Rebecca

Joslin Cyberlaw (Spring 2013) Data Brokers: What Do They Know, Who Do They Share It With, And What Privacy Considerations Are At Stake? Introduction In todays information age, there is little question that there are economic benefits to the flow and market exchange of certain kinds of information. For American consumers, a large network of data brokerage companies facilitate the flow of information between consumers and companies by collecting personal information about consumers from a variety of public and non-public sources, and reselling the information to other companies. These collection, maintenance, and dissemination practices often occur without the knowledge of consumers. This industry has been the subject of increasing scrutiny in the last year, due in large part to the unregulated space in which data brokers conduct their online and offline data collection. The lack of a governing regulatory framework has caused the data brokerage industry to be viewed by many not as a vital source of information collection, protection, and dissemination essential in todays market economy, but rather as unwelcome and secretive digital surveillance of todays consumers. Recent government efforts to study privacy practices and the collection and dissemination of consumer information in the data brokerage industry include two separate Congressional inquiries and an ongoing FTC investigation. This research project will give a general overview of the data broker industry and will provide an overview of the current regulatory framework under which the industry operates, the regulatory interests of the FTCs investigation and the Congressional inquiries, and the responses I received when I submitted information requests to seven different data brokers.

Rebecca Joslin Cyberlaw (Spring 2013) The Industry It is difficult to say with accuracy exactly what information is collected by data

brokers and, perhaps more importantly, how it is collected, stored, and distributed in the market. According to the Privacy Rights Clearinghouse, the online and offline collection of consumer data is conducted through public and semi-public records; for example, the data includes information provided when consumers buy a house, get married, file for divorce, fill out surveys, obtain drivers licenses, get arrested, vote, or establish a social networking profile.1 Data brokers have, to date, been less-than-transparent about the sources of their data protecting the collection methods as a trade secret and preferring not to pinpoint exactly how consumer information is aggregated, analyzed, and from which sources it is collected.2 This is problematic for consumers, government agencies, and industry participants alike, in light of the individual privacy concerns surrounding the activities of these companies. While certain aspects of this industry that operates largely under the consumer

radar are somewhat unsettling, there are certain benefits to the flow of information in todays market economy. Data brokers represent a multi-billion dollar industry directed at the aggregation of the information of hundreds of millions of Americans, which is then sold to third parties for targeted advertising, marketing, and other purposes.3 Many of these companies also provide direct benefits to consumers by providing fraud monitoring services. Further, the data brokerage industry provides significant benefit to the economy 1 https://www.privacyrights.org/online-info-broker-faq#legal 2 http://www.aclu.org/blog/technology-and-liberty/data-brokers-release-information- about-their-operations-response 3 http://www.nytimes.com/2012/12/09/business/company-envisions-vaults-for- personal-data.html 2

Rebecca Joslin Cyberlaw (Spring 2013) in general by facilitating better marketing of products and services to consumers. Data brokers collect financial, retail, and recreational information to create a consumer profile that is then sold to clients like airlines, automakers, banks, credit card issuers, and retailers to maintain and recruit their customer bases and to reduce unnecessary marketing toward unlikely customers.4 For example, categorization of consumers based on housing information (like, for example, those that live in apartment buildings or in the heart of larger cities) allows companies to efficiently market to particular population segments and reduces, for example, things like lawnmower advertisements to those to whom the advertisements likely do not appeal. Important to note is the ubiquity of the data brokerage industry in the economy,

society, and government; the industry is simultaneously scrutinized for what some have called shadowy privacy practices and heavily utilized by a myriad of industry participants.5 Data-driven marketing fosters competition by ensuring that numerous industry participants can better reach consumers.6 Government leaders, scientists, corporate leaders, health officials, and education specialists are anxious to see if new kinds of analysis of large data sets can yield insights into how people behave, what they might buy, and how they might respond to new products, services, and public policy programs.7 Aside from the marketing and advertising economic benefits, the industry is an essential

4 http://www.nytimes.com/2012/07/25/technology/congress-opens-inquiry-into-data- brokers.html?_r=0. 5 http://news.cnet.com/8301-31322_3-57388097-256/in-the-world-of-big-data-privacy- invasion-is-the-business-model/ 6 http://www.the-dma.org/cgi/disppressrelease?article=1566 7 http://www.elon.edu/e- web/predictions/expertsurveys/2012survey/future_Big_Data_2020.xhtml 3

Rebecca Joslin Cyberlaw (Spring 2013) part of Americas job creation, economic growth, and global leadership.8 The Direct Marketing Association notes that data-driven marketing represents 8.7% of total US GDP, and data-driven marketers collectively fuel 9.2 million US jobs by providing economic growth and job creation to global brands, start-ups, and everything in between.9 The rise of the data mining industry has subjected industry participants to careful study in recent years. Regulatory Concerns Congressional and agency inquiries and investigations into the data broker industry

are centered around various regulatory concerns, including individual consumer privacy concerns, general lack of industry transparency, consumer access to and control of information, and the potential for misuse of data. The industry has been largely cooperative with respect to all recent investigations, preferring to respond to Congressional and agency letters rather than invite further scrutiny for failure to respond to this type of investigation. At the same time, however, the industry has taken a defensive stance when it comes to accusations about the potential consumer privacy concerns and questions about the potential for misuse of data; industry responses to inquiries are summarized below, but for the most part data brokerage companies defend their practices as a lawful and essential part of Americas economy. Nonetheless, lawmakers and agency representatives alike have spearheaded investigations into the industry to better understand data protection practices, the implications of those practices with respect to consumer privacy, and the regulatory schema under which the industry currently operates. 8 Id. 9 Id. 4

Rebecca Joslin Cyberlaw (Spring 2013) Preliminary Investigations and Current Regulation More details about the inner workings of the data brokerage industry are likely

forthcoming. In 2010, the FTC began an investigation into the practices of more than a dozen information aggregators. The final report, published in March 2012, sets forth best practices for businesses to protect the privacy of American consumers and give consumers greater control over the collection and use of their personal data. This report expands on a preliminary staff report the FTC issued in December 2010, which included a framework of recommendations for privacy protection policies to be adopted by companies handling consumer data including privacy by design, consumer control, and greater transparency for the collection and use of consumer data.10 The 2012 report redefined the scope of the privacy framework, included an analysis of the regulatory framework governing the activities of data brokers, and included proposed solutions for consumer privacy protection moving forward. The FTCs recommendations occupy two realms: government action and industry self-regulation. Importantly, the privacy report noted that unless data brokers use information for credit, employment, insurance, housing, or other similar purposes, there are no laws on the books requiring them to maintain the privacy of consumer data.11 This lack of regulation is at the heart of the recent increase in scrutiny surrounding the data brokerage industry and has prompted numerous calls for legislation (at both the state and federal levels) 10 http://ftc.gov/opa/2012/03/privacyframework.shtm. Privacy by Design is a term of art, reflecting the theory that companies should build in consumer privacy protections at every stage in developing their products including reasonable security for consumer data, limited collection and retention of such data, and reasonable procedures to promote data accuracy. 11 http://ftc.gov/os/2012/03/120326privacyreport.pdf at 66. 5

Rebecca Joslin Cyberlaw (Spring 2013) aimed at the industrys privacy practices. The FTC recommends that Congress consider baseline privacy legislation, and supports any national legislation aimed at providing or securing consumer access to information held by the network of data brokers; further, the FTC recommends that the industry itself implement the final privacy framework through company and working group initiatives and through strong and enforceable self-regulatory initiatives.12 With respect to industry self-regulation, the FTC report contains numerous specific recommendations. Noting that data brokers buy, compile, and sell highly personal information about consumers (who are often unaware that the companies even exist, and do not know the purposes for which their data is collected and used), the FTC recommends primarily that the data brokerage industry increase transparency regarding these practices through internal initiatives, guided by the policy objectives outlined in the framework above.13 The FTC report also calls on data brokers who compile consumer data for marketing purposes to explore creation of a centralized website where consumers could get information about industry practices and their operations for controlling data use and dissemination within the large network of data brokerage companies.14 In the wake of numerous calls for both industry self-regulation and government intervention, the FTC urges data broker industry participants to, at a minimum, consider adopting the recommendations set forth in the report in order to better protect the privacy of American consumers and give them greater control over the collection and use of their personal information. The report concludes by outlining the FTCs areas of focus in the realm of 12 Id at 72. 13 http://ftc.gov/opa/2012/03/privacyframework.shtm 14 Id. 6

Rebecca Joslin Cyberlaw (Spring 2013) consumer privacy protections over the next year: Do-Not-Track, Mobile Privacy Protections, Data Brokers, Large Platform Providers, and Promotion of Enforceable Self- Regulatory Codes.15 With more consumers becoming aware of data brokers activities and the implications of data mining on their personal privacy, legislators are becoming increasingly interested in learning more about the industry and pressing for greater consumer privacy protection. A recent Pew Internet/Elon University survey of 1,021 Internet experts, observers, and stakeholders measured current opinions about the potential impact of human and machine analysis of newly emerging large data sets in the years ahead. The survey was opt-in, online canvassing; 53% of respondents predicted that the rise of Big Data is likely to be a huge positive for society in nearly all respects by 2020, while 39% of survey participants said it is likely to be a big negative.16 Time Magazine, the Wall Street Journal, and the New York Times have all published articles discussing the consumer privacy implications of the data broker industry in recent months. Since July 2012, two separate congressional inquiries have been directed at reducing the secrecy that shrouds the activities of these companies. 2012 Congressional Inquiries In July of 2012, Representative Edward Markey (D-Mass) and Representative Joe Barton (R-Texas), along with six other members of the Bipartisan Congressional Privacy Caucus, submitted inquiries to nine different data brokers, requesting that they provide 15 Id. 16 http://elon.edu/docs/e- web/predictions/expertsurveys/2012survey/PIP_Future_of_Internet_2012_Big_Data_7_20 _12.pdf 7

Rebecca Joslin Cyberlaw (Spring 2013) answers to a detailed questionnaire regarding data collection, assembly, analysis, and dissemination practices. The companies Acxiom, Epsilon (Alliance Data Systems), Equifax, Experian, Harte-Hanks, Intelius, Fair Isaac (FICO), Merkle, and Meredith Corp. were given three weeks to respond to the inquiry. The inquiry itself began with a summary of the reasons for which the Caucus started the investigation the serious privacy concerns raised by the large-scale aggregation of the personal information of hundreds of millions of American citizens.17 The committee cited a recent article in the New York Times detailing how hidden dossiers on American consumers often extend far beyond demographic information (like age, race, and sex) to include weight, height, marital status, education level, politics, buying habits, household health worries, vacations, and so on.18 The implications of the industry practices, stresses the Caucus, extend beyond targeted advertising and economic benefit; as the Times article points out, privacy advocates are troubled by industry practices involving the classification of some consumers as high-value prospects (ripe for marketing campaigns and discount mailers) while dismissing other consumers as low-value (waste in industry slang).19 The Caucus notes that these practices have been termed Weblining, analogous to the illegal practice of Redlining in the physical world and cites the potential long-term impacts on access to education, health care, employment, and other economic opportunities for these low-value consumers.20 The Caucuss letters to data brokerage companies concluded with a detailed set of questions involving inquiries into the sources of consumer data, the 17 For an example of one of the inquiries sent to the data brokers, see Axcioms letter: http://markey.house.gov/sites/markey.house.gov/files/documents/Axciom%20letter.pdf 18 http://www.nytimes.com/2012/06/17/technology/acxiom-the-quiet-giant-of- consumer-database-marketing.html?pagewanted=all 19 Id. 20 Id. 8

Rebecca Joslin Cyberlaw (Spring 2013) methods of data collection (including social media and mobile use and activity), services offered to third parties, consumer access to personal information (including fees and correction, opt-out, and deletion mechanisms, if they exist), and storage and encryption of consumer information. The full letter can be accessed here. In November 2012, the Caucus released the responses. Acxiom was the only company that did not reject the categorization of its business practices as data brokerage, and was also the only company to provide data on the number of consumers submitting information requests: out of the 190 million consumers it has collected information on, as few as 77 people per year (over the last two years) have requested access to their personal information. Acxiom expressed an interest in pushing for whatever steps are necessary to make sure Americans know how this industry operates and are granted control over their own information.21 Equifax, a credit consumer reporting bureau, firmly rejected the categorization of data broker, stating instead that the company operates almost exclusively in a heavily and closely regulated environment that is altogether inconsistent with a data broker environment.22 Harte-Hanks, a direct marketing company best known for advertising fliers, does not consider itself a data broker because it does not own a database which describes consumers, represents consumer profiles, or contains consumer dossiers [which are then] compiled, sold, or licensed, while at the same time acknowledging that it receives consumer information through social networking providers at the request of its clients.23 One company called itself a data provider. Another 21 http://markey.house.gov/sites/markey.house.gov/files/documents/Acxiom.pdf 22 http://markey.house.gov/sites/markey.house.gov/files/documents/Equifax.pdf 23 http://markey.house.gov/sites/markey.house.gov/files/documents/Harte%20Hanks.pdf 9

Rebecca Joslin Cyberlaw (Spring 2013) reported that since it only analyzes data, it should not be considered a data broker.24 Many other companies providing responses to Representative Markeys inquiry stated that they do not allow access to consumer data because the information is anonymized and not re-identifiable to individual consumers. Notably, the companies provided little explanation of the distinction between the information they collect and use (like gender) versus the information they create by analysis for profiling consumers (e.g.: female interested in weight loss sent coupons for diet pills).25 The lack of consensus on the definition of data broker is at the heart of the congressional inquiries and the regulatory interests of lawmakers and administrative agencies. In a joint statement, the lawmakers stated the following: The data brokers responses offer only a glimpse of the practices of an industry that has operated in the shadows for years. Many questions about how these data brokers operate have ben left unanswered, particularly how they analyze personal information to categorize and rate consumers. This and other practices could affect the lives of nearly all Americans, including children and teens. We want to work with the data broker industry so that it is more open about how it collects, uses, and sells Americans information. Until then, we will continue our efforts to learn more about this industry and will push for whatever steps are necessary to make sure Americans know how this industry operates and are granted control over their own information. While the stated goal of the inquiry was the exposure of data broker practices to the public and the improvement of transparency in the industry, Representative Markey stated that his 24 http://www.data-informed.com/lawmakers-disappointed-in-results-from-data-brokers- privacy-inquiry/ 25 http://markey.house.gov/press-release/lawmakers-release-information-about-how- data-brokers-handle-consumers%E2%80%99-personal 10

Rebecca Joslin Cyberlaw (Spring 2013) ultimate goal was to determine whether legislators should enact a law regulating the industry.26 Furthering the continued government scrutiny aimed at the data brokerage

industry, Senator John D. Rockefeller IV (D-WV), Chairman of the Senate Commerce Committee, initiated a second Congressional inquiry into the privacy practices of nine data brokers Acxiom, Experian, Equifax, Transunion, Epsilon, Reed Elsevier (Lexis-Nexis), Datalogix, Rapleaf, and Spokeo in October 2012.27 In the letters the Committee sent to the data brokers, Rockefeller expressed concern about the lack of information provided to consumers by saying that, An ever-increasing percentage of their lives will be available for download, and the digital footprint they will inevitably leave behind will become more specific and potentially damaging, if used improperly.28 This second Congressional investigation only confirms that legislators and regulators remain concerned about the uncertainty surrounding the exact practices of the data broker industry including the extent of the material collected, the third parties to whom it is disclosed, and the uses of the information by the third parties. In response to the Congressional inquiries, the Direct Marketing Association, the largest trade association dedicated to data-driven marketing, issued a response expressing concern about the heightened scrutiny. The DMA is concerned that lawmakers are questioning legitimate commercial data practices that the industry believes are essential to 26 http://www.nytimes.com/2012/07/25/technology/congress-opens-inquiry-into-data- brokers.html?_r=0 27 http://www.commerce.senate.gov/public/index.cfm?p=PressReleases&ContentRecord_id= a42a865a-be30-4171-8278-86ee0a8c76fb 28 http://www.commerce.senate.gov/public/?a=Files.Serve&File_id=3bb94703-5ac8- 4157-a97b-a658c3c3061c 11

Rebecca Joslin Cyberlaw (Spring 2013) Americas job creation, economic growth, and global leadership positions; further, the DMA accuses the Congressional inquiries of scrutinizing the fuel on which Americas free market engine runs targeted advertising.29 The DMA insists that market participants are not merely snooping on the private lives of consumers, but rather provide essential data collection so that companies ensure their ads reach only the most interested consumers.30 Underlying much of the legislative and administrative concern is the risk that some data brokers or third party purchasers could use consumer dossiers (including financial information, akin to credit reports) for improper purposes like excluding individual consumers from certain offers or charging different prices based on the consumers profile.31 The inquiries also focus on consumers ability to access and correct information maintained about them; in its letter, the DMA notes that the only harm to consumers of inaccurate data is irrelevant advertisements. Nevertheless, the Congressional inquiries are not the only source of increased scrutiny directed at the data broker industry the Federal Trade Commission opened an investigation in December 2012. FTC Investigation Following the initial 2010 FTC inquiry outlined above, the FTC began a directed

investigation aimed at studying how the data brokerage industry collects, uses, stores, and disseminates information. To begin, the FTC issued orders requiring nine data brokerage companies to file special reports that will provide the agency with information about 29 http://the-dma.org/news/August-13-2012-DMALetter.pdf 30 Id. 31 http://www.nytimes.com/2012/10/11/technology/senator-opens-investigation-of- data-brokers.html 12

Rebecca Joslin Cyberlaw (Spring 2013) privacy practices industry-wide.32 Specifically, the FTC seeks details about the information the companies collect and where they get it, how they store, use, and disseminate it, and the extent to which people can get access to information data brokers have about them, correct inaccuracies, and opt out of having their information sold.33 The nine data brokers Acxiom, Corelogic, Datalogix, eBureau, ID Analytics, Intelius, Peekyou, Rapleaf, and Recorded Future were required to file responses by February 1, 2013.34 My attempts to contact the FTC about the information contained in the company responses (and the possibility of gaining early access to the reports for research purposes for this paper) have not yielded substantive information. I emailed the FTC staff associated with the orders sent to data brokers; the staff persons declined to provide information about how many data brokers responded (and if they did so in a timely manner), what the responses contained, or when the agencys report would be published though Ive been informed that an official FTC report of the agencys findings is forthcoming, likely within the year. The data broker responses themselves will likely be released to the public after the FTC analyzes them internally and the report of agency findings is created. Nevertheless, government scrutiny of the data brokerage industry remains at an all- time high. Industry and trade association responses to both Congressional inquiries emphasize that the information collected is used for marketing and commercial purposes only and not for regulated or improper purposes. While consumer reporting agencies are required by law to disclose individuals credit reports, data brokers are under no obligation

32 http://www.ftc.gov/opa/2012/12/databrokers.shtm 33 Id. 34 http://www.ftc.gov/os/2012/12/121218databrokerssection6border.pdf 13

Rebecca Joslin Cyberlaw (Spring 2013) to show consumers information collected for marketing purposes.35 The FTCs regulatory concern is the misuse of information by third parties; to the extent that the data mined by the data broker industry is used improperly to injure or discriminate against consumers, government regulation is a necessary next step toward consumer protection. While it appears that Congress and the FTC are at least exploring the possibility of more top-down regulation of the industry, the DMA cautioned Congress against adopting any new laws targeting data brokers; instead, the DMA and industry participants argue that industry self-regulation is the best approach to address any privacy concerns. These industry-based initiatives are widespread and diverse. The Consumer Data Industry Association is an international trade association is aimed at ensuring that consumer data is collected, maintained, and used by third parties in responsible ways. To help marketers better understand applicable government regulations and industry practices aimed at consumer data collection and use, the Direct Marketing Association has created a Data Governance Certification program to establish industry-based initiatives, educate participants about government compliance issues (with specific attention to customer notice and access), and inspire innovation without infringing consumer privacy.36 The Network Advertising Initiative sponsors the AdChoices icon; when the icon appears near an online ad, consumers can click on it to learn more about privacy choices and opt-out tools. Whether these various industry-based initiatives will satisfy lawmakers and other regulatory bodies remains to be seen. 35 Id. 36 http://www.targetmarketingmag.com/article/dma-data-governance-certification- balancing-marketing-rewards-big-data-its-risks/2 14

Rebecca Joslin Cyberlaw (Spring 2013) My Inquiries One of the primary areas of focus in the Congressional inquiries and the FTCs

ongoing investigation is the extent to which data brokers allow consumers to access and correct their information or to opt out of having their personal information stored or sold.37 The next portion of my research involved sending information requests to seven data providers (many of which were targets of Congressional or FTC inquiries) to discover the amount of personal information these companies had managed to collect about me, as well as their profiles of my consumer behavior. The seven data providers, Acxiom, Datalogix, eBureau, Epsilon, Intelius, Peekyou, and Rapleaf, each responded differently to my consumer inquiry; some provided telling reports, others provided reports containing very little personally identifiable information, and still others provided no report at all. Acxiom Acxiom, in its response to Representative Markey, noted that over the last two years

only 77 people per year requested access to their personal information held by the company (out of 190 million consumers whose information is collected).38 As far as consumer access to information, however, Acxiom is much more forthcoming than other companies in the same industry. The companys Consumer Data Information page allows consumers to learn more about the data Acxiom collects and how it is used, to discover which Personicx Cluster consumers fall into, to opt out of Acxioms marketing and directory products, and to request a report of the risk and fraud data Acxiom has about them (for a $5 processing fee). My own inquiry to Acxiom involved emails to their privacy center, as 37 http://www.ftc.gov/opa/2012/12/databrokers.shtm, see also the FTC orders issued December 18, 2012. 38 http://www.markey.house.gov/sites/markey.house.gov/files/documents/Acxiom.pdf 15

Rebecca Joslin Cyberlaw (Spring 2013) well as the submission of an inquiry that would provide me with their directory and fraud prevention information. To verify my identity with the company, I mailed a check to their US office as well as providing my name, address, social security number, drivers license information, and date of birth. Acxiom provides three types of data products, each with distinct data uses:

marketing and data products, directory products, and fraud detection and prevention products. The marketing and data products contain publicly available information, surveys, and information from other data collectors. The company sells this information to companies, political associations, and non-profit organizations for marketing, fundraising, and customer service efforts. Personicx is Acxioms household-level consumer segmentation marketing product; the process categorizes US households into one of seventy different segments (based on demographic characteristics) and twenty-one life stage groups (consisting of demographic groups sharing similar life events, like having babies, getting married, or approaching retirement). These categories are used by marketers to target specific consumer interests in advertising, customer service, and fundraising efforts. The companys website allows consumers to discover which clusters they fall into by simply providing simple demographic information age, marital status, homeowner status, household income, zip code, and household net worth.39 My own demographic information yields the following: Mixed Singles: Cluster #61: Cluster 61 is an ethnically mixed group, with a particularly high concentration of Asians, Hispanics, and African-Americans. They are a younger group of urbanites either in school or recently out of school and 39 https://isapps.acxiom.com/personicx/personicx.aspx 16

Rebecca Joslin Cyberlaw (Spring 2013) barely economically speaking making their way in the big city. With youth and tight finances, they tend to be more cash-prone, leveraging money orders and debit cards as needed. They have below-average incomes and minimal net worth at this point in their lives. All single and childless, they spend a lot of their free time either socializing at trendy night spots or exercising. These city dwellers particularly enjoy going to the movies. Their strong interest in foreign travel is most likely driven by visits to family abroad. If they have a car at all, chances are it is a subcompact, perfect for maneuvering in congested traffic. This is where my own analysis gets interesting, at least on a personal level. After researching the data brokerage industry and reading about all of the possible information these companies have about me, I was worried about how accurate this type of consumer segmentation might be. As it turns out, I dont really fall into this description at all. Im Caucasian, I dont leverage money orders or debit cards to make ends meet, I rarely enter trendy night spots even when I do have free time (which is rare, as a law student), I dislike going to the movies, my interest in foreign travel is not driven by visits to family abroad (as most of my family resides in Idaho and Wyoming, which are far from exotic foreign destinations), and I own a midsize SUV. The consumer profile correctly identified only that I am in school, unmarried with low net worth and low income, and that I enjoy exercise. For marketing or advertising purposes, the profile is likely still accurate enough to be useful for third parties purchasing this type of information from Acxiom; but the accuracy of the consumer segmentation profile was far from creepy, as this type of profiling has been characterized. The companys other marketing products (which consumers can opt-out of) consist of individual data (name, address, gender, education,

17

Rebecca Joslin Cyberlaw (Spring 2013) voter party, occupation, date of birth, etc.), demographics, interests (obtained from surveys or derived from inquiries or purchases), purchase behavior (apparel, home improvement, books, computers/electronics, etc.), life event data (derived from self-reported surveys or public records), technology indicators (including computer and cell phone preference information), wealth indicators, real property data (sourced from real property recorder and assessor sources), vehicle data, health interests (from self-reported surveys or summarized from purchase data), and social media indicators (gathered only from the public portion of social network sites by the user).40 The companys directory products consist of information from published white and yellow pages of telephone books, and are used by companies, political associations, non- profit organizations, government agencies, and consumers to search for contact information. The same page on Acxioms website allows consumers to opt-out of targeting in online ads, as well as opt-out of targeting in all ads and offers from Acxiom clients. Acxioms fraud detection and prevention products contain identifying information from public and private sources (including sensitive information like Social Security Numbers), and are used by qualified companies in selected industries, non-profit organizations, and government agencies to verify the identities of customers and investigate fraud.41 From the site, consumers can request their US Reference Information Report for a $5 processing fee; the report is later delivered electronically (encrypted and password protected).

40 http://www.acxiom.com/uploadedFiles/Content/About_Acxiom/Privacy/AC-1255- 10%20Acxiom%20Marketing%20Products.pdf 41 http://www.acxiom.com/about-acxiom/privacy/consumer-data-information/ 18

Rebecca Joslin Cyberlaw (Spring 2013) As I mentioned above, requesting the report involves providing your name, address, social security number, drivers license information, date of birth, and an email address. It isnt all that surprising, then, that my own US Reference Information Report contained all of the above information along with alternative names (Rebecca, Becca, Rebecca A, Rebecca Ann, etc.), previous addresses (including my parents house in Pocatello, Idaho), phone numbers (associated with my parents house, but not my cell phone), and voter registration information (registered Democrat with the State of Utah). Acxiom does allow consumers to contact them about correction of inaccurate information contained in their reports my own report did not contain inaccurate information, but did contain some irrelevant information for their targeted advertising purposes (like, for example, each of my previous addresses in the Boise, Idaho area where I lived while attending Boise State University). Datalogix The Datalogix privacy policy describes how the company uses data to provide

services for its customers. To provide targeted advertising data for its third-party purchasers, the company uses algorithms to create interest-segments (like travel enthusiast or green consumer). The privacy policy further outlines the companys security, data integrity, and third-party transfer practices.42 Consumers can send information requests to the company to discover the extent of the information the company has about them, as well as the interest segments into which they have been classified. I sent such an inquiry, along with a copy of my Utah drivers license to complete the verification process. These documents were sent via USPS on February 14, 2013; to date, I have received no response from the company. 42 http://www.datalogix.com/privacy 19

Rebecca Joslin Cyberlaw (Spring 2013) eBureau eBureau, a target of the FTC investigation but not the Congressional inquiries,

collects and licenses online and offline data for use in the products and services the company provides to customers and third party purchasers. In addition to personal information, the company collects and aggregates general information about its users (through the use of cookies); the company provides customers with the ability to access the data report including their personal information, but does not disclose aggregate information because it is not linked to individual users. To request the report, consumers must provide the company with personal information (name, address, phone number) and verifying information (copy of drivers license or other ID card, as well as a current utility, phone, or credit card bill with account numbers redacted). My inquiry included a request to view my eBureau privacy report, as well as a copy of my Utah drivers license and a copy of my most recent Comcast internet bill with the account number redacted. My data report from eBureau included the same identifying information that I provided to establish my identity (name, address, phone number), as well as date of birth, other addresses, and other phone numbers (one of which happened to be a phone number that I do not recognize). In the Consumer File Contents field of the report, the company indicated that my information was unknown in the following fields: gender, marital status, estimated age, homeowner status, and years of education. The company does have policies in place to allow consumers to correct inaccurate information in their data reports (like the unknown phone number). Here again, I was surprised at the lack of information the company had about me, aside from the information that is public record or that I provided to them to verify my identity in order to gain access to the report.

20

Rebecca Joslin Cyberlaw (Spring 2013) Epsilon In its response to Representative Markeys inquiry, Epsilon stated that it uses

consumer data from a number of both private and public sources to provide marketing services to retailers, media companies, charities, political organizations, and magazines so that these companies might provide targeted advertising to interested consumers.43 Consumers may request access to their Epsilon Consumer Report by providing personally identifiable information (name, gender, year of birth, address, etc.) and a $5 check to the company. Consumers can opt-out of third party marketing programs by sending a simple request to the companys privacy center. My own Epsilon report yielded no information; the Household Data, Household Demographics, Household Real Property Data, and Household Interests sections were all completely blank. The company did not have any Self-Reported Information linked to my personal information either; it appears that until I sent the information request, my information was not found in any of Epsilons databases. Intelius Intelius calls itself an information commerce company; providing consumers and

businesses with information about people, businesses, and assets.44 The myriad services provided by the company include background checks, reverse phone verification, property and area information, people search, email search, as well as consumer services like employment screening, marriage/divorce records, criminal background checks, and public records searches all of which require a fee to access. As with many other companies in

43 http://markey.house.gov/sites/markey.house.gov/files/documents/Epsilon.pdf, see also http://www.epsilon.com/consumer-preference-center 44 http://corp.intelius.com 21

Rebecca Joslin Cyberlaw (Spring 2013) the data industry, they also provide fraud prevention services (for a set monthly fee).45 As a courtesy, the company allows consumers to opt-out of company services or edit information contained on the website.46 I sent a data inquiry to the company, requesting access to my consumer information or, in the alternative, removal of my information from their website. To verify my identity, I included a copy of my Utah drivers license (with photo and DL number crossed out). To date, I have received no response from Intelius. PeekYou PeekYou is an online search engine that allows users to search for friends, family,

colleagues, and acquaintances across the Public Web.47 Their algorithm calculates the likelihood of any URL being associated with an individual the URLs can include news articles, homepages, blog posts, social networking profiles, or public records entries.48 Rather than categorizing the company as a data miner, they prefer to be considered a search engine the company does not index financial or medical history unless it is openly shared on the Internet. Consumer PeekYou pages can be corrected or removed; opt-out requests sent to the company are honored within a few business days but the company is quick to note that, because it merely aggregates information like a search engine, the information contained in a PeekYou profile is still available through traditional engines like Google or Bing. I sent an inquiry to the company requesting more information about their data

collection, use, and dissemination practices. In response, I was linked to the companys Privacy Pledge and Privacy Policy pages. To confirm my identity when I submitted my 45 http://www.intelius.com/idprotect.html 46 http://www.intelius.com/privacy.php 47 http://www.peekyou.com/about/corporate/site/faq 48 Id. 22

Rebecca Joslin Cyberlaw (Spring 2013) electronic request, I was sent a follow-up email asking me to verify my identity. The company merely treated my inquiry as an opt-out request and pointed out that the opt- out only removes my listing from the PeekYou website not from the public record companies from which they source their information (including PeopleSmart, Spokeo, Intelius, USSearch, PeopleFinders, and BeenVerified). To remove the records from these companies, I would be required to contact them directly. Nonetheless, simply entering my first and last name on the PeekYou website

returned a number of very personal results without any verification process at all: the data returned by a simple search included my full name, age, my hometown (Pocatello, Idaho), my parents address and phone number (redacted as 2xxx Sxxxxxxxxx Dx, Pocatello, ID and (208) 238-xxxx), and the website of a dinner theater at which I volunteered in high school (westsideplayers.org). In the search results, PeekYou includes links to their strategic partners (the sources mentioned above). The PeopleSmart link provided me with even more very personal information including my current location (Salt Lake City), social networking profile links, and names of possible relatives (including my mother, father, paternal grandmother, and paternal grandfather). This was perhaps the most unsettling report to me; the fact that these websites knew names of my relatives especially my grandparents, who did not use the Internet with regularity and certainly did not have social networking profiles or other meaningful online presence felt violative of my personal privacy (and theirs). Opt-out requests sent to the company are honored quickly, but the data aggregation and reporting practices of this company in particular felt much less like advertising data and more like a very personal dossier of irrelevant information for advertising purposes.

23

Rebecca Joslin Cyberlaw (Spring 2013) Rapleaf Rapleaf aggregates consumer data from data providers and maps it to consumer

email addresses throughout the US; the company sources data from other data bureaus, and its marketing partners use Rapleafs email link system for a range of marketing and advertising activities. Rapleaf also collects data from public sources including surveys, census data, and public records. In a case study of one of its marketing partners, Rapleaf describes how it used the email list created by a restaurant loyalty program to learn more about the restaurants customer base. The restaurant used the profiles created by Rapleaf to tailor advertising and marketing to its loyal customer base. The profiles included segment information like median age, homeowner status, relationship status, education, lifestyle and interest information, and income range.49 Discovering the extent of information and the customer segmentation profile

Rapleaf has associated with a particular consumer is as simple as submitting an online request. Once the email address has been verified, a consumer has complete access to basic demographics, interests, and miscellaneous information that the company has associated with that email address. My own email address (beccajoslin@gmail.com), which has been my primary email for a number of years, was associated only with my gender the company correctly identified only that I am female. The report returned no age information, interests, or miscellaneous information. Notably, with Rapleafs consumer profile allows consumers to edit and remove data in their consumer profile but they can also add data if they desire. This, according to Rapleaf, allows the company to partner with others to give consumers a more personalized advertising experience. 49 https://www.rapleaf.com/pdfs/Rapleaf_Maggianos.pdf 24

Rebecca Joslin Cyberlaw (Spring 2013) Conclusion In recent months, mainstream media and consumer privacy advocates have been

quick to jump to alarmist conclusions about the activities of the data broker industry. More than a few newspaper articles and reports have made a connection between data brokerage companies and Big Brother, the totalitarian government leader famous in George Orwells 1984. So, is Big Brother watching American consumers? In a way, yes. Consumers are being watched not by a totalitarian government, but

by data brokerage companies that aggregate consumer information to create digital profiles of more than 190 million Americans, according to Acxioms response to Congressman Markey. The collection and dissemination of personal information is, on one side of the debate, problematic and intrusive for many consumers, while on the other side an integral part of todays economy. While industry participants claim that the biggest risk to consumers is irrelevant advertisement, there is much more to the problem than that. Consumers deserve to know more about the industry practices in general; industry-wide lack of transparency only adds to the consumer alarm and widespread distrust of data miners. Lack of consumer access to and control over their own information feels violative of consumer privacy on a basic level. Finally, the most obvious risk related to the data brokerage industry is not the targeted advertising and marketing (or the possibility of irrelevant advertisements for consumers), but rather the possibility that the information aggregated by data collectors would be used to unlawfully profile consumers or to otherwise circumvent other regulations regarding the use of consumer data. Sensitive health and personal information aggregated by data miners and linked to individual

25

Rebecca Joslin Cyberlaw (Spring 2013) consumers requires more than industry-based protection; government regulation relating (at a bare minimum) to the use of this information seems more appropriate than industry best practices, and necessary to protect consumers from unlawful profiling. Certain key industry players have indicated a desire to move toward increased transparency: Jennifer Barrett Glasgow, chief privacy officer of Acxiom, indicates a belief that the industry needs to take a proactive approach toward explaining how their practices benefit business and consumers by saying, Companies generally want to maximize their use of data to make information valuable for both the company and the consumer, but those goals are unachievable if data collection initiatives feel plain-old creepy.50 Indeed, the entire industry may be better served by eliminating secrecy surrounding its practices and working to establish trust with consumers about proper collection and use of their data. Individual privacy is a hot-button issue in American politics today: from CISPA to the various inquiries into the activities of data brokers outlined above, legislators and government agencies are in constant debate about how best to protect competing consumer privacy, economic, and government interests. It remains to be seen whether industry-based initiatives will satisfy lawmakers and government agencies enough to quell the current calls for top-down regulation, or whether the recent government inquiries will ultimately lead to increased government regulation and proposed legislation.

50 http://data-informed.com/leading-senator-opens-inquiry-into-brokers-collection-and- management-of-consumer-data/ 26