FTC official attacks data brokers at industry conference
A top Federal Trade Commission (FTC) official on Thursday delivered a speech sharply critical of data brokers’ practices at a conference populated by many of the biggest players in that industry.
The speech signaled an FTC poised to more aggressively take on an industry that has exploded in recent years even as it has steadily eroded individual privacy.
“With increasing precision, companies are collecting and sharing a staggering amount of information about American consumers,” Samuel Levine, the FTC’s consumer protection chief, said in the speech delivered at the Consumer Data Industry Association Law and Industry Conference.
He noted that “without much cost or effort, anyone in the United States or abroad can obtain detailed information about where Americans spend their days, sleep at night, what health conditions they have, who they associate with, as well as what their religious faith and political interests are.”
That power “should concern all of us,” Levine said, noting that the data brokerage industry operates as if in a “fever” as it gathers and sells ever more data on Americans who are profiled with information that can be “easily weaponized.”
Research shows the industry was valued at $240 billion in 2021 and is projected to grow to more than $450 billion in the next decade, Levine said.
Levine said he is particularly concerned by how data brokers “maximize” their extraction of consumer data, leaving no stone unturned as they compile digital dossiers that individuals have no way of controlling.
The speech comes as officials at multiple levels of government have increased their attention on the industry. California legislators recently cleared legislation to rein in data brokers.
Seeking transparency and clarity
Levine warned companies to evaluate what consumer data they collect and how transparent they are with customers about their practices; do more to vet third parties they share data with; impose rules on “downstream” use of customer data; and provide “simple to understand and easy-to-access instructions to consumers on how to take advantage of their legal rights.”
Underscoring that point, Justin Sherman, a leading expert on data brokers, told Recorded Future’s The Record that the debate over consumer consent is “broken” since nobody reads the lengthy documents where privacy policies and terms of service agreements are laid out “with legalese and jargon that’s entirely incomprehensible to most people.”
The FTC understands this reality and Levine directly addressed it in his speech, said Sherman, who is the founder and CEO of Global Cyber Strategies, a research and advisory firm, as well as a senior fellow at Duke University’s Sanford School of Public Policy.
The fact that Levine delivered this speech to the Consumer Data Industry Association, whose members include the major consumer reporting agency data brokers, “shows that the FTC is willing to engage directly with consumer reporting companies while also putting them on notice to not violate the law,” Sherman said.
In recent months the FTC has penalized three companies for “unlawfully” sharing consumers’ sensitive health data, Levine said. He noted that the orders in these cases not only require consumer consent before sharing such data, but also “prohibit the practice altogether.”
However, the commission has faced setbacks in its efforts to rein in data brokers. In May a federal judge dismissed a lawsuit the FTC filed against the location data broker Kochava, saying the commission failed to provide enough evidence of wrongdoing.
Last year, the FTC launched a “rulemaking proceeding” around commercial surveillance and lax data security practices, which would give it more authority to regulate the industry. Levine said the agency is now reviewing more than 11,000 comments on the proposed rule and is speaking with stakeholders.
However, in an appearance before Congress on Wednesday, FTC Commissioner Rebecca Kelly Slaughter said the agency is best poised to take on data brokers through individual enforcement action while Congress can make sweeping changes to the industry’s practices — comments that highlight the stakes for the American Data and Privacy Protection Act. That legislation, which died in the last Congress, remains in limbo in the House Energy and Commerce Committee.
Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.