In the battle over consumer data privacy, Apple CEO Tim Cook has emerged as one of the strongest voices urging tech companies to do more to protect their customers. His latest salvo is an essay published in TIME magazine, in which he takes aim at the data broker industry. Customers, he says, should have a way to learn about the data that has been collected about them by data brokers and then delete it once and for all. The best solution, he suggests, would be a data broker clearinghouse created by the Federal Trade Commission (FTC).
Data brokers and their sprawling data ecosystem
According to Cook and many other privacy experts, one of the biggest problems in the tech industry is that many customers do not even know how much data is being collected about them. And, even worse, they have absolutely no idea how extensive the data broker ecosystem in the United States has become. Customers might assume that the likes of Facebook and Google are collecting, analyzing and perhaps even selling data about them, but they have no idea about what all the third-party data brokers are doing with this data. Data is constantly being packaged, re-packaged, sold, and re-sold to the highest bidder, and that has to stop, says Cook.
The concept of the data broker clearinghouse
The creation of a data broker clearinghouse would help to restore digital privacy. And it would also help to shine a brighter light on the dark corners of the data broker ecosystem. Who are these companies, and why are they trading your data to other companies? Most data brokers have no direct relationship with customers, and furthermore, have no incentive whatsoever to initiate contact with these customers. In some cases, data broker companies act as unofficial credit reporting agencies, offering detailed data about users upon request. A data broker collects information for the simple purpose of repackaging it and selling it later.
As Cook sees it, all data brokers in the United States would need to join this clearinghouse if they want to continue to do business. Moreover, they would need to provide transparency information to this data broker clearinghouse. In addition to providing a list of all data that they have on customers, they would be asked to provide specific information about any recent security breaches, as well as a list of all transactions involving this data. And here’s the really big idea – customers would also be able to delete any of this data, thereby removing this data from the vast data broker ecosystem forever.
This “delete forever” clause is especially important, because it would prevent an information broker from classifying, ranking and scoring consumers in ways they do not want. Right now, data brokers collect personal information about consumers from a wide range of sources, including online purchase histories, credit card usage, public records (such as motor vehicle records), and social media. Sometimes, this consumer data is used for marketing purposes; other times, it is used for risk mitigation purposes (such as lenders trying to verify the identity of a bank customer). However, far too often, data points that might include email addresses, online social media behavior and public records are assembled into sophisticated profiles that can be sold to insurance companies, lenders or employers for a wide range of other purposes.
Thus far, Tim Cook’s proposal for a data broker clearinghouse has generated a lot of support from privacy advocates. And it has even generated support from prominent data broker Acxiom, which has supported Cook’s call for GDPR-like regulation. According to Acxiom, a data broker clearinghouse would be a great way to root out the “nefarious players” in the ecosystem and force everyone to play by the same rules.
The big picture view, of course, is that the data broker clearinghouse would eventually become part and parcel of a national privacy law, which Tim Cook also supports. It would restore power to consumers, and would place data brokers under the regulatory purview of the federal government. The FTC, for example, is charged with the task of protecting consumers from fraud and deceptive business practices, so it’s only natural to extend its scope and reach into what has thus far been a very unregulated data broker ecosystem.
Vermont embraces the data broker clearinghouse concept
Importantly, one U.S. state – Vermont – has already put into place legislation that creates a statewide data broker clearinghouse. According to a new state law that went on the books on January 1, all data brokers collecting data on Vermont citizens must register with the state by the end of January 2019 and provide transparency information, including information about any security breaches, information about how customers can opt out of data collection and data sharing, and information about any data collected on minors. In addition, Vermont lawmakers suggested that any national data broker should assume that it has collected information about Vermont citizens and register with the state. This is essentially the data broker clearinghouse concept envisioned by Tim Cook, applied at the state level.
In many ways, this Vermont data broker clearinghouse is going to be an important test case. The data broker law that went into effect at the start of the year is the first of its kind in the country, and the probability is high that other states will soon follow with data broker laws of their own.
What is also notable about the new Vermont law is how detailed all of the requirements are for data brokers. In addition to providing all necessary transparency information to consumers, they must also create a comprehensive security program, train employees on security, and encrypt all records that they are transmitting to third parties. Moreover, Vermont is also very detailed in how it defines “data broker” and how it defines the type of data (including “biometric data”) that is included as part of the law. The idea is clear: it’s time to hold data brokers to a much higher standard, especially from a consumer reporting perspective.
The first step towards comprehensive privacy legislation
For privacy advocates, the Vermont law and the public support of tech companies like Apple are a positive sign that momentum is starting to build for national privacy legislation in the U.S. that would be at least as stringent as the European General Data Protection Regulation (GDPR), which went into effect in May 2018.
This legislative momentum is important because, even after the FTC created a 110-page report on the data broker industry back in May 2014, little has been done to regulate the industry. Even after the massive Equifax data breach in 2017, which impacted nearly 140 million people, nothing was done in terms of comprehensive legislation. 2019 might finally be the year that momentum for a data broker clearinghouse leads to legislation at the national level in order to protect consumers from unscrupulous data brokers.