Data Brokers Need Reining In, and the FTC Needs the Authority to Do It

By David Hoffman, Associate General Counsel and Global Privacy Officer

The data broker industry has long been the bottom feeding portion of the growing data economy. They purport to be innovators but are in fact nothing more than malicious profiteers. Recent high-profile misuses of personal data have shown how dangerous this largely unregulated category of companies has become. The Federal Trade Commission (FTC), despite its best intentions, has neither the proper legal tools nor the resources it needs to do anything about this segment of the industry. That needs to change.

The closing panel at the FTC’s latest hearings on Competition and Consumer Protection in the 21st Century.

Many of the threats to and violations of personal data that have occurred over the past few years are the work of data brokers. They call themselves “technology companies,” but they don’t manufacture anything or create platforms on which others can innovate. Instead, they exist solely to monetize and weaponize the data of others. Together these data brokers comprise a wholly unregulated, secondary market for buying and selling individuals’ data, without any consequence for their own misuses of personal data or the misuses they empower. The industry uses technology to fuel business models that undermine public confidence in actual technology companies that care about engendering customer trust through protecting customer privacy.

The FTC is to be commended for the attention it has given to this issue in their recent hearings. However, the Commission does not have the resources, legal authorities or focus to properly protect the American people from unscrupulous data brokers. It is critical that Congress give the FTC what it needs to act as an adequately empowered privacy policy regulator.

Despite the FTC’s admirable efforts, the scope and reach of its authority under Section 5 of the FTC Act does not reach many of today’s data-driven business practices. For example, the FTC has had difficulties extending its Section 5 authority to govern the buying and selling of consumers’ data by data brokers who do not obtain data directly from individuals. As government records have become more available, and as people post more information on publicly available websites, data brokers have developed the ability to derive sensitive information about people without ever getting information directly from them. Another issue is that the FTC’s enforcement program does not have the teeth necessary to incentivize responsible and ethical data practices or deter bad actors from exploiting the complex and opaque ways data brokers process personal data. The comments Intel posted in conjunction with my participation in the FTC’s recent hearings on Competition and Consumer Protection in the 21st Century detail the specific remedies needed to more fully empower the FTC to address these issues.

In the past year, the American people have come to understand that foreign adversaries are working with data brokers to weaponize personal data and use it to manipulate citizens to destabilize our country. Data brokers also continue to create profiles to target victims of domestic violence, police, judges and victims of crime. While the FTC does not have the mission to protect the nation from foreign nation states, it does need to stop these data brokers from collecting, using and transferring personal data in ways that harm individuals and the country. With sufficient authorities and resources, the FTC could quickly begin an effort to shut down the profiting off the malicious use of profiles data brokers create from personal data. The time is now for Congress to empower the FTC and state attorneys general to stop data brokers from harming the American people.