Print Page | Contact Us | Sign In | Register
News & Press: In the Media

Vermont’s New Registry Highlights the Difficulties of Regulating Data Brokers

Tuesday, July 2, 2019   (0 Comments)
Posted by: Jeff Couture


By Douglas MacMillan

Until recently, Randy Koloski had never heard of Amerilist, a small business 25 miles north of Manhattan.

But for $150, Amerilist makes available a list of information on 5,000 people that includes Koloski’s name, home address, age, religion, education level and income.

Koloski, a school bus driver in Hartford, Vt., says he never agreed to turn over that data to Amerilist. “They shouldn’t have access to that,” he said upon learning of the database.

Lawmakers in Koloski’s home state are at the forefront of a national movement aiming to shine a light on companies such as Amerilist — data brokers that buy and sell the personal information of millions of Americans with whom they have no direct relationship. A state law passed last year required all businesses that trade data on Vermont’s residents to register publicly and share some basic information about how they operate.

Backerdan says Amerilist only resells data it obtains from other data companies, including Experian and Acxiom. Amerilist doesn’t sell data on users who have registered their names on a “do not mail” database, he said.

The experiment in Vermont is being closely watched at a time when regulators across the country are trying to address growing concerns over online privacy. A California law set to take effect at the beginning of next year will allow the state’s residents to opt out of having their data sold. Maine passed a law this month barring Internet service providers, including AT&T and Verizon, from selling broadband customers’ information. State legislatures in New York, Maryland and Massachusetts are all considering measures to give residents more control over data.

So far, Vermont is the only state to single out data brokers. All of the proposed measures, though, threaten to crack down on the most potent weapon in these companies’ arsenals. Third-party data, or information held by someone who didn’t obtain it directly from the user, can be mined from public records, such as DMVs, property records and voter rolls, as well as private databases filled with people’s magazine subscriptions and shopping records.

Data industry executives who have lobbied against the state laws say third-party data is vital to the businesses they serve. Among those customers are banks, which use data to detect financial fraud, and law enforcement agencies, which dig through databases to find criminals. Advertisers hone pitches to potential customers based on third-party data about their behaviors and interests.

But privacy advocates warn that the spread of data increases the risk of it being misused. A list of people who have Alzheimer’s disease could be purchased by bad actors who want to take advantage of mentally ill people. Two data brokers who advertise an Alzheimer’s patient list -- Experian and Amerilist -- say they vet the buyers of that data to make sure they are legitimate businesses.

Free websites that give anyone easy access to people’s current home addresses can be valuable tools for stalkers and abusers who are trying to locate their victims.

“Victims of domestic violence are trying to take control over their privacy,” said Erica Olsen, director of the Safety Net Project at the National Network to End Domestic Violence. “But the data broker companies are doing a significant amount of work to compile information about a person.”

It’s one thing for a user to willingly turn over their data to receive targeted advertisements, experts say. But the widespread sale of data, often taken without the explicit consent of users, gives data brokers broad latitude to do whatever they want with it, said Bob Gellman, an independent privacy consultant.

“A lot of what is going on here is hidden. No one knows,” Gellman said. “The notion they are only using the information to send you a coupon isn’t that bad. But they are building profiles of people.”

The privacy campaign in Vermont and other states could pave the way for more far-reaching data protections in the United States.

The Federal Trade Commission drew attention to the problems of an opaque data industry in a 2014 report, in which the agency called on Congress to pass legislation that would establish a nationwide registry of data brokers. A bill proposed the following year by four Senate Democrats, called the “Data Broker Accountability and Transparency Act,” never gained traction.

But renewed calls for U.S. privacy protections have followed Equifax’s massive data breach in 2017 and Facebook’s recent string of privacy scandals. Congress has been criticized for falling behind Europe’s regulators, who last year adopted sweeping online privacy rules.

Earlier this month, a group of 40 state attorneys general recommended the creation of a clearinghouse for all data brokers in the country. In public comments to the FTC, the state officials said a registry could help prevent the “loss of privacy that occurs when consumers are subject to increasingly extensive monitoring without increased public awareness or oversight.”

Recently, even industry groups have come around to supporting federal legislation.

“Clearly there was a market failure,” Randall Rothenberg, CEO of the Interactive Advertising Bureau. “We tried to do it ourselves. We tried to do it through self regulation. There’s a problem with that: We cannot enforce compliance.”

Read the full Washington Post article.

Data assembly line

Vermont’s new registry offers a peek inside the data broker economy. The more than 100 companies in the registry range in size from a one-man junk mail business operated out of a northern Vermont residence to Oracle, the 140,000-person software giant that sells some of the world’s most sophisticated data marketing services.

Many of the businesses work together in a kind of digital data assembly line.

Edvisors operates a collection of websites for college-bound students, including PrivateStudentLoans.com, HowToGetIn.com and GradLoans.com. Students who visit these sites are asked to enter their personal information on surveys for the chance to win scholarships of up to $10,000. The company’s privacy policy says it may sell data “to third parties whose products and services we think may be of interest to you.”

ALC, a data reseller, takes data from Edvisors and repackages it for marketers, according to an advertisement on ALC’s website.

ALC advertised a “College Bound Student MasterFile,” which includes the names and home addresses of up to three million students for a rate of $95 per 1,000 names. For a few extra dollars, marketers could also buy the name of the college each student plans to attend and his or her expected field of study.

ALC told marketers it used data from two additional companies to “overlay” the student data with more details about them: Experian and Ethnic Technologies.

Experian, one of the largest collectors of third-party data, compiles thousands of data points on each consumer and uses them to predict which products and services they will buy. When Experian can’t find a source of verified data, it uses statistical models to guess personal attributes, including political preferences, financial health and which types of products someone is likely to buy, according to a marketing brochure on the company’s website.

Experian uses these models to place consumers into 71 different marketing segments, including “American royalty,” “kids and cabernet” and “small town shallow pockets,” according to its site.