Defects in the DATA Act

By Mark Verstraete – Edited by Michael Shammas

On February 12, 2014, Senators Rockefeller (D-WV) and Markey (D-MA) introduced a bill that would require data brokers—companies that collect and sell consumer information to third parties—to be more transparent about their practices. The Data Broker Accountability and Transparency Act, S. __, 113th Cong. (Feb. 12, 2014) ("DATA Act"), represents an attempt to empower consumers to regain some control over their personal information.

In reality, the transparency and control offered by the DATA Act are limited. The Act contains an opt-out feature that requires data brokers that use, share, or sell information for marketing purposes to furnish each individual, including consumers, with a “reasonable means for expressing a preference” not to have their information used for marketing. Other, non-marketing uses are outside the scope of the opt-out provision.

Even more worrisome, each data broker is responsible for providing its own method of opting out, decreasing the likelihood that consumers will actually be informed of and exercise their rights. Privacy Rights Clearinghouse maintains a list of over 250 currently active data brokers. If each broker on the list establishes a different opt-out procedure, consumers wishing to prevent the use of their personal information for marketing purposes will have to locate each data broker and comply with each one's specific opt-out procedures. A reasonable means of expressing an opt-out preference to one data broker may become unreasonable when repeated 250 times.

A better solution would be to create a central database where consumers can indicate their opt-out preferences, akin to the FCC-affiliated ‘Do Not Call Registry,’ a centralized database for consumers to opt out of telemarketing.
Such a database would obviate the need to track down and inform 250 different organizations about one’s preferences.

As for transparency, the DATA Act only requires that data brokers maintain a website notifying consumers how they can request their information in order to review and correct it. However, merely disclosing to consumers what data of theirs is held hardly qualifies as transparency. The data brokers' websites need not detail how consumer data is gathered, how it is used, or to whom it is sold. Without this information, consumers cannot make an informed decision about whether to review and correct their information. Participating in the review-and-correct procedure is costly—it takes time and may require giving up further privacy—and the benefits of the correction are inscrutable without knowing how a consumer’s personal data is used or to whom it is sold.

Take, for example, Experian, one of the largest data brokers in the United States. Experian sells consumer information to a litany of businesses, including retailers, consumer products manufacturers, non-profits, Internet Service Providers ("ISPs"), media placement agencies, government agencies, real estate agents, and universities. However, the DATA Act does not require Experian to disclose which organizations receive a particular consumer’s personal information. A consumer may prefer that media placement agencies have correct information, but may not mind if a government agency has incorrect information. A consumer cannot act on this distinction in deciding whether to correct her data because Experian will not reveal which organizations, if any, are purchasing the consumer's data.

Furthermore, the transparency requirement does not require disclosure of how personal data is used. Consider the Fair Credit Reporting Act, 15 U.S.C. § 1681 (2003) ("FCRA"), which contains a review-and-correct procedure that is similar to the one in the DATA Act.
The FCRA regulates consumer reports that are used by credit and insurance providers and other entities to make decisions that affect consumer eligibility. Because the FCRA has a narrow scope of uses for credit reports, consumers have a better idea of how their personal information is used. This enables consumers to better weigh the harms that could materialize from incorrect information and thus to make better-informed decisions about whether to correct it.

In contrast, the DATA Act may not require data brokers to notify consumers how they can review and correct “modeled” data. This type of data is created by drawing inferences from “actual” data—information like date of birth, phone number, and shopping habits. The Senate Commerce Committee Report on data brokers cites an example of “modeled” data as labeling an individual as having allergies based on an over-the-counter purchase of allergy medicine. The data broker Acxiom currently has a review-and-correct procedure in place, but “modeled” data is not subject to it.

“Modeled” data can be particularly invasive. For instance, Target developed a prediction program that determined which women were likely to be pregnant based on their shopping habits. This is a particularly invasive use of predictive models. However, if a data broker had created this model, and it was subject to a review-and-correct procedure, would it make sense, in terms of protecting consumer privacy or practically, to correct this information?

Consumers could conceivably “correct” probabilistic predictions directly. For example, a woman whom Target identified as pregnant could submit a statement or medical records to the company explicitly denying her pregnancy. However, submitting medical records also implicates the woman's privacy interests, and it is not clear what Target would do with the information. Would it mechanically correct its prediction? Would it input the information as one more data point in its prediction algorithm?
Without knowing more about how data-collecting entities respond to corrective measures, it is hard to weigh the benefits of correction against the potential invasion of privacy.

On the other hand, consumers could “correct” bad data indirectly through the injection of good data. In the Target example, this would involve the consumer above determining which of Target's products the company has associated with not being pregnant, then buying those products. However, such a strategy may prove prohibitively time-consuming and, without greater knowledge of how entities like Target treat such data injections, of uncertain efficacy.

The Senate Commerce Committee has taken significant steps toward bringing transparency to the data broker industry. Specifically, Senator Rockefeller has led probing investigations into the industry, including one investigation on the heels of an instance of consumer information being sold to identity thieves. However, if the DATA Act is truly going to empower consumers, then it should incorporate lessons learned from past consumer protection efforts.