Every time you use the internet, you leave a huge trail of information in your wake–and it’s not just your browser history full of cat videos. Companies called data brokers are constantly collecting a thousand little nuggets of information behind you, adding them up into a profile of you, and selling the profiles for lots of money. Data brokers still move in mysterious ways, leaving unanswered questions: how are they getting their data? Who’s buying it? And, perhaps most importantly: can you, the consumer, do anything about it?
Those are the key questions that the US government is trying to find answers to. It turns out, though, that the companies that collect mountains of personal information about everyone online are quite hesitant to divulge meaningful information about themselves.
The Senate Commerce Committee recently published a report (PDF) delving into the details of data mining, but even the United States government had trouble tracking down some of the answers they were looking for. The committee report sought to answer four major questions about data brokers:
- What data about consumers does the data broker industry collect?
- How specific is this data?
- How does the data broker industry obtain consumer data?
- Who buys this data and how is it used?
As Ars Technica says in a summary of the report, the authors didn’t have much trouble with the first two points, and were able to find out what data is kicking around. But data collection companies were cagey at best when it came to revealing how they obtain data and discussing to whom it is sold.
Currently, the report finds, data brokers operate with “minimal transparency” and “behind a veil of secrecy”:
Data brokers typically amass data without direct interaction with consumers, and a number of the queried brokers perpetuate this secrecy by contractually limiting customers from disclosing their data sources. Three of the largest companies – Acxiom, Experian, and Epsilon–to date have been similarly secretive with the Committee with respect to their practices, refusing to identify the specific sources of their data or the customers who purchase it.
The report also adds that “the respondent companies’ voluntary policies vary widely regarding consumer access and correction rights regarding their own data,” with many companies providing “virtually no rights” for the consumers who are, in this case, the product being sold.
There is no comprehensive list of companies operating as data brokers, and because data brokers operate in the business-to-business world, most of their activities are not covered by existing consumer protection laws.
Being the subject of ever-more-targeted marketing doesn’t necessarily sound scary or problematic, but the level of detail that a person’s profile can hold is startling. The report cites the now-famous case where Target figured out a girl was pregnant before her own family did, sending coupons to their house. It also raises concerns about price differentials from shopper to shopper, based on profile information.
Acxiom claims it has data on 700 million consumers globally, and another company, Datalogix, claims its information “includes almost every US household.” Another company provided the committee a list of almost 75,000 different data points it tracks in its system. About the only way not to be a collection of information in a broker’s database is to live completely off the grid, never use the internet, and use only cash you earn under the table and keep stuffed under a mattress. Even the paranoid among us are fairly simple to profile at least to a basic level.
The data collection industry, naturally, feels that voluntary self-regulation is sufficient to treat consumers fairly and make sure data privacy is properly maintained. The report doesn’t go as far as saying that voluntary self-regulation doesn’t help anyone, but it does point out that opt-out policies and requests for deletion of personal data are essentially toothless in the real world. Opting out of data collection from one company doesn’t help a person in the real world, where literally hundreds of other companies are still gathering the same data, and clamoring to sell it.
Ultimately, the conclusion drawn in the report is that consumers “shouldexpect that data brokers will draw on this data without their permission,” and that at this time, “consumers have minimal means of learning–or providing input–about how data brokers collect, analyze, and sell their information.”