When the Federal Trade Commission (FTC) speaks, Sen. Jay Rockefeller (D-WV), chairman of the U.S. Senate Commerce Committee and self-styled “champion of consumer privacy,” apparently listens. Two years ago, with the help and encouragement of the FTC, Rockefeller led passage of the Restore Online Shoppers’ Confidence Act (colloquially known as “Rockefeller”), which banned the practice of “data pass” between online sellers and upsellers in which the latter could use the consumer’s credit card number in another transaction without getting it again from the consumer. Now, again on cue from the FTC, he is setting his sights on the practices of a truly formidable target – the data brokerage industry, which is the nerve center of the new “Big Data” world of mass data collection and sharing on the Internet.
Last March, in its most recent privacy report, “Protecting Consumer Privacy in an Era of Rapid Change,” the FTC, in an effort to broaden the scope and effectiveness of consumer privacy protection, recommended that Congress pass a law to provide “greater transparency for, and control over, the practices of information brokers.” Noting that consumers never deal directly with data brokers and have little understanding of what they do, it suggested that Congress could model such legislation on a previously passed House bill which created a procedure for consumers to access and dispute personal data held by brokers, similar to what they can do with credit reporting agencies. In addition, the FTC called on data brokers to create a centralized website where consumers could learn who they are, how they collect and use their data for marketing purposes, and what access rights and choices they offer them.
Specifically citing the FTC recommendation and several reported data privacy and security lapses, last month Rockefeller launched a major investigation of the data brokerage industry, sending letters to nine of its most prominent members – Acxiom, Experian, Equifax, Transunion, Epsilon, Reed Elsevier (Lexis-Nexis), Datalogix, Rapleaf and Spokeo. The letters ask them to answer detailed interrogatories aimed at finding out: 1) what data about consumers they collect; 2) how specific it is (i.e., to consumers, computers or devices); 3) how they obtain it (including sources, contracts and amounts paid); 4) who buys it (including customer names, contracts and amounts paid); 5) how it’s marketed, sold and used; and 6) what notice, access, dispute and opt-out rights, if any, they offer consumers. Responses were due by Nov. 2.
Because it is a small agency (albeit with enormous power), the FTC has developed new methods in recent years to increase its “bang for the buck” in Internet fraud enforcement. This has included joint “sting” operations with state attorneys general, working in concert with Visa and Master Card to curtail negative option marketing by tightening the vice they hold over credit card processors, and building chargeback-based cases against Internet marketers by first subpoenaing “back-end” merchant account records from their processors. Now, with Sen. Rockefeller once again on its side and on the march, the FTC also stands a good chance of achieving maximal compliance leverage in the area of consumer privacy protection by “going to the heart” of Big Data itself – the data brokers that, like the payment processors, control the toll gates and make it all happen.