Data Brokers and Consumer Privacy – Current Legislation and What You Need to Know

As consumers, we have the right to privacy. However, this basic right is not assured when it comes to the web where information is both the fuel and the currency, and where laws often fail to keep up.
Transparency and online privacy. What you need to know about online protection rules

How Is Your Privacy Violated Online?

Everytime you download a free app, buy something and leave your contact details to a brand you like, or use online services and social networks, you share data about yourself. It means that some entity out there stores this information and uses it to make money either by advertising their goods and services to you as a consumer, or by selling the information they collect about you to third parties. This is how your data gets to data brokers and people-search sites, the unscrupulous profilers that create, purchase and sell dossiers about virtually everyone.

Why Worry?

Data Breaches

There are roughly 4000 data broker companies worldwide and the United States alone is home to the biggest industry giants, like Acxiom, Equifax, Experian, and Pipl. Just in 2017 alone, 886 data gathering organizations based in the US failed to safeguard their databases. As a result, almost 400 million personal records were leaked. This exposed data included US citizen’s names, home addresses, birthdates, phone numbers, Social Security numbers, political views, certain medical records, student grades and much more.

Related: What Is a Data Breach? Learn How to Protect Yourself and What to Do After a Data Breach

Don’t let corporations invade your private life

OneRep scans the web for your personal records and and removes them from top search sites in the U.S. 

Increased Risk of Being Attacked Both On- and Offline

In recent years, people-search sites have dramatically ramped up the collection and sharing of personal records. Unfortunately, it’s perfectly legal despite the fact that the exposed personal information is published without consent and is a huge privacy threat. Not to mention it can make you the target of a stalker, fraudster, identity thief, or any other wrongdoer

Here are a few questions you should be asking yourself: 

  1. Are there any laws preventing data brokers and people-search sites from the collection of consumer data?  
  2. What, if anything, has Congress done to control such unwanted activity?
  3. What can I do to protect my online privacy from data brokers and people-search sites? 
  4. Are these entities required to delete consumer profiles upon request? 

Data Brokers and Legislation

Unlike the EU’s GDPR, in the U.S. there isn’t a central federal privacy law pertaining to various aspects of consumer privacy, including data broker regulation. 

The current consumer privacy legislative structure looks like this:

According to the FTC, the law protects consumers in privacy cases regarding finances, employment, insurance, housing, and other limited instances. Data privacy laws apply to credit bureaus, employee screening services (FCRA), and health care providers (FCRA, HIPAA) but information brokerage falls outside their jurisdiction most of the time. This lack of regulation makes the data brokers’ position stronger when it comes to lawsuits.  

Your privacy matters. Let us help.

OneRep offers its members continuous monitoring and automated removal of their private information from the web.

However, over the past few years things have started to change for data brokers. In the absence of a comprehensive federal privacy law, numerous states have been working on their own laws regulating consumer and data privacy. A few regulations have already been adopted to increase transparency in the murky industry. 

VERMONT LAW

The first data broker law was enacted in May 2018 in Vermont. Thought not entirely comprehensive, the law did several important things:

Straightened definitions
The Vermont law defined data brokers as a business that “knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.”

The law also provided a generous definition of the brokered personal information, which includes name, address, date and place of birth, mother’s maiden name, government-issued IDs, as well as biometric data, the information of immediate family members, and any information that could reasonably identify a consumer.

Related: Understanding Personally Identifiable Information: What Is PII and How To Protect It Online

Built transparency
Data brokers operating in Vermont must now register annually with the state or face penalties of up to $10,000 per year.

Also, they are required to share information regarding their practices of collection, storage or sale of consumers’ personal information, disclose their opt-out processes and inform the authorities of any security breaches.

Outlawed fraudulent collection
The law prohibits acquisition of personal information fraudulently or with the intent to commit fraud, harassment or discrimination.

Increased security
Companies trading data on Vermont’s residents must adopt adequate industry-standard protections and comprehensive data security programs.

Made credit freezes free
Credit freezes are an important way for consumers to safeguard themselves and neutralize the fallout of a data breach. Vermont’s law bans credit agencies from charging consumers fees for this protection.

CCPA/CRPA

The most important and influential data privacy law in the U.S. so far, California’s Consumer Privacy Act (CCPA), was inspired by the GDPR. It took effect on January 1, 2020 and was later amended by the California Privacy Rights Act (CPRA). The law regulates data privacy practices of any company that earns more than $25 mln per year, processes the personal information of at least 50,000 California consumers or makes more than half of their annual revenue by selling personal information. 

Under the CCPA Californians have the following rights:

Know what personal information is collected
California consumers are entitled to know the categories of information collected and see any specific pieces of information a company has on them.

Opt out of the personal information sale
Consumers can request companies to not share their data with other companies, whether it’s done for money or not.

Remove personal information upon request
Californians can request any company that has gathered their data – as well as anyone the company has shared the data with – to delete it from their records. However, this doesn’t automatically cancel future data collections. Consumers have to make a choice whether to continue based on their knowledge of how their data is being collected. The only way to avoid information harvesting is to stop using the company’s products or services completely.  

Sue companies for data breaches
This right is beneficial for consumers as the threat of lawsuits is likely to cause companies to improve their data-handling practices. 

Data Brokers and Congress

In 2020 Congress didn’t pass the Data Accountability and Trust Act that would have had a huge impact on the data broker industry. Among other things, the bill looked to

  • Establish industry-wide security standards 
  • Require data brokers to go through postbreach and annual privacy audits
  • Prohibit collecting information under false pretenses
  • Force data brokers to get consent to collect sensitive data 
  • Mandate opt-outs 
  • Create a national list of data brokers

There may be plenty of reasons why this and other privacy bills weren’t enacted. However, it’s also noteworthy that in 2020, data brokers collectively spent as much as $29 million on federal lobbying –  the amount that rivaled the spending of individual Big Tech firms like Facebook and Google. Obviously, the legal landscape around consumer privacy is changing, and data brokers are getting anxious to have a say in legislation matters as they’re facing a real threat to their business model by the emerging privacy regulations.

When stakes are that high, corporations become very resourceful in their attempts to convince Congressmen to hear their voice. With all that lobbying, can one be sure that lawmakers don’t put the companies that fund their campaigns ahead of the safety and security of the consumers they represent?

Data Brokers and Your Right to Opt-out

Even though the law obliges data brokers and people-search sites to remove personal information upon request, not all of them offer a meaningful opt-out of their databases. Often, this opt-out process is intentionally difficult and time-consuming, and can’t be done via a single phone call. Instead, you’ll be asked to fill out forms, send faxes and snail mail, and sometimes do all three!  

Even more so, each website’s process is unique and hard to learn more about so if you decide to remove your personal information, prepare yourself for a long and rough road. It is far easier to buy background reports on all your neighbors than it is to scrub your personal details from these sites. For this reason, OneRep has created free removal guides for 100+people-search sites to help you through the opt-out process All you’ll need is patience and determination to get it done. 

Consumers who successfully opt-out of the data broker websites that exposed their info then face the challenge of repeating the process over and over again as there is a risk that the removed information can be relisted any time. Also, new people-search sites are created all the time so monitoring the web is important if you want to make sure your information is protected. 

If you don’t have much time or patience to keep your information private, we suggest you try OneRep’s automatic platform that will do all the hard work for you. 

Get protected with OneRep

OneRep scans 106 people-search sites every few months to make sure your name hasn’t been relisted. 

Even though privacy legislation is being tightened, data brokers are a reality that won’t go away any time soon. Under these circumstances it’s important to know how to protect yourself. Read our guide to internet privacy to get simple, actionable tips that will keep you and your family safe at all times. 

Sources

  1. https://thenextweb.com/news/the-little-known-data-broker-industry-is-spending-big-bucks-lobbying-congress-syndication
  2. https://www.congress.gov
  3. https://legislature.vermont.gov/bill/status/2018/H.764 
  4. https://www.senate.gov/legislative/Public_Disclosure/database_download.htm
  5. https://www.opensecrets.org/federal-lobbying
  6. https://www.fastcompany.com/90606571/state-data-privacy-laws-2021
  7. https://iapp.org/resources/article/us-state-privacy-legislation-tracker
  8. https://www.jdsupra.com/legalnews/the-year-to-come-in-u-s-privacy-9238400
  9. https://www.fastcompany.com/90445374/what-californias-new-privacy-law-really-means-for-you
  10. https://nyujlpp.org/quorum/kraus-transparency-first-step-regulating-data
  11. https://www.csoonline.com/article/3356458/landmark-laws-data-brokers-and-the-future-of-us-privacy-regulation.html
  12. https://www.lawfareblog.com/federal-privacy-rules-must-get-data-broker-definitions-right
  13. https://www.varonis.com/blog/us-privacy-laws
  14. https://www.washingtonpost.com/business/2019/06/24/data-brokers-are-getting-rich-by-selling-your-secrets-how-states-are-trying-stop-them
  15. https://www.fastcompany.com/90302036/over-120-data-brokers-inch-out-of-the-shadows-under-landmark-vermont-law
  16. https://techcrunch.com/2020/07/09/data-brokers-tracking
  17. https://techcrunch.com/2020/02/13/gilliband-law-data-agency
  18. https://iapp.org/news/a/at-senate-hearing-lawmakers-incredulous-data-brokers-a-no-show 
  19. https://www.ftc.gov/enforcement/statutes/fair-credit-reporting-act
  20. https://www.cdc.gov/phlp/publications/topic/hipaa.html 
  21. https://www.consumerreports.org/personal-information/i-tried-to-get-my-name-off-peoplesearch-sites-it-was-nearly–a0741114794/ 
  22. https://clearcode.cc/blog/adtech-user-rights-gdpr/
Iryna Slabodchykava

Content Strategy Manager at OneRep | LinkedIn

Table of Contents

4000

data broker companies worldwide