data collectionConsumers faced many cybersecurity-related setbacks this year, with a record number of data breaches being the highlight. Among all of these breaches, one stands out — the Equifax Breach — which will undoubtedly be analyzed for years and decades to come. Although there’s been a lot of attention on the Equifax Breach’s cybersecurity and financial implications, unfortunately, the privacy implications of the breach, as well as those of Equifax’s business model have been less explored. In this post, we’re going to take an in-depth look at businesses like Equifax and the growing multi-billion dollar industry that profits from collecting, storing and selling consumer data.

Mass data collection in the modern age

In an age of data breaches, government surveillance, social media and online public records, for many people, it’s likely a foregone conclusion that large swaths of their personal information exist somewhere just waiting to be found. What might be lesser known, though, is that there are companies interested in a lot more than just your name, address and other basic facts about your life. They want to know where you’ve traveled, if you’re expecting, how often you’ve been sick and much more. Although a lot of companies (especially Internet-based ones) are in the habit of collecting consumer data — often without consumers’ knowledge — there are certain companies, called data brokers, that solely exist to collect, aggregate, buy and sell consumer information. Data brokers concern consumer advocates for a number of reasons, but mostly because they make a profit off of buying and selling consumer data.

What are data brokers?

Data collection is nothing new given that the credit bureaus and other consumer reporting agencies have been doing it for over a century. In fact, many of the problems consumers have with consumer reporting agencies apply to data brokers. For example, just like with credit bureaus, consumers don’t opt into data brokers’ collection of their personal information, and a number of these firms don’t allow consumers to opt-out. The difference is that credit bureaus have direct regulation in the form of the Fair Credit Reporting Act (FCRA). Even though for many advocates, the FCRA doesn’t go far enough to police credit reporting agencies, there comparatively exists no legislation specifically regulating the activities of data brokers. Whenever applicable, the Federal Trade Commission has used the FCRA to reign in particularly egregious instances of abuse by some data brokers, but it’s clear to many that the FCRA alone is inept at addressing basic concerns about the industry. For example, if one of these firms aggregates misinformation about you, you’ll likely never know, and will simply experience the consequences of it in your life – possibly in the form of higher insurance premiums or higher pricing in other contexts. Sadly, even if you did know the data these companies had on you, you’d have little recourse because, for the most part, these companies have no consumer-facing presence. As was the case with Equifax, in this industry, businesses are the customers and people are the product.

Aside from the concerns listed above, the existence of these companies also begs the question of whether or not any of them have experienced a data breach. If one of these firms is breached, it’s not exactly clear whether or not there’s an obligation to report it to consumers. This is worth pondering because while breaches leaking social security numbers are financially devastating, the seemingly intimate details that data brokers collect are irreplaceable and can be used to identify or harass consumers for life. But even without data breaches, from what is known about some of these companies, it’s possible that access to this information might be readily available for anyone with enough time or money to find it.

Why is my data being collected?

Companies have always wanted consumer information, but it wasn’t until the advent of modern computing that computers have been able to generate and analyze large sets of data. The rise of personal computing, algorithms and large, complex Internet-based systems like the Internet of Things (IoT) have helped contribute to what experts are calling the age of big data. Both machines, like IoT devices, as well as humans are generating substantial amounts of data that will allow companies to make inferences for business decisions, design future technology platforms and encourage consumer spending.

Currently, information about consumers allows companies to personalize ads, assess the risk of interacting with certain customer populations in financial and insurance markets as well as identify individual consumers’ reservation prices — that’s economics jargon for the highest price a buyer is willing to pay a seller. Personal data is also important for Pattern of Life analysis, which allows companies to tailor goods and services around individuals’ lifestyles and habits as well as enhance technologies like Artificial Intelligence. Personalized data collection has other uses too, like bolstering fraud detection and background checking systems, but the reasons mentioned above are likely becoming the most salient.

Are there limits to what information is collected?

Because of the data brokering industry’s opaque nature, it’s not clear what limits, if any, exist on the information collected and sold. Some of these firms purportedly self-police or in some cases allow consumers to monitor collected data. Even in these circumstances, however, it’s not clear if consumers are being provided with all the information companies have on them. Attempts at creating laws that at the very least increase the transparency of data brokers’ operations have struggled to get traction, but this year, members of Congress are again raising the issue. Though it’s yet to be seen if progress will be made in the near future, like with other privacy issues, in lieu of federal lawmaking, states could provide consumers with some protections. In California, for example, certain victims of domestic abuse can demand their information be removed from Internet sites and services.

What else should I know?

As technologies like IoT systems, smart devices and Artificial Intelligence develop, the pervasiveness of data generation and personal data analysis will only continue to grow. This means that in order to opt out of data collection, you’ll have to be mindful about the products you purchase, the apps you download (and their permissions), your Internet usage and the privacy settings of your online accounts. It is possible that as these technologies become more prevalent, cybersecurity best practices and regulations will afford consumers more protections for their data, but as of now, it’s unclear exactly how these technologies will even be deployed. Until we know and understand the implications of all of these emerging technologies, consumers will have to play a very active role in protecting their privacy.

For more in-depth coverage and analysis of developments in the tech industry and how they affect you, keep reading our technology blog. Also, keep an eye out for our follow-up post to learn some in-depth ways you can manage your online and offline data.