The buying and selling of customer data is a multibillion-dollar, unregulated business that's growing larger by the day. Companies are selling information about you, and your company is probably selling data about its customers. Consumers are growing more concerned amid an endless string of data thefts and losses.
Want a list of 3,877 charity donors in Detroit? USAData will sell it to you for $465.24. How about 3,797 cat owners in Peoria? Available for $455.64. Interested in data on graduating high school seniors? The College Board sells that to 1,700 colleges and universities for 28 cents a kid. Then there are those who obtain cell phone and credit card records illegally and sell them to private investigators, law enforcement, and angry spouses planning a divorce.
It's a messy situation that's attracting the attention of legislators and government agencies. Businesses could find them- selves in a jam if they aren't careful how they buy, sell, and handle customer data; if they don't live up to their published privacy policies; and if they don't protect that data with ironclad security.
Taking The Fifth
Former data broker James Rapp testified last month before the U.S. House Energy and Commerce Committee about how easy it is to obtain telephone and credit card data by impersonating customers. Eleven others identified as data brokers refused to testify, invoking their right to not incriminate themselves.
U.S. Sen. Hillary Rodham Clinton, D.-N.Y., plans to introduce a "privacy rights" bill that would, among other things, protect phone records and require that consumers be notified when their personal information has been compromised. And in April, the Government Accountability Office, the investigative arm of Congress, issued a report that said data brokers often fail to follow privacy protection guidelines in the Privacy Act of 1974 when using information obtained from public sources.
Some data brokers are getting the message that changes are needed. ChoicePoint last year brought a spotlight to the industry's practices when it revealed it had previously sold information on 145,000 consumers to identity thieves posing as a legitimate business. Since then, ChoicePoint has restricted sales of personal information to supporting consumer-initiated events such as a job application or to large businesses that already have a relationship with the consumer. The company has abandoned some markets. It won't sell data to collection agencies, for instance, a move that cost it $15 million to $20 million in annual revenue. It also improved its screening of companies it sells data to, established procedures for auditing how clients use that data, and created a chief privacy officer post for the company and data privacy and security positions in each business unit, CPO Carol DiBattiste says.
Amid the bad publicity, ChoicePoint is shunning the label of data broker. "In my world, that's companies that aren't protecting the data or that are just selling data like phone numbers," DiBattiste says.