data brokers: what do they know, who do they share it with and what privacy considerations are at...

Rebecca Joslin – Cyberlaw (Spring 2013)

1

Data Brokers: What Do They Know, Who Do They Share It With, And What Privacy

Considerations Are At Stake?

Introduction

In today’s information age, there is little question that there are economic benefits

to the flow and market exchange of certain kinds of information. For American consumers,

a large network of data brokerage companies facilitate the flow of information between

consumers and companies by collecting personal information about consumers from a

variety of public and non-‐public sources, and reselling the information to other companies.

These collection, maintenance, and dissemination practices often occur without the

knowledge of consumers. This industry has been the subject of increasing scrutiny in the

last year, due in large part to the unregulated space in which data brokers conduct their

online and offline data collection. The lack of a governing regulatory framework has

caused the data brokerage industry to be viewed by many not as a vital source of

information collection, protection, and dissemination essential in today’s market economy,

but rather as unwelcome and secretive digital surveillance of today’s consumers.

Recent government efforts to study privacy practices and the collection and

dissemination of consumer information in the data brokerage industry include two

separate Congressional inquiries and an ongoing FTC investigation. This research project

will give a general overview of the data broker industry and will provide an overview of the

current regulatory framework under which the industry operates, the regulatory interests

of the FTC’s investigation and the Congressional inquiries, and the responses I received

when I submitted information requests to seven different data brokers.


2

The Industry

It is difficult to say with accuracy exactly what information is collected by data

brokers and, perhaps more importantly, how it is collected, stored, and distributed in the

market. According to the Privacy Rights Clearinghouse, the online and offline collection of

consumer data is conducted through public and semi-‐public records; for example, the data

includes information provided when consumers buy a house, get married, file for divorce,

fill out surveys, obtain drivers licenses, get arrested, vote, or establish a social networking

profile.1 Data brokers have, to date, been less-‐than-‐transparent about the sources of their

data – protecting the collection methods as a trade secret and preferring not to pinpoint

exactly how consumer information is aggregated, analyzed, and from which sources it is

collected.2 This is problematic for consumers, government agencies, and industry

participants alike, in light of the individual privacy concerns surrounding the activities of

these companies.

While certain aspects of this industry that operates largely under the consumer

radar are somewhat unsettling, there are certain benefits to the flow of information in

today’s market economy. Data brokers represent a multi-‐billion dollar industry directed at

the aggregation of the information of hundreds of millions of Americans, which is then sold

to third parties for targeted advertising, marketing, and other purposes.3 Many of these

companies also provide direct benefits to consumers by providing fraud monitoring

services. Further, the data brokerage industry provides significant benefit to the economy

1 https://www.privacyrights.org/online-‐info-‐broker-‐faq#legal 2 http://www.aclu.org/blog/technology-‐and-‐liberty/data-‐brokers-‐release-‐information-‐about-‐their-‐operations-‐response 3 http://www.nytimes.com/2012/12/09/business/company-‐envisions-‐vaults-‐for-‐personal-‐data.html


3

in general by facilitating better marketing of products and services to consumers. Data

brokers collect financial, retail, and recreational information to create a consumer profile

that is then sold to clients like airlines, automakers, banks, credit card issuers, and retailers

to maintain and recruit their customer bases and to reduce unnecessary marketing toward

unlikely customers.4 For example, categorization of consumers based on housing

information (like, for example, those that live in apartment buildings or in the heart of

larger cities) allows companies to efficiently market to particular population segments –

and reduces, for example, things like lawnmower advertisements to those to whom the

advertisements likely do not appeal.

Important to note is the ubiquity of the data brokerage industry in the economy,

society, and government; the industry is simultaneously scrutinized for what some have

called “shadowy” privacy practices and heavily utilized by a myriad of industry

participants.5 Data-‐driven marketing fosters competition by ensuring that numerous

industry participants can better reach consumers.6 Government leaders, scientists,

corporate leaders, health officials, and education specialists are anxious to see if new kinds

of analysis of large data sets can yield insights into how people behave, what they might

buy, and how they might respond to new products, services, and public policy programs.7

Aside from the marketing and advertising economic benefits, the industry is an essential

4 http://www.nytimes.com/2012/07/25/technology/congress-‐opens-‐inquiry-‐into-‐data-‐brokers.html?_r=0. 5 http://news.cnet.com/8301-‐31322_3-‐57388097-‐256/in-‐the-‐world-‐of-‐big-‐data-‐privacy-‐invasion-‐is-‐the-‐business-‐model/ 6 http://www.the-‐dma.org/cgi/disppressrelease?article=1566 7 http://www.elon.edu/e-‐web/predictions/expertsurveys/2012survey/future_Big_Data_2020.xhtml


4

part of America’s job creation, economic growth, and global leadership.8 The Direct

Marketing Association notes that data-‐driven marketing represents 8.7% of total US GDP,

and data-‐driven marketers collectively fuel 9.2 million US jobs by providing economic

growth and job creation to global brands, start-‐ups, and everything in between.9 The rise

of the data mining industry has subjected industry participants to careful study in recent

years.

Regulatory Concerns

Congressional and agency inquiries and investigations into the data broker industry

are centered around various regulatory concerns, including individual consumer privacy

concerns, general lack of industry transparency, consumer access to and control of

information, and the potential for misuse of data. The industry has been largely

cooperative with respect to all recent investigations, preferring to respond to

Congressional and agency letters rather than invite further scrutiny for failure to respond

to this type of investigation. At the same time, however, the industry has taken a defensive

stance when it comes to accusations about the potential consumer privacy concerns and

questions about the potential for misuse of data; industry responses to inquiries are

summarized below, but for the most part data brokerage companies defend their practices

as a lawful and essential part of America’s economy. Nonetheless, lawmakers and agency

representatives alike have spearheaded investigations into the industry to better

understand data protection practices, the implications of those practices with respect to

consumer privacy, and the regulatory schema under which the industry currently operates. 8 Id. 9 Id.


5

Preliminary Investigations and Current Regulation

More details about the inner workings of the data brokerage industry are likely

forthcoming. In 2010, the FTC began an investigation into the practices of more than a

dozen information aggregators. The final report, published in March 2012, sets forth best

practices for businesses to protect the privacy of American consumers and give consumers

greater control over the collection and use of their personal data. This report expands on a

preliminary staff report the FTC issued in December 2010, which included a framework of

recommendations for privacy protection policies to be adopted by companies handling

consumer data – including privacy by design, consumer control, and greater transparency

for the collection and use of consumer data.10 The 2012 report redefined the scope of the

privacy framework, included an analysis of the regulatory framework governing the

activities of data brokers, and included proposed solutions for consumer privacy protection

moving forward. The FTC’s recommendations occupy two realms: government action and

industry self-‐regulation.

Importantly, the privacy report noted that unless data brokers use information for

credit, employment, insurance, housing, or other similar purposes, there are no laws on the

books requiring them to maintain the privacy of consumer data.11 This lack of regulation is

at the heart of the recent increase in scrutiny surrounding the data brokerage industry –

and has prompted numerous calls for legislation (at both the state and federal levels) 10 http://ftc.gov/opa/2012/03/privacyframework.shtm. “Privacy by Design” is a term of art, reflecting the theory that companies should build in consumer privacy protections at every stage in developing their products – including reasonable security for consumer data, limited collection and retention of such data, and reasonable procedures to promote data accuracy. 11 http://ftc.gov/os/2012/03/120326privacyreport.pdf at 66.


6

aimed at the industry’s privacy practices. The FTC recommends that Congress consider

baseline privacy legislation, and supports any national legislation aimed at providing or

securing consumer access to information held by the network of data brokers; further, the

FTC recommends that the industry itself implement the final privacy framework through

company and working group initiatives and through strong and enforceable self-‐regulatory

initiatives.12

With respect to industry self-‐regulation, the FTC report contains numerous specific

recommendations. Noting that data brokers buy, compile, and sell highly personal

information about consumers (who are often unaware that the companies even exist, and

do not know the purposes for which their data is collected and used), the FTC recommends

primarily that the data brokerage industry increase transparency regarding these practices

through internal initiatives, guided by the policy objectives outlined in the framework

above.13 The FTC report also calls on data brokers who compile consumer data for

marketing purposes to explore creation of a centralized website where consumers could

get information about industry practices and their operations for controlling data use and

dissemination within the large network of data brokerage companies.14 In the wake of

numerous calls for both industry self-‐regulation and government intervention, the FTC

urges data broker industry participants to, at a minimum, consider adopting the

recommendations set forth in the report in order to better protect the privacy of American

consumers and give them greater control over the collection and use of their personal

information. The report concludes by outlining the FTC’s areas of focus in the realm of

12 Id at 72. 13 http://ftc.gov/opa/2012/03/privacyframework.shtm 14 Id.


7

consumer privacy protections over the next year: Do-‐Not-‐Track, Mobile Privacy

Protections, Data Brokers, Large Platform Providers, and Promotion of Enforceable Self-‐

Regulatory Codes.15

With more consumers becoming aware of data brokers’ activities and the

implications of data mining on their personal privacy, legislators are becoming increasingly

interested in learning more about the industry and pressing for greater consumer privacy

protection. A recent Pew Internet/Elon University survey of 1,021 Internet experts,

observers, and stakeholders measured current opinions about the potential impact of

human and machine analysis of newly emerging large data sets in the years ahead. The

survey was opt-‐in, online canvassing; 53% of respondents predicted that the rise of Big

Data is likely to be a “huge positive for society in nearly all respects” by 2020, while 39% of

survey participants said it is likely to be a “big negative”.16 Time Magazine, the Wall Street

Journal, and the New York Times have all published articles discussing the consumer

privacy implications of the data broker industry in recent months. Since July 2012, two

separate congressional inquiries have been directed at reducing the secrecy that shrouds

the activities of these companies.

2012 Congressional Inquiries

In July of 2012, Representative Edward Markey (D-‐Mass) and Representative Joe

Barton (R-‐Texas), along with six other members of the Bipartisan Congressional Privacy

Caucus, submitted inquiries to nine different data brokers, requesting that they provide 15 Id. 16 http://elon.edu/docs/e-‐web/predictions/expertsurveys/2012survey/PIP_Future_of_Internet_2012_Big_Data_7_20_12.pdf


8

answers to a detailed questionnaire regarding data collection, assembly, analysis, and

dissemination practices. The companies – Acxiom, Epsilon (Alliance Data Systems),

Equifax, Experian, Harte-‐Hanks, Intelius, Fair Isaac (FICO), Merkle, and Meredith Corp. –

were given three weeks to respond to the inquiry.

The inquiry itself began with a summary of the reasons for which the Caucus started

the investigation – the serious privacy concerns raised by the large-‐scale aggregation of the

personal information of hundreds of millions of American citizens.17 The committee cited a

recent article in the New York Times detailing how hidden dossiers on American consumers

often extend far beyond demographic information (like age, race, and sex) to include

“weight, height, marital status, education level, politics, buying habits, household health

worries, vacations, and so on”.18 The implications of the industry practices, stresses the

Caucus, extend beyond targeted advertising and economic benefit; as the Times article

points out, privacy advocates are troubled by industry practices involving the classification

of some consumers as high-‐value prospects (ripe for marketing campaigns and discount

mailers) while dismissing other consumers as low-‐value (“waste” in industry slang).19 The

Caucus notes that these practices have been termed “Weblining”, analogous to the illegal

practice of “Redlining” in the physical world – and cites the potential long-‐term impacts on

access to education, health care, employment, and other economic opportunities for these

low-‐value consumers.20 The Caucus’s letters to data brokerage companies concluded with

a detailed set of questions involving inquiries into the sources of consumer data, the 17 For an example of one of the inquiries sent to the data brokers, see Axciom’s letter: http://markey.house.gov/sites/markey.house.gov/files/documents/Axciom%20letter.pdf 18 http://www.nytimes.com/2012/06/17/technology/acxiom-‐the-‐quiet-‐giant-‐of-‐consumer-‐database-‐marketing.html?pagewanted=all 19 Id. 20 Id.


9

methods of data collection (including social media and mobile use and activity), services

offered to third parties, consumer access to personal information (including fees and

correction, opt-‐out, and deletion mechanisms, if they exist), and storage and encryption of

consumer information. The full letter can be accessed here.

In November 2012, the Caucus released the responses. Acxiom was the only

company that did not reject the categorization of its business practices as data brokerage,

and was also the only company to provide data on the number of consumers submitting

information requests: out of the 190 million consumers it has collected information on, as

few as 77 people per year (over the last two years) have requested access to their personal

information. Acxiom expressed an interest in “pushing for whatever steps are necessary to

make sure Americans know how this industry operates and are granted control over their

own information.”21 Equifax, a credit consumer reporting bureau, firmly rejected the

categorization of “data broker”, stating instead that the company “operates almost

exclusively in a heavily and closely regulated environment that is altogether inconsistent

with a data broker environment.”22 Harte-‐Hanks, a direct marketing company best known

for advertising fliers, does not consider itself a data broker because it “does not own a

database which describes consumers, represents consumer profiles, or contains consumer

dossiers [which are then] compiled, sold, or licensed”, while at the same time

acknowledging that it receives consumer information through social networking providers

at the request of its clients.23 One company called itself a “data provider”. Another

21 http://markey.house.gov/sites/markey.house.gov/files/documents/Acxiom.pdf 22 http://markey.house.gov/sites/markey.house.gov/files/documents/Equifax.pdf 23 http://markey.house.gov/sites/markey.house.gov/files/documents/Harte%20Hanks.pdf


10

reported that since it only “analyzes” data, it should not be considered a data broker.24

Many other companies providing responses to Representative Markey’s inquiry stated that

they do not allow access to consumer data because the information is anonymized and not

re-‐identifiable to individual consumers. Notably, the companies provided little explanation

of the distinction between the information they collect and use (like gender) versus the

information they create by analysis for profiling consumers (e.g.: female interested in

weight loss sent coupons for diet pills).25

The lack of consensus on the definition of “data broker” is at the heart of the

congressional inquiries and the regulatory interests of lawmakers and administrative

agencies. In a joint statement, the lawmakers stated the following: “The data brokers’

responses offer only a glimpse of the practices of an industry that has operated in the shadows

for years. Many questions about how these data brokers operate have ben left unanswered,

particularly how they analyze personal information to categorize and rate consumers. This

and other practices could affect the lives of nearly all Americans, including children and teens.

We want to work with the data broker industry so that it is more open about how it collects,

uses, and sells Americans’ information. Until then, we will continue our efforts to learn more

about this industry and will push for whatever steps are necessary to make sure Americans

know how this industry operates and are granted control over their own information.” While

the stated goal of the inquiry was the exposure of data broker practices to the public and

the improvement of transparency in the industry, Representative Markey stated that his

24 http://www.data-‐informed.com/lawmakers-‐disappointed-‐in-‐results-‐from-‐data-‐brokers-‐privacy-‐inquiry/ 25 http://markey.house.gov/press-‐release/lawmakers-‐release-‐information-‐about-‐how-‐data-‐brokers-‐handle-‐consumers%E2%80%99-‐personal


11

ultimate goal was to determine whether legislators should enact a law regulating the

industry.26

Furthering the continued government scrutiny aimed at the data brokerage

industry, Senator John D. Rockefeller IV (D-‐WV), Chairman of the Senate Commerce

Committee, initiated a second Congressional inquiry into the privacy practices of nine data

brokers – Acxiom, Experian, Equifax, Transunion, Epsilon, Reed Elsevier (Lexis-‐Nexis),

Datalogix, Rapleaf, and Spokeo in October 2012.27 In the letters the Committee sent to the

data brokers, Rockefeller expressed concern about the lack of information provided to

consumers by saying that, “An ever-‐increasing percentage of their lives will be available for

download, and the digital footprint they will inevitably leave behind will become more

specific and potentially damaging, if used improperly.”28 This second Congressional

investigation only confirms that legislators and regulators remain concerned about the

uncertainty surrounding the exact practices of the data broker industry – including the

extent of the material collected, the third parties to whom it is disclosed, and the uses of the

information by the third parties.

In response to the Congressional inquiries, the Direct Marketing Association, the

largest trade association dedicated to data-‐driven marketing, issued a response expressing

concern about the heightened scrutiny. The DMA is concerned that lawmakers are

questioning legitimate commercial data practices that the industry believes are essential to

26 http://www.nytimes.com/2012/07/25/technology/congress-‐opens-‐inquiry-‐into-‐data-‐brokers.html?_r=0 27 http://www.commerce.senate.gov/public/index.cfm?p=PressReleases&ContentRecord_id=a42a865a-‐be30-‐4171-‐8278-‐86ee0a8c76fb 28 http://www.commerce.senate.gov/public/?a=Files.Serve&File_id=3bb94703-‐5ac8-‐4157-‐a97b-‐a658c3c3061c


12

America’s job creation, economic growth, and global leadership positions; further, the DMA

accuses the Congressional inquiries of scrutinizing the fuel on which America’s free market

engine runs – targeted advertising.29 The DMA insists that market participants are not

merely snooping on the private lives of consumers, but rather provide essential data

collection so that companies ensure their ads reach only the most interested consumers.30

Underlying much of the legislative and administrative concern is the risk that some data

brokers or third party purchasers could use consumer dossiers (including financial

information, akin to credit reports) for improper purposes – like excluding individual

consumers from certain offers or charging different prices based on the consumer’s

profile.31 The inquiries also focus on consumers’ ability to access and correct information

maintained about them; in its letter, the DMA notes that the only harm to consumers of

inaccurate data is irrelevant advertisements. Nevertheless, the Congressional inquiries are

not the only source of increased scrutiny directed at the data broker industry – the Federal

Trade Commission opened an investigation in December 2012.

FTC Investigation

Following the initial 2010 FTC inquiry outlined above, the FTC began a directed

investigation aimed at studying how the data brokerage industry collects, uses, stores, and

disseminates information. To begin, the FTC issued orders requiring nine data brokerage

companies to file special reports that will provide the agency with information about

29 http://the-‐dma.org/news/August-‐13-‐2012-‐DMALetter.pdf 30 Id. 31 http://www.nytimes.com/2012/10/11/technology/senator-‐opens-‐investigation-‐of-‐data-‐brokers.html


13

privacy practices industry-‐wide.32 Specifically, the FTC seeks details about the information

the companies collect and where they get it, how they store, use, and disseminate it, and

the extent to which people can get access to information data brokers have about them,

correct inaccuracies, and opt out of having their information sold.33 The nine data brokers

– Acxiom, Corelogic, Datalogix, eBureau, ID Analytics, Intelius, Peekyou, Rapleaf, and

Recorded Future – were required to file responses by February 1, 2013.34 My attempts to

contact the FTC about the information contained in the company responses (and the

possibility of gaining early access to the reports for research purposes for this paper) have

not yielded substantive information. I emailed the FTC staff associated with the orders sent

to data brokers; the staff persons declined to provide information about how many data

brokers responded (and if they did so in a timely manner), what the responses contained,

or when the agency’s report would be published – though I’ve been informed that an

official FTC report of the agency’s findings is forthcoming, likely within the year. The data

broker responses themselves will likely be released to the public after the FTC analyzes

them internally and the report of agency findings is created.

Nevertheless, government scrutiny of the data brokerage industry remains at an all-‐

time high. Industry and trade association responses to both Congressional inquiries

emphasize that the information collected is used for marketing and commercial purposes

only – and not for regulated or improper purposes. While consumer reporting agencies are

required by law to disclose individuals’ credit reports, data brokers are under no obligation

32 http://www.ftc.gov/opa/2012/12/databrokers.shtm 33 Id. 34 http://www.ftc.gov/os/2012/12/121218databrokerssection6border.pdf


14

to show consumers information collected for marketing purposes.35 The FTC’s regulatory

concern is the misuse of information by third parties; to the extent that the data mined by

the data broker industry is used improperly to injure or discriminate against consumers,

government regulation is a necessary next step toward consumer protection.

While it appears that Congress and the FTC are at least exploring the possibility of

more top-‐down regulation of the industry, the DMA cautioned Congress against adopting

any new laws targeting data brokers; instead, the DMA and industry participants argue that

industry self-‐regulation is the best approach to address any privacy concerns. These

industry-‐based initiatives are widespread and diverse. The Consumer Data Industry

Association is an international trade association is aimed at ensuring that consumer data is

collected, maintained, and used by third parties in responsible ways. To help marketers

better understand applicable government regulations and industry practices aimed at

consumer data collection and use, the Direct Marketing Association has created a Data

Governance Certification program to establish industry-‐based initiatives, educate

participants about government compliance issues (with specific attention to customer

notice and access), and inspire innovation without infringing consumer privacy.36 The

Network Advertising Initiative sponsors the AdChoices icon; when the icon appears near an

online ad, consumers can click on it to learn more about privacy choices and opt-‐out tools.

Whether these various industry-‐based initiatives will satisfy lawmakers and other

regulatory bodies remains to be seen.

35 Id. 36 http://www.targetmarketingmag.com/article/dma-‐data-‐governance-‐certification-‐balancing-‐marketing-‐rewards-‐big-‐data-‐its-‐risks/2


15

My Inquiries

One of the primary areas of focus in the Congressional inquiries and the FTC’s

ongoing investigation is the extent to which data brokers allow consumers to access and

correct their information or to opt out of having their personal information stored or

sold.37 The next portion of my research involved sending information requests to seven

data providers (many of which were targets of Congressional or FTC inquiries) to discover

the amount of personal information these companies had managed to collect about me, as

well as their profiles of my consumer behavior. The seven data providers, Acxiom,

Datalogix, eBureau, Epsilon, Intelius, Peekyou, and Rapleaf, each responded differently to

my consumer inquiry; some provided telling reports, others provided reports containing

very little personally identifiable information, and still others provided no report at all.

Acxiom

Acxiom, in its response to Representative Markey, noted that over the last two years

only 77 people per year requested access to their personal information held by the

company (out of 190 million consumers whose information is collected).38 As far as

consumer access to information, however, Acxiom is much more forthcoming than other

companies in the same industry. The company’s Consumer Data Information page allows

consumers to learn more about the data Acxiom collects and how it is used, to discover

which Personicx Cluster consumers fall into, to opt out of Acxiom’s marketing and directory

products, and to request a report of the risk and fraud data Acxiom has about them (for a

$5 processing fee). My own inquiry to Acxiom involved emails to their privacy center, as

37 http://www.ftc.gov/opa/2012/12/databrokers.shtm, see also the FTC orders issued December 18, 2012. 38 http://www.markey.house.gov/sites/markey.house.gov/files/documents/Acxiom.pdf


16

well as the submission of an inquiry that would provide me with their directory and fraud

prevention information. To verify my identity with the company, I mailed a check to their

US office as well as providing my name, address, social security number, driver’s license

information, and date of birth.

Acxiom provides three types of data products, each with distinct data uses:

marketing and data products, directory products, and fraud detection and prevention

products. The marketing and data products contain publicly available information,

surveys, and information from other data collectors. The company sells this information to

companies, political associations, and non-‐profit organizations for marketing, fundraising,

and customer service efforts. Personicx is Acxiom’s household-‐level consumer

segmentation marketing product; the process categorizes US households into one of

seventy different segments (based on demographic characteristics) and twenty-‐one life

stage groups (consisting of demographic groups sharing similar life events, like having

babies, getting married, or approaching retirement). These categories are used by

marketers to target specific consumer interests in advertising, customer service, and

fundraising efforts. The company’s website allows consumers to discover which clusters

they fall into by simply providing simple demographic information – age, marital status,

homeowner status, household income, zip code, and household net worth.39 My own

demographic information yields the following:

Mixed Singles: Cluster #61: Cluster 61 is an ethnically mixed group, with a

particularly high concentration of Asians, Hispanics, and African-‐Americans. They

are a younger group of urbanites either in school or recently out of school and

39 https://isapps.acxiom.com/personicx/personicx.aspx


17

barely – economically speaking – making their way in the big city. With youth and

tight finances, they tend to be more cash-‐prone, leveraging money orders and debit

cards as needed. They have below-‐average incomes and minimal net worth at this

point in their lives. All single and childless, they spend a lot of their free time either

socializing at trendy night spots or exercising. These city dwellers particularly enjoy

going to the movies. Their strong interest in foreign travel is most likely driven by

visits to family abroad. If they have a car at all, chances are it is a subcompact,

perfect for maneuvering in congested traffic.

This is where my own analysis gets interesting, at least on a personal level. After

researching the data brokerage industry and reading about all of the possible information

these companies have about me, I was worried about how accurate this type of consumer

segmentation might be. As it turns out, I don’t really fall into this description at all. I’m

Caucasian, I don’t leverage money orders or debit cards to make ends meet, I rarely enter

“trendy night spots” even when I do have free time (which is rare, as a law student), I

dislike going to the movies, my interest in foreign travel is not driven by visits to family

abroad (as most of my family resides in Idaho and Wyoming, which are far from exotic

foreign destinations), and I own a midsize SUV. The consumer profile correctly identified

only that I am in school, unmarried with low net worth and low income, and that I enjoy

exercise. For marketing or advertising purposes, the profile is likely still accurate enough

to be useful for third parties purchasing this type of information from Acxiom; but the

accuracy of the consumer segmentation profile was far from “creepy”, as this type of

profiling has been characterized. The company’s other marketing products (which

consumers can opt-‐out of) consist of individual data (name, address, gender, education,


18

voter party, occupation, date of birth, etc.), demographics, interests (obtained from surveys

or derived from inquiries or purchases), purchase behavior (apparel, home improvement,

books, computers/electronics, etc.), life event data (derived from self-‐reported surveys or

public records), technology indicators (including computer and cell phone preference

information), wealth indicators, real property data (sourced from real property recorder

and assessor sources), vehicle data, health interests (from self-‐reported surveys or

summarized from purchase data), and social media indicators (gathered only from the

public portion of social network sites by the user).40

The company’s directory products consist of information from published white and

yellow pages of telephone books, and are used by companies, political associations, non-‐

profit organizations, government agencies, and consumers to search for contact

information. The same page on Acxiom’s website allows consumers to opt-‐out of targeting

in online ads, as well as opt-‐out of targeting in all ads and offers from Acxiom clients.

Acxiom’s fraud detection and prevention products contain identifying information

from public and private sources (including sensitive information like Social Security

Numbers), and are used by qualified companies in selected industries, non-‐profit

organizations, and government agencies to verify the identities of customers and

investigate fraud.41 From the site, consumers can request their US Reference Information

Report for a $5 processing fee; the report is later delivered electronically (encrypted and

password protected).

40 http://www.acxiom.com/uploadedFiles/Content/About_Acxiom/Privacy/AC-‐1255-‐10%20Acxiom%20Marketing%20Products.pdf 41 http://www.acxiom.com/about-‐acxiom/privacy/consumer-‐data-‐information/


19

As I mentioned above, requesting the report involves providing your name, address,

social security number, driver’s license information, date of birth, and an email address. It

isn’t all that surprising, then, that my own US Reference Information Report contained all of

the above information – along with alternative names (Rebecca, Becca, Rebecca A, Rebecca

Ann, etc.), previous addresses (including my parents’ house in Pocatello, Idaho), phone

numbers (associated with my parents’ house, but not my cell phone), and voter registration

information (registered Democrat with the State of Utah). Acxiom does allow consumers to

contact them about correction of inaccurate information contained in their reports – my

own report did not contain inaccurate information, but did contain some irrelevant

information for their targeted advertising purposes (like, for example, each of my previous

addresses in the Boise, Idaho area where I lived while attending Boise State University).

Datalogix

The Datalogix privacy policy describes how the company uses data to provide

services for its customers. To provide targeted advertising data for its third-‐party

purchasers, the company uses algorithms to create interest-‐segments (like “travel

enthusiast” or “green consumer”). The privacy policy further outlines the company’s

security, data integrity, and third-‐party transfer practices.42 Consumers can send

information requests to the company to discover the extent of the information the

company has about them, as well as the interest segments into which they have been

classified. I sent such an inquiry, along with a copy of my Utah driver’s license to complete

the verification process. These documents were sent via USPS on February 14, 2013; to

date, I have received no response from the company.

42 http://www.datalogix.com/privacy


20

eBureau

eBureau, a target of the FTC investigation but not the Congressional inquiries,

collects and licenses online and offline data for use in the products and services the

company provides to customers and third party purchasers. In addition to personal

information, the company collects and aggregates general information about its users

(through the use of cookies); the company provides customers with the ability to access the

data report including their personal information, but does not disclose aggregate

information because it is not linked to individual users. To request the report, consumers

must provide the company with personal information (name, address, phone number) and

verifying information (copy of driver’s license or other ID card, as well as a current utility,

phone, or credit card bill with account numbers redacted). My inquiry included a request

to view my eBureau privacy report, as well as a copy of my Utah drivers license and a copy

of my most recent Comcast internet bill with the account number redacted.

My data report from eBureau included the same identifying information that I

provided to establish my identity (name, address, phone number), as well as date of birth,

other addresses, and other phone numbers (one of which happened to be a phone number

that I do not recognize). In the “Consumer File Contents” field of the report, the company

indicated that my information was “unknown” in the following fields: gender, marital

status, estimated age, homeowner status, and years of education. The company does have

policies in place to allow consumers to correct inaccurate information in their data reports

(like the unknown phone number). Here again, I was surprised at the lack of information

the company had about me, aside from the information that is public record or that I

provided to them to verify my identity in order to gain access to the report.


21

Epsilon

In its response to Representative Markey’s inquiry, Epsilon stated that it uses

consumer data from a number of both private and public sources to provide marketing

services to retailers, media companies, charities, political organizations, and magazines so

that these companies might provide targeted advertising to interested consumers.43

Consumers may request access to their Epsilon Consumer Report by providing personally

identifiable information (name, gender, year of birth, address, etc.) and a $5 check to the

company. Consumers can opt-‐out of third party marketing programs by sending a simple

request to the company’s privacy center. My own Epsilon report yielded no information;

the Household Data, Household Demographics, Household Real Property Data, and

Household Interests sections were all completely blank. The company did not have any

Self-‐Reported Information linked to my personal information either; it appears that until I

sent the information request, my information was not found in any of Epsilon’s databases.

Intelius

Intelius calls itself an “information commerce company”; providing consumers and

businesses with information about people, businesses, and assets.44 The myriad services

provided by the company include background checks, reverse phone verification, property

and area information, people search, email search, as well as consumer services like

employment screening, marriage/divorce records, criminal background checks, and public

records searches – all of which require a fee to access. As with many other companies in

43 http://markey.house.gov/sites/markey.house.gov/files/documents/Epsilon.pdf, see also http://www.epsilon.com/consumer-‐preference-‐center 44 http://corp.intelius.com


22

the data industry, they also provide fraud prevention services (for a set monthly fee).45 “As

a courtesy”, the company allows consumers to opt-‐out of company services or edit

information contained on the website.46 I sent a data inquiry to the company, requesting

access to my consumer information or, in the alternative, removal of my information from

their website. To verify my identity, I included a copy of my Utah driver’s license (with

photo and DL number crossed out). To date, I have received no response from Intelius.

PeekYou

PeekYou is an online search engine that allows users to search for friends, family,

colleagues, and acquaintances across the Public Web.47 Their algorithm calculates the

likelihood of any URL being associated with an individual – the URLs can include news

articles, homepages, blog posts, social networking profiles, or public records entries.48

Rather than categorizing the company as a data miner, they prefer to be considered a

search engine – the company does not index financial or medical history unless it is openly

shared on the Internet. Consumer PeekYou pages can be corrected or removed; opt-‐out

requests sent to the company are honored within a few business days – but the company is

quick to note that, because it merely aggregates information like a search engine, the

information contained in a PeekYou profile is still available through traditional engines like

Google or Bing.

I sent an inquiry to the company requesting more information about their data

collection, use, and dissemination practices. In response, I was linked to the company’s

Privacy Pledge and Privacy Policy pages. To confirm my identity when I submitted my 45 http://www.intelius.com/idprotect.html 46 http://www.intelius.com/privacy.php 47 http://www.peekyou.com/about/corporate/site/faq 48 Id.


23

electronic request, I was sent a follow-‐up email asking me to verify my identity. The

company merely treated my inquiry as an opt-‐out request – and pointed out that the opt-‐

out only removes my listing from the PeekYou website – not from the public record

companies from which they source their information (including PeopleSmart, Spokeo,

Intelius, USSearch, PeopleFinders, and BeenVerified). To remove the records from these

companies, I would be required to contact them directly.

Nonetheless, simply entering my first and last name on the PeekYou website

returned a number of very personal results without any verification process at all: the data

returned by a simple search included my full name, age, my hometown (Pocatello, Idaho),

my parents’ address and phone number (redacted as “2xxx Sxxxxxxxxx Dx, Pocatello, ID”

and “(208) 238-‐xxxx”), and the website of a dinner theater at which I volunteered in high

school (westsideplayers.org). In the search results, PeekYou includes links to their

strategic partners (the sources mentioned above). The PeopleSmart link provided me with

even more very personal information – including my current location (Salt Lake City),

social networking profile links, and names of possible relatives (including my mother,

father, paternal grandmother, and paternal grandfather). This was perhaps the most

unsettling report to me; the fact that these websites knew names of my relatives –

especially my grandparents, who did not use the Internet with regularity and certainly did

not have social networking profiles or other meaningful online presence – felt violative of

my personal privacy (and theirs). Opt-‐out requests sent to the company are honored

quickly, but the data aggregation and reporting practices of this company in particular felt

much less like advertising data and more like a very personal dossier of irrelevant

information for advertising purposes.


24

Rapleaf

Rapleaf aggregates consumer data from data providers and maps it to consumer

email addresses throughout the US; the company sources data from other data bureaus,

and its marketing partners use Rapleaf’s email link system for a range of marketing and

advertising activities. Rapleaf also collects data from public sources including surveys,

census data, and public records. In a case study of one of its marketing partners, Rapleaf

describes how it used the email list created by a restaurant loyalty program to learn more

about the restaurant’s customer base. The restaurant used the profiles created by Rapleaf

to tailor advertising and marketing to its loyal customer base. The profiles included

segment information like median age, homeowner status, relationship status, education,

lifestyle and interest information, and income range.49

Discovering the extent of information and the customer segmentation profile

Rapleaf has associated with a particular consumer is as simple as submitting an online

request. Once the email address has been verified, a consumer has complete access to basic

demographics, interests, and miscellaneous information that the company has associated

with that email address. My own email address ([email protected]), which has been

my primary email for a number of years, was associated only with my gender – the

company correctly identified only that I am female. The report returned no age

information, interests, or miscellaneous information. Notably, with Rapleaf’s consumer

profile allows consumers to edit and remove data in their consumer profile –but they can

also add data if they desire. This, according to Rapleaf, allows the company to partner with

others to give consumers a more personalized advertising experience.

49 https://www.rapleaf.com/pdfs/Rapleaf_Maggianos.pdf


25

Conclusion

In recent months, mainstream media and consumer privacy advocates have been

quick to jump to alarmist conclusions about the activities of the data broker industry. More

than a few newspaper articles and reports have made a connection between data

brokerage companies and “Big Brother”, the totalitarian government leader famous in

George Orwell’s 1984. So, is Big Brother watching American consumers?

In a way, yes. Consumers are being watched not by a totalitarian government, but

by data brokerage companies that aggregate consumer information to create digital

profiles of more than 190 million Americans, according to Acxiom’s response to

Congressman Markey. The collection and dissemination of personal information is, on one

side of the debate, problematic and intrusive for many consumers, while on the other side

an integral part of today’s economy. While industry participants claim that the biggest risk

to consumers is irrelevant advertisement, there is much more to the problem than that.

Consumers deserve to know more about the industry practices in general; industry-‐wide

lack of transparency only adds to the consumer alarm and widespread distrust of data

miners. Lack of consumer access to and control over their own information feels violative

of consumer privacy on a basic level. Finally, the most obvious risk related to the data

brokerage industry is not the targeted advertising and marketing (or the possibility of

irrelevant advertisements for consumers), but rather the possibility that the information

aggregated by data collectors would be used to unlawfully profile consumers or to

otherwise circumvent other regulations regarding the use of consumer data. Sensitive

health and personal information aggregated by data miners and linked to individual


26

consumers requires more than industry-‐based protection; government regulation relating

(at a bare minimum) to the use of this information seems more appropriate than industry

best practices, and necessary to protect consumers from unlawful profiling.

Certain key industry players have indicated a desire to move toward increased

transparency: Jennifer Barrett Glasgow, chief privacy officer of Acxiom, indicates a belief

that the industry needs to take a proactive approach toward explaining how their practices

benefit business and consumers by saying, “Companies generally want to maximize their

use of data to make information valuable for both the company and the consumer, but

those goals are unachievable if data collection initiatives feel ‘plain-‐old creepy’”.50 Indeed,

the entire industry may be better served by eliminating secrecy surrounding its practices

and working to establish trust with consumers about proper collection and use of their

data. Individual privacy is a hot-‐button issue in American politics today: from CISPA to the

various inquiries into the activities of data brokers outlined above, legislators and

government agencies are in constant debate about how best to protect competing

consumer privacy, economic, and government interests. It remains to be seen whether

industry-‐based initiatives will satisfy lawmakers and government agencies enough to quell

the current calls for top-‐down regulation, or whether the recent government inquiries will

ultimately lead to increased government regulation and proposed legislation.

50 http://data-‐informed.com/leading-‐senator-‐opens-‐inquiry-‐into-‐brokers-‐collection-‐and-‐management-‐of-‐consumer-‐data/