Watchdog vows crackdown on 'harmful' world of surveillance-by-data-broker
Promise of action excites some, others wish America had Cali-style Delete Act for personal info
Analysis An American watchdog today said it will propose fresh rules governing the type of personal information data brokers can collect and sell – as the White House hosted a roundtable on how to better protect individuals from unwanted surveillance.
Back in March, the US government's Consumer Financial Protection Bureau (CFPB) launched an inquiry into companies that track people's daily activities and trade that information. This personal info can be harvested from public records, scraped from social media, bought from financial institutions and other outfits, and collected from mobile apps and websites – and all packaged up for resale, ideally anonymized and aggregated.
More than 7,000 responses came in to the CFPB's request for information, and the bulk of these echo concerns raised by Congress: data brokers are not complying with privacy laws and instead of selling very personal information.
"Reports about monetization of sensitive information — everything from the financial details of members of the US military to lists of specific people experiencing dementia — are particularly worrisome when data is powering artificial intelligence and other automated decision-making about our lives," CFPB Director Rohit Chopra told The Register in a statement via email.
"The CFPB will be taking steps to ensure that modern-day data brokers in the surveillance industry know that they cannot engage in illegal collection and sharing of our data," he added.
Specifically, those steps include rules to ensure data brokers comply with the US Fair Credit Reporting Act (FCRA). This would ensure any companies that monetize consumer data would be prohibited from selling it for purposes other than those allowed by the 1970 federal law.
What's in store for data brokers
Chopra provided more details about its proposals during today's White House roundtable.
First, he said, a data broker that sells certain types of consumer data would be defined as a "consumer reporting agency."
This would trigger requirements for ensuring accuracy and handling disputes of inaccurate information, as well as prohibit misuse
"The CFPB is considering a proposal that would generally treat a data broker's sale of data regarding, for example, a consumer's payment history, income, and criminal records as a consumer report, because that type of data is typically used for credit, employment, and certain other determinations," Chopra said.
"This would trigger requirements for ensuring accuracy and handling disputes of inaccurate information, as well as prohibit misuse."
The second proposal aims to clarify so-called "credit header data," and whether this is a consumer report.
This is personally identifying information — names, addresses, and Social Security numbers — contained in consumer reports generated by Equifax, Experian, TransUnion, and other credit reporting organizations.
Data brokers typically use this credit header data, which they purchase from the big three, to create dossiers on individuals.
"The CFPB expects to propose to clarify the extent to which credit header data constitutes a consumer report, reducing the ability of credit reporting companies to impermissibly disclose sensitive contact information that can be used to identify people who don't wish to be contacted, such as domestic violence survivors," Chopra said.
How about a federal Delete Act?
Data privacy advocates including the Electronic Privacy Information Center (EPIC), Demand Progress, Just Futures Law, and the National Consumer Law Center applauded the CFPB proposals.
Data brokers have been allowed to profit off Americans' personal data with little to no oversight
"For far too long, data brokers have been allowed to profit off Americans' personal data with little to no oversight, compromising people's privacy and safety," EPIC senior counsel Ben Winters told The Register. "The CFPB's action will bring much needed transparency and accountability to the data broker market."
Some, however, said the new proposals don't go far enough.
"We need to go much further in cracking down on potential data broker abuses," BlackCloak CEO Chris Pierson told The Register.
In addition to heading the cybersecurity firm, Pierson also served as a member of the US Department of Homeland Security's Privacy Committee and Cybersecurity Subcommittee.
"This is not something that should be limited to organizations that are defined as credit reporting agencies under the FCRA," Pierson said.
"Instead, the Federal Trade Commission should be stepping in with regulations to limit information collection on all persons for any reason and the associated selling of their data through data brokers in general."
Funnily enough, AI models must follow privacy law – including right to be forgottenREAD MORE
Pierson said California's so-called Delete Act, which is moving through the US West Coast state's Senate and Assembly, could and should be used as a national model.
The proposed law, if passed, would create an online portal where people can request their personal information be removed from data-broker tracking.
"This is a critical improvement to current laws, as it creates a one-click method for removing this data from all data brokers," Pierson said. "There are hundreds of data brokers, so right now consumers have to go to each one individually to have their information removed."
It's a long and time-intensive process, and "most people don't stand a chance," he added. "California is setting the stage for major changes with its law, but I'd like to see Congress move in a similar direction so that we have federal legislation to support it."
Lawsuits and new laws
Chopra co-hosted the roundtable along with the White House Office of Science and Technology Policy Director Arati Prabhakar, National Economic Council Director Lael Brainard, Federal Trade Commission Chair Lina Khan, and Principal Deputy Assistant Attorney General Brian Boynton.
At that gathering, Chopra talked about "protecting Americans from harmful data broker practices," adding: "It’s critical that there’s some accountability when it comes to misuse or abuse of our private information and activities."
Also during the meeting, Prabhakar pointed back to the May 2020 Black Lives Matter protests that took place in Atlanta, Los Angeles, Minneapolis, and New York City.
"While that was happening, a consumer analytics company was sweeping up location data and device IDs and browser histories," she said. "They were then using AI to predict the race and the age and the gender and the zip codes of the participants. That was all data that they were selling."
These types of protests are "the backbone of our democracy," Prabhakar continued. "And yet these people were having their data used in this way."
- Proposed ban on data brokers selling warrantless personal info to Feds revived
- Court gives FTC 30 days to swing again in privacy bout with location data slinger
- Biden attacks Big Tech's data addiction, wants more protection for kids
- One year after Roe v Wade overturned and 'uterus surveillance' looks grim
Both the White House meeting and the CFPB proposals follow other moves by the Biden administration and Congress to crack down on data brokers.
Last year the FTC sued Kochava in an attempt to force the analytics firm to stop selling personal information. While the lawsuit was thrown out, essentially for being too vague, it has since been refiled with the courts.
President Joe Biden also called out data brokers in his February State of the Union address.
And just last month, the House Judiciary Committee advanced a draft law that would prevent data brokers from selling US citizens' personal information to law enforcement and federal agencies without a warrant. ®