Dealing with a Data Broker? Here's What you Need to Know
The FTC recently released its report, “Data Brokers: A Call for Transparency and Accountability.” The report is the result of a study of nine data brokers and provides legislative recommendations and best practices. Here’s what companies considering or currently dealing with data brokers should know.
I. Transparency is Key: Inform Consumers About Your Company’s Use of Data Brokers
As is evident from the title of the report, transparency is important. Although primarily focused on data brokers themselves, the FTC also recommends consumer-facing companies providing data to and receiving data from data brokers provide clear notice to consumers about the company’s data broker practices. To the extent possible, notice should include both of the following:
- The names of the data brokers to which the company provides data
- Information about or links to a description of the data brokers’ access and opt-out policies
Companies purchasing risk-mitigation products for identity verification and fraud detection should also consider providing notice to consumers who are denied the ability to complete a transaction (e.g., purchase a product). For example, a company may use a risk-mitigation product to prevent fraud. If fraud is detected, and as a result, the consumer is denied the ability to complete a transaction, the company should provide the identity of the data brokers upon whose data it relied to the consumer. This, however, is not a one-size-fits-all approach and the level of transparency should be tied to the significance of the benefit or transaction in question.
II. Provide Consumer Access and Choice
Consumers should have access to and choice about their data, even if it is controlled by data brokers. Again, consumer-facing companies using data brokers should provide consumers with information about or links to the data brokers’ access and opt-out policies to ensure consumers have the ability to access their data, opt-out and, if necessary, correct any errors.
III. Limit Data Collection and Retention
Despite the technological advances and increasingly low cost of data storage, companies should limit data collection and retention to what is necessary. This is true even if the data is received from a data broker. What is necessary depends in part on the purpose of such data. For example, companies may need to retain outdated data, such as an old consumer address, to verify a consumer’s identity. However, the FTC notes older addresses may be less relevant for marketing purposes.
IV. Pay Attention to the Permitted and Prohibited Uses of Data
Data usage may be limited by contract and/or statute. Some data brokers go one step further and “seed” or audit their clients to ascertain whether data is being used for contractually prohibited purposes. Data uses contractually prohibited by data brokers may include the following:
- Reuse or resale of the data without permission
- Decoding or reverse engineering of the data
- Illegal or illicit uses
- Uses in violation of the FCRA, GLBA, HIPAA, or COPPA
- Uses in violation of industry self-regulatory guidelines
Regardless of the contractual limitations placed on data usage, it is important to keep in mind statutes including the FCRA, GLBA, HIPAA, COPPA and/or other guidelines may apply.
V. Think Twice Before Collecting and Sharing Sensitive Information With Data Brokers
Although HIPAA and other statutes may impose requirements on the treatment of some sensitive information (e.g., Protected Health Information), what the FTC considers sensitive information may be broader than what is currently regulated. This is particularly true given the ability of data brokers to combine large data sets and produce derivative data. In its recommendations to Congress, the FTC recommends requiring companies to obtain consumers’ affirmative express consent before collecting and sharing sensitive information with data brokers. It is not clear what constitutes “sensitive information” in this context, but the FTC notes some consumers may consider some data sensitive even if not universally considered as such.
The FTC is paying more attention to data brokers and companies dealing with data brokers. If you have any questions about this or privacy policies generally, please contact Peter Guffin at pguffin@pierceatwood.com.