Companies that silently gather data on consumers should be more transparent about what they do and should give consumers more control over the information they collect, a Federal Trade Commission report said Tuesday.
The report examines the practices of nine data brokers: Acxiom, Corelogic, Datalogix, eBureau, ID Analytics, Intellius, PeekYou, RapLeaf, and Recorded Future. It concludes that the data gathering industry in the US operates without meaningful transparency or public accountability and recommends that Congress consider legislation to address those deficiencies.
"The extent of consumer profiling today means that data brokers often know as much -- or even more -- about us than our family and friends, including our online and in-store purchases, our political and religious affiliations, our income and socioeconomic status, and more," said FTC Chairwoman Edith Ramirez in a statement. "It's time to bring transparency and accountability to bear on this industry on behalf of consumers, many of whom are unaware that data brokers even exist."
The report finds that data brokers have information on almost every US consumer, collect billions of data points every month, and often share this information with other data brokers. The companies collect information about what people buy, their social media activity, product registrations, magazine subscriptions, religious and political affiliations, and a variety of other details. They combine online and offline information to create categorical profiles, some of which might offend those so characterized or might be considered sensitive because they focus on ethnicity, income, education level, or health conditions.
[How much do you trust your gut? Read Big Data Debate: Do Analytics Trump Intuition?]
For example, categories such as "Urban Scramble" and "Mobile Mixers" include a high-concentration of Latinos and African Americans with low incomes. The category "Rural Everlasting" refers to "single men and women over the age of 66 with 'low educational attainment and low net worths.' " Other categories include those believed to be pregnant, those concerned about diabetes, and those concerned about high cholesterol.
The report notes these categorizations could create costs for consumers if, for example, insurance companies elect to use these profiles to evaluate individuals' health or injury risks.
Peggy Hudson, senior VP of government affairs for the Direct Marketing Association, said in an emailed statement that the DMA has long supported transparency and consumer choice through services like DMAchoice, for opting out of mailings, and through cooperation with the Digital Advertising Alliance.
Hudson contends that, despite thousands of pages of documentation and two years of investigation, the FTC report "finds no actual harm to consumers, and only suggests potential misuses that do not occur."
Daniel Castro, director of the Center for Data Innovation, a think data promoting data usage in business that's affiliated with the Information Technology and Innovation Foundation, said in an emailed statement that forcing companies to provide consumers with notice after every transaction would hinder commerce while doing little to promote consumer trust. "The FTC seems to be stuck in a notice-and-choice world while everyone else is trying to move on," he said.
In a follow-up email, Castro elaborated on why he believes notice-and-consent, the traditional privacy paradigm, is no longer relevant. He favors the term "notice-and-choice," perhaps because the absence of "consent" implies a transgression of some sort. The absence of choice merely suggests a more limited menu of options.
"The problem with notice-and-choice is it's disruptive to the free flow of data," said Castro. "For example, if Google had to serve up (in the words of the FTC) a 'prominent notice to consumers' every time somebody clicked 'search,' we wouldn't have things like Google Flu trends."
Castro argues that notice-and-choice worked for the world of paper records, but breaks in the digital world, in terms of online products and services. "You don't see a lot of petitions asking the government 'please require websites to give us more pop-up notices.' Or citizens calling their members of Congress saying they wish their hair stylists and plumbers would be like their doctors and give them a HIPAA-like privacy notice before providing them a service."
Castro, like Hudson, chides the FTC report for its focus on "speculative harms." Yet, such data gathering represents a speculative harm in part because there's so little transparency. How is an individual to know whether he or she has been harmed by a data transaction -- through a higher insurance premium, for example -- if the data broker does not reveal what data was sold and the data buyer does not explain the data's impact on decision making?
Perhaps more to the point, privacy is not measured by the absence of harm. An unknown person standing in your bedroom at night may not do any harm. But you would probably prefer more privacy, even with the assurance that your lurking guest merely wants to see if you're in the market for sleeping pills.
Private clouds are moving rapidly from concept to production. But some fears about expertise and integration still linger. Also in the Private Clouds Step Up issue of InformationWeek: The public cloud and the steam engine have more in common than you might think. (Free registration required.)