Data Companies Respond to Congressional Inquiry, Lawmakers Want More
Nine data companies’ responses were inadequate to questions about their business practices, said a joint statement Thursday from Reps. Ed Markey, D-Mass., and Joe Barton, R-Texas, co-chairs of the Congressional Privacy Caucus, and other lawmakers. “The data brokers’ responses offer only a glimpse of the practices of an industry that has operated in the shadows for years,” the lawmakers said. They want more information about “how they analyze personal information to categorize and rate consumers.” The legislators said they'll “continue our efforts to learn more about this industry and will push for whatever steps are necessary to make sure Americans know how this industry operates and are granted control over their own information” (http://xrl.us/bnyohp).
Sign up for a free preview to unlock the rest of this article
Communications Daily is required reading for senior executives at top telecom corporations, law firms, lobbying organizations, associations and government agencies (including the FCC). Join them today!
Other lawmakers signing the letter included House Commerce Committee Ranking Member Henry Waxman, D-Calif.; Commerce, Manufacturing and Trade Subcommittee Ranking Member G.K. Butterfield, D-N.C.; Reps. Steve Chabot, R-Ohio; Austin Scott, R-Ga.; Bobby Rush, D-Ill.; and Jan Schakowsky, D-Ill. The lawmakers sent the companies questions about their practices in July (CD July 26 p14). A Democratic Capitol Hill aide told us the members will continue to investigate privacy concerns around data brokers and will work with companies in next Congress.
All respondents except for one disagreed with being defined as data brokers. “Let us clear up a misunderstanding you may have about FICO and our business model; we do not believe FICO is a data broker as that term is commonly understood,” credit-score provider FICO wrote in response. Because the company provides “sophisticated decision management solutions” rather than selling consumer profiles based on aggregated data, FICO is not a data broker, it said. “There is no consensus definition of the term ‘data broker,'” Experian said. Considering “today’s data-driven economy, we believe that it would be difficult to define any such term that does not sweep in a huge swath of the American business economy,” the company wrote. It asked Congress to “consider the entire landscape of today’s data economy” as it proceeds with consideration of privacy issues.
The FTC refers to data brokers as “companies that buy, compile, and sell personal information about consumers who they don’t typically interact directly with,” Chairman Jon Leibowitz said in a written statement. The commission has been “unanimous” in calling for “greater transparency in this industry,” he said: “We're not trying to brand the industry with the term ‘data broker’ as a scarlet letter,” since many of their purposes are “beneficial to consumers,” such as fraud prevention. Yet “consumers should have a right to know who has their data, why it’s being used, and what choices they have about it,” Leibowitz said.
The companies said they receive consumer data from a variety of sources, including consumer-facing companies and publicly available information. Epsilon wrote that it receives data about a consumer’s location, demographics, finances and interests from “federal and state governmental agencies, catalog and retail companies, charities, magazines, retailers, utility companies, marketers and other information brokers.” The company also obtains the information from responses to marketing surveys and “public property records, telephone directories and certain public information posted to social media sites.” Equifax, which said it doesn’t get consumer data from social media, told the members that the company receives “anonymous and aggregated asset and investment information from various financial institutions,” which it uses to build models that “may communicate estimates of consumer wealth, income, credit behavior and spending.” Equifax said it receives demographic data -- ranging from names of adults in a household to their “purchasing habits, media interests and lifestyle” -- from third parties that get data from surveys, the U.S. Census, subscription cards and warranty registration cards. Besides the Census, Experian wrote that it gets its consumer data from public records including “property records, business filings, professional licenses, car or boat registration information and sports licenses."
Respondents detailed their data minimization, retention and security policies. Direct marketing company Harte-Hanks writes contracts with its clients with data minimization and limited use in mind, the company said. “We strive to minimize the information we receive to only the information which is necessary and outline the permitted uses of such information in connection with our client contracts.” Like most respondents, Harte-Hanks outlined the “administrative, technical and physical controls” it uses to protect client data, such as encryption and a retention policy that requires the company to keep data “only for the shortest possible duration."
Most data companies provide consumers with the ability to opt out of being included in their marketing databases without charge, according to their responses. Not all offer consumers the ability to access or change the information companies possess about them. “The fact is that consumer access and correction are not suitable safeguards for marketing data,” Experian wrote. The costs of allowing consumers to change that information, “based on modeled or inferred information, to make it more accurate is not worth the cost,” Experian said. Citing an FTC report on consumer privacy released in March, Experian said “the only potential ‘harm’ to consumers from inaccurate marketing data would be irrelevant advertising."
The policies regarding collection of information about children vary across the companies, according to their responses. Epsilon said the information it collects about children through “surveys, product registrations and certain suppliers ... is generally limited to basic elements such as name, address, gender and date of birth.” At Harte-Hanks, any information collected about minors has been approved for collection by each minor’s parents, the company wrote. It cited sending coupons to parents who reported their child’s birthday. “Our websites are not intended for use by minors,” Harte-Hanks’ response said, and if a child is contacted by the company, “we invite parents to contact us directly so that we may help resolve the unintentional error."
The imposed and voluntary regulations in place protect consumers, respondents said. “Existing sectoral information use laws and self-regulatory direct marketing regimes adequately protect consumers from any potential ‘harm’ that may arise from these practices,” Epsilon wrote. Acxiom cited the Constitution’s balance of “privacy interests with other interests, so it is important to understand both the privacy implications and the commercial, law enforcement, and other beneficial uses of data.”