Vermont’s New Registry Highlights the Difficulties of Regulating Data Brokers
Tuesday, July 2, 2019
Posted by: Jeff Couture
By Douglas MacMillan
Until recently, Randy Koloski had never heard of Amerilist, a small business 25 miles north of Manhattan.
But for $150, Amerilist makes available a list of information on 5,000 people that includes Koloski’s name, home address, age, religion, education level and income.
Koloski, a school bus driver in Hartford, Vt., says he never agreed to turn over that data to Amerilist. “They shouldn’t have access to that,” he said upon learning of the database.
Lawmakers in Koloski’s home state are at the forefront of a national movement aiming to shine a light on companies such as Amerilist — data brokers that buy and sell the personal information of millions of Americans with whom they have no direct relationship. A state law passed last year required all businesses that trade data on Vermont’s residents to register publicly and share some basic information about how they operate.
Backerdan says Amerilist only resells data it obtains from other data companies, including Experian and Acxiom. Amerilist doesn’t sell data on users who have registered their names on a “do not mail” database, he said.
The experiment in Vermont is being closely watched at a time when regulators across the country are trying to address growing concerns over online privacy. A California law set to take effect at the beginning of next year will allow the state’s residents to opt out of having their data sold. Maine passed a law this month barring Internet service providers, including AT&T and Verizon, from selling broadband customers’ information. State legislatures in New York, Maryland and Massachusetts are all considering measures to give residents more control over data.
So far, Vermont is the only state to single out data brokers. All of the proposed measures, though, threaten to crack down on the most potent weapon in these companies’ arsenals. Third-party data, or information held by someone who didn’t obtain it directly from the user, can be mined from public records, such as DMVs, property records and voter rolls, as well as private databases filled with people’s magazine subscriptions and shopping records.
Data industry executives who have lobbied against the state laws say third-party data is vital to the businesses they serve. Among those customers are banks, which use data to detect financial fraud, and law enforcement agencies, which dig through databases to find criminals. Advertisers hone pitches to potential customers based on third-party data about their behaviors and interests.
But privacy advocates warn that the spread of data increases the risk of it being misused. A list of people who have Alzheimer’s disease could be purchased by bad actors who want to take advantage of mentally ill people. Two data brokers who advertise an Alzheimer’s patient list -- Experian and Amerilist -- say they vet the buyers of that data to make sure they are legitimate businesses.
Free websites that give anyone easy access to people’s current home addresses can be valuable tools for stalkers and abusers who are trying to locate their victims.
“Victims of domestic violence are trying to take control over their privacy,” said Erica Olsen, director of the Safety Net Project at the National Network to End Domestic Violence. “But the data broker companies are doing a significant amount of work to compile information about a person.”
It’s one thing for a user to willingly turn over their data to receive targeted advertisements, experts say. But the widespread sale of data, often taken without the explicit consent of users, gives data brokers broad latitude to do whatever they want with it, said Bob Gellman, an independent privacy consultant.
“A lot of what is going on here is hidden. No one knows,” Gellman said. “The notion they are only using the information to send you a coupon isn’t that bad. But they are building profiles of people.”
The privacy campaign in Vermont and other states could pave the way for more far-reaching data protections in the United States.
The Federal Trade Commission drew attention to the problems of an opaque data industry in a 2014 report, in which the agency called on Congress to pass legislation that would establish a nationwide registry of data brokers. A bill proposed the following year by four Senate Democrats, called the “Data Broker Accountability and Transparency Act,” never gained traction.
But renewed calls for U.S. privacy protections have followed Equifax’s massive data breach in 2017 and Facebook’s recent string of privacy scandals. Congress has been criticized for falling behind Europe’s regulators, who last year adopted sweeping online privacy rules.
Earlier this month, a group of 40 state attorneys general recommended the creation of a clearinghouse for all data brokers in the country. In public comments to the FTC, the state officials said a registry could help prevent the “loss of privacy that occurs when consumers are subject to increasingly extensive monitoring without increased public awareness or oversight.”
Recently, even industry groups have come around to supporting federal legislation.
“Clearly there was a market failure,” Randall Rothenberg, CEO of the Interactive Advertising Bureau. “We tried to do it ourselves. We tried to do it through self regulation. There’s a problem with that: We cannot enforce compliance.”
Read the full Washington Post article.