GAO Report Highlights Compelling Reasons for New Federal Privacy Law
Consumers keep sharing and disclosing lots of personal data—each time they shop, surf the Web, subscribe to magazines, or contribute to charities. Mounds of this data are being compiled and combined, creating so-called digital dossiers that outline much about who we are—or, at least, some approximation of who companies think we are, based on our consumer preferences. As our data gets resold, recombined, and repurposed, we often have little idea who has data about us, where a given company may have initially obtained that data, and what that data will be used for in the future. It feels as if we have no real control over our own data. This is the brave new world of big data.
To date, Congress has not yet addressed the challenges of big data. It has yet to pass new privacy legislation in the U.S., despite the launch of several bills, and a White House report recommending a privacy bill of rights for consumers. Just before Thanksgiving, the US General Accountability Office (GAO) published a report, Information Resellers (“the Report”) that calls for new federal privacy legislation. The Report focuses on the new challenges arising from data reselling and the new types of companies that are aggregating information from consumers at high rates. The Report finds that there are holes in the current privacy framework, which consists of a patchwork effort, with laws governing specific sectors including health information, financial information, and children’s data, but with much data also falling outside of the regulatory net. In this column, I will evaluate the Report, and discuss why its findings have merit—although those findings also leave Congress and others hanging when it comes to how to achieve a legislative fix.
The GAO Report: Mind the Gaps
On November 15, 2013, the GAO released its Report on the statutory protections for consumers with regard to the use of data for marketing purposes by data brokers. The Report, therefore, focused primarily on companies that compile and resell consumer personal information as a way of highlighting the new world of big data and its consequent big-data governance gaps. The major takeaway? For now, consumers are at mercy of data aggregators, who hold our vital information in their data vaults.
The breadth of data collection is impressive and includes: our names, purchases, and voter registrations; our children’s ages; our real or perceived ailments; our social-media activities; and even our astrological forecasts. All of this information—and much more data—is for sale, and, in most cases, consumers are powerless to stop the sale of the data, or even to control it.
“The core message of our study is that there definitely is a need to look at the privacy framework so people understand just how much of their information may be available to others,” said Alicia Puente Cackley, the Director of Financial Markets and Community investment at the GAO. Cackley and her team prepared the 61-page study at the request of West Virginia Senator Jay D. Rockefeller IV, a Democrat who chairs the Senate Committee on Commerce, Science, and Transportation.
Making the Case for Congressional Action: Giving Consumers Some Access and Control over Data “Smorgasbords”
The GAO Report makes the case that data brokers/resellers have a vast and surprising assortment of data about us. Indeed, one commentator called it a data smorgasbord. The Report outlines the types of data that different data resellers collect. Experian, for example, collects and sells the following type of information about consumers, as of 2013:
|Hobbies and interests||Astrology/psychic reading, boating, gardening, photography, politics, religion, self-improvement, volunteering.|
|Pet owners||Cats, dogs, other pets.|
|Reading preferences||Bible/devotional, children’s, history, mystery, nonfiction, romance, science fiction.|
|Collecting||Art/antiques, die cast miniatures, dolls, plates, sports memorabilia, and stamps/coins.|
|Cooking and entertaining||Baking, gourmet cooking, recipes, wine appreciation.|
|Health and fitness||Healthy living, interest in fitness, natural/herbal remedies, personal care/beauty care, reduce fat/cholesterol, vegetarian, weight conscious.|
|Music preference||Christian, classical/opera/big band, country, jazz/new age, oldies, rhythm and blues, rock|
|Sweepstakes and gambling||Casino gambling, lotteries, sweepstakes.|
|Sports and recreation||Boating/sailing, camping/hiking, fishing, golf, hunting, motorcycles, racing/autos, running/jogging, skiing, swimming, tennis, outdoors.|
|Occupation||Beauty (cosmetologists, barbers, manicurists) civil servants, clergy, clerical/office workers, doctors/physicians/surgeons, executives/administrators, farming/agriculture, health services, middle management, nurses, professional/technical, retail service, retired, sales, marketing, self-employed, skilled/trade/machine operator/laborer, teacher/educator.|
|Financial investments||Certificates of deposit/money market funds, mutual funds/annuities, Individual Retirement Accounts, life insurance, real estate, stocks or bonds.|
|Ailments||Allergies, Alzheimer’s disease, angina, arthritis/rheumatism, asthma, back pain, cancer, clinical depression, diabetes, emphysema, erectile dysfunction, epilepsy, frequent heartburn, gum problems, hearing difficulty, high blood pressure, high cholesterol, irritable bowel syndrome, lactose intolerant, ulcer, menopause, migraines/frequent headaches, multiple sclerosis, osteoporosis, Parkinson’s disease, prostate problems, psoriasis/eczema, sinusitis/sinuses.|
|Visual impairments||Contact lenses, eyeglasses, visual impairments/correction.|
And in light of the massive files that are being compiled, the GAO noted that consumers have very little rights to actually control the collection and the onward movement of their data. The GAO found that that the current federal statutory privacy scheme contains “gaps” and “does not fully reflect” Fair Information Practice Principles (“FIPPs”). Consumers, it seems, do not always have proper control or knowledge of their data—and this is one of the core messages of the Report: Congress needs to consider better ways to give consumers some basic rights to see and know how their data is being collected and shared, and to have access rights in order to make corrections to erroneous information.
FIPPs, developed by the Federal Trade Commission (FTC) is a set of five key principles rooted in the Privacy Act of 1974. They are simple principles focused on consumer rights of notice/awareness, choice/consent, access/participation, integrity/security, and enforcement/redress.
The Report outlines arguments from both proponents of privacy-law reform and those who prefer the status quo. The Report acknowledges, for example, that there are potential benefits to the collection of big data that come from improved targeted advertising and as a result, a quicker and easier consumer experience. The Report also noted that critics of privacy reform point to the important innovations that have been developed through the use of data collection. New types of services have arisen. Location-tracking services, for example, are now possible because of the capture of mobile-phone data that can help provide consumers with relevant information as they move through town. Moreover, it also allows for more important emergency tracking services as well.
The GAO Report ultimately concludes that although some industry participants have stated that current privacy laws are adequate—particularly in light of self-regulatory measures—there are gaps in the current statutory privacy framework that do not fully address “changes in technology and marketplace practices that fundamentally have altered the nature and extent to which personal information is being shared with third parties.”
Key changes that are identified come from the development of the online tracking of consumers, mobile applications, location tracking, and mobile payments. While each of these new activities may be covered somewhat by existing privacy laws, the GAO points out that there is no general legislation that regulates the collection of information for these new activities.
The GAO report also notes that existing law is not aligned with the fair information practice principles (FIPPs). According to the GAO, Congress should strengthen the current consumer-privacy framework. In doing so, the Report notes, Congress should consider the following:
- The adequacy of consumers’ ability to access, correct, and control their personal information in circumstances beyond those currently accorded under the Fair Credit Reporting Act
- Whether there should be additional controls on the types of personal or sensitive information that may be collected and shared;
- What changes, if any, are needed, in the permitted sources and methods for data collection; and
- What privacy controls should be imposed related to new technologies, such as web tracking and mobile devices?
In the End, The GAO’s Final Recommendations Leave Readers Hanging
The GAO’s Report also discussed the potential advantages and disadvantages of implementing a comprehensive, federal-based privacy-law regime, as opposed to the current, state-based, sector-specific method of regulation.
First, a comprehensive regime could fill any gaps left by a sector-specific regulatory model—including those businesses and forms of data that do not fit neatly into existing frameworks. Second, a comprehensive baseline law would offer uniform privacy protections to consumers on a more reliable and consistent basis. It would also allow for potential harmonization with other jurisdictions, including the European Union.
However, the GAO Report acknowledges that a one-size-fits all regulatory approach could be burdensome for businesses, because no single law could be crafted to fit the practices of each individual company or industry in an adequate fashion. The Report also states that many industry stakeholders believe that the current sector-specific approach is well-suited for addressing any gaps existing in the current framework. Congress could, for instance, strengthen, and extend the scope of, existing legislation such as the Fair Credit Reporting Act (FCRA), and the Health Insurance Portability and Accountability Act (HIPAA).
The GAO Report is the most recent expression of support for comprehensive privacy legislation from within the federal government. The White House has been advocating a new Privacy Bill of Rights that would allow consumers to better access their data, and that would ask companies to respect the context in which data was gathered, when deciding how or when to share or sell it to third parties. In this regard, the Report echoes the Obama Administration’s 2012 Privacy Blueprint. The FTC’s 2012 Privacy Report also reiterated the agency’s support for a privacy law that is targeted at data brokers—which would be more of a sectoral approach. The GAO Report, by contrast, implies that a general privacy law could be used to address the issues that were raised in this more recent analysis.
The Report, while not a scintillating read, makes a case for why consumers have little protection in light of new technologies and new types of uses of technology, where consumer data is captured. These are the regulatory gaps, which leave some data collection currently unregulated. In addition, there are gaps in how information, when collected, is handled. FIPPs are an essential baseline for how consumer data should be treated.
But at the end of the day, the bigger question of passing one new comprehensive law, or a series of laws, or amendments to sector-specific laws, has so far been left unanswered. The GAO Report builds a case for reform, but leaves the “how” up in the air. We are left, instead, with its parting words: “The challenge will be providing appropriate privacy protections without unduly inhibiting the benefits to consumers, commerce, and innovation that data sharing can accord.”