On May 27, the Federal Trade Commission (FTC) issued a report on the data broker industry that found data brokers operate with a “fundamental lack of transparency.” The commission unanimously recommended that Congress consider enacting legislation to make data broker practices more visible to consumers and to give consumers greater control over the immense amounts of personal information about them that are collected and shared by data brokers. Not well-recognized at the time were a number of concerns, mini-dissents if you will, expressed by Federal Trade Commissioner Josh Wright. I recently asked Commissioner Wright some questions about his “dissent by footnotes.”
You had a number of concerns that were noted in footnotes. Why did you choose to express your concerns that way, rather than through a concurrence or even a dissent?
Wright: The data broker report serves an important function in getting descriptive data about the industry out into the world. Through the use of the commission’s 6(b) authority, staff was able to obtain some important information about the types of activities in which data brokers are engaging. Most of the report is concerned with describing these activities and, to the limited extent that the report offered recommendations with which I disagreed, I thought those disagreements were best expressed through concise statements in the footnotes rather than a separate statement because the former more appropriately reflected the scope of my concerns about the report.
Regarding recommended legislation for improving consumer control over information shared by data brokers for marketing purposes, you question whether the costs associated with allowing consumers to opt out of all data-sharing for marketing purposes would outweigh the potential benefits to consumers. Can you explain the cost-benefit analysis you’re alluding to, including the type of costs and benefits would be included in the calculus?
Wright: Serious cost-benefit analysis concerning consumers and privacy requires rigorous study of consumer preferences. By that, I mean what is required to understand how and to what extent consumers value information is much more than survey evidence that purports to elicit consumer preferences by merely asking consumers whether “they are concerned about privacy.” I would also like to see evidence of the incidence and scope of consumer harms rather than just speculative hypotheticals about how consumers might be harmed before regulation aimed at reducing those harms is implemented. Accordingly, we also would need to quantify more definitively the incidence or value of data broker practices to consumers before taking or endorsing regulatory action. The report acknowledges that these practices have some benefits to consumers. But I would like this component of the equation to be more thoroughly examined.
We have a lot of work to do on the cost side of the ledger as well. We have no idea what the costs for businesses would be to implement consumer control over any and all data shared by data brokers and to what extent these costs would ultimately be passed on to consumers. This could be especially problematic in areas where the costs to businesses are high but where the ultimate benefit to consumers is minimal. For example, the costs to effectuate opt-out mechanisms might be high in certain circumstances and may not offer consumers any real benefit. If consumers have minimal concerns about the sharing of certain types of information—perhaps information that is already publicly available—I think we should know that before requiring data brokers to alter their practices and expend resources.
You also question whether a centralized portal, where consumers could learn about data brokers and their practices as well as opt-out tools, would benefit users. Can you elaborate?
Wright: I found the “centralized mechanism” or “centralized portal” recommendation problematic on two fronts. First, I did not see any evidence in the report that a centralized portal would necessarily be an effective way for consumers to learn about data broker practices. Indeed, the report itself recognized that industry members have expressed concern that this mechanism could be unwieldy and might overwhelm consumers. In attempting to respond to this concern, the report—without referencing any underlying empirical evidence about consumer preferences or behavior—simply suggested that the portal be limited to the largest data brokers, perhaps the 50 biggest ones. I did not think much thought went into that recommendation—for example, the 50 largest data brokers might be the ones with the most consumer-friendly practices. What about smaller data brokers that might specialize in collecting and using more sensitive information or information that consumers are completely unaware is collected and used? Under the report’s recommendation, consumers would never see a disclosure about the data collected by those entities.
Second, I objected to this recommendation because bundled along with the centralized mechanism recommendation was the recommendation that data brokers be required to provide consumers with the ability to opt out of data collection. The report did not stop at merely recommending the “disclosure” of existing opt-out tools on the centralized portal. Instead, the report made the blanket recommendation that consumers should be able to opt out of any and all data collection, without providing any sort of analysis of the costs and benefits of requiring such opt-out ability.
The FTC recommends that Congress consider requiring data brokers to provide consumers with enough detail “that [consumers] can see the breadth of categories the data broker has about them” and suggests relying on special categories of data similar to those established under the Fair Credit Reporting Act (FCRA) to ensure that consumers have access to certain types of sensitive data about them. You are “wary” of applying a “FCRA-like” framework that, as proposed by the FTC, “would allow consumers to control uses of the data about which they care most” without first conducting a “more robust balancing of the benefits and costs associated with imposing these requirements” on data brokers. What do you see as being the potential downsides of applying FCRA-like consumer access and rectification measures within the data broker industry?
Wright: The report did not produce any actual evidence that the Fair Credit Reporting Act framework provides insufficient consumer protection. Data brokers will be covered by the FCRA if they engage in activities covered by that statute. To me, it seemed that the report was recommending that rather than engaging in the kind of cost-benefit analysis that underlies the letter and spirit of the FCRA, we should instead let consumers pick and choose the types of information that they would prefer data brokers not to share. This would be a fine solution if there were no costs on the other side of the equation. In a nutshell, the biggest downside I see is that we would be implementing a regulatory regime without attempting carefully to quantify the costs and benefits before doing so.
The report noted that individuals potentially may be harmed by errors in consumer profiles if those errors do not trigger statutory protections allowing individuals to access and correct data about them, such as the protections provided under the FCRA. The FTC recommends that Congress enact legislation to force data brokers to provide individuals with transparency, access and correction functionality “tied to the significance of the benefit or transaction in question.” You believe that such measures are premature because there “is no evidence about the existence or scope of this hypothetical problem.” What harm do you see in the commission’s recommendation that Congress consider enacting such measures?
Wright: The primary harm is the risk that the commission’s recommendation gives the false impression that we have considered carefully the costs and benefits of the proposed solution when we have not. Crafting a solution before one identifies the size, scope and nature of a potential problem gives rise to a number of concerns. First, the hypothetical problem may never develop or its development may be stunted by some other activity in the market. Second, the proposed solution may overshoot the mark and end up overcorrecting and causing its own set of problems. Finally, by acting prematurely, we do not give the market the opportunity to respond with solutions of its own, which are often more creative in design and precise in execution than regulatory responses.
You believe the FTC’s law enforcement authority is the “appropriate vehicle” to address the potential unlawful discriminatory use of data and that more “evidence about the existence, nature and scope of such problematic uses” is needed before imposing additional obligations on data brokers to conduct due diligence in view of securing data from unscrupulous entities. Could you elaborate on evidence you think is needed first, and how do you anticipate such evidence will be developed and presented to the commission?
Wright: One of the best ways for the commission to develop this evidence would be to investigate these arguably problematic practices. If and when we find our law enforcement authority to be insufficient to protect consumers, the exercise of diagnosing the source of the insufficiency will guide a proper call for an appropriately tailored legislative response. I do not find it particularly persuasive to argue that these consumer harms are hard to detect and therefore it is appropriate to prophylactically recommend legislation. That is not an appropriate basis for commission action. I do not think it is the commission’s job, much less a sensible allocation of agency resources, to try to prevent harms that have not happened and might never happen.
Another way to develop this evidence is through commission research and public workshops. As noted in the report, the commission will examine the potential discriminatory effects of certain data collection practices at a September workshop.
Finally, despite your differing viewpoints on the specific recommendations listed above, the FTC “unanimously recommends that Congress should consider enacting legislation that would enable consumers to learn of the existence and activities of data brokers and provide consumers with reasonable access to information about them held by these entities.” In light of your other dissenting footnotes, what are the key operational tenets of a legislative framework that would increase transparency of data-broker practices?
Wright: In considering whether and how to enact legislation that would enable consumers to learn of the existence and activities of data brokers, it would be useful for Congress to evaluate the effectiveness of various approaches used historically to educate consumers. There are many examples in the marketplace—some more successful than others—that could guide Congress in its efforts to reach consumers and increase transparency about information collection and use practices. As the report points out, at least one data broker has launched a website to provide consumers with information about its practices and access to data collected about consumers. This model could be studied to determine whether it is reaching the intended audience and providing the desired information. To be clear, I am not necessarily opposed to the idea of a centralized portal or some other type of centralized mechanism. As I acknowledged in one of my footnotes, it is a useful idea in theory. Perhaps firms will adopt this idea on their own should it prove to satisfy consumers’ needs. But it is very important to study consumer preferences and behavior first before one can suggest that a mandatory and centralized portal would make consumers better off in any meaningful way.
In addition to determining the proper vehicle to provide disclosures to consumers, Congress should also ensure that information is presented to consumers in a manner and scope that will facilitate transparency and understanding without overwhelming the typical consumer. Again, there are many examples in the marketplace that illustrate the most effective means of providing information, not the least of which is some excellent empirical work performed by staff economists and lawyers at the commission.
Underpinning both of these concepts would be the inclusion of a robust cost-benefit analysis. Examining the costs and benefits I have outlined above, and evaluating them in the particular context of any proposed legislative solution, would help ensure a narrowly tailored piece of legislation that would provide real benefits to consumers without imposing undue significant costs.
This originally was posted to the International Association of Privacy Professionals (IAPP) Privacy Advisor on July 31, and is reprinted in its entirety with permission from the IAPP.