Discover the under-the-radar industry known as data brokers, operating silently yet profoundly influencing your digital life. They specialize in the collection, analysis, and resale of personal data, often without the knowledge or consent of the individuals that data relates to. While data brokers’ services are widely relied on in marketing activities, their operations invite considerable privacy concerns and legal implications.
What are Data Brokers and What Do They Do
Data brokers, also known as information brokers or data providers, are companies that collect, analyze, package, and sell information about individuals from a variety of sources.
These businesses primarily operate in the shadows, often unknown to the very individuals whose data they’re handling. They gather data from numerous sources, including public records, social media platforms, and online and offline purchasing data. This data is then processed, cross-referenced with other data, and sold to other businesses, advertisers, marketers, and even government agencies.
How Do Data Brokers Collect Data?
Data brokers collect data through various methods. They use both offline and online sources to gather as much information as possible.
Offline sources can include public records like government records, registries, or professional databases. Online sources, on the other hand, can be as broad as your digital footprints – think of online purchases, web browsing habits, social media interactions, health data, precise geo-location, and much more.
Often, data brokers also buy data from other companies that collect information about their customers, such as retailers or service providers.
How Data Brokers Sell Your Personal Data
Data brokers typically sell data in bulk to businesses, advertisers, and government agencies. This data can be used for a variety of purposes, such as targeted advertising, market research, risk mitigation, and even identity verification processes.
The data can be packaged in a variety of ways, including detailed individual profiles, aggregated data reports, or analytics insights. Often, the buyers of this data have no direct relationship with the individuals whose data is being sold, which is one of the main criticisms of this industry.
Are Data Brokers Legal?
The short answer – yes. There are no laws prohibiting data brokers from doing business.
However, the way they do business raises many legal concerns, and many countries have no comprehensive laws that regulate data brokers. With the rise of privacy laws, there are new limitations on what personal data a business may share and how it may share it, and the rise in privacy enforcement is also contributing to awareness of the problem.
In Europe, the General Data Protection Regulation (GDPR) also sets limitations and hefty fines for violating them, and more countries are in the process of enacting laws that aim to implement stricter rules about data collection, sharing, and consent.
In the United States, there is no federal law that fully regulates the data broker industry. However, two states, Vermont and California, have enacted data broker laws.
These laws define a data broker as a business that knowingly collects and sells or licenses to third parties the personal information of consumers with whom it does not have a direct relationship. The Vermont law requires data brokers to register annually with the Secretary of State, while the California law requires registration with the Attorney General.
The California legislature is currently considering new data broker legislation, which, if passed, would substantially up the ante for data brokers operating in California and could potentially spread to other states.
Data Brokers and Privacy Risks
The mass amounts of data being collected by data brokers are harvested from numerous sources. The Electronic Privacy Information Center (EPIC) provides a comprehensive report on the matter. The concerning aspect is that this data collection and sharing mostly happens without the knowledge or consent of the individuals involved. This lack of transparency and consent is a serious invasion of privacy and is the crux of the controversy surrounding data brokers.
Moreover, clients of data brokers, such as businesses and advertisers, often have no direct relationship with the individuals whose data they are using. Another disturbing issue lies in the fact that government agencies such as intelligence authorities are also using the services of data brokers since it’s easier and cheaper for them to purchase the data than having to go through the legal process involved in requesting a search warrant. Even more disturbing is that the data they receive from data brokers is often more comprehensive than what they could collect themselves.
Herein lies another significant issue – the question of liability. While data brokers might operate within the legal frameworks, the end users of the data – the clients – could face legal repercussions if they use data obtained without the consent of the individuals to whom it pertains.
For example, under the GDPR, organizations can face hefty fines if they process personal data without the individual’s consent. It’s important to note that ignorance is not an excuse; organizations cannot sidestep responsibility by claiming they were unaware that the data they bought was collected without proper consent.
In essence, clients of data brokers could find themselves in legal hot water for privacy violations, even if they are not directly responsible for data collection.
Other Risks Involved When Using Data Brokers
There are other significant risks and concerns associated with the operations of data brokers. These include:
- Accuracy: The data collected may not always be accurate, leading to potential misuse. Incorrect data could impact someone’s creditworthiness and employment prospects or even result in wrongful accusations. Furthermore, incorrect data doesn’t benefit data brokers’ clients and even harms their business decisions.
- Reputational Risks: Using data obtained from brokers can pose reputational risks for businesses. If it becomes public knowledge that a company is using purchased data for targeted marketing or other purposes, it could lead to backlash from consumers who view such practices as invasive or unethical.
- Dependence on Third-Party Data: Relying on third-party data may lead to dependency, limiting the company’s ability to gather and use its first-party data effectively. First-party data is often more accurate and reliable, as it’s collected directly from the customers.
While data brokers operate legally in many jurisdictions, the industry is under-regulated, leading to a lack of transparency about their practices, the source of their data, and whether the individuals to whom the personal data relates have consented to the sharing, sale, or other use of their data. There has been some movement from governmental bodies, though, such as the Federal Trade Commission (FTC) in the US, which has called for greater transparency and accountability for data brokers. More recent cases include the FTC's suit against Kochava, a location data broker, and the class-action lawsuit filed in California targeting Otonomo, another data broker.
Conclusion
There is a need for comprehensive laws that regulate data brokers. You have to be very careful when using data received from data brokers, as you may be held liable in the end for using data that was illegally harvested and shared. Therefore, we recommend avoiding personal data from third parties unless they can provide proof of where they received the data and proof that the individuals to whom the data relates have consented to its sharing and use, and unless they take on the liability for any damages arising from using the data. You should conduct due diligence on any third party you engage with and make sure to enter into a written agreement with them.
In conclusion, the operations of data brokers underline the growing tension between the burgeoning data economy and individual privacy rights. As we navigate this complex landscape, understanding the practices of data brokers, the inherent privacy issues, and the potential legal implications is crucial for both individuals and businesses.
Noa Kahalon
Noa is a certified CIPM, CIPP/E, and a Fellow of Information Privacy (FIP) from the IAPP. Her background consists of marketing, project management, operations, and law. She is the co-founder and COO of hoggo, an AI-driven Digital Governance platform that allows legal and compliance teams to connect, monitor, and automate digital governance across all business workflows.