Federal Privacy Rules Must Get “Data Broker” Definitions Right

Read the original article: Federal Privacy Rules Must Get “Data Broker” Definitions Right


Corporate data collection is all over the headlines, between a recent Senate hearing on antitrust, the appointment of Tim Wu as the president’s special assistant for technology and competition policy, the nomination of Lina Khan for Federal Trade Commission (FTC) commissioner, and growing momentum on the Hill for federal privacy legislation. Much of this privacy conversation focuses on social media companies like Facebook and Twitter, and how they monetize data and feed their artificial intelligence algorithms, as well as market-dominant players like Amazon, and how they might internally use data for anti-competitive behavior.

Yet data brokerage—in broad terms, companies buying and selling data on consumers—remains heavily underdiscussed in these conversations on potential regulatory action. Those engaged in this practice include companies that sell large datasets that other firms use to microtarget online ads, and companies that aggregate information from public records and link them to individuals on their websites (those “click here to run a background check” ads you see on search engines). Some companies, such as Lexis/Nexis, have transformed their traditional business into data brokerage, while others, such as traditional consumer reporting agencies and companies that help local governments digitize their records, have often made data brokerage just one component of what they do. As a result, the entity that directly and initially collects a consumer’s information is often only the first in a long chain of firms that will acquire it. All of this means data brokerage must be a core component of federal privacy legislation and enforcement actions.

As with many data concepts, defining the practice of “data brokerage,” or the “data brokerage industry,” or what constitutes a “data broker” itself is complicated. But to strengthen their efforts in developing federal privacy rules, policymakers have some foundation. This post examines existing definitions and understandings of data brokerage in U.S. law and policy. It analyzes the scope of these definitions, surrounding context, and some of the costs and benefits of the various terms. Putting appropriate privacy and security controls on the practice of data brokerage is no easy task, but this could be one place to start.

Existing State Laws: California and Vermont Case Studies

A few states define data brokers and data brokerages in their respective laws. California Civil Code § 1798.99.80, which requires data brokers to register with the state, defines a data broker as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.”

The code specifies several exemptions from this definition:

(1) A consumer reporting agency to the extent that it is covered by the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.).

(2) A financial institution to the extent that it is covered by the Gramm-Leach-Bliley Act (Public Law 106-102) and implementing regulations.

(3) An entity to the extent that it is covered by the Insurance Information and Privacy Protection Act (Article 6.6 (commencing with Section 1791) of Chapter 1 of Part 2 of Division 1 of the Insurance Code).

Vermont Statute 9 V.S.A. § 2430—which similarly mandates data brokerage disclosure to the state, which then lists those firms in an online database—defines a data broker as “a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.” It then provides the following exemptions for entities:

(i) developing or maintaining third-party e-commerce or application platforms;

(ii) providing 411 directory assistance or directory information services, including name, address, and telephone number, on behalf of or as a function of a telecommunications carrier;

(iii) providing publicly available information related to a consumer’s business or profession; or

(iv) providing publicly available information via real-time or near-real-time alert services for health or safety purposes.

First, the definitions themselves. California’s definition predicates the data broker qualification on a business knowingly collecting and selling personal information on consumers “with whom the business does not have a direct relationship.” This “direct relationship” clause is key, because it excludes a wide range of businesses from being classified as data brokers by drawing a distinction between an entity that is a data broker and a firm that merely engages in data brokerage. Facebook, for instance, would ostensibly not be deemed a data broker under this definition even if it knowingly collected and sold its own users’ information to a third party, which is precisely the practice of data brokerage, because the users on whom it is selling data have a direct relationship with the platform. Yet such a sale, particularly given Facebook’s extensive reach in the U.S. and abroad, would raise numerous concerns about privacy, democracy and national security.

Federal policymakers should consider whether this is a worthwhile distinction. If the company is selling data on consumers, does it really matter to the regulator whether the company has a direct relationship with them? And how is a direct relationship defined, exactly? If I complain to Facebook about a user posting my Social Security number, does that interaction now constitute a direct relationship with the firm?

Perhaps the data broker and data brokerage distinction does not matter: One could argue that federal policy should control for the end case, the sale of the U.S. customer’s information. Or the distinction could be reflective of a policy aimed to impose even greater restrictions on companies that sell data directly obtained from their own customers—under the argument that firms in this category have an even greater need to responsibly process and handle the data, because they are the direct collectors of said information. However, the California law did not use this distinction to impose such greater restrictions, suggesting perhaps that companies advocated to be excluded from a data broker classification to avoid potential future obligations, like downstream liability for how customers use the data.

Nonetheless, the data broker entity and data brokerage activity distinction under California law appears to become less meaningful with a firm like Equifax—which was recently reported as having sold user utility data to a third-party company that then sold the information to the Department of Homeland Security. Equifax is not listed on California’s data broker registry. The company’s business relationship with the average consumer is arguably more indirect than direct—but it buys and also sells their indirectly acquired and very personal financial and other information. This raises the question of whether Equifax should be classified as a data broker as a matter of public policy if it is selling consumer data to third parties, including federal law enforcement. California’s distinction between a data broker entity and one engaging in the practice of data brokerage—and its exclusion of myriad data-selling and data-sharing firms in the process—demonstrates a need for fundamental reconsideration when crafting federal law and policy over this practice and this industry.

Vermont’s definition of a data broker virtually mirrors California’s, but for the inclusion of the phrase “or licenses” when speaking about activities, in addition to collecting and selling, that fall under the defined activities of a data broker. Companies as a result do not need to technically sell information

[…]

