Each year, several privacy bills are presented to Congress, and each year, several privacy bills never leave committee. Members of Congress tout the importance of online privacy to Americans, but fail to put words into action. This time may be different, and the regulatory structure put in place is essential to protecting personal data. A key element is to ensure that data brokers are covered by this legislation and receive the oversight that is desperately needed.
In 2000, the Federal Trade Commission (“FTC”) released its third report, “Privacy Online: Fair Information Practices in the Electronic Marketplace,” examining the state of online privacy and the effectiveness of industry self-regulation.1 The FTC identified growing consumer concerns about online privacy and the limited success of industry certification efforts. As a result, the FTC urged Congress to enact legislation that would ensure adequate protection of consumer privacy online, while also recognizing that industry self-regulation should play an important role. Congress has not passed legislation providing comprehensive privacy protection.
In 2014, the FTC released a report highlighting growing concerns about data brokers. Data brokers collect consumer information from public and non-public sources and sell that information to businesses. The information can be sought for harmless purposes such as targeting dog lovers for a new product or for harmful purposes such as compiling a list of alcoholics.2 Although data brokers operate legally, this is largely because they have no direct contact or relationship with the consumer. The FTC has raised concerns about the ability of these brokers to collect information from a growing number of sources, analyze it using new and emerging algorithms and models, and store information indefinitely due to lower storage costs. The FTC has urged Congress to enact legislation to ensure adequate protection of the privacy of consumers online, and Congress has failed to enact comprehensive privacy protections.
Americans’ concerns about their privacy have grown as commerce and activity move to online platforms. According to the Pew Research Center, more than 81% of Americans feel they have little or no control over the data companies collect and 79% are very or somewhat concerned about how companies use their data.3 These sentiments are valid given that the customer’s personally identifiable information is compromised in 44% of all data breaches.
There appears to be real momentum in Congress to finally pass a privacy law that offers comprehensive protections after multiple high-profile data breaches and Schrems II’s invalidation of the EU-United States Privacy Shield. Therefore, this is an ideal time to examine and recommend a regulatory structure for the oversight of data brokers. While some may want to abolish the data brokerage industry altogether, this idea is impractical and overlooks the market efficiency benefits that databases provide. However, since sensitive data is collected and the information can reveal a detailed profile of an individual, regulation and oversight would help limit bad actors.
Personal data markets operate similarly to financial markets in that there are primary markets (the collection of data from consumers), secondary markets (the sale and exchange of data), and brokers (the data brokers). Today’s data industry parallels the financial markets of the pre-Great Depression era, where market participants were subject to little or no regulation. After the collapse of the financial markets and as part of New Deal-era legislation, Congress passed the Securities Act of 1933 and the Securities Exchange Act of 1934. While these laws regulated the supply and trading of securities in the primary and secondary markets, most of the cross-dealer trades were unregulated. The Maloney Act of 1938 amended the Exchange Act, authorizing the National Association of Securities Dealers (“NASD”) to impose and enforce regulations on the conduct of brokers. Although the NASD was a voluntary self-regulatory organization (“SRO”), it was still under the oversight of the Securities and Exchange Commission. Today, NASD is called the Financial Industry Regulatory Authority (“FINRA”), which delivers licensing exams; creates, interprets and enforces rules; and resolves disputes. Companies and individuals who wish to do business with the public must be certified as members of FINRA.
Comprehensive data privacy legislation will have an effect similar to that of the Securities Act and the Exchange Act in that it will regulate the face of the industry. Data protection law will address how data is collected, the notices required and consumers’ rights in relation to their information. In addition, the legislation will address how companies that collect information directly from consumers handle that data and the limits on selling or sharing it. However, as in the financial markets, data brokers operate in a way that could largely bypass these requirements. Congress should mandate an SRO similar to FINRA that is overseen by the FTC. The SRO should require licensing exams for people handling data at member data brokerage firms and should help streamline education and training on industry best practices. The SRO must be able to implement, interpret and apply rules to quickly adapt to the fast-paced nature of the tech industry. Most importantly, the SRO should have an arbitration body that allows businesses and consumers to bring complaints against data brokers for improper actions.
Given Congress’ history with privacy legislation, this may be the only opportunity. An SRO for data brokers would ensure that a regulator is established to protect consumers, set market standards and provide the necessary oversight. Learning from other industries is crucial to avoiding similar mistakes, and luckily for personal data markets, financial markets serve as a glaring example.
1 Federal Trade Commission, Privacy Online: Fair Information Practices in the Electronic Marketplace: Report to Congress (May 2000)
2 Testimony of Pam Dixon, Executive Director, World Privacy Forum (December 18, 2013)
3 Pew Research Center, Americans and privacy: worried, confused, and unable to control their personal information (November 15, 2019)