increased government regulation and proposed legislation.
50 http://data-‐informed.com/leading-‐senator-‐opens-‐inquiry-‐into-‐brokers-‐collection-‐and-‐management-‐of-‐consumer-‐data/