[Senate Hearing 113-693]
[From the U.S. Government Publishing Office]


                                                        S. Hrg. 113-693
 
             WHAT INFORMATION DO DATA BROKERS HAVE 
             ON CONSUMERS, AND HOW DO THEY USE IT?

=======================================================================

                                HEARING

                               BEFORE THE

                         COMMITTEE ON COMMERCE,
                      SCIENCE, AND TRANSPORTATION
                          UNITED STATES SENATE

                    ONE HUNDRED THIRTEENTH CONGRESS

                             FIRST SESSION

                               __________

                           DECEMBER 18, 2013

                               __________

    Printed for the use of the Committee on Commerce, Science, and 
                             Transportation
                             
                             
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]


                           U.S. GOVERNMENT PUBLISHING OFFICE
95-838 PDF                     WASHINGTON: 2015                           

________________________________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Publishing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, 
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). 
E-mail, [email protected]  
       
       
       
       
       
       
       SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION

                    ONE HUNDRED THIRTEENTH CONGRESS

                             FIRST SESSION

            JOHN D. ROCKEFELLER IV, West Virginia, Chairman
BARBARA BOXER, California            JOHN THUNE, South Dakota, Ranking
BILL NELSON, Florida                 ROGER F. WICKER, Mississippi
MARIA CANTWELL, Washington           ROY BLUNT, Missouri
MARK PRYOR, Arkansas                 MARCO RUBIO, Florida
CLAIRE McCASKILL, Missouri           KELLY AYOTTE, New Hampshire
AMY KLOBUCHAR, Minnesota             DEAN HELLER, Nevada
MARK WARNER, Virginia                DAN COATS, Indiana
MARK BEGICH, Alaska                  TIM SCOTT, South Carolina
RICHARD BLUMENTHAL, Connecticut      TED CRUZ, Texas
BRIAN SCHATZ, Hawaii                 DEB FISCHER, Nebraska
EDWARD MARKEY, Massachusetts         RON JOHNSON, Wisconsin
CORY BOOKER, New Jersey
                    Ellen L. Doneski, Staff Director
                   James Reid, Deputy Staff Director
                     John Williams, General Counsel
              David Schwietert, Republican Staff Director
              Nick Rossi, Republican Deputy Staff Director
   Rebecca Seidel, Republican General Counsel and Chief Investigator
                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on December 18, 2013................................     1
Statement of Senator Rockefeller.................................     1
    Staff report entitled ``A Review of the Data Broker Industry: 
      Collection, Use, and Sale of Consumer Data for Marketing 
      Purposes'' by the Office of Oversight and Investigations 
      Majority Staff.............................................     4
Statement of Senator Thune.......................................    54
    Prepared statement of Alicia Puente Cackley, Director 
      Financial Markets and Community Investment, U.S. Government 
      Accountability Office......................................    56
Statement of Senator Booker......................................   119
Statement of Senator Johnson.....................................   121
Statement of Senator Blumenthal..................................   123
Statement of Senator Markey......................................   126
Statement of Senator McCaskill...................................   129
Statement of Senator Fischer.....................................   135

                               Witnesses

Jessica Rich, Director, Bureau of Consumer Protection, Federal 
  Trade Commission...............................................    66
    Prepared statement...........................................    68
Pam Dixon, Executive Director, World Privacy Forum...............    72
    Prepared statement...........................................    73
Joseph Turow, Robert Lewis Shayon Professor of Communication, 
  Associate Dean for Graduate Studies, Annenberg School for 
  Communication, University of Pennsylvania......................   102
    Prepared statement...........................................   104
Tony Hadley, Senior Vice President of Government Affairs and 
  Public Policy, Experian........................................   105
    Prepared statement...........................................   107
Jerry Cerasale, Senior Vice President of Government Affairs, 
  Direct Marketing Assocation....................................   110
    Prepared statement...........................................   111

                                Appendix

Response to written question submitted to Jessica Rich by:
    Hon. John D. Rockefeller IV..................................   143
    Hon. Kelly Ayotte............................................   143
Response to written questions submitted to Jerry Cerasale by:
    Hon. Amy Klobuchar...........................................   145
    Hon. Kelly Ayotte............................................   145


                    WHAT INFORMATION DO DATA BROKERS.
               HAVE ON CONSUMERS, AND HOW DO THEY USE IT?

                              ----------                              


                      WEDNESDAY, DECEMBER 18, 2013

                                       U.S. Senate,
        Committee on Commerce, Science, and Transportation,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 2:31 p.m., in 
room SR-253, Russell Senate Office Building, Hon. John D. 
Rockefeller IV, Chairman of the Committee, presiding.

       OPENING STATEMENT OF HON. JOHN D. ROCKEFELLER IV, 
                 U.S. ENATOR FROM WEST VIRGINIA

    The Chairman. The Committee will come to order.
    There are, at this point, two people sitting at the dais, 
and they are two wonderful people, but I would be pleased if 
there were more. Senator Blumenthal and Senator Pryor, Senator 
Markey, Senator Fischer, Senator Warner will be here.
    But this is the day that we almost vote on the budget, 
actually. We don't quite. We always find ways to do it. You 
have the motion to proceed to it, and then you have a motion 
to--whatever. And then tomorrow at some point we vote on the 
budget. Just be grateful you are in private life.
    [Laughter.]
    The Chairman. OK. You are all welcome.
    The disclosures about U.S. intelligence activities over the 
past few months have sparked a very public debate in this 
country about what kinds of information the government should 
be gathering and how we protect the privacy of Americans who 
have done nothing wrong.
    The Snowden disclosures have harmed our country's national 
security, but they have made Americans think more than they 
usually do about how their lives, both online and offline, can 
be tracked, monitored, and analyzed. People are aware of that, 
not to the extent that they are in Great Britain, where they 
are so accustomed to being videotaped in everything they do. We 
are still going through that adjustment period.
    I am glad we are talking about these important privacy 
issues, in general and today. We have all benefited from the 
rapid advances in computing technology, but we also cherish our 
personal freedoms. We always use that word, ``cherish'' our 
personal freedoms. But we do. And it is a complicated subject. 
And we want to be able to protect ourselves and our loved ones 
from the unwanted gaze of the government and our neighbors.
    What has been missing from this conversation so far is the 
role that private companies play in collecting and analyzing 
our personal information. A group of companies known 
collectively as ``data brokers'' are gathering massive amounts 
of data about our personal lives and selling this information 
to marketers. We don't hear a lot about the private-sector data 
broker industry, but it is playing a large and growing role in 
our lives.
    Let me provide a little perspective. In the year 2012, 
which you will recall was last year, the data broker industry 
generated $156 billion in revenues--that is more than twice the 
size of the entire intelligence budget of the United States 
Government--all generated by the effort to learn about and sell 
the details about our private lives. Whether we know it or like 
it or not, makes no difference.
    One of the largest data broker companies, Acxiom, recently 
boasted to its investors that it can provide, quote, ``multi-
sourced insight into approximately 700 million customers 
worldwide.''
    When government or law enforcement agencies collect 
information about us, they are restrained by our Constitution 
and our laws, and they are subject to the oversight of courts, 
inspectors general, and the United States Congress through the 
Intelligence Committee in the Senate and the House.
    And I have served on the Intelligence Committee since 
before 9/11, and I can declare to you absolutely without a 
single thought that the protection that NSA provides to 
security and secrecy is far better than what we are going to be 
talking about today. They have rules. They have all kinds of 
judges and hoops that you have to jump through. The FBI is 
involved, DOJ. It is all--it is very tight.
    And every day you read the paper, you would think it didn't 
exist, it is just the government gone wild. But particularly 
when it comes to domestic, which is called Section 215, it is 
very tightly monitored, and there is never content, there is 
never e-mail, and there is never a name--never a name. There is 
just a telephone number.
    But data brokers go about their business with little or no 
oversight. While there are laws on the books that protect the 
privacy of Americans' health and financial information, they do 
not cover data brokers' marketing activities.
    Collecting consumers' information for marketing purposes is 
not a new business. For decades before the Internet was 
invented, retailers, marketers, and, yes, political candidates 
compiled mailing lists that they used to send catalogs, coupon 
books, or other materials to their potential customers.
    But the data broker industry has been revolutionized in 
recent years by the tremendous advances in computing and data 
analysis. And as consumers spend more and more time socializing 
and shopping online, they are generating rich new streams of 
personal data to collect and analyze, on the part of the data 
brokers.
    These days, data brokers don't just know our address, our 
income level, our political affiliation, most probably, they 
probably know the weight of everybody in the family. They have 
collected thousands of data points about each one of us, and we 
are simply not aware of it, except in theory.
    They know if you have diabetes or suffer from depression. 
They know if you smoke cigarettes. They know your reading 
habits, your browsing habits. They know how much you and your 
family members weigh. And they may even know how many whiskey 
drinks you have consumed in the last 30 days.
    We wouldn't reveal that kind of information, would we?
    Senator Thune. Of course not.
    The Chairman. No.
    [Laughter.]
    The Chairman. Like the pieces of a mosaic, data brokers 
combine data points like these into startlingly detailed and 
intimate profiles of American consumers.
    Under current laws, we have no right to see these pictures 
of ourselves that these companies have created. We have no 
right. For the past year, this committee has been trying to 
bring some much-needed oversight to the data broker industry.
    Where is the copy of our report? Oh, it is under here. I 
have it.
    We have been pushing the data brokers to answer the same 
kinds of questions many Americans have been asking the 
government since the Snowden disclosures: What information are 
you collecting about us, and how are you using the information?
    Today's hearing is the first time we are publicly 
discussing what we are learning in this investigation. The 
Commerce Committee staff has also prepared a report for me and 
for the Ranking Member on the progress of this investigation. 
It is thus. More to come.
    I ask unanimous consent to put a copy of this report in the 
record of this hearing.
    [The report follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
                           Table of Contents

Executive Summary
Background

        A. GAO Review of Privacy Laws Applicable to Data Brokers

        B. Voluntary Industry Guidelines

        C. Privacy and Consumer Protection Issues Regarding Data Broker 
        Practices

                Privacy Issues

                Potentially Harmful Uses of Data Broker Products

                Use of Predictive Scoring Products for Marketing

                Data Breaches

        D. Recent FTC and Congressional Reviews of the Data Broker 
        Industry
II. Committee Investigation
III. Committee Majority Staff Findings Regarding Industry Practices

        A. Data Broker Collection of Consumer Data

                1.  Nature of Data Collected

                2.  Sources of Consumer Data

                        a.  Government Records and Other Publicly 
                        Available Data

                        b.  Purchase or License

                        c.  Cooperative Arrangements

                        d.  Self-Reporting by Consumers

                        e.  Social Media

        B. Data Broker Products

                1.  How Data Brokers Package Consumer Information

                2.  Issues Regarding Data Broker Products

                        a.  Products that Identify Financially 
                        Vulnerable Populations

                        b.  Scoring Products that Mirror Tools 
                        Regulated under the Fair Credit Reporting Act

        C. Data Broker Customers and How They Use Data Broker Products

                1.  Who Buys the Data
                2.  New Mechanisms for Using Data

        D. Data Broker Transparency and Privacy Practices

                1.  Disclosure Limitations

                2.  Consumer Access and Control Rights

                3.  Opt-Out Rights
IV. Conclusion

Appendices and Exhibits

Appendix I: Federal Laws that May Be Applicable to Information 
        Collected by Data Brokers
Appendix II: Sample List of Targeting Products Identifying Financially 
        Vulnerable Populations
Appendix III: Sample List of Offline Elements Available for Online 
        Advertising

Exhibit A: Sample Consumer Surveys
Exhibit B: Sample Product Descriptions
Exhibit C: Experian ChoiceScore Marketing Description
                                 ______
                                 
Executive Summary
    Consumers are conducting more and more of their daily business 
online and through their mobile devices. They use the Internet and 
their smart phones and tablets to make purchases, research medical 
conditions, plan vacations, interact with friends and relatives, do 
their jobs, map travel routes, and otherwise pursue their interests. 
With these activities, consumers are creating a voluminous and 
unprecedented trail of data regarding who they are, where they live, 
and what they own.
    At the same time, the Internet and other technological advances 
have made consumer data easier to access, analyze, and share. 
Information that in years past was accessible only through a trip to 
the library or courthouse can now be readily available to millions 
online, as computing capabilities for storing and reviewing information 
continue to grow at exponential rates.
    These changes have fueled the growth of a multi-billion dollar 
industry that largely operates hidden from consumer view. Today, a wide 
range of companies known as ``data brokers'' collect and maintain data 
on hundreds of millions of consumers, which they analyze, package, and 
sell generally without consumer permission or input. Since consumers 
generally do not directly interact with data brokers, they have no 
means of knowing the extent and nature of information that data brokers 
collect about them and share with others for their own financial gain.
    Data brokers collect and sell information for a variety of purposes 
including for fraud prevention, credit risk assessment, and marketing. 
Their customer base encompasses virtually all major industry sectors in 
the country in addition to many individual small businesses. Some of 
the most well-known products sold by data brokers are credit reports 
that businesses use to make eligibility determinations for, among other 
things, credit, insurance, and employment--activities where consumers 
have detailed statutory consumer protections regarding the accuracy and 
sale of their information.
    This Committee Majority staff report focuses on data broker 
activities that are subject to far less statutory consumer protection: 
the collection and sale of consumer data specifically for marketing 
purposes. In this arena, data brokers operate with minimal 
transparency.
    One of the primary ways data brokers package and sell data is by 
putting consumers into categories or ``buckets'' that enable 
marketers--the customers of data brokers--to target potential and 
existing customers. Such practices in many cases may serve the 
beneficial purpose of providing consumers with products and services 
specific to their interests and needs. However, it can become a 
different story when buckets describing consumers using financial 
characteristics end up in the hands of predatory businesses seeking to 
identify vulnerable consumers, or when marketers use consumers' data to 
engage in differential pricing.
    Further, the data breaches that have repeatedly occurred in this 
industry and with others in the data economy underscore the public's 
need to understand the volume and specificity of data consumer 
information held by data brokers.
    In light of these issues and the Chairman's longstanding commitment 
to consumer protection and privacy matters, the Committee opened an 
inquiry last October to shine a light on how the data broker industry 
operates, with a specific focus on nine representative companies that 
sell consumer data for marketing purposes. The Committee's inquiry 
sought answers to four basic questions:

   What data about consumers does the data broker industry 
        collect?

   How specific is this data?

   How does the data broker industry obtain consumer data?

   Who buys this data and how is it used?

    In response to the Committee's inquiries, the companies queried 
provided documents and narrative explanations. While some of the 
companies have been completely responsive to this inquiry, several 
major data brokers to date have remained intent on keeping key aspects 
of their operations secret from both the Committee and the general 
public.
    Based on review of the company responses and other publicly 
available information, this Committee Majority staff report finds:

  (1)  Data brokers collect a huge volume of detailed information on 
        hundreds of millions of consumers. Information data brokers 
        collect includes consumers' personal characteristics and 
        preferences as well as health and financial information. Beyond 
        publicly available information such as home addresses and phone 
        numbers, data brokers maintain data as specific as whether 
        consumers view a high volume of YouTube videos, the type of car 
        they drive, ailments they may have such as depression or 
        diabetes, whether they are a hunter, what types of pets they 
        have; or whether they have purchased a particular shampoo 
        product in the last six months;

  (2)  Data brokers sell products that identify financially vulnerable 
        consumers. Some of the respondent companies compile and sell 
        consumer profiles that define consumers in categories or 
        ``score'' them, without consumer permission or knowledge of the 
        underlying data. A number of these products focus on consumers' 
        financial vulnerability, carrying titles such as ``Rural and 
        Barely Making It,'' ``Ethnic Second-City Strugglers,'' 
        ``Retiring on Empty: Singles,'' ``Tough Start: Young Single 
        Parents,'' and ``Credit Crunched: City Families.'' One company 
        reviewed sells a marketing tool that helps to ``identify and 
        more effectively market to under-banked consumers'' that the 
        company describes as individuals including ``widows'' and 
        ``consumers with transitory lifestyles, such as military 
        personnel'' who annually spend millions on payday loans and 
        other ``non-traditional'' financial products. The names, 
        descriptions and characterizations in such products likely 
        appeal to companies that sell high-cost loans and other 
        financially risky products to populations more likely to need 
        quick cash, and the sale and use of these consumer profiles 
        merits close review;

  (3)  Data broker products provide information about consumer offline 
        behavior to tailor online outreach by marketers. While 
        historically, marketers used consumer data to locate consumers 
        to send catalogs and other marketing promotions through the 
        mail, or contact via telephone, increasingly the information 
        data brokers sell marketers about consumers is provided 
        digitally. Data brokers provide customers digital products that 
        target online outreach to a consumer based on the dossier of 
        offline data collected about the consumer;

  (4)  Data brokers operate behind a veil of secrecy. Data brokers 
        typically amass data without direct interaction with consumers, 
        and a number of the queried brokers perpetuate this secrecy by 
        contractually limiting customers from disclosing their data 
        sources. Three of the largest companies--Acxiom, Experian, and 
        Epsilon--to date have been similarly secretive with the 
        Committee with respect to their practices, refusing to identify 
        the specific sources of their data or the customers who 
        purchase it. Further, the respondent companies' voluntary 
        policies vary widely regarding consumer access and correction 
        rights regarding their own data--from virtually no rights to 
        the more fulsome policy reflected in the new access and 
        correction database developed by Acxiom.
I. Background
    While there is no statutory definition for ``data brokers,'' the 
Federal Trade Commission (FTC) has defined this term to include 
``companies that collect information, including personal information 
about consumers, from a wide variety of sources for the purpose of 
reselling such information to their customers for various purposes, 
including verifying an individual's identity, differentiating records, 
marketing products, and preventing financial fraud.'' \1\ This report 
relies on the FTC definition of data broker, and focuses specifically 
on the collection and sale of consumer information for the purpose of 
marketing.
---------------------------------------------------------------------------
    \1\ Federal Trade Commission, Protecting Consumer Privacy in an Era 
of Rapid Change, at 68 (Mar. 2012) (hereafter ``FTC Privacy Report''). 
These companies may also be referred to as ``information resellers.'' 
See Government Accountability Office, Information Resellers: Consumer 
Privacy Framework Needs to Reflect Changes in Technology and the 
Marketplace, GAO-13-663 (Sept. 2013) (hereafter ``GAO Information 
Resellers Report'').
---------------------------------------------------------------------------
    The practice of collecting and selling consumer data to help 
businesses conduct marketing has existed for many decades. Long before 
the advent of the Internet, e-mail, or the mobile economy, data brokers 
developed expertise in compiling consumer data to facilitate targeted 
outreach to consumers through direct mail.\2\ Toward that end companies 
have for many years assembled information about consumers from public 
records, surveys and sweepstakes entries, to develop consumer lists for 
use by marketers in targeting mailings and phone calls.\3\
---------------------------------------------------------------------------
    \2\ For example, after the introduction of zip codes in 1963, 
direct mail marketing companies used zip code data to make assumptions 
about individuals, such as the kinds of magazines they read, the foods 
they ate, and political affiliations. In 1974, social scientist 
Jonathan Robbin created PRIZM (Potential Rating Index for Zip Markets), 
which combined ZIP Codes with census data and consumer surveys to help 
target direct mail marketing. Michael J. Weiss, The Clustering of 
America (1988).
    \3\ Financial Times, Data Brokers Compile Lists to Map Your Life 
before you Reach the Cradle (June 13, 2013).
---------------------------------------------------------------------------
    What is new in recent years, however, is the tremendous increase in 
the volume and quality of digitally recorded data--and the 
technological advances that have facilitated access to, storage, 
analysis, and sharing of this information.\4\ Information that was 
previously public but required a trip to places such as a library or 
courthouse to retrieve can now be instantaneously accessible to 
millions when posted on the Internet. At the same time, consumers 
increasingly are expanding their digital data footprint as they go 
about their daily routines.
---------------------------------------------------------------------------
    \4\ See Kenneth Cukier and Viktor Mayer-Schhoenberger, The Rise of 
Big Data: How It's Changing the Way We Think about the World, Foreign 
Affairs, at 28-40 (May/June 2013) (noting that while in 2000 ``only one 
quarter of all the world's stored information was digital'' and ``the 
rest was preserved on paper, film, and other analog media,'' by 2013 
``less than two percent of all stored information is non-digital''); 
Charles Duhigg, The Power of Habit: Why We Do What We Do in Life and 
Business, Chapter 7; Software & Information Industry Association, Data-
Driven Innovation: A Guide for Policymakers--Understanding and Enabling 
the Economic and Social Value of Data, at 1-9 (2013); Organization for 
Economic Co-operation and Development, The Evolving Privacy Landscape: 
30 Years After the OECD Privacy Guidelines, OECD Digital Economy 
Papers, No. 176, at 16-18 (2011) (online at http://dx.doi.org/10.1787/
5kgf09z90c31-en).
---------------------------------------------------------------------------
    For example, millions of consumers are now using computers, smart 
phones, and tablets to make purchases, plan trips, and research 
personal financial and health questions, among other activities.\5\ 
These digitally recorded decisions provide insights into the consumer's 
habits, preferences, and financial and health status. A wide and ever-
expanding variety of other routine activities also are becoming part of 
consumers' digital trail--from viewing decisions regarding video 
streaming services \6\ to online searches and mapping requests \7\ to 
personal fitness monitoring through wearable devices \8\ to stocking 
``smart'' refrigerators that record food purchases and monitor 
expiration dates.\9\
---------------------------------------------------------------------------
    \5\ See Pew Internet & American Life Project, Broadband and 
Smartphone Adoption Demographics (Aug. 27, 2013) (online at http://
www.pewinternet.org/Infographics/2013/Broadband-and-smartphone-
adoption.aspx) (``Today 56 percent of American adults own a smartphone 
or some kind, compared with 70 percent who have broadband at home''); 
Pew Internet & American Life Project, Cell Phone Activities 2012.
    \6\ Salon.com, How Netflix is Turning Viewers into Puppets (Feb. 1, 
2013).
    \7\ Time Magazine, Data Mining: How Companies Now Know Everything 
About You (Mar. 10, 2011).
    \8\ Entrepreneur, How Fitbit Is Cashing In on the High-Tech Fitness 
Trend (July 27, 2012).
    \9\ NPR, The Salt, The `Smart Fridge' Finds the Lost Lettuce, for A 
Price (May 4, 2012).
---------------------------------------------------------------------------
    Amid this continuing growth in consumers' digital records, there 
has been a ``vast increase'' in the number and types of companies that 
collect and sell consumer data.\10\ No comprehensive list of such 
companies currently exists, but estimates indicate the data broker 
industry consists of many hundreds of members.\11\ Media accounts and 
other reports in recent years have provided glimpses into some of the 
ways data brokers are obtaining, compiling, and sharing consumer 
data.\12\ However, data broker activities have remained largely 
obscured from public view because these companies generally do not 
collect data directly from consumers and many of their practices lie 
outside the ambit of Federal consumer protection laws.
---------------------------------------------------------------------------
    \10\ GAO Information Resellers Report, supra n.1, at 34.
    \11\ GAO Information Resellers Report, supra n.1, at 5 (noting: 
``Several privacy related organizations and websites maintain lists of 
data brokers--for example, Privacy Rights Clearinghouse lists more than 
250 on its website--but none of these lists claim to be comprehensive. 
The Direct Marketing Association, which represents companies and 
nonprofits that use and support data-driven marketing, maintains a 
proprietary membership list, which it says numbers about 2,500 
organizations (although that includes retailers and others that 
typically would not be considered information resellers)'').
    \12\ E.g., New York Times, You for Sale: Mapping, and Sharing, the 
Consumer Genome (June 16, 2012) (focusing on data broker Acxiom and 
reporting that the company maintains about 1,500 data points per 
consumer that include information on the size of home loans, household 
incomes, or whether a household is concerned about certain health 
conditions).
---------------------------------------------------------------------------
A. GAO Review of Privacy Laws Applicable to Data Brokers
    In light of these changes regarding the availability and sale of 
consumer information, Chairman Rockefeller requested that the 
Government Accountability Office (GAO) review the privacy laws 
applicable to consumer information collected and sold for marketing 
purposes.\13\ In response, in September 2013, GAO released a report 
concluding that there is no one comprehensive privacy law governing 
information collection and sale of consumer data by private sector 
companies \14\ and that further, existing privacy laws have ``limited 
scope'' regarding the collection, use, and sale of consumer data for 
marketing purposes.\15\
---------------------------------------------------------------------------
    \13\ GAO Information Resellers Report, supra n. 1 at 1. To address 
these objectives, GAO analyzed laws, studies and other documents, and 
interviewed representatives of Federal agencies, the date broker 
industries, consumer and privacy groups, and others. Id.
    \14\ GAO Information Resellers Report, supra n.1, at 7.
    \15\ GAO Information Resellers Report, supra n.1, at 16.
---------------------------------------------------------------------------
    Specifically, GAO found that under current law, consumers have no 
Federal statutory right to know what information data brokers have 
compiled about them for marketing purposes, or even which data brokers 
hold any such information. Further, with the exception of information 
used for pre-screened offers of credit and insurance,\16\ consumers 
generally do not have the right to control what personal information is 
collected, maintained, used, and shared about them--even where such 
information concerns personal or sensitive matters about an 
individual's physical and mental health. In addition, no Federal law 
provides consumers with the right to correct inaccuracies in the data 
or assumptions made by data brokers on their own profiles.\17\
---------------------------------------------------------------------------
    \16\ 15 U.S.C. Sec. 1681b(c). The Fair Credit Reporting Act 
provides consumers opt-out rights for such information. 15 U.S.C. 
Sec. 1681b(e).
    \17\ GAO Information Resellers Report, supra n.1, at 16-19.
---------------------------------------------------------------------------
    GAO does note that a ``more narrowly tailored'' set of laws 
concerning private sector use of consumer information exists which 
``apply for specific purposes, in certain situations, to certain 
sectors, or to certain types of entities.'' \18\ For example, the Fair 
Credit Reporting Act imposes a number of obligations on consumer 
reporting agencies (CRAs), which are entities that assemble consumer 
information into ``consumer reports,'' \19\ commonly referred to as 
credit reports, for use by issuers of credit and insurance, and by 
employers, landlords, and others in making eligibility decisions 
affecting consumers. The FCRA prohibits the sale of consumer reports 
for other than a permissible purpose. The FCRA does not allow the use 
of credit reports for marketing purposes, though marketing via pre-
screened offers of credit and insurance is allowed, where it is a firm 
offer of credit and consumers are provided the opportunity to opt-out 
of such offers in the future.\20\
---------------------------------------------------------------------------
    \18\ GAO Information Resellers Report, supra n.1, at 7.
    \19\ A ``consumer report'' means any written, oral, or other 
communication of any information by a consumer reporting agency bearing 
on a consumer's credit worthiness, credit standing, credit capacity, 
character, general reputation, personal characteristics, or mode of 
living which is used or expected to be used or collected in whole or in 
part for the purpose of making eligibility decisions. 15 U.S.C. 
Sec. 1681a (d).
    \20\ 15 U.S.C. Sec. 1681b (e). Pre-screened offers of credit or 
insurance--sometimes called ``pre-approved'' offers--are sent to 
consumers unsolicited, usually by mail. They are based on information 
in consumers' credit reports that indicates that the individuals 
receiving the offer meet the criteria set by the company making the 
offer. The FCRA limits the circumstances in which consumer reports can 
be used to make pre-screened offers, and provides that all such offers 
must include a notice of consumers' right to stop receiving future pre-
screened offers.
---------------------------------------------------------------------------
    GAO also found that current Federal law does not fully address the 
use of new technologies, despite the fact that social media, web 
tracking, and mobile devices allow for faster, cheaper and more 
detailed data collection and sharing among resellers and private-sector 
entities.\21\
---------------------------------------------------------------------------
    \21\ GAO Information Resellers Report, supra n.1, at 19.
---------------------------------------------------------------------------
    Appendix I at the end of this report provides a detailed summary of 
the FCRA, and other existing Federal privacy laws and their 
applicability to the collection and dissemination of consumer data by 
data brokers.
B. Voluntary Industry Guidelines
    The direct advertising and data broker industries have consistently 
asserted that Congress should defer to industry self-regulation rather 
than enacting broader consumer privacy legislation.\22\ Industry 
members assert that their interest in avoiding reputational harm 
motivates them to engage in strong self-regulation and provides 
consumers with meaningful privacy protections.\23\ Privacy advocates, 
on the other hand, have argued that self-regulation does not adequately 
addresses concerns regarding the potential for consumer abuse in this 
arena.\24\
---------------------------------------------------------------------------
    \22\ See, e.g., Senate Committee on Commerce, Science and 
Transportation, The Need for Privacy Protections: Is Industry Self-
Regulation Adequate, 112th Cong. (2012) (S. Hrg. 112-785).
    \23\ Id.
    \24\ Id.
---------------------------------------------------------------------------
    Industry trade associations that include data brokers have 
identified voluntary best practice guidelines for its members.\25\ For 
example, the Direct Marketing Association (DMA) issued Guidelines for 
Ethical Business Practice that include principles of conduct, including 
recommendations on how members should handle and protect consumer 
information. Specifically, these guidelines provide that the members 
should offer notice of its policy ``regarding the rental, sale, 
exchange or transfer of data about them'' and the ability to opt-out of 
inclusion on a mailing list or other marketing methods,\26\ as well as 
specific ways to handle health information.\27\ A number of the 
companies that are the subject of the Committee's inquiry are DMA 
members and have agreed to abide by the association's guidelines.
---------------------------------------------------------------------------
    \25\ Direct Marketing Association, Direct Marketing Association 
Guidelines for Ethical Business Practice (May 2011).
    \26\ Id. at 18-19.
    \27\ Id. at 20 (Article #33: Collection, Use, and Transfer of 
Health-Related Data).
---------------------------------------------------------------------------
    In addition, the Digital Advertising Alliance, the trade 
association of the online advertising industry, has implemented Ad 
Choice, a program that allows consumers some control over their online 
information as it is used for online behavioral advertising.\28\
---------------------------------------------------------------------------
    \28\ See AdChoices website at http://www.youradchoices.com/ 
(accessed Dec. 13, 2013).
---------------------------------------------------------------------------
C. Privacy and Consumer Protection Issues Regarding Data Broker 
        Practices
    Privacy and information experts have raised concerns regarding data 
broker practices. These include issues relating to consumer privacy 
rights with respect to the use of their own personal information; the 
potential harmful ways consumer profiles can be used; the extent to 
which data broker products categorize consumers based on financial 
characteristics are serving as substitutes or supplements for the 
consumer report products that are more highly regulated; and the 
vulnerability of data broker computer systems to a data breach.
    Privacy Issues. One major issue raised by privacy advocates is that 
data brokers operate without transparency to consumers. Since data 
brokers generally collect information without the consumers' knowledge, 
consumers have limited means of knowing how the companies obtain their 
information, whether it's accurate, and for what purposes they are 
using it.\29\
---------------------------------------------------------------------------
    \29\ See FTC Privacy Report, supra n.1, at 61-69.
---------------------------------------------------------------------------
    Privacy experts further point out that consumers currently lack 
control over the compilation and use of data that may contain intimate 
details about them. For example, the Financial Times reported one data 
broker is selling lists of addresses and names of consumers suffering 
from conditions including cancer, diabetes, and depression, and the 
medications used for those conditions; another is offering lists naming 
consumers, their credit scores, and specific health conditions.\30\ 
Citing these and other examples, FTC Commissioner Julie Brill recently 
raised the question: ``What damage is done to our individual sense of 
privacy and autonomy in a society in which information about some of 
the most sensitive aspects of our lives is available for analysts to 
examine without our knowledge or consent, and for anyone to buy if they 
are willing to pay the going price.'' \31\
---------------------------------------------------------------------------
    \30\ Financial Times, Companies Scramble for Consumer Data (June 
12, 2013).
    \31\ Keynote Address by Commissioner Julie Brill, Reclaim Your 
Name, 23rd Computers Freedom and Privacy Conference (June 26, 2013).
---------------------------------------------------------------------------
    Data brokers argue that the creation and use of consumer profiles 
for marketing does not pose substantial privacy issues for consumers 
because this information cannot be used in decisions affecting a 
consumer's eligibility for credit or insurance, or in employment or 
housing decisions. Rather, such profiling benefits consumers by 
facilitating targeted outreach about products and services that are 
relevant to consumers' specific interests, needs, or preferences.\32\
---------------------------------------------------------------------------
    \32\ See GAO Information Resellers Report, supra n.1, at 40-41 
(summarizing industry arguments on benefits of information sharing for 
consumers).
---------------------------------------------------------------------------
    However, an incident involving Target highlights how marketing 
based on consumer profiling may pose unintended privacy issues. 
According to a New York Times report, Target developed a pregnancy 
prediction model to enable the company to target marketing of certain 
products to expectant mothers. In one case, Target sent maternity and 
baby clothes coupons to the household of a teenage girl who, through 
use of this model, they predicted was pregnant. These mailings alerted 
the girl's father that she was pregnant--before she had told him the 
news herself.\33\
---------------------------------------------------------------------------
    \33\ Charles Duhigg, The Power of Habit, Chapter 7.
---------------------------------------------------------------------------
    Potentially Harmful Uses of Data Broker Products. Some consumer 
advocates also have noted that targeted marketing means consumers have 
unequal access to helpful information, offers, and benefits, and have 
questioned the fairness of this result when the basis for such 
targeting are consumer profiles constructed without the consumer's 
knowledge, input, or permission--and that in fact may not be accurate. 
World Privacy Forum Executive Director Pam Dixon has elaborated as 
follows:

        Two people going to one website or one retail store could 
        already be offered entirely different opportunities, services, 
        or benefits based on their modern permanent record comprised of 
        the previous demographic, behavioral, transactional, and 
        associational information accrued about them.\34\
---------------------------------------------------------------------------
    \34\ Testimony of Pam Dixon, Executive Director, World Privacy 
Forum, House Committee on Energy and Commerce, Subcommittee on 
Communications, Technology, and the Internet (Nov. 19, 2009). See also 
Dwork & Mulligan, It's Not Privacy, and It's Not Fair, 66 
Stan.L.Rev.Online 35 (Sept. 3, 2013) (arguing that increasing use of 
consumer profiles by marketers and others could inadvertently result in 
social discrimination where unfair or inaccurate profiles are created 
and reinforced without consumers' input).

    A related issue is whether ready access to increasingly detailed 
consumer data lends to differential pricing. Indeed, several recent 
media accounts have described cases where website retailers offered 
consumers different prices for the same product based on analysis of 
customer characteristics. For example, a Wall Street Journal report 
found that office supply retailers have varied prices displayed for the 
same product based on customers'geolocation and other factors.\35\ In 
another example the travel website Orbitz reportedly showed costlier 
travel options to visitors whose browsers indicated they were using Mac 
computers, because this brand was assumed to be used by more affluent 
consumers.\36\ While it does not appear from these news accounts that 
third party data broker products were involved with these particular 
examples, these reports underscore that targeting the most ``relevant'' 
information to consumers does not always equate to providing consumers 
information about the best deals.
---------------------------------------------------------------------------
    \35\ Wall Street Journal, Websites Vary Prices, Deals Based on 
Users' Information (Dec. 24, 2012).
    \36\ Wall Street Journal, On Orbitz, Mac Users Steered to Pricier 
Hotels (Aug. 23, 2012).
---------------------------------------------------------------------------
    A few recent cases also have highlighted the value of consumer 
profiles to predatory businesses seeking to target vulnerable 
consumers. In October of 2012, the FTC alleged that the credit 
reporting division of Equifax improperly sold more than 17,000 
``prescreened'' lists of consumers who were late on their mortgage 
payments to Direct Lending Source, Inc. and its affiliate companies. 
Direct Lending subsequently resold some of these lists to third 
parties, who ``used the lists to pitch loan modification and debt 
relief services to people in financial distress,'' including to 
companies that had been the subject of prior law enforcement 
investigations.\37\
---------------------------------------------------------------------------
    \37\ The FTC charged Equifax with a host of FCRA violations, 
including that it provided credit report information to entities that 
lacked a permissible purpose. The FTC further charged that Equifax's 
failure to employ appropriate measures to control access to sensitive 
consumer information was unfair, in violation of Section 5 of the FTC 
Act. Direct Lending was also charged with violating Section 5 and the 
FCRA for, among other reasons, obtaining pre-screened lists without 
having a permissible purpose and failing to maintain reasonable 
procedures to ensure that prospective users to whom it had resold the 
reports had a permissible purpose. Equifax and Direct Lending combined 
paid nearly $1.6 million to resolve charges that they violated the Fair 
Credit Reporting and the FTC Act. Press Release, FTC Settlements 
Require Equifax to Forfeit Money Made by Allegedly Improperly Selling 
Information About Millions of Consumers Who Were Late on Their 
Mortgages, Federal Trade Commission (Oct. 10, 2012) (available at 
http://www.ftc.gov/news-events/press-releases/2012/10/ftc-settlements-
require-equifax-forfeit-money-made-allegedly).
---------------------------------------------------------------------------
    In June 2011, Teletrack, Inc. paid a $1.8 million penalty to settle 
FTC charges that it sold lists of consumers who had previously applied 
for non-traditional credit products, including payday loans, to third 
parties--primarily pay day lenders and sub-prime auto lenders--that 
wanted to use the information to target potential customers. The FTC 
alleged that the information Teletrack sold constituted consumer 
reports and could not be sold for marketing.\38\
---------------------------------------------------------------------------
    \38\ Press Release, Consumer Reporting Agency to Pay $1.8 Million 
for Fair Credit Reporting Act Violations, Federal Trade Commission 
(June 27, 2011) (available at http://www.ftc.gov/news-events/press-
releases/2011/06/consumer-reporting-agency-pay-18-million-fair-credit-
reporting).
---------------------------------------------------------------------------
    Similarly, the New York Times reported in 2007 that data broker 
InfoUSA had sold lists of consumers with titles such as ``Suffering 
Seniors'' to individuals who then used the lists to target elderly 
Americans with fraudulent sales pitches.\39\
---------------------------------------------------------------------------
    \39\ New York Times, Bilking the Elderly, with a Corporate Assist 
(May 20, 2007).
---------------------------------------------------------------------------
    Use of Predictive Scoring Products for Marketing. Consumer 
advocates have suggested that that use of scoring products that predict 
consumer behavior merits further scrutiny. Companies reportedly are 
using predictive scoring products for a range of purposes, such as 
assessing which customers will receive special offers, or looking at 
credit risks associated with certain mortgage applications--but 
consumers are generally not aware of these products and do not have 
access to the data underlying them. The FTC plans to hold a hearing in 
the Spring to examine the use of these products, including the types of 
consumer protections that should be provided.\40\
---------------------------------------------------------------------------
    \40\ Press Release, FTC to Host Spring Seminars on Emerging 
Consumer Privacy Issues, Federal Trade Commission (Dec. 2, 2013) 
(available at http://www.ftc.gov/news-events/press-releases/2013/12/
ftc-host-spring-seminars-emerging-consumer-privacy-issues).
---------------------------------------------------------------------------
    Data Breaches. Finally, a series of incidents over recent years 
have underscored that data brokers--like others who collect and 
maintain sensitive consumer data--are vulnerable to data breaches.\41\ 
Privacy advocates emphasize the need to make sure appropriate 
protections against data breach are in place for consumer data.\42\
---------------------------------------------------------------------------
    \41\ Wall Street Journal, Breach Brings Scrutiny (April 5, 2011); 
United States v. ChoicePoint, Inc., No. 1 06-CV-0198 (N.D. Ga. filed 
Jan. 30, 2006); Press Release, Agency Announces Settlement of Separate 
Actions Against Retailer TJX, and Data Broker Reed Elsevier and Seisint 
for Failing to Provide Adequate Security of Consumer Data, Federal 
Trade Commission (Mar. 27, 2008) (available at http://www.ftc.gov/news-
events/press-releases/2008/03/agency-announces-settlement-separate-
actions-against-retailer-tjx).
    \42\ FTC Privacy Report, supra n.1, at 24-26.
---------------------------------------------------------------------------
D. Recent FTC and Congressional Reviews of the Data Broker Industry
    Several recent inquiries have explored data broker practices and 
related privacy and consumer protection issues. The FTC has held a 
series of workshops, opened a formal inquiry, written reports, and 
proposed principles for industry self-regulation on how companies 
collect, use and protect consumer data. In March of 2012, the 
Commission released a comprehensive report on protecting consumer's 
data privacy in light of the rapid advances of technological change. 
The Commission recommended that Congress consider enacting baseline 
privacy legislation across industry sectors. The report also called for 
greater transparency in the data broker and advertising industries.\43\
---------------------------------------------------------------------------
    \43\ FTC Privacy Report, supra n.1.
---------------------------------------------------------------------------
    The 2012 report identified the data broker industry as one of the 
Commission's main focuses in implementing an enhanced privacy 
protection framework.\44\ In examining the privacy implications of the 
data broker industry, the FTC has also noted how advances in 
technologies have rapidly allowed for the aggregating and selling of 
consumer information that combines data reflecting consumers' online 
activities as well as ``offline'' information that has been accessible 
since before the Internet.\45\
---------------------------------------------------------------------------
    \44\ FTC Privacy Report, supra n. 1, at 68, 72-73.
    \45\ FTC Privacy Report, supra n.1.
---------------------------------------------------------------------------
    In December 2012, the FTC opened an inquiry pursuant to its 
authority under Section 6(b) of the FTC Act to examine privacy 
implications of the data broker industry's collection and use of 
consumer data.\46\ This investigation is underway and will result in a 
study and recommendations on whether, and how, the data broker industry 
could improve its privacy practices.\47\
---------------------------------------------------------------------------
    \46\ Press Release, FTC to Study Data Broker Industry's Collection 
and Use of Consumer Data, Federal Trade Commission (Dec. 18, 2012) 
(available at http://www.ftc.gov/news-events/press-releases/2012/12/
ftc-study-data-broker-industrys-collection-use-consumer-data). Three of 
the nine companies the FTC is examining are included in this inquiry.
    \47\ Id.
---------------------------------------------------------------------------
    In addition to the FTC's ongoing work, in the summer of 2012, a 
bipartisan group of eight lawmakers led by Reps. Ed Markey (D-MA) and 
Joe Barton (R-TX) opened an inquiry into how data brokers collect and 
use consumer's personal data.\48\ In November 2012 the lawmakers 
concluded their inquiry, finding that, ``Many questions about how these 
data brokers operate have been left unanswered, particularly how they 
analyze personal information to categorize and rate consumers.'' \49\
---------------------------------------------------------------------------
    \48\ New York Times, Congress to Examine Data Sellers (July 24, 
2012).
    \49\ AdWeek, Lawmakers Come Up Short in Data Brokers Probe (Nov. 8, 
2012).
---------------------------------------------------------------------------
II. Committee Investigation
    In light of the gaps in public knowledge regarding data broker 
practices, in October 2012 the Committee opened an inquiry into the 
data broker industry to help the Committee better understand industry 
practices and the information data brokers collect and share about 
American consumers for marketing purposes. To obtain a snapshot of 
industry practices, the Committee focused on nine companies that 
collect and sell consumer information: Acxiom, Experian, Epsilon, Reed 
Elsevier, Equifax, TransUnion, Rapleaf, Spokeo, and Datalogix.
    The companies include the three major credit reporting companies--
Experian, Equifax, and TransUnion--each of which also sells consumer 
data for marketing purposes; and well-established targeted marketing 
companies--Acxiom, Epsilon, Reed Elsevier, and Datalogix--that maintain 
data on millions of consumers. In addition, the sample reflects 
companies with discrete focus on major data collection techniques and 
marketing uses: Rapleaf, which in 2010 specialized in collecting public 
data from social media sites, and Spokeo, which offers individual 
consumer look-up services.
    On October 9, 2012, Chairman Rockefeller sent letters to the nine 
data broker companies requesting information about each company's data 
collection and use practices.\50\ The letters highlighted four basic 
questions:
---------------------------------------------------------------------------
    \50\ Senate Committee on Commerce, Science, and Transportation, 
Rockefeller Seeks Information About Data Brokers' Practices (Oct. 10, 
2012).

---------------------------------------------------------------------------
   What data about consumers does the industry collect?

   How specific is the data the industry collects about 
        consumers?

   How does the industry obtain this data?

   Who buys the data and how is it used?

    All nine companies provided narrative and documentary responses to 
the Committee letter. Some of these companies were forthcoming 
regarding all questions. For example, Equifax's response included a 
list of the specific entities that are data sources and customers they 
provided after clearing this disclosure with each entity. However, 
several large data brokers--Acxiom, Experian, and Epsilon--to date have 
refused to identify to the Committee their specific data sources. 
Instead, they have described general categories of sources--such as 
``surveys'' and ``public records.''
    One of the main consumer-facing data sources identified in the 
company responses is websites.\51\ In an attempt to learn more about 
consumer information data brokers obtain from websites, on September 
24, 2013, Chairman Rockefeller sent letters to twelve popular personal 
finance, health, and family-focused websites whose privacy policies 
allowed for sharing with third parties and that also indicate they 
collected consumer data through ``surveys,'' ``sweepstakes,'' and 
``questionnaires,'' which were identified by data brokers to the 
Committee as sources of consumer information. The letters asked whether 
the websites shared information with third parties, and if so, with 
whom.
---------------------------------------------------------------------------
    \51\ For example, one company noted ``there are over 250,000 
websites who state in their privacy policy that they share data with 
other companies for marketing and/or risk mitigation purposes.'' Acxiom 
response to Chairman John D. Rockefeller IV (Mar. 26, 2013).
---------------------------------------------------------------------------
    On October 23, 2013, following press reports alleging that an 
Experian subsidiary sold data to an alleged identity theft 
operation,\52\ Chairman Rockefeller sent a second letter to Experian 
requesting information about the incident and the company's customer 
vetting practices, and pressing the company to provide the Committee a 
complete list of its data purchasers and sources.\53\ Experian to date 
has not provided the Committee either its specific data sources or its 
data purchasers.
---------------------------------------------------------------------------
    \52\ Krebsecurity.com, Experian Sold Consumer Data to ID Theft 
Service (Oct. 20, 2013); PCMag.com, Experian Confirms Subsidiary's Data 
Sold to Identity Theft Operation (Oct. 22, 2013).
    \53\ Senate Committee on Commerce, Science, and Transportation, 
Rockefeller's Latest Letter to Experian Requests Information on 
Reported Data Disclosures to Identity Theft Services (Oct. 24, 2013).
---------------------------------------------------------------------------
    In the course of the inquiry, Committee Majority staff reviewed 
thousands of pages of documents produced by respondent companies 
including narrative responses, company manuals and training materials, 
contracts, and marketing materials.
III. Committee Majority Staff Findings Regarding Industry Practices
    The responses received by the Committee during this inquiry provide 
a glimpse into the operations of a large and continually evolving 
industry. The nine data brokers queried by the Committee hold a vast 
and varied amount of consumer data. Acxiom alone has ``multi-sourced 
insight into approximately 700 million consumers worldwide,'' \54\ and 
Datalogix asserts its data ``includes almost every U.S. household.'' 
\55\ Some of the companies maintain thousands of data points on 
individual consumers, with one providing the Committee a list of 
approximately 75,000 individual data elements that are in its 
system.\56\ Data collected by these companies includes detailed and 
personal information including data on consumers' health and financial 
status.
---------------------------------------------------------------------------
    \54\ Acxiom Corp., 2013 10-K Annual Report for the Period Ending 
March 31, 2013 (filed May 29, 2013).
    \55\ http://www.datalogix.com/about/. The other companies queried 
by the Committee hold data on millions more. For example, Rapleaf 
claims to have at least one data point for over 80 percent of U.S. 
consumer e-mail addresses. http://www.rapleaf.com/why-rapleaf/.
    \56\ Equifax Response to the Committee (Aug, 23, 2013) (EFX PROD6 
000010-001361). Acxiom claims to have ``over 3,000 propensities for 
nearly every U.S. consumer.'' Acxiom Corporation (2013). Form 10K 2013.
---------------------------------------------------------------------------
    One of the main types of products offered for sale by respondent 
data brokers are ``modeled'' profiles of consumers that categorize 
consumers, or that ``score'' likelihood for certain behaviors, based on 
inferences drawn from consumer data. The respondent companies offer for 
sale a number of modeled products that group consumers based on their 
degree of financial vulnerability, such as ``Rural and Barely Making 
It,'' or ``Ethnic Second-City Strugglers.'' The Committee has no 
evidence that any of the specific queried companies are currently 
selling such products for inappropriate purposes. However, the creation 
and use of these types of products merits close scrutiny, particularly 
in light of their value to predatory businesses that seek to target 
consumers who are economically fragile.\57\
---------------------------------------------------------------------------
    \57\ See infra Section III.B.2(a) discussing consumer protection 
issues relating to such lists.
---------------------------------------------------------------------------
    Data brokers continue to develop new approaches to facilitate 
marketing outreach to consumers online. Some data brokers now offer 
products that enable marketers to tailor online advertisements based on 
off-line data about the consumer provided by the data broker.
    As they conduct these various activities, data brokers remain 
largely invisible to the consumers whose information populates their 
databases. Consumers have limited means of learning that these 
companies hold their data, and respondent companies provide consumers 
rights of access and control regarding their data that vary widely by 
companies. Several of the largest respondent companies have been 
similarly secretive with the Committee, refusing to identify specific 
sources of their data, and specific customers who purchase it. And 
provisions in company contracts with customers perpetuate this secrecy 
by placing restrictions on customer disclosures regarding data sources.
    Below is a detailed discussion of the Committee Majority Staff's 
findings regarding the information companies have provided to date 
regarding the collection, compilation, and sale of consumer data.
A. Data Broker Collection of Consumer Data
    The information the Committee obtained in this inquiry regarding 
the nature and specificity of information collected by data brokers 
paints a picture consistent with the following observation offered by 
one of the respondent companies: ``The amount of available data has 
created an unprecedented amount of information about consumers: Their 
attitudes and behaviors, perceptions about brands, what they're buying 
and even where they happen to be at the moment the data is captured.'' 
\58\
---------------------------------------------------------------------------
    \58\ Epsilon Targeting, Data Intelligence (EPS-COM-002026).
---------------------------------------------------------------------------
1. Nature of Data Collected
    Much of the information data brokers collect is demographic, such 
as consumers' names, addresses, telephone numbers, e-mail addresses, 
gender, age, marital status, presence of and ages of children in 
household, education level, profession, income level, political 
affiliation, and information about their homes and other property. In 
addition, data brokers collect many other categories of information 
about individuals. Some examples include:

   Consumer purchase and transaction information, including 
        whether a purchase was made through a catalog, online, or in-
        store, as well as the frequency of such purchases;\59\
---------------------------------------------------------------------------
    \59\ Experian Narrative Response to Senate Commerce Committee (Dec. 
14, 2013); Datalogix Narrative Response to Senate Commerce Committee 
(Nov. 16, 2013).

   Consumers' available methods of payment, including type of 
        credit card and bankcard issuance date;\60\
---------------------------------------------------------------------------
    \60\ Epsilon, TotalSource Plus Data Enhancement Element Listing 
(EPS-COM-5-25); Acxiom, The Power of Insight: Consumer Data Products 
Catalog (ACXM 190); Lexis Nexis, MarketView Demographic Data Dictionary 
(REP001397-1403).

   Purchase of automobiles, including makes and models of cars 
        purchased or whether a consumer prefers new or used cars;\61\
---------------------------------------------------------------------------
    \61\ Acxiom, The Power of Insight: Consumer Data Products Catalog 
(ACXM 173-226); Lexis Nexis, MarketView Demographic Data Dictionary 
(REP001397-1403).

   Health conditions. One company collects data on whether 
        consumers suffer from particular ailments, including Attention 
        Deficit Hyperactivity Disorder, anxiety, depression, diabetes, 
        high blood pressure, insomnia, and osteoporosis, among 
        others;\62\ another keeps data on the weights of individuals in 
        a household.\63\ An additional company offers for sale lists of 
        consumers under 44 different categories of health conditions, 
        including obesity, Parkinson's disease, Multiple Sclerosis, 
        Alzheimer's disease, and cancer, among others;\64\
---------------------------------------------------------------------------
    \62\ Epsilon, TotalSource Plus Data Enhancement Element Listing 
(EPS-COM-16). Epsilon has provided that it collects data about health 
ailments solely through its ``Shoppers Voice'' survey through which 
consumers ``self-report'' data, which is described in more detail in 
Section III.A.2.d.
    \63\ Acxiom, The Power of Insight: Consumer Data Products Catalog 
(ACXM 184).
    \64\ Experian, List Services Catalog (EXP002569). Experian provides 
its catalog, which contains more detail about element listings on its 
website (available at http://www.experian.com/assets/data-university/
brochures/ems-list-services-catalog.pdf).

   Social media activity, including the number of a consumer's 
        friends and followers, and whether they view YouTube 
        videos.\65\
---------------------------------------------------------------------------
    \65\ Acxiom, The Power of Insight: Consumer Data Products Catalog 
(ACXM 173-206); Acxiom Narrative Response to Senate Commerce Committee 
at 7 (Mar. 1, 2013); and Acxiom, Acxiom Predictive Scores for Social 
Media (ACXM 473).

    The specificity of consumer data that brokers collect, maintain, 
and share varies depending on the entity. For example, TransUnion 
reported that it maintains and offers for sale primarily demographic 
data.\66\ On the other hand, Equifax maintains approximately 75,000 
individual data elements for its use in creating marketing products, 
including information as specific as whether a consumer purchased a 
particular soft drink or shampoo product in the last six months,\67\ 
uses laxatives or yeast infection products;\68\ OB/GYN doctor visits 
within the last 12 months,\69\ miles traveled in the last 4 weeks,\70\ 
and the number of whiskey drinks consumed in the past 30 days.\71\ Some 
companies offer ``data dictionaries'' that include more than one 
thousand potential data elements, including whether the individual or 
household is a pet owner, smokes, has a propensity to purchase 
prescriptions through the mail,\72\ donates to charitable causes, is 
active military or a veteran, holds certain insurance products 
including burial insurance or juvenile life insurance, enjoys reading 
romance novels, or is a hunter.\73\
---------------------------------------------------------------------------
    \66\ Letter from TransUnion to Chairman John D. Rockefeller IV 
(Dec. 14, 2012).
    \67\ Equifax Response to Senate Commerce Committee (Aug, 23, 2013) 
(EFX PROD6 000010-001361). Equifax made clear in their response that 
the individual data elements are not sold as is, but are used to create 
their products and models. Individual-level data elements are 
aggregated for use in products sold to customers. Id.
    \68\ Id.
    \69\ Id.
    \70\ Id.
    \71\ Id.
    \72\ Acxiom, The Power of Insight: Consumer Data Products Catalog 
(ACXM 173-226).
    \73\ Epsilon, TotalSource Plus Data Enhancement Element Listing 
(EPS-COM-5-25).
---------------------------------------------------------------------------
2. Sources of Consumer Data
    The information the responding companies provided to the Committee 
suggests that these data brokers primarily obtain consumer data through 
five major avenues: government records and other public data; purchase 
or license from other data collectors; cooperative agreements with 
other companies; self-report by consumers, often through surveys, 
questionnaires, and sweepstakes; and social media.\74\
---------------------------------------------------------------------------
    \74\ In November 2013, the Attorney General of New Jersey settled a 
case that suggested web browsing activity is potentially an additional 
source of information for data brokers. The case alleged that Dataium, 
a data company, used software to track websites visited by consumers, a 
practice known as ``history sniffing,'' and then sold consumer 
preferences inferred from web browsing along with consumers' names, 
phone numbers, and e-mail addresses to Acxiom. See Office of New Jersey 
Attorney General, Acting Attorney General Announces Settlement 
Resolving Allegations Data Company Engaged in Online ``History 
Sniffing'' (Nov. 21, 2013) (available at http://nj.gov/oag/
newsreleases13/pr20131121a.html).
---------------------------------------------------------------------------
    Three companies--Acxiom, Experian, and Epsilon--declined to share 
specific data sources with the Committee, citing confidentiality 
clauses in their contracts, and concerns about putting themselves at a 
competitive disadvantage among the reasons. Instead, these companies 
provided general descriptions of the types of entities that are data 
sources.
a. Government Records and Other Publicly Available Data

    Many companies reported obtaining information from public records 
sources. These include: census data; property records; court filings, 
including criminal convictions, judgments, liens, and bankruptcies; 
driver's license records; voter registrations; telephone directories; 
real estate listings; and marriage and death certificates.\75\ Data 
brokers also obtain publicly available information from licensing 
filings including licenses for physicians and other medical 
professionals, attorneys, accountants, engineers, notaries, and real 
estate professionals, as well as hunting, fishing, and pilot 
licenses.\76\ License information can supply contact information and 
license issuance and expiration dates.\77\
---------------------------------------------------------------------------
    \75\ E.g., Acxiom Narrative Response to Senate Commerce Committee 
(Feb. 15, 2013).
    \76\ Id at 5.
    \77\ Id.
---------------------------------------------------------------------------
b. Purchase or License

    Companies reported that several types of entities either sell or 
license them data, including:

        Retailers. Retailers provide data brokers with consumers' 
        purchase information, which can include consumer name, postal 
        addresses, e-mail addresses, items purchased, transaction 
        history, and whether the purchase was made in a store, online, 
        or through a catalog.\78\ Often, the information provided does 
        not identify the specific item purchased, but rather the 
        category or type of product, such as ``collectibles'' or 
        ``ladies apparel.'' Retailers are able to collect this 
        information about consumers through many methods, among them 
        store or brand loyalty/rewards cards.\79\
---------------------------------------------------------------------------
    \78\ Datalogix Narrative Response to Senate Commerce Committee, at 
1 (Nov. 2, 2012).
    \79\ Consumers who use loyalty cards allow retailers to collect 
information about their purchases in exchange for discounts, coupons, 
or other perks such as discounts on gasoline purchases. In 2012, 
Americans had a collective total of 2.65 billion loyalty program 
memberships. See Bulking Up: The 2013 Colloquy Loyalty Census, Growth 
and Trends in U.S. Loyalty Program Activity, Colloquy (June 2013).

        Financial institutions. Responding companies reported receiving 
        information from a variety of financial institutions, such as 
        banks, credit unions, brokerage services, and online trading 
        platforms. Such sources provide information regarding bank 
        deposits, brokerage assets, annuities, and mutual funds. 
        Companies reported that the information obtained is not tied to 
        specific consumers, but is received in an anonymized or 
        aggregated form \80\ and used to create models and scoring 
        products.\81\
---------------------------------------------------------------------------
    \80\ Financial institutions provide anonymous financial data, 
meaning it does not include consumers name, house number or street 
name; and information aggregated at the ZIP+4 level. Letters from Paul 
Zurawski, Senior Vice President Government Affairs and Regulatory 
Management, Equifax, to Chairman John D. Rockefeller IV (Feb. 13, 2013) 
and (Jan. 23, 2013).
    \81\ See Section III.B for a discussion of modeling and scoring.

        Other data brokers. All of the responding companies reported 
        obtaining information from other data brokers either by 
        purchasing or under sharing arrangements. Some have specified 
        which other data brokers provide such information, while others 
        refused to specify other data broker sources beyond generic 
        descriptions such as ``third-party partners.'' \82\
---------------------------------------------------------------------------
    \82\ Experian Narrative Response to Senate Commerce Committee (May 
24, 2013).
---------------------------------------------------------------------------
c. Cooperative Arrangements

    Another way data brokers obtain information is through cooperative 
arrangements in which companies provide information about their 
customers in exchange for information to enhance their existing 
customer lists or identify new customers. Examples described by 
responding companies include:

   Epsilon operates a cooperative consisting of over 1,600 
        participating companies, which include catalog and retail 
        companies, non-profits, and publishers.\83\ Participants 
        contribute household purchase information in exchange for 
        information about prospective customers. Epsilon organizes this 
        data into 22 ``primary purchase categories,'' such as 
        children's apparel and merchandise.\84\
---------------------------------------------------------------------------
    \83\ Letter from Jeanette Fitzgerald, Senior Vice President and 
General Counsel, Epsilon, to Chairman John D. Rockefeller IV (Nov. 2, 
2012); Epsilon, Abacus Cooperative Overview (EPS-COM-002114).
    \84\ Letter from Jeannette Fitzgerald, Senior Vice President and 
General Counsel, Epsilon, to Chairman John D. Rockefeller IV, at 5-6 
(Nov. 2, 2012).

   Experian manages a database open to catalog sellers as well 
        as brick and mortar and e-commerce retailers. Participants 
        provide customer transactional records, which may include 
        consumer's name, address, gender, e-mail address, phone number, 
        channel of purchase (e.g., online or in-store), dollar amount, 
        payment method, transaction date, and transaction product 
        category.\85\ Experian summarizes the information to describe 
        buying behaviors at the household level within general product 
        categories--such as ``Kitchen and Tabletop,'' ``Books,'' or 
        ``Vitamins/Health Products.'' \86\ For example, ``if a high-end 
        retailer of men's business suits reports a customer purchase of 
        approximately $500, Experian would maintain a record showing 
        only that the household engaged in a transaction involving 
        Men's High-End Apparel.'' \87\
---------------------------------------------------------------------------
    \85\ Experian, Z-24 Catalog Database File Information (EXP001665).
    \86\ Experian Narrative Response to Senate Commerce Committee, at 5 
(Dec. 14, 2012). Experian breaks purchase information into 64 different 
categories. Experian (EXP001667).
    \87\ Experian Narrative Response to Senate Commerce Committee, at 5 
(Dec. 14, 2012).

   Equifax runs a cooperative for financial institutions that 
        contribute data at least twice per year about consumer and 
        small business investments and bank accounts. According to the 
        company, this information is anonymized, often including only 
        zip code and year of birth;\88\ it does not include information 
        that could be used to individually identify consumers. 
        Participants have access to certain information and products 
        available only to members, including products that estimate 
        total outstanding credit and that track assets.\89\
---------------------------------------------------------------------------
    \88\ Equifax, Member Data Submissions (EFX PROD3 0143).
    \89\ Letter from Paul Zurawski, Senior Vice President Government 
Affairs and Regulatory Management, Equifax to Chairman John D. 
Rockefeller, at 3 (Feb. 13, 2013); Equifax Corporation, IXI Services 
Core Products for Network Members (EFX PROD3 0191).

   Datalogix offers a cooperative arrangement that allows 
        retailers to share information including customers' names, 
        mailing addresses, e-mail addresses, purchase transaction 
        histories, and transaction channel, such as Internet, catalog, 
        or retail purchase. In return for supplying information, 
        participants can receive mailing lists, or access to online 
        audiences to identify new customers.\90\
---------------------------------------------------------------------------
    \90\ Datalogix Narrative Responses to Senate Commerce Committee 
(Nov. 2, 2012) and (Nov. 16, 2012).
---------------------------------------------------------------------------
d. Self-Reporting by Consumers

    The responses to the Committee's inquiries indicate that data 
brokers obtain information directly from consumers through warranty 
cards, sweepstakes entries, and other types of surveys. Some of the 
data brokers conduct their own marketing surveys, both on-and off-line, 
and shared examples with the Committee.\91\ These surveys ask detailed 
questions about household demographics, income levels, shopping 
preferences, and other personal matters such as health and insurance 
related information. For example, some surveys ask whether anyone in 
the household suffers from diabetes, or what types of insurance the 
household currently has or plans to obtain.\92\ Surveys provided to the 
Committee disclose to consumers that the information they provide may 
be shared for marketing purposes in exchange for entry into a 
sweepstakes or other chances at prizes. However, the surveys do not 
generally indicate that they are affiliated with a specific data 
broker.
---------------------------------------------------------------------------
    \91\ E.g. Experian Narrative Response to Senate Commerce Committee 
(Feb. 8, 2013); and Letter from Jeanette Fitzgerald, Senior Vice 
President and General Counsel, Epsilon, to Chairman John D. Rockefeller 
(Nov. 2, 2012).
    \92\ Epsilon, Shopper'sVoice Consumer Product Survey of America 
(2012) (EPS-COM-000001-000004).
---------------------------------------------------------------------------
    For example, Epsilon obtains consumer data through its ``Shopper's 
Voice'' survey. The survey contains several pages of specific questions 
about the household, including demographic information, hobbies and 
interests, products purchased, and ailments. The survey includes 
questions about a range of health-related matters. For example, one 
category, titled ``Heart Health,'' asks whether anyone in the household 
has a family history of heart disease, heart attack, high blood 
pressure or high cholesterol, whether anyone suffers from angina, 
atrial fibrillation, and whether these ailments are treated with a 
prescription.\93\ The survey also asks the respondent to indicate 
whether they personally or another member of the household suffer from 
other listed ailments, such as depression, Bipolar disorder or other 
major depressive disorder, Lupus, or Parkinson's disease.\94\ The 
Shopper's Voice survey is mailed to approximately 36 million households 
each January; approximately 5.2 million households complete and return 
it to Epsilon.\95\ Consumers are encouraged to respond to the survey by 
being offered an opportunity for savings via coupons and a chance to 
win $10,000.\96\ See Exhibit A for a complete example of the survey 
questions.
---------------------------------------------------------------------------
    \93\ Id. at 2.
    \94\ Epsilon, Shopper's Voice Survey (EPS-COM-003757).
    \95\ Epsilon, TargetSource Survey Data, at 3 (EPS-COM-003150).
    \96\ Epsilon, TargetSource Survey Data, at 5 (EPS-COM-003152).
---------------------------------------------------------------------------
    Experian collects data through the ``Simmons National Consumer 
Surveys,'' which over 30,000 consumers fill out each year.\97\ 
Questions cover subjects including demographic, hobbies and interests, 
military experience, participation in the lottery, and product 
preferences.\98\ Consumer responses are aggregated and used to create 
models that assign a shared set of characteristics to all households 
within a particular zip code. Simmons surveys include the Simmons 
National Consumer Survey; the Simmons National Kids and Teens Studies; 
the National Hispanic Consumer Survey; and the Simmons Lesbian, Gay, 
Bisexual and Transgender Study.\99\ Adults may be paid $25 for their 
participation in the survey and teens receive $14 in addition to a 
keychain.\100\
---------------------------------------------------------------------------
    \97\ Experian, Simmons National Consumer Studies (online at http://
www.experian.com/simmons-research/national-consumer-studies.html).
    \98\ Experian, Simmons National Consumer Survey (EXP001785-1923).
    \99\ Experian Narrative Response to Senate Commerce Committee (Feb. 
8 2013).
    \100\ Sample letters that accompany Simmons National Consumer 
Survey (EXP002099) and (EXP002100).
---------------------------------------------------------------------------
    According to narrative responses from Acxiom and Experian, 
consumers report personal information to them by completing surveys, 
entering sweepstakes, registering to receive coupons, or filling out 
other forms on Internet sites. The websites either directly feed this 
information to data brokers or provide it to other ``data compilers'' 
who then pass it to data brokers.\101\
---------------------------------------------------------------------------
    \101\ Experian Narrative Responses to Senate Commerce Committee 
(May 24, 2013) (July 26, 2013); and Acxiom Narrative Response to Senate 
Commerce Committee (Apr. 5, 2013).
---------------------------------------------------------------------------
    Experian uses survey results in products including Experian's 
``BehaviorBank.'' As Experian explained:

        BehaviorBank is a database of self-reported information 
        provided by consumers with the clear understanding of the 
        consumer that the responses will be used for marketing. . 
        .Experian acquires all such information from third-party 
        partners. Such third parties typically either recruit consumers 
        for their own surveys or obtain data from companies that have 
        surveyed their own customers. In some cases, consumers are 
        offered an incentive, such as an opportunity to win a prize, 
        for participation in the survey.\102\
---------------------------------------------------------------------------
    \102\ Experian Narrative Response to Senate Commerce Committee, at 
2-3 (May 24, 2013).

    Experian refused to identify to the Committee the third-party 
website sources of data for the company.
    Similarly, Acxiom said consumer-facing websites are a source of 
their consumer data, but declined to provide the Committee the specific 
identities of these websites except for six self-selected samples 
websites. Instead the company stated generally, ``there are over 
250,000 websites who state in their privacy policy that they share data 
with other companies for marketing and/or risk mitigation purposes.'' 
\103\
---------------------------------------------------------------------------
    \103\ Acxiom Narrative Response to Senate Commerce Committee (Apr. 
5, 2013).
---------------------------------------------------------------------------
    Of the six websites provided by Acxiom, one was not functional when 
Committee majority staff attempted to access it. The remaining five 
asked consumers for varying levels of personal information in exchange 
for benefits such as coupons and discounts, or the opportunity to 
compare health insurance quotes. The general counsel for the company 
that maintains the health insurance quote website, when contacted by 
Committee majority staff, said the company had no information sharing 
agreement with Acxiom, and that the entities that contract to receive 
the website's information are contractually prohibited from sharing 
that data with third parties such as Acxiom.\104\ Acxiom represented 
that this website data source was provided by one of Acxiom's data 
aggregators.\105\
---------------------------------------------------------------------------
    \104\ Committee staff interview with website general counsel (Dec. 
3, 2013).
    \105\ Acxiom Narrative Response to Senate Commerce Committee (April 
5, 2013). It is unclear at this point whether or how information from 
this website flowed to Acxiom.
---------------------------------------------------------------------------
    To explore the issue of website data sources further, Chairman 
Rockefeller queried 12 popular health and financial focused websites 
whose privacy policies appeared to allow for the sharing of consumer 
data obtained through surveys, sweepstakes, and questionnaires. In 
response, several websites acknowledged collecting personal information 
from consumers through surveys or sweepstakes entries. However, they 
largely denied sharing that data with third parties except in limited 
circumstances, including for their own advertising purposes, 
sweepstakes prize fulfillment, or with other third-party vendors to 
perform services on the websites' own behalf.
    Two of the website companies reported relationships with Acxiom, 
but those relationships were for the benefit of the websites: one 
retained Acxiom's services to store consumer information solely for its 
own marketing efforts, and the other to perform services such as 
collecting additional information about visitors to its website. While 
neither arrangement allowed for Acxiom to share or use the data 
provided for Acxiom's own purposes, one company did share with 
Committee majority staff that Acxiom had approached them to become a 
data supplier, a request it declined.\106\
---------------------------------------------------------------------------
    \106\ Website responses to Senate Commerce Committee (Oct. 2013).
---------------------------------------------------------------------------
e. Social Media

    Social media is a source of consumer information for many of the 
queried data brokers. For example, Acxiom says it obtains data about 
consumers' social media interests and usage to predict the likelihood 
that a consumer would fall into one of the following categories: 
``business fan,'' ``heavy social media user '' (including Facebook, 
LinkedIn, Twitter, and YouTube), ``mobile social networker,'' ``text 
messaging user,'' ``poster'' (including poster of photos, texts, and 
responders), ``video sharer,'' ``social influencer,'' and ``social 
influenced.'' \107\
---------------------------------------------------------------------------
    \107\ Acxiom Narrative Response to Senate Commerce Committee at 7 
(Mar. 1, 2013). Acxiom asserts that they ``do not collect specific 
activity from social media sites, such as individual postings, lists of 
friends or any data that is not public.'' (ACXM 1422).
---------------------------------------------------------------------------
    In 2010, the Wall Street Journal and other media outlets reported 
that Rapleaf was collecting information about consumers' social media 
accounts and selling that information to other companies.\108\ Rapleaf 
had been ``crawling'' publicly available data consumers placed on 
social media sites such as Facebook, MySpace, LinkedIn, and others, to 
gather information including consumers' names, age, gender, location, 
colleges and universities attended, and occupations, information about 
membership on social media sites such as Facebook, Flickr, LinkedIn, 
Twitter, CafeMom, Amazon Wishlist, Pandora, Photobucket, and 
Dailymotion, number of friends and followers, and the URL of consumers' 
profiles.\109\
---------------------------------------------------------------------------
    \108\ See Wall Street Journal, Facebook in Privacy Breach (Oct. 18. 
2010), and Wall Street Journal, A Web Pioneer Profiles Users by Name 
(Oct. 25, 2010).
    \109\ Rapleaf, Report Data Dictionary, (RAP-SEN-001-00121-RAP-SEN-
001-00125).
---------------------------------------------------------------------------
    Following public backlash and requests by Facebook, Rapleaf deleted 
most of the information it collected through webcrawling.\110\ However, 
companies that purchased this data before Rapleaf ceased this activity 
were not required to delete the information that they had previously 
purchased.\111\
---------------------------------------------------------------------------
    \110\ Letter from Phil Davis, Chief Executive Officer, Rapleaf, to 
Chairman John D. Rockefeller IV (Nov. 21, 2012). According to Rapleaf, 
the information it maintained was non-sensitive data consisting of age 
range, gender, zip code, and marital status. Id.
    \111\ Letter from Kenneth M. Dreifach, Counsel to Rapleaf, to 
Melanie Tiano, Counsel to the Senate Commerce Committee (Dec. 28, 
2012); Committee staff conversation with Rapleaf Counsel (Dec. 5, 
2012).
---------------------------------------------------------------------------
B. Data Broker Products
    Data brokers compile and analyze consumer data to create products 
and services that provide customers with data that has varying degrees 
of specificity about individual consumers. Most of the products 
described by respondent companies are essentially lists of consumers 
grouped by shared characteristics or predicted behaviors. The companies 
also provide data on individual consumers to supplement data customers 
may already have on the consumer.
    Data broker products can consist of ``actual'' or ``modeled'' 
elements. Actual data includes factual information about individuals, 
such as their date of birth, contact information, and presence of 
children in a household. ``Modeled'' data results from drawing 
inferences about consumer characteristics or predicted behavior based 
on actual data. For example, a company may infer a consumer's marital 
status based upon use of the prefix ``Mrs.''; characterize an 
individual as having an interest in golf based on the fact that an 
individual subscribes to a golf magazine; \112\ or characterize an 
individual as having a health interest in allergies based on the fact 
that the individual made a non-prescription purchase of over the 
counter allergy medication.\113\
---------------------------------------------------------------------------
    \112\ Acxiom Narrative Response to Senate Commerce Committee (Feb. 
15, 2013).
    \113\ Id.
---------------------------------------------------------------------------
    The companies also use actual data to create ``look-a-like'' 
models. Look-a-like models use known information--such as living within 
a particular zip code and having children in the household--to predict 
characteristics such as the likelihood that an individual drives an 
SUV. With this model, a data broker could create a list of consumers 
likely to drive an SUV that a customer could purchase for targeted 
marketing.
    Two prominent means by which data brokers provide consumer data to 
customers are ``original lists'' and ``data appends.'' Original lists 
are sold to customers seeking a list of consumers who fit certain 
criteria--for example, women who live in Cleveland and have an interest 
in cooking.\114\ Typically, customers purchase this information in 
large quantities, hundreds or thousands of names at a time.\115\
---------------------------------------------------------------------------
    \114\ Except in instances where a company offers some type of 
individual look-up product, ``original list'' information is not 
generally available to be purchased on an individual consumer basis. 
Spokeo, for example, offers consumers an individual look-up service 
that provides the ability to search for information about specific 
individuals. Products offered by Spokeo allow customers to search for 
people by name or address or through a ``reverse search'' service--
where customers may enter a telephone number or e-mail address to 
identify the individual associated with that number or address. 
Customers are able to obtain a ``person's name, address, phone number, 
e-mail address, occupation, property value, family relations, and 
social media accounts.'' Letter from Angela Saverice-Rohan, General 
Counsel, Spokeo, Inc., to Chairman John D. Rockefeller IV (Nov. 2, 
2012).
    \115\ Committee staff conversations with respondent companies; 
several companies reported that segments are priced and sold by the 
thousand.
---------------------------------------------------------------------------
    ``Data append,'' on the other hand, occurs when a customer has some 
information about specific consumers, but they want to create more 
complete profiles. In that case, the customer provides some identifying 
information about their customers, such as a list of names and zip 
codes or e-mail addresses, to a data broker company to purchase 
additional information about the specific consumers on the list.
    The products companies described to the Committee include consumer 
profiles characterizing consumers based on degree of financial 
vulnerability and propensity to use payday loans and other non-
traditional financial products. These types of data broker products 
merit close scrutiny as they appear tailor made for businesses that 
profit from taking advantage of consumers. Following is a discussion of 
major types of data broker products, methods for sharing these 
products, and questions raised by certain products described by 
respondent companies.
1. How Data Brokers Package Consumer Information
    One product data brokers offer is ``segments,'' or groupings of 
consumers defined by shared characteristics and likely behaviors. Many 
data brokers offer some variation of segmenting products, and several 
of the large data brokers included in the Committee's review offer 
dozens of different segment choices.
    The idea of segmenting consumers for marketing purposes is not a 
novel concept. In the 1970s, Claritas--which merged with Nielsen in 
2001--developed a segmenting product called PRIZM, which defined groups 
of consumers based on demographics and behaviors.\116\ PRIZM is now 
advertised as ``the industry-leading lifestyle segmentation system that 
yields rich and comprehensive consumer insights to help you reveal your 
customer's preferences.'' \117\ When clustering first began, companies 
generally relied on census data to predict the behavior of consumers. 
Today, however, there are endless avenues to obtain consumer data.
---------------------------------------------------------------------------
    \116\ Wall Street Journal, Placing Products: Marketing Firm Slices 
U.S. into 240,000 Parts to Spur Clients' Sales (Nov. 3, 1986).
    \117\ Nielsen, My Best Segments (online at http://www.claritas.com/
MyBestSegments/Default.jsp?ID=70&pageName=Learn 
percent2BMore&menuOption=learnmore).
---------------------------------------------------------------------------
    Another type of product described by data brokers involves 
``scoring,'' a form of analytics that utilizes data to make predictions 
about likely consumer behavior. Scoring products are designed to 
provide marketers insight about existing and prospective customers by 
assigning a number or range that signifies each consumer's likelihood 
to exhibit certain characteristics or perform certain actions. For 
example, Acxiom offers a product that can provide marketers with 
predictive indicators of consumers' social media behaviors, assigning a 
number from 1-20 on the basis of whether they are likely to be a 
``social influencer'' or are ``socially influenced,'' and whether they 
are a frequent ``text poster'' or ``business fan.'' \118\
---------------------------------------------------------------------------
    \118\ Acxiom, Precision Targeting and Messaging in Social Networks: 
Acxiom Predictive Scores for Social Media (ACXM 473-474).
---------------------------------------------------------------------------
2. Issues Regarding Data Broker Products
a. Products that Identify Financially Vulnerable Populations

    A number of products described by data brokers focus on 
characterizing a consumer's economic status. For example, some of the 
consumer profiles they sell identify economically comfortable 
consumers. Consumers in clusters titled ``Established Elite,'' ``Power 
Couples,'' ``American Royalty,'' and ``Just Sailing Along,'' indicate a 
level of affluence that might be used to identify a likely audience for 
luxury products or investments. Data broker descriptions of such 
products provide further detail. For example, Experian describes 
``American Royalty'' as ``[w]ealthy, influential and successful couples 
and families living in prestigious suburbs.'' \119\
---------------------------------------------------------------------------
    \119\ Experian, Mosaic USA New Segment and Group Names (EXP002634-
002678).
---------------------------------------------------------------------------
    Understanding the financial circumstances of consumers is important 
for assessing how to best the reach those most likely to purchase 
particular goods or products. However, some of the targeting products 
described by the companies appear to focus specifically on identifying 
financially vulnerable populations. The table below represents a sample 
of the segments offered for sale by the queried companies:
Table I: Company Product Names


    Source: Company Responses \120\
---------------------------------------------------------------------------
    \120\ Experian, Mosaic USA New Segment and Group Names (EXP002634-
2636); Acxiom, Personicx Classic, (Mar. 1, 2013); Epsilon, Niches 3.0 
(EPS-COM-003484--003496); Equifax, Economic Cohorts: Economic-based 
Household Segmentation (EFX Prod4 0002-0292); Equifax, Financial 
Cohorts: Direct-Measured Asset-Based Household Segmentation (EFX PROD4 
0293-0543). See Appendix II.

    The product descriptions that data brokers provide to potential 
customers further elaborate on such vulnerability.\121\ For example, 
``Hard Times'' is described by Experian as, ``Older, down-scale and 
ethnically-diverse singles typically concentrated in inner-city 
apartments.'' \122\ The description continues: ``This is the bottom of 
the socioeconomic ladder, the poorest lifestyle segment in the Nation. 
Hard Times are older singles in poor city neighborhoods. Nearly three-
quarters of the adults are between the ages of 50 and 75; this is an 
underclass of the working poor and destitute seniors without family 
support. . . . One-quarter of the households have at least one resident 
who is retired.'' \123\
---------------------------------------------------------------------------
    \121\ See Exhibit B for sample product descriptions.
    \122\ Experian, Mosaic USA Segment Descriptors (EXP002946).
    \123\ Experian, Mosaic USA Segment Descriptors (EXP002947). In 
another example, ``Resilient Renters'' is described as ``singles with 
high-school and vocational/technical educations. At a mean age of 39, 
they are renters in the second-tier cities and, if employed, earn wages 
in service and clerical positions.'' Acxiom Narrative Response to 
Senate Commerce Committee, Acxiom Personicx Classic (Mar. 1, 2013).
---------------------------------------------------------------------------
    A number of scoring products similarly focus on consumers' 
financial vulnerabilities. One example is Experian's ``ChoiceScore,'' 
which the company asserts ``helps marketers identify and more 
effectively market to under-banked consumers.'' \124\ According to the 
company's marketing materials for this product, ``each year, under-
banked consumers alone spend nearly $11 billion on non-traditional 
financial transactions like payday loans and check-cashing services.'' 
\125\ These consumers include ``new legal immigrants, recent graduates, 
widows, those with a generation bias against the use of credit, 
followers of religions that historically have discouraged credit,'' and 
``consumers with transitory lifestyles, such as military personnel.'' 
\126\
---------------------------------------------------------------------------
    \124\ Experian, ChoiceScore: Improve Targeting and Customer 
Acquisition in the Untapped Under-banked Population (EXP002353). See 
Exhibit C for ChoiceScore Marketing description.
    \125\ Id.
    \126\ Id.
---------------------------------------------------------------------------
    The ChoiceScore options include a ``Confidence Score'' that 
``identifies and assigns a score, determining the propensity for a 
consumer to be in the under-banked population,'' and a ``Risk Score,'' 
a ``non-credit based score used to identify the most and least 
desirable consumers.'' \127\ Suggested applications of the product 
include: ``target under-marketed new prospect segments eager to accept 
direct-marketing offers; target invitation-to-apply credit card offers, 
secured card, prepaid debit and other non-traditional financial service 
offerings; and suppress records of those less likely to get approved.'' 
\128\
---------------------------------------------------------------------------
    \127\ Experian, List Services Catalog: ChoiceScore (EXP002601).
    \128\ Id.
---------------------------------------------------------------------------
    This Committee inquiry did not review whether any of the specific 
identified lists that designate financially vulnerable consumers have 
been used in a harmful manner. However, precedent underscores the value 
of such products to unscrupulous businesses that seek to take advantage 
of consumers. For example, the New York Times has reported on 
telemarketing criminals that succeeded in raiding the banking account 
of a 92-year old Army veteran.\129\ Data broker InfoUSA sold his name 
and contact information to a scam artist. As detailed in the Times' 
account, InfoUSA advertised lists such as ``Elderly Opportunity 
Seekers,'' described as older people ``looking for ways to make 
money;'' ``Suffering Seniors,'' older people with cancer or Alzheimers 
disease; and ``Oldies but Goodies,'' people described as ``gullible . . 
. [who] want to believe their luck can change.''
---------------------------------------------------------------------------
    \129\ The New York Times, Bilking the Elderly, with Corporate 
Assist (May 20, 2007).
---------------------------------------------------------------------------
    InfoUSA was not one of the companies examined in this Committee 
inquiry, but the concerns raised by lists identifying financially 
vulnerable customers are illustrated by this example. The names, 
descriptions and characterizations in these products--all generated by 
the data brokers--likely appeal to companies that sell high-cost loans 
and other financially risky products to populations more likely to need 
quick cash, such as payday and installment lenders.
    Most of the companies provided to the Committee customer vetting 
and oversight policies that they assert ensure that information is used 
properly.\130\ Further, several of the contracts reviewed by the 
Committee include provisions that prohibit resale of consumer data to 
certain types of businesses such as ``debt repair'' \131\ and one 
specifically prohibits resale for ``payday or short-term lending.'' 
\132\ However, because data brokers operate in the shadows, with little 
oversight or regulation, companies in this industry have discretion 
regarding their voluntary enforcement of such restrictions. Indeed, an 
investigation into InfoUSA showed that employees routinely ignored 
rules about selling data to known fraudsters.\133\ Unfortunately, three 
of the largest companies--Acxiom, Experian, and Epsilon--to date have 
declined to disclose their customers to the Committee. As a result, the 
precise range and nature of their customer base remains unknown.
---------------------------------------------------------------------------
    \130\ The procedures range from a very basic requirement that each 
new customer agree to Terms of Service to a thorough vetting process of 
each new customer. While several data brokers report that customers 
must agree to abide by the companies' terms of service or use, other 
companies described a stricter vetting process that include additional 
screening components. Company Narrative Responses to Senate Commerce 
Committee (2012).
    \131\ Acxiom Narrative Response to Senate Commerce Committee (Feb. 
15, 2013).
    \132\ Sample Equifax Contract (EFX SUPP 008).
    \133\ The New York Times, Bilking the Elderly, with Corporate 
Assist (May 20, 2007).
---------------------------------------------------------------------------
    One recent incident involving Experian's credit services arm 
underscored that customer vetting and oversight practices are not 
always failsafe. In October 2013, media accounts reported that an 
alleged identity theft operation had purchased consumer data from Court 
Ventures, a company Experian acquired in March 2012, and that sales of 
data to the operation went on ``for almost a year after Experian did 
their due diligence'' and purchased the company.\134\ Concerned about 
implications of these reports regarding Experian's customer vetting 
processes, Chairman Rockefeller wrote Experian asking the company to 
confirm whether such sales had occurred, how long such sales had 
continued after Experian had acquired Court Ventures, and Experian's 
vetting of Court Ventures customers prior to and after acquisition. He 
also pressed the company for a complete customer list.\135\
---------------------------------------------------------------------------
    \134\ Krebsecurity.com, Experian Sold Consumer Data to ID Theft 
Service (Oct. 20, 2013); PCMAG.com, Experian Confirms Subsidiary's Data 
Sold to Identity Theft Operation (Oct. 22, 2013).
    \135\ Letter from Chairman John D. Rockefeller to Mr. Don Robert, 
Chief Executive Officer, Experian (Oct. 23, 2013).
---------------------------------------------------------------------------
    Experian's response acknowledged that a person possibly engaged in 
criminal activity had been a Court Ventures customer before and after 
Experian's acquisition of the company, and underscored that Experian 
stopped sales to this customer immediately after notification by 
authorities that this customer was under investigation. However, the 
company did not make clear how long the sales occurred undetected by 
Experian after acquisition of Court Ventures. The company further 
refused to provide specific customers to the Committee.\136\
---------------------------------------------------------------------------
    \136\ Letter from Tony Hadley, Senior Vice President of Government 
Affairs and Public Policy, Experian, to Chairman John D. Rockefeller IV 
(Nov. 8, 2013).
---------------------------------------------------------------------------
    Given that identifying vulnerable consumers is critical to the 
business of predatory lenders and fraudfeasors, and precedent where 
such entities have turned to data brokers for consumer data, the sale 
and use of data broker products segmenting financially vulnerable 
consumers merits close scrutiny.
b. Scoring Products that Mirror Tools Regulated under the Fair Credit 
        Reporting Act

    Some of the scoring products the respondent companies sell for 
marketing purposes resemble credit scoring tools that, under the Fair 
Credit Reporting Act, cannot be used for marketing. In materials 
describing one such product, ``Summarized Credit Statistics,'' Experian 
emphasizes the distinction between the aggregated credit related 
information offered by the product and individual credit information, 
explaining: ``because individual credit information may not be used for 
marketing purposes without a pre-approved offer, Experian developed 
Summarized Credit Statistics to characterize a neighborhood's consumer 
credit activity.'' \137\
---------------------------------------------------------------------------
    \137\ Experian, Summarized Credit Statistics (EXP002109-EXP002110). 
This credit product includes the following:

       Median equivalency score--assesses the potential risk 
for seriously derogatory behavior. The scores range from 360 to 840 
(high score equals low risk) to accommodate the industry standard use 
of credit scores,

       Median risk score--similar to median equivalency score, 
this option also characterizes neighborhoods or market segments based 
on their likelihood of having future derogatory credit activity. This 
score range (0-1000) has a direct correlation, where a low score equals 
a low risk, and,

       Median bankruptcy score--pinpoints neighborhoods or 
market segments that may be more likely to file for bankruptcy or 
become seriously delinquent over the next 12 months. This score is a 
leading indicator of potential derogatory impacts. Scores range from 
108 to 1257, with a high score indicating great likelihood. Id.
---------------------------------------------------------------------------
    Similarly, Equifax offers ``Aggregated FICO Scores,'' which Equifax 
distinguishes from FICO scores which are generally prohibited for use 
in marketing under the Fair Credit Reporting Act. In its marketing 
materials for this product, the company states that ``FICO Scores are 
no longer only for credit approvals: With aggregated FICO Scores, 
[customers] can leverage the basis of FICO scores for non-FCRA 
marketing applications such as prospecting and ITA [invitations to 
apply].'' \138\ The company further explains that ``for the first time, 
marketers now have access to an aggregated, non-FCRA measure derived 
from the FICO Score.\139\
---------------------------------------------------------------------------
    \138\ Equifax, Aggregated FICO Scores: Utilize Aggregated FICO for 
Marketing Applications (EFX PROD3 0258-0260).
    \139\ Equifax, Aggregated FICO Scores from IXI Services (EFX SUPP 
168-169).
---------------------------------------------------------------------------
    This Committee inquiry did not focus on FCRA compliance 
issues.\140\ However, the emergence of marketing products that closely 
resemble credit scoring tools underscores the need for additional 
review of key questions including:
---------------------------------------------------------------------------
    \140\ Contracts that respondent data brokers provided the Committee 
make clear they require customers to comply with FCRA's prohibition 
against using marketing information for eligibility determinations.

   whether there are privacy concerns surrounding the use of 
---------------------------------------------------------------------------
        these tools

   whether additional consumer protections should be provided, 
        and

   whether use of some of these scores might be considered 
        eligibility determinations that should be scrutinized under the 
        Fair Credit Reporting Act.\141\
---------------------------------------------------------------------------
    \141\ See discussion at part I.C regarding consumer protection 
issues relating to scoring products.
---------------------------------------------------------------------------
C. Data Broker Customers and New Mechanisms for Using Data Broker 
        Products
    Responding data brokers told the Committee they sell their 
marketing products to a range of customers for a variety of types of 
marketing. These customers use data broker products for traditional 
mailing lists and increasingly to tailor outreach to individual 
consumer computers or mobile devices. Following is a discussion of the 
types of customers with whom data brokers share marketing products and 
what companies told the Committee about how their products are shared 
and used.
1. Who Buys the Data
    The respondent companies told the Committee they sell consumer data 
to a wide range of customers. The types of customers included financial 
institutions, hotel chains, wireless telephone service providers, cable 
companies, and jewelry stores, as well as other data brokers or 
resellers. While, some companies provided identities of specific 
customers, others instead provided only general descriptions of the 
types of customers that purchase their data. For example, Acxiom's 
customers include ``47 Fortune 100 clients; 12 of the top 15 credit 
card issuers; seven of the top 10 retail banks; eight of the top 10 
telecom/media companies; seven of the top 10 retailers; 11 of the top 
14 automotive manufacturers; six of the top 10 brokerage firms; three 
of the top 10 pharmaceutical manufacturers; five of the top 10 life/
health insurance providers; nine of the top 10 property and casualty 
insurers; eight of the top 10 lodging companies; two of the top three 
gaming companies; three of the top five domestic airlines; six of the 
top 10 U.S. hotels.'' \142\
---------------------------------------------------------------------------
    \142\ Acxiom, Fact Sheet: Consumer Insight Products (ACXM 458). 
Acxiom also provided several examples of specific publicly identified 
clients. E.g., Acxiom Response to Senate Commerce Committee (Nov. 2, 
2012).
---------------------------------------------------------------------------
    Experian's customers include ``retailers, including online, 
storefront, and catalog sellers; consumer products manufacturers; 
charities and other nonprofit organizations; advertising agencies; 
media placement agencies; government agencies; Internet service 
providers; Internet portals; businesses offering services, especially 
local businesses; direct mail service providers; real estate agents; 
local, state, and Federal politicians; and colleges and universities.'' 
\143\
---------------------------------------------------------------------------
    \143\ Experian Narrative Response to Senate Commerce Committee, at 
19 (Nov. 2, 2012).
---------------------------------------------------------------------------
    Epsilon provided a list of the industries associated with their 
customers, which includes ``business to business, broker, consumer 
packaged goods, direct to consumer, emerging markets, finance, 
healthcare, high tech--telco, insurance, multichannel marketers 
(catalog), not for profit, publishing, research, retail, strategic 
partners, tobacco, and travel and entertainment.'' \144\ The company 
further elaborated on several of these categories, explaining that list 
brokers are ``buying agents for companies that send direct mail,'' that 
``research the types of available lists that a mailer could use for 
their offer.'' Emerging markets are ``a collection of types of clients 
that are new to using direct marketing to reach customers,'' and 
strategic partners are ``companies that license data as inputs for 
models they create and resell to other companies.'' \145\
---------------------------------------------------------------------------
    \144\ Letter from Lydia Parnes, Counsel to Epsilon, to Erik Jones, 
Deputy General Counsel to the Senate Commerce Committee, at 10 (Feb. 
13, 2013).
    \145\ Letter from Lydia Parnes, Counsel to Epsilon, to Melanie 
Tiano, Counsel to Senate Commerce Committee (July 24, 2013). An example 
is a company that specializes in in serving not-for-profit clients on 
fund-raising matters, which then uses marketing data furnished by 
Experian to help their clients refine fund-raising mailing campaigns. 
Id. Epsilon also described to the Committee several examples of 
specific publicly identified clients. Epsilon Response to Senate 
Commerce Committee, (Feb. 13, 2013) (EPS-COM-003612-003650).
---------------------------------------------------------------------------
2. New Mechanisms for Using Data
    In their responses to the Committee, data brokers described client 
uses of their data in general terms such as fraud detection, identity 
authentication, and marketing. Specific customers named in some 
responses of the queried data brokers provided Committee staff with 
additional detail regarding their use of data broker products.
    For example, one retail bank noted if it were seeking to determine 
ideal locations of new branches it may be interested in examining 
predicted borrowing and spending behaviors of their existing customers. 
Such information also might help banks when they are setting goals 
based upon the likely needs of their clientele, such as whether one 
branch should give more loans while another should open more new 
accounts.\146\
---------------------------------------------------------------------------
    \146\ Committee staff telephone interview with retail bank 
purchaser of segmenting buckets (Nov. 21, 2013).
---------------------------------------------------------------------------
    Further, the data broker responses made clear that customers are 
using data broker products to reach consumers both through on-line and 
off-line outreach. While American consumers are beginning to 
understand, and even expect, that their online activities will be 
tracked in order to send them online advertisements,\147\ it is unclear 
whether they understand the extent to which data concerning their 
offline activities also may be collected and used to tailor online 
advertisements.\148\
---------------------------------------------------------------------------
    \147\ Joseph Turow, The Daily You, at 185 (2011) (citing a 2005 
survey that showed 80 percent of respondents ``believed that `companies 
today have the ability to follow my activity across many sites on the 
web.'')
    \148\ See Appendix III for a sampling of some of the data elements 
one company reported offering for online targeting.
---------------------------------------------------------------------------
    Historically, data about consumers was used to locate consumers to 
send catalogs and other marketing promotions through the mail or 
contact via telephone. Increasingly, the information that data brokers 
make available about consumers--including demographic characteristics, 
financial information, and offline purchases and interests--is provided 
to clients digitally such that it informs the client's ability to 
target consumers online.\149\
---------------------------------------------------------------------------
    \149\ As Datalogix explained its digital product offerings:

    The DLX Digital Display Media product is a direct and natural 
evolution of Direct Mail product for the digital era, in virtually 
every way. In the traditional mail world, the data was and is used to 
deliver catalogues and marketing promotions through the mail channel to 
the personal address of a family or individual. In the display 
business, the data is used to deliver an advertisement via a banner 
advertisement. If the consumer clicks on the advertisement, the 
consumer is taken to a company-sponsored website that provides detail 
about the product or service in an analogous way to a catalog. Websites 
have replaced or augmented catalogues as a preferred method of consumer 
shopping in the last decade.

    Letter from Eric Roza, Chief Executive Officer, Datalogix, to 
Chairman John D. Rockefeller IV (Nov. 16, 2012).
---------------------------------------------------------------------------
    The primary method for achieving online data sharing described by 
respondent companies is through the use of ``cookies,'' \150\ and other 
technical means, such as ``cookie syncing,'' or ``cookie matching.'' 
\151\ However, as Internet browser companies take steps to block cookie 
traffic, other technology to track consumers is developing rapidly, and 
some data broker companies appear to be finding new ways to follow 
consumers across different channels such as mobile devices. For 
example, in September 2013, Acxiom announced its ``Audience Operating 
System (AOS).'' AOS will combine data from multiple sources and enable 
digital marketers to segment and target audiences across channels and 
devices and would eliminate the need for third-party cookies, the 
current technology used to track consumers across the Internet.\152\
---------------------------------------------------------------------------
    \150\ A cookie is a text file that a website's server places on a 
consumer's web browser. Cookies can be used to transmit information 
back to the website's server about the browsing activities on the site 
as well as be used to track a computer across different sites. See 
Federal Trade Commission, FTC Staff Report: Self-Regulatory Principles 
for Online Behavioral Advertising (Feb. 2009).
    \151\ Cookie syncing is the process of mapping user id's from one 
system to another. See AdMonsters, Cookie Syncing (Apr. 20, 2010) 
(online at http://www.admonsters.com/blog/cookie-synching).
    \152\ Gartner, Acxiom's Audience Operating System Could Reinvent 
Data-Driven Marketing (Sep. 26, 2013).
---------------------------------------------------------------------------
    Data brokers are increasingly focused on using their offline 
consumer profiles for the purposes of serving online advertisements. 
Acxiom, for example, currently offers approximately 47 percent of its 
1,500 data elements to help marketers target consumers online by 
personalizing websites for individual consumers or serving 
advertisements.\153\ Similarly, Equifax offers many of its products 
digitally, including modeled FICO scores and the Ability to Pay 
Index.\154\ Experian's Hitwise product enables marketers to obtain 
aggregate reports on the online behavior of their existing consumers by 
anonymously matching Experian offline marketing data with website 
traffic pattern analysis.\155\
---------------------------------------------------------------------------
    \153\ Committee staff conversation with Jennifer Barrett Glasgow, 
Chief Privacy Officer, Acxiom (Dec. 10, 2013).
    \154\ For use online, the Ability to Pay Index assigns consumers a 
score from one to four. A score of one represents consumers with the 
highest likelihood of being able to pay. Equifax, Ability to Pay 
Digital (EFX SUPP 164); Equifax, Aggregated FICO Digital Targeting 
Segments (EFX PROD3 0294).
    \155\ Experian Narrative Response to Senate Commerce Committee, at 
10-11 (Feb. 26, 2013). The marketing materials suggest that customers 
can identify and track consumer groups based upon a variety of 
elements, including visits to specific websites; online searches for 
specific terms; demographics, including age, income, gender, race, and 
ethnicity; summarized credit scores; presence of children; hobbies; 
ailments and prescriptions; and life events, such as new parents, 
movers, or new homeowners. Experian, AudienceView (EXP002472-2473).
---------------------------------------------------------------------------
    Data brokers have asserted that digital products offer more privacy 
protections for consumers than traditional mail marketing because the 
data on consumers used in this context is not ``personally 
identifiable'' as that term is commonly understood. They point out that 
for marketing online, information about a consumer is often associated 
with a code instead of the consumer's name.\156\ However, some privacy 
and information experts have expressed concerns that re-identification 
techniques may be used with such data,'' \157\ and questioned whether 
data that identifies specific computers and devices can truly be 
considered ``anonymous.'' As marketing scholar Joseph Turow wrote:
---------------------------------------------------------------------------
    \156\ Letter from Eric Roza, Chief Executive Officer, Datalogix, to 
Chairman John D. Rockefeller IV (Nov. 16, 2013).
    \157\ See How Anonymous Is Your Data? So, Should You Be Worried 
That We're on a Fast Track to Mass Privacy Invasions?, Advertising Age 
(Mar. 18, 2013) (discussing the re-identification of online data that 
has been anonymized).

        Industry claims of anonymity surrounding all these data may 
        soften the impact of the sorting and labeling processes. But in 
        doing so, it seriously undermines the traditional meaning of 
        the word. If a company can follow and interact with you in the 
        digital environment--and that potentially includes the mobile 
        phone and your television set--its claim that you are anonymous 
        is meaningless, particularly when firms intermittently add 
        offline information to the online data and then simply strip 
        the name and address to make it ``anonymous.'' \158\
---------------------------------------------------------------------------
    \158\ Joseph Turow, The Daily You, supra n. 146, at 190; see also 
Paul Ohm, Broken Promises of Privacy, 57 UCLA Law Review 1701, 1704 
(2010) (``Data can either be useful or perfectly anonymous, but never 
both.'').
---------------------------------------------------------------------------
D. Data Broker Transparency and Privacy Practices
    Data brokers generally are not consumer facing, therefore, most 
consumers have no way of knowing that data brokers may be collecting 
their data. Further, a number of companies have contracts with their 
customers that limit customer disclosures regarding their data sources. 
And since consumers generally do not have Federal statutory rights of 
access, correction, or control with respect to the information data 
brokers maintain on them for marketing, companies can establish privacy 
protections for this data largely at their own discretion.
    Industry representatives continue to support self-regulation as the 
best approach for protecting the privacy of consumer data used for 
marketing, and many of the data broker responses to the Committee 
highlighted the importance of self-regulation. In fact, Acxiom cited a 
company philosophy--``just because you can doesn't mean you should'' 
\159\--as a guiding principle for how to handle the mass quantities of 
consumer data available to them.
---------------------------------------------------------------------------
    \159\ Acxiom Narrative Response to Senate Commerce Committee, at 3 
(Apr, 15, 2013).
---------------------------------------------------------------------------
    Most company responses indicated they have incorporated many of the 
best practices set forth in the Guidelines for Ethical Business 
Practices issued in 2009 by the Direct Marketing Association.\160\ 
These guidelines provide ``generally accepted principles of conduct'' 
for ``database compilers'' that cover subjects including consumer 
choice and privacy notices, handling sensitive and specifically health-
related information, oversight of customer data use, and information 
security. The guidelines also provide for a consumer right to opt out 
of the marketing process but do not provide for consumer access and 
correction rights with respect to their own data.\161\
---------------------------------------------------------------------------
    \160\ For discussion of these guidelines see Part I.B.
    \161\ DMA Guidelines, supra n.25, Article 31.
---------------------------------------------------------------------------
    This section discusses respondent company practices relevant to 
transparency and privacy.
1. Disclosure Limitations
    Although DMA Guidelines recommend that members ``not prohibit an 
end-user marketer from divulging the database compiler as the source of 
the marketer's information,'' \162\ a number of the companies have 
contracts with customers that place restrictions on customer disclosure 
of their data source. For example, one company's contract language 
provides: ``All marketing communications used in connection with any 
list or data element provided to client shall . . . be devoid of any 
reference to . . . the source of the recipient's name and address.'' 
\163\ Similarly, another company's contracts provide that the company 
``may not be advertised, or otherwise disclosed to any third party, as 
the source of the Licensed Data unless Client first obtains the 
express, written permission'' of the company.'' \164\
---------------------------------------------------------------------------
    \162\ DMA Guidelines, supra n.25, Article 36.
    \163\ Sample contract provided to the Senate Commerce Committee.
    \164\ Sample contract provided to the Senate Commerce Committee.
---------------------------------------------------------------------------
    The contracts reviewed by the Committee do, however, provide 
exceptions to such restrictions where a consumer makes a direct inquiry 
to the data broker's customer.\165\
---------------------------------------------------------------------------
    \165\ E.g., Sample Contract provided to the Senate Commerce 
Committee.
---------------------------------------------------------------------------
2. Consumer Access and Control Rights
    The respondent data brokers varied widely with respect to access 
and correction rights. For example, Experian and Equifax provide 
consumers no right to view their own data or correct it. Rapleaf 
provides consumers access to their data, and allows them to correct 
data that Rapleaf originates, but the company does not provide 
correction rights to data originating from others.
    Equifax states that a large percentage of the products it offers 
are aggregated or modeled scores that are then attributed to every 
household or individual sharing a particular ZIP+4 Code. Equifax 
asserts that because the consumer data obtained is de-identified and 
therefore not about a particular consumer, Equifax does not provide an 
opportunity for consumer notice, access, or correction.\166\ Similarly, 
Experian does not provide consumers the ability to access or correct 
the data maintained because the company ``does not maintain sufficient 
personal information to allow adequate authentication of an individual 
who requests access,'' \167\ and much of the information is modeled or 
inferred or provides general information, such as income ranges, rather 
than details, such as exact income, making correction rights 
unnecessary.\168\
---------------------------------------------------------------------------
    \166\ Response Letter from Robert W. Kamerschen, U.S. Chief Counsel 
and Senior Vice President, Equifax to Chairman John D. Rockefeller IV, 
at 5 (Nov. 2, 2012).
    \167\ Experian Narrative Response to Senate Commerce Committee, at 
16 (Nov. 2, 2013).
    \168\ Id.
---------------------------------------------------------------------------
    Acxiom in September 2013 unveiled a new website--Aboutthedata.com--
that allows consumers to see and correct certain information that 
Acxiom has collected about them. In order to access information, 
consumers must enter their full name, address, date of birth, last four 
digits of their social security number, and e-mail address. Once a 
consumer's information has been authenticated, the consumer can view, 
and correct or delete broad categories of what Acxiom calls ``core'' 
data.
    While the new Acxiom database marks a step forward in promoting 
transparency, it does not provide consumers a complete view of the data 
the company holds on consumers for marketing purposes. First, consumers 
do not have access to data to which Acxiom has applied analytics. For 
example, a consumer could see data points showing their occupation and 
that they have children, but if Acxiom inferred from those two data 
points that the consumer is a ``working parent,'' the consumer would 
not have access to that inferred element. Second, the database includes 
only those data points that are currently incorporated into Acxiom's 
digital--as opposed to offline--products. According to Acxiom 
representatives, as of early December, about 47 percent of Acxiom's 
offline data was included in the digital products, and the company is 
aiming to have complete overlap of the two data sets within a few 
years.\169\
---------------------------------------------------------------------------
    \169\ See Section III.C.2. According to documents provided to the 
Committee, as of June 2012, Acxiom had 160 elements available in the 
digital products. The 160 elements include some modeled data that would 
not be available for access and correction. This is out of Acxiom's 
over 1,500 data elements currently listed as available in their data 
catalog. Acxiom Narrative Response to Senate Commerce Committee (Mar. 
1, 2013). Conversations with Acxiom suggest that this number may now be 
as high as 47 percent of the available 1,500 data elements. Committee 
staff conversation with Jennifer Barrett Glasgow, Chief Privacy 
Officer, Acxiom (Dec. 10, 2013).
---------------------------------------------------------------------------
3. Opt-Out Rights
    Several companies reported that they provide an avenue for 
consumers to opt out of having their information shared for marketing 
purposes. The companies that provide these options typically give 
notice to consumers of this option via their privacy policies and 
company websites. They can also entirely opt out of having any of their 
data collected.
    Acxiom's policy is to permanently delete the records of consumers 
who choose to opt out. However, a number of other respondent companies 
provide that, when a consumer opts out of having their information 
shared, the companies do not delete the consumer's information. Rather, 
as Epsilon describes:

        When a consumer opts-out with Epsilon, Epsilon marks the 
        consumer's information as ``Do Not Share,'' rather than 
        deleting the information. Epsilon does this to preserve the 
        consumer's preference; if the consumer's information is 
        deleted, in the future, Epsilon would have no way to know that 
        the consumer requested that their information not be shared. 
        When a consumer is marked as ``Do Not Share,'' Epsilon will 
        know that the consumer did not want their information shared in 
        case the consumer's information is later resubmitted. Epsilon 
        adheres to this policy to ensure that consumers' opt-out 
        requests are persistent and honored.\170\
---------------------------------------------------------------------------
    \170\ Epsilon Narrative Response to Senate Commerce Committee (Nov. 
2, 2012).

    Similarly, when a consumer requests that Experian suppress the use 
of their information for marketing purposes, ``Experian does not 
completely eliminate data in response to a suppression request. 
[Experian] must continue to internally maintain a record pertaining to 
the suppressed household in order to properly manage consumer records, 
such as the consumer's choice for suppression.'' \171\
---------------------------------------------------------------------------
    \171\ Experian Narrative Response to Senate Commerce Committee, at 
16 (Nov. 2, 2012).
---------------------------------------------------------------------------
    It is worth noting that since consumers are often not aware that 
data brokers hold their information, it is not clear how they would be 
aware that they have opt-out rights, or how to exercise them.
IV. Conclusion
    The responses the Committee received in its inquiry into the data 
broker industry provide a snapshot of how data brokers collect, use, 
and share consumer data for marketing purposes. This information makes 
clear that consumers going about their daily activities--from making 
purchases online and at brick-and-mortar stores, to using social media, 
to answering surveys to obtain coupons or prizes, to filing for a 
professional license--should expect that they are generating data that 
may well end up in the hands of data brokers. They should expect that 
this data may well be amassed with many other details about them data 
brokers already have compiled. And they should expect that data brokers 
will draw on this data without their permission to construct detailed 
profiles on them reflecting judgments about their characteristics and 
predicted behaviors.
    The responses also underscore that consumers have minimal means of 
learning--or providing input--about how data brokers collect, analyze, 
and sell their information. The wide variety of consumer access and 
control policies provided by the representative companies show that 
consumer rights in this arena are offered virtually entirely at the 
companies' discretion. The contractual limitations imposed by companies 
regarding customer disclosures of their data sources place additional 
barriers to consumer transparency. And the refusal by several major 
data broker companies to provide the Committee complete responses 
regarding data sources and customers only reinforces the aura of 
secrecy surrounding the industry.
    This Committee inquiry has been conducted at a time when sources of 
consumer data and technological capabilities for storage and speedy 
analysis of data continue to expand. As data brokers are creating 
increasingly detailed dossiers on millions of consumers, it is 
important for policymakers to continue vigorous oversight to assess the 
potential harms and benefits of evolving industry practices and to make 
sure appropriate consumer protections are in place.
                                 ______
                                 
                               Appendix I

     Federal Laws That May Be Applicable To Information Collected 
                            By Data Brokers

    In its September 2013 Information Resellers Report, GAO found that 
no single comprehensive Federal privacy law governs the collection, 
use, and sale of personal information maintained and sold by data 
brokers.\1\ Instead, a ``more narrowly tailored'' set of laws 
concerning private sector use of consumer information exists which 
``apply for specific purposes, in certain situations, to certain 
sectors, or to certain types of entities.'' \2\ The Fair Credit 
Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA), Section 5 of 
the Federal Trade Commission Act (FTC Act), and to some extent the 
Health Insurance Portability and Accountability Act of 1996 (HIPAA), 
and the Children's Online Privacy Protection Act (COPPA) are the 
primary laws that govern the collection and use of consumer 
information. A brief summary of the applicable portions of each of 
these laws follows below.
---------------------------------------------------------------------------
    \1\ Government Accountability Office, Information Resellers: 
Consumer Privacy Framework Needs to Reflect Changes in Technology and 
the Marketplace, GAO-13-663 (Sept. 2013) (hereafter ``GAO Information 
Reseller Report'').
    \2\ Id..
---------------------------------------------------------------------------
I. Fair Credit Reporting Act
    The Fair Credit Reporting Act (FCRA) \3\ imposes a number of 
obligations on consumer reporting agencies (CRAs), which are entities 
that assemble consumer information into ``consumer reports'' for use by 
issuers of credit and insurance, and by employers, landlords, and 
others in making eligibility decisions affecting consumers.\4\ Whether 
the obligations and protections of the FCRA apply to consumer data 
depends largely on the purpose for which the information is collected, 
and the intended and actual use of the information, rather than the 
origin or nature of the information itself. The FCRA does not apply to 
the collection and use of information for the purpose of marketing, 
except it allows marketing of pre-screened offers of credit and 
insurance where consumers are provided the opportunity to opt out of 
future such offers.\5\
---------------------------------------------------------------------------
    \3\ Pub. L. No. 91-508, Tit. VI, 84 Stat. 1114, 1128 (1970) 
(codified as amended at 15 U.S.C. Sec. Sec. 1681-1681x).
    \4\ 15 U.S.C. Sec. 1681a.
    \5\ 15 U.S.C. Sec. 1681b(e). Pre-screened offers of credit or 
insurance--sometimes called ``pre-approved'' offers--are sent to 
consumers unsolicited, usually by mail. They are based on information 
in consumers' credit reports that indicates that the individuals 
receiving the offer meet the criteria set by the company making the 
offer. The FCRA limits the circumstances in which consumer reports can 
be used to make pre-screened offers, and provides that all such offers 
must include a notice of consumers' right to stop receiving future pre-
screened offers.
---------------------------------------------------------------------------
    The FCRA requires that CRAs make reasonable efforts to assure the 
``maximum possible accuracy'' \6\ of the information they provide to 
data users, and further requires they maintain procedures through which 
consumers can dispute and correct inaccurate information in their 
consumer reports.\7\ CRAs also must take reasonable measures to ensure 
that they provide credit reports only to those entities that have a 
statutorily-specified ``permissible purpose'' to receive them.\8\ The 
FTC has recently taken actions against a number of companies for 
allegedly violating the FCRA.\9\
---------------------------------------------------------------------------
    \6\ 15 U.S.C. Sec. 1681e(b).
    \7\ 15 U.S.C. Sec. 1681i(a)-(d)
    \8\ 15 U.S.C. Sec. 1681b(a), (c). Permissible purposes under the 
FCRA include, but are not limited to, the use of a consumer report in 
connection with a determination of eligibility for credit, insurance, 
or a license; in connection with the review of an existing account; and 
for certain employment purposes. Other typical uses that are subject to 
FCRA protections include tenant screening, and check cashing services.
    \9\ See, e.g., Press Release, ``Certegy Check Services to Pay $3.5 
Million for Alleged Violations of the Fair Credit Reporting Act and 
Furnisher Rule,'' Federal Trade Commission (Aug. 15, 2013) (available 
at www.ftc.gov/news-events/press-releases/2013/08/certegy-check-
services-pay-35-million-alleged-violations-fair); Press Release 
``Marketers of Criminal Background Screening Reports To Settle FTC 
Charges They Violated Fair Credit Reporting Act'' Federal Trade 
Commission, (Jan. 10, 2013) (available at www.ftc.gov/news-events/
press-releases/2013/01/marketers-criminal-background-screening-
reportsto-settle-ftc); Press Release,``Spokeo to Pay $800,000 to Settle 
FTC Charges Company Allegedly Marketed Information to Employers and 
Recruiters in Violation of FCRA,'' Federal Trade Commission,(June 7, 
2012) (available at www.ftc.gov/news-events/press-releases/2012/06/
spokeo-pay-800000-settle-ftc-charges-company-allegedly-marketed).
---------------------------------------------------------------------------
II. Gramm Leach Bliley Act
    The Gramm Leach Bliley Act (GLBA) \10\, also known as the Financial 
Services Modernization Act of 1999, imposes privacy and security 
obligations on nonpublic personal information that consumers provide to 
``financial institutions,'' which GLBA defines as businesses that are 
engaged in ``financial activities,'' including traditional banking, 
lending, and insurance functions, as well as other activities such as 
providing investment advice, brokering loans, credit reporting, and 
real estate settlement services.\11\ Financial institutions subject to 
GLBA must comply with two key provisions of the Act--the ``Financial 
Privacy Rule,'' and ``Safeguards Rule.'' The Financial Privacy Rule 
governs the collection and disclosure of consumers' personal 
information.\12\ The ``Safeguards Rule,'' requires that financial 
institutions design, implement and maintain safeguards to protect 
consumers' nonpublic information.\13\
---------------------------------------------------------------------------
    \10\ Pub. L. No. 106-102, 113 Stat. 1338 (1999) (codified as 
amended in scattered sections of 12 and 15 U.S.C.).
    \11\ 15 U.S.C. Sec. 6809(3)(A).
    \12\ 15 U.S.C. Sec. 6801(a).
    \13\ 15 U.S.C. Sec. 6801(b).
---------------------------------------------------------------------------
    The GLBA Privacy Rule generally prohibits covered financial 
institutions from disclosing nonpublic personal information about 
consumers to non-affiliated third parties without first providing 
consumers with notice and the opportunity to opt out of the 
disclosure.\14\ However, the GLBA provides a number of statutory 
exceptions under which disclosure is permitted without specific notice 
to the consumer, including consumer reporting (pursuant to the FCRA), 
fraud prevention, law enforcement and regulatory or self-regulatory 
purposes, compliance with judicial process, and public safety 
investigations.\15\
---------------------------------------------------------------------------
    \14\ 15 U.S.C. Sec. 6802(b).
    \15\ 15 U.S.C. Sec. 6802(e).
---------------------------------------------------------------------------
    Entities that receive information under an exception to the GLBA 
are subject to reuse and re-disclosure restrictions, even if those 
entities are not themselves financial institutions.\16\ In particular, 
the recipients may only use and disclose the information ``in the 
ordinary course of business to carry out the activity covered by the 
exception under which . . . the information [was received].'' \17\ 
Thus, for example, if a data broker obtains ``credit header 
information''--which includes a consumer's name, address, and social 
security number--from a financial institution pursuant to the GLBA 
exception ``to protect against or prevent actual or potential fraud,'' 
then that data broker may not reuse and re-disclose that information 
for marketing purposes.
---------------------------------------------------------------------------
    \16\ 16 C.F.R. Part 313.
    \17\ 16 C.F.R. Part 313.11(a).
---------------------------------------------------------------------------
III. Federal Trade Commission Act
    Section 5 of the Federal Trade Commission (FTC) Act provides the 
Commission with broad jurisdiction to regulate unfair or deceptive 
practices in competition and consumer protection.\18\ Section 5 forms 
the basis of the FTC's substantial body of law that covers advertising, 
marketing, certain financial practices, and privacy, among other areas. 
In the privacy space, section 5 applies to both deceptions and 
violations of written privacy policies and statements made to consumers 
about how they will safeguard or use consumer information.\19\ The 
Commission's Section 5 authority extends to the sale of data for 
marketing purposes.\20\
---------------------------------------------------------------------------
    \18\ 15 U.S.C. Sec. 45. Banks, savings and loans, credit unions, 
common carriers, and air carriers are exempt from the FTC's Section 5 
jurisdiction.
    \19\ See, e.g, Press Release, Google Will Pay $22.5 Million to 
Settle FTC Charges it Misrepresented Privacy Assurances to Users of 
Apple's Safari Internet Browser, Federal Trade Commission (Aug.9, 2012) 
(available at www.ftc.gov/news-events/press-releases/2012/08/google-
will-pay-225-million-settle-ftc-charges-it-misrepresented); Press 
Release, Online Data Broker Settles FTC Charges Privacy Policies were 
Deceptive, (Sept. 22, 2010) (available at http://www.ftc.gov/news-
events/press-releases/2010/09/online-data-broker-settles-ftc-charges-
privacy-pledges-were) (charging that U.S. Search, Inc.'s promises that 
they would prevent consumers' personal information from appearing in 
their reverse lookup database in exchange for a $10 fee were false); 
Press Release, Agency Announces Settlement of Separate Actions Against 
Retailer TJX, and Data Brokers Reed Elsevier and Seisint for Failing to 
Provide Adequate Security for Consumers Data, Federal Trade Commission 
(Mar. 27, 2008) (available at http://www.ftc.gov/news-events/press-
releases/2008/03/agency-announces-settlement-separate-actions-against-
retailer-tjx).
    \20\ In October of 2012, the FTC alleged that the credit reporting 
division of Equifax improperly sold more than 17,000 ``prescreened'' 
lists of consumers who were late on their mortgage payments to Direct 
Lending Source, Inc. and its affiliate companies. Direct Lending 
subsequently resold some of these lists to third parties, who used the 
lists to pitch loan modification and debt relief services to people in 
financial distress, including to companies that had been the subject of 
prior law enforcement investigations. See Press Release, FTC 
Settlements Require Equifax to Forfeit Money Made by Allegedly 
Improperly Selling Information about Millions of Consumers Who Were 
Late on Their Mortgages, Federal Trade Commission (Oct. 10, 2012) 
(available at http://www.ftc.gov/news-events/press-releases/2012/10/
ftc-settlements-require-equifax-forfeit-money-made-allegedly).
---------------------------------------------------------------------------
IV. Health Insurance Portability and Accountability Act
    The Health Insurance Portability and Accountability Act (HIPAA) 
\21\ protects certain personal health information from use and 
disclosure. HIPAA applies to individually identifiable health 
information \22\ held by ``covered entities,'' which include health 
insurers, health care providers--if they transmit any information in an 
electronic form for certain covered transactions--and health care 
clearinghouses, as well as their vendors, subcontractors, and business 
associates.\23\ The HIPPA Privacy Rule governs the use and disclosure 
of personal health information and, with some exceptions, requires an 
individual's written authorization prior to using consumers' protected 
health information for marketing and sale.\24\ However, HIPPA affords 
fairly narrow protections and its restrictions on sharing do not apply 
to health information held by non-covered entities, including data 
brokers.
---------------------------------------------------------------------------
    \21\ Pub. L. No. 104-191, 110 Stat. 1936 (1996) (codified as 
amended in scattered sections of 18, 26, 29, and 42 U.S.C.).
    \22\ 45 C.F.R. Part 160.103. Individually identifiable health 
information is information which can be linked to a particular person. 
This information can relate to the individual's past, present or future 
physical or mental health or condition, or, the past, present, or 
future payment for the provision of health care to the individual.
    \23\ 45 C.F.R. Part160.103.
    \24\ Exceptions include refill reminders or otherwise communicate 
about a drug or biologic that is currently being prescribed for the 
individual, only if any financial remuneration received by the covered 
entity in exchange for making the communication is reasonably related 
to the covered entity's cost of making the communication. 45 CFR 
164.501
---------------------------------------------------------------------------
V. Children's Online Privacy Protection Act
    The Children's Online Privacy Protection Act \25\ (COPPA) applies 
to the online collection and use of personal information from children 
under age 13. Websites and online services, including mobile apps, 
covered by COPPA are required to post privacy policies, provide parents 
with direct notice of their information practices, and get verifiable 
consent from a parent or guardian before collecting personal 
information from children. Personal information is defined as 
information that would allow someone to identify or contact a child. It 
includes, among other things, name, physical or e-mail address, 
geolocation, and ``persistent identifier'' which can be used to 
recognize a user over time and across different websites or online 
services.\26\ The law specifies what information must be included in 
the notice provided to parents and how and when to acquire parental 
consent.\27\
---------------------------------------------------------------------------
    \25\ 15 U.S.C. Sec. Sec. 6501-6506 (Pub.L. 105-277, 112 Stat. 2581-
728, enacted October 21, 1998).
    \26\ 16 C.F.R. Part 312.2.
    \27\ 16 C.F.R. Part 312.5.
---------------------------------------------------------------------------
    COPPA's restrictions and protections could apply to this 
investigation because websites have been identified as one of the 
sources from which data brokers obtain consumer information. COPPA does 
not restrict the collection of a child's information from the child's 
parent or other adult.

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


    The Chairman. One of the things that we have learned in 
this investigation is that data brokers engage in many 
unobjectionable activities. They do what marketers have always 
done: They help businesses find potential customers.
    But we have also found some practices that raise some 
serious consumer protection concerns. In particular, I am 
disturbed by the evidence showing that the data brokers segment 
Americans, categorize them into categories, name those 
categories, based on their incomes, and then they sort 
economically vulnerable customers into groups with names like 
``rural and barely making it''--not making it up, that is one 
of their categories--``tough start: young single parents''; 
``rough retirement: small-town and rural seniors''; and ``zero 
mobility.''
    I want to know how and why data brokers are putting 
American consumers into categories like these, and I want to 
know which companies are buying these lists to target their 
marketing to these groups. Maybe it is totally innocuous and 
benign. I don't start out accepting that, but maybe it is. That 
is why we are doing this investigation.
    Some companies in the data broker industry have responded 
positively to our oversight efforts.
    When I became Chairman here several years ago, we went over 
to Henry Waxman and stole a couple of his best people and set 
up an investigations unit, which for some reason we had never 
had. And we gave ourselves subpoena power; for some reason, we 
had never done that. It is a powerful tool when you are doing 
investigations, which is what we tend to do in here.
    I want to know which companies are buying these lists to 
target their marketing to those groups.
    Some companies in the data broker industry have responded 
very positively to our oversight efforts. Over the past year, 
they have provided complete answers to my questions, even the 
tough ones.
    But several of the largest data brokers--specifically, 
Acxiom, Epsilon, and Experian--are continuing to resist 
oversight, just resist it. To date, they have not given me 
complete answers about where they get their customer data on 
consumers and to whom they sell it.
    I am putting these three companies on notice today that I 
am not satisfied with their responses and I am considering 
further steps--and I have steps that I can use--that I can take 
to get this information. We have oversight over this activity 
in American commerce. And if you do oversight, whether it is 
over intelligence or whether it is over this, you do it 
seriously and you do it with a purpose and you want to get the 
truth.
    So I am putting these companies on notice that I am not 
satisfied and I have further steps that I can take to get this 
information. And I want to assure them that the oversight 
efforts in this committee that we have started will continue.
    I call now on my distinguished friend from a similar urban 
state----
    Senator Thune. That is right.
    [Laughter.]
    The Chairman.--Senator John Thune.

                 STATEMENT OF HON. JOHN THUNE, 
                 U.S. SENATOR FROM SOUTH DAKOTA

    Senator Thune. Well, thank you, Mr. Chairman, for holding 
this hearing.
    And thank you also to the witnesses for coming here today.
    Our economy is increasingly data-driven, and data brokers 
play a growing role in facilitating the provision of goods and 
services to consumers. Data or information brokers are 
companies that collect data, including personal information, 
about consumers from a wide variety of sources, such as public 
records, websites, and retailers, and then resell such 
information for purposes that range from verifying an 
individual's identity to preventing fraud to marketing 
products.
    As the Chairman noted in his initial letters to several 
data brokers in 2012, the purpose of his inquiry has been to 
better understand the industry and I look forward to today's 
hearing as we focus on how the information collected by data 
brokers is used for marketing purposes.
    Without question, data-driven marketing can provide 
benefits and greater convenience to consumers. It can lower the 
cost of products and services because businesses can target 
marketing more precisely. It also can help businesses create 
and sell products that consumers actually want, lowering start-
up costs for new businesses.
    Data-driven marketing is one important reason that many of 
us are able to use search engines and our e-mail accounts for 
free. It also allows consumers to receive frequent-shopper 
benefits and coupons. And it promotes the targeting of 
resources to reduce the amount of junk mail and catalogs that 
aren't tailored to a consumer's particular interests--at least, 
that is the goal.
    Put simply, this industry is at the center of something the 
Commerce Committee cares about: commerce. In today's economy, 
data-driven marketing is widely used across all sectors of the 
economy: financial, insurance, automotive, retail, technology, 
health care. It is even used by nonprofits, governments, and 
political campaigns. In fact, many media outlets have noted how 
the use of commercial data resources helped the president's 
reelection campaign in 2012.
    As we will hear from the Direct Marketing Association, the 
marketing data industry is also helping to fuel job creation 
and technical innovation in our slowly recovering economy.
    While the industry creates many benefits, this hearing will 
also explore important questions about the privacy implications 
of data brokers' activities, including issues of transparency, 
profiling, and concerns about allegations of differential 
pricing.
    Questions have also been raised about whether consumers are 
aware of the instances in which their personal information may 
be collected, bought, and sold, resulting in calls for more 
transparency into data broker practices.
    Advocates have also raised concerns that data brokers 
create profiles of individual consumers based on the 
aggregation of sensitive and sometimes personal data, including 
health conditions.
    These are important issues, and I look forward to the 
discussion today.
    In a rapidly changing marketplace, the Federal Trade 
Commission has done important work concerning data brokers and 
related privacy issues, including developing educational 
efforts. They have also brought enforcement actions under the 
FTC Act and the Fair Credit Reporting Act. The FTC is also 
completing a study about practices in the data broker industry 
and will provide recommendations to Congress based on their 
findings next year. I look forward to their testimony.
    The Government Accountability Office has recently produced 
a report on the data broker industry, which I understand will 
be submitted as part of the record for this hearing as well as 
to help inform this committee.
    [The report follows:]

                             GAO Highlights
Why GAO Did This Study
    Members of Congress and others have raised privacy concerns about 
information resellers (data brokers) and consumer information. In part, 
their concerns stem from consumers not always knowing the nature and 
extent of the information collected and how it is used. Growing use of 
the Internet, social media, and mobile applications has intensified 
privacy concerns because these media greatly facilitate gathering of 
personal information, tracking of online behavior, and monitoring of 
individuals' locations and activities. This statement for the record 
discusses: (1) existing Federal laws and regulations on the privacy of 
consumer information held by information resellers, (2) any gaps that 
may exist in this legal framework, and (3) views on approaches for 
improving consumer data privacy.
    This statement draws from a September 2013 report (GAO-13-663), 
which focuses on information used for marketing. GAO analyzed relevant 
laws and regulations; interviewed representatives of Federal agencies, 
trade associations, consumer and privacy groups, and resellers; and 
identified and reviewed approaches for improving consumer data privacy.
What GAO Recommends
    In September 2013, GAO suggested that Congress should consider 
strengthening the consumer privacy framework and review issues such as 
the adequacy of consumers' ability to access, correct, and control 
their personal information; and privacy controls related to new 
technologies such as web tracking and mobile devices.
                         Information Resellers
Consumer Privacy Framework Needs to Reflect Changes in Technology 
        and the Marketplace
What GAO Found
    No overarching Federal privacy law governs the collection and sale 
of personal information among private-sector companies, including 
information resellers. Instead, laws tailored to specific purposes, 
situations, or entities govern the use, sharing, and protection of 
personal information. For example, the Fair Credit Reporting Act limits 
the use and distribution of personal information collected or used to 
help determine eligibility for such things as credit or employment, but 
does not apply to information used for marketing. Other laws apply 
specifically to health care providers, financial institutions, or to 
the online collection of information about children.
    The current statutory framework for consumer privacy does not fully 
address new technologies--such as tracking of online behavior or mobile 
devices--and the vastly increased marketplace for personal information, 
including the proliferation of information sharing among third parties. 
No Federal statute provides consumers the right to learn what 
information is held about them for marketing and who holds it. In many 
circumstances, consumers also do not have the legal right to control 
the collection or sharing with third parties of sensitive personal 
information (such as health information) for marketing purposes. As a 
result, although some industry participants have stated that current 
privacy laws are adequate, GAO found that gaps exist in the current 
statutory framework for information privacy. The framework also does 
not fully reflect the Fair Information Practice Principles, widely 
accepted principles for protecting the privacy and security of personal 
information that have served as a basis for many privacy 
recommendations Federal agencies have made.
    Views differ on the approach that any new privacy legislation or 
regulation should take. Some privacy advocates have argued that a 
comprehensive privacy law would provide greater consistency and address 
gaps in law left by the current sector-specific approach. Others have 
stated that a comprehensive, one-size-fits-all approach would be 
burdensome and inflexible. Some privacy advocates also cited the need 
to provide consumers with greater ability to access, control the use 
of, and correct information about themselves, particularly for data 
being used for purposes different than those for which they originally 
were provided. Industry representatives have asserted that restrictions 
on the collection and use of personal data would impose compliance 
costs, inhibit innovation, and reduce consumer benefits. Nonetheless, 
the rapid increase in the amount and type of personal information that 
is collected and resold warrants reconsideration of how well the 
current privacy framework protects personal information. The challenge 
will be providing appropriate privacy protections without unduly 
inhibiting the benefits to consumers, commerce, and innovation that 
data sharing can accord.
                                 ______
                                 
Prepared Statement of Alicia Puente Cackley, Director Financial Markets 
    and Community Investment, U.S. Government Accountability Office
    Chairman Rockefeller, Ranking Member Thune, and Members of the 
Committee:

    I am pleased to submit this statement on our recent work on 
privacy, personal information, and information resellers.\1\ As you 
know, information resellers (also known as data brokers) offer several 
types of products to customers that include retailers, advertisers, 
individuals, nonprofit organizations, law enforcement, and government 
agencies. This statement is based on a report we issued this September 
in response to a request from this committee to review privacy issues 
related to the consumer data that information resellers collect, use, 
and sell. Others also have raised privacy concerns about resellers and 
consumer information. In part, their concerns stem from consumers not 
always knowing the nature and extent of the information collected and 
how it is used. Moreover, growing use of the Internet, social media, 
and mobile applications has intensified privacy concerns because these 
media greatly facilitate the gathering of personal information, 
tracking of online behavior, and monitoring of individuals' locations 
and activities.
---------------------------------------------------------------------------
    \1\ GAO, Information Resellers: Consumer Privacy Framework Needs to 
Reflect Changes in Technology and the Marketplace, GAO-13-663 
(Washington, D.C.: Sep. 25, 2013).
---------------------------------------------------------------------------
    Our September report examined: (1) existing Federal laws and 
regulations related to the privacy of consumer information held by 
information resellers, (2) any gaps that may exist in this legal 
framework, and (3) views on approaches for improving consumer data 
privacy. We focused on privacy issues related to information used for 
marketing and individual reference services (look-up or people-search); 
we did not focus on information used for other purposes such as 
determining credit or employment eligibility.\2\
---------------------------------------------------------------------------
    \2\ In a 2006 report, we examined financial institutions' use of 
information resellers, focusing on consumer information used for 
eligibility determinations, compliance with legal requirements, and 
fraud prevention. GAO, Personal Information: Key Federal Privacy Laws 
Do Not Require Information Resellers to Safeguard All Sensitive Data, 
GAO-06-674 (Washington, D.C.: June 26, 2006).
---------------------------------------------------------------------------
    For our September 2013 report, we reviewed and analyzed relevant 
laws, regulations, and enforcement actions. We interviewed 
representatives of Federal agencies, trade associations, consumer and 
privacy groups, and resellers to obtain their views on data privacy 
laws related to resellers. We identified and reviewed approaches 
(legislative, regulatory, or self-regulatory) for improving consumer 
data privacy that Federal entities--such as the White House, Federal 
Trade Commission (FTC), and Department of Commerce (Commerce)--or 
representatives of industry, consumer, and privacy groups advocated. We 
interviewed representatives of these entities and reviewed relevant 
studies, hearings, position papers, public comments, and other sources. 
Further details of our scope and methodology can be found in our 
published report.
    We conducted the performance audit on which this statement is based 
from August 2012 through September 2013, in accordance with generally 
accepted government auditing standards. Those standards require that we 
plan and perform the audit to obtain sufficient, appropriate evidence 
to provide a reasonable basis for our findings and conclusions based on 
our audit objectives. We believe that the evidence obtained provides a 
reasonable basis for our findings and conclusions based on our audit 
objectives.
Background
    Resellers maintain large, sophisticated databases with consumer 
information that can include credit histories, insurance claims, 
criminal records, employment histories, incomes, ethnicities, purchase 
histories, and interests. Resellers largely obtain their information 
from public records, publicly available information (such as 
directories and newspapers), and nonpublic information (such as from 
retail loyalty cards, warranty registrations, contests, and web 
browsing). Characterizing the precise size and nature of the reseller 
industry can be difficult because of limited publicly known information 
about the industry.
    In 1972, a U.S. government advisory committee first proposed the 
Fair Information Practice Principles (FIPP) for protecting the privacy 
and security of personal information. While FIPPs are not legal 
requirements, they provide a framework for balancing privacy with other 
interests. The Organisation for Economic Co-operation and Development 
(OECD) developed a revised version of the FIPPs that has been widely 
adopted (see table 1).\3\
---------------------------------------------------------------------------
    \3\ Organisation for Economic Co-operation and Development, 
Guidelines on the Protection of Privacy and Transborder Flow of 
Personal Data (Paris, France: Sept. 23, 1980). OECD's 30 member 
countries include the United States. OECD has been considering whether 
to revise or update its privacy guidelines to account for changes in 
the role of personal data in the economy and society.

 
 
------------------------------------------------------------------------
 


             Table 1.--Fair Information Practice Principles
------------------------------------------------------------------------
         Principle                           Description
------------------------------------------------------------------------
Collection limitation        The collection of personal information
                              should be limited, obtained by lawful and
                              fair means, and, where appropriate, with
                              the knowledge or consent of the
                              individual.
------------------------------------------------------------------------
Data quality                 Personal information should be relevant to
                              the purpose for which it is collected, and
                              should be accurate, complete, and current
                              as needed for that purpose.
------------------------------------------------------------------------
Purpose specification        The purposes for the collection of personal
                              information should be disclosed before
                              collection and upon any change to those
                              purposes, and the use of the information
                              should be limited to those purposes and
                              compatible purposes.
------------------------------------------------------------------------
Use limitation               Personal information should not be
                              disclosed or otherwise used for purposes
                              other than a specified purpose without
                              consent of the individual or legal
                              authority.
------------------------------------------------------------------------
Security safeguards          Personal information should be protected
                              with reasonable security safeguards
                              against risks such as loss or unauthorized
                              access, destruction, use, modification, or
                              disclosure.
------------------------------------------------------------------------
Openness                     The public should be informed about privacy
                              policies and practices, and individuals
                              should have ready means of learning about
                              the use of personal information.
------------------------------------------------------------------------
Individual participation     Individuals should have the following
                              rights: to know about the collection of
                              personal information, to access that
                              information, to request correction, and to
                              challenge the denial of those rights.
------------------------------------------------------------------------
Accountability               Individuals controlling the collection or
                              use of personal information should be
                              accountable for taking steps to ensure the
                              implementation of these principles.
------------------------------------------------------------------------
Source: OECD.

    FIPPs served as the basis for the Privacy Act of 1974--which 
governs the collection, maintenance, use, and dissemination of personal 
information by Federal agencies.\4\ The principles also were the basis 
for many FTC and Commerce privacy recommendations and for a framework 
for consumer data privacy the White House issued in 2012.\5\
---------------------------------------------------------------------------
    \4\ Pub. L. No. 93-579, 88 Stat. 1896 (1974) (codified as amended 
at 5 U.S.C. Sec. 552a). The act generally prohibits (with a number of 
exceptions) the disclosure by Federal entities of records about an 
individual without the individual's written consent and provides U.S. 
persons with a means to seek access to and amend their records.
    \5\ The framework includes a consumer privacy bill of rights and 
encourages Congress to provide FTC with enforcement authorities for the 
bill of rights. The White House, Consumer Data Privacy in a Networked 
World: A Framework for Protecting Privacy and Promoting Innovation in 
the Global Digital Economy (Washington, D.C.: Feb. 23, 2012).
---------------------------------------------------------------------------
Several Laws Apply in Specific Circumstances to Consumer Data That 
        Resellers Hold
    No comprehensive Federal privacy law governs the collection, use, 
and sale of personal information by private-sector companies. More 
narrowly tailored laws govern the use, sharing, and protection of 
personal information--they apply for specific purposes, in certain 
situations, to certain sectors, or to certain types of entities. The 
primary laws include the following:

        Fair Credit Reporting Act (FCRA).\6\ FCRA protects the security 
        and confidentiality of personal information collected or used 
        to help make decisions about individuals' eligibility for 
        credit, insurance, or employment.\7\ It applies to ``consumer 
        reporting agencies'' (such as credit bureaus) that provide 
        ``consumer reports.'' \8\
---------------------------------------------------------------------------
    \6\ Pub. L. No. 91-508, Tit. VI, 84 Stat. 1114, 1128 (1970) 
(codified as amended at 15 U.S.C. Sec. Sec. 1681-1681x).
    \7\ See 15 U.S.C. Sec. 1681.
    \8\ For the definition of ``consumer reporting agency'', see 15 
U.S.C. Sec. 1681a(f). For the definition of ``consumer report'', see 15 
U.S.C. Sec. 1681a(d).

        Gramm-Leach-Bliley Act (GLBA).\9\ GLBA protects nonpublic 
        personal information that individuals provide to ``financial 
        institutions'' or that such institutions maintain.\10\ GLBA 
        sharing and disclosure restrictions apply to financial 
        institutions or entities that receive nonpublic personal 
        information from such a financial institutions.\11\ For 
        example, a third party that receives nonpublic personal 
        information from a financial institution to process consumers' 
        account transactions may not use the information or resell it 
        for marketing purposes.
---------------------------------------------------------------------------
    \9\ Pub. L. No. 106-102, 113 Stat. 1338 (1999) (codified as amended 
in scattered sections of 12 and 15 U.S.C.).
    \10\ See 15 U.S.C. Sec. Sec. 6801-6802. Subtitle A of Title V of 
the act contains the privacy provisions relating to the disclosure of 
nonpublic personal information. 15 U.S.C. Sec. Sec. 6801-6809.
    \11\ 15 U.S.C. Sec. 6802. A ``financial institution'' is any 
institution the business of which is engaging in financial activities 
as described in section 4(k) of the Bank Holding Company Act (12 U.S.C. 
Sec. 1843(k)). 15 U.S.C. Sec. 6809(3)(a).

        Health Insurance Portability and Accountability Act 
        (HIPAA).\12\ HIPAA establishes a set of national standards to 
        protect certain health information. The HIPAA privacy rule 
        governs the use and disclosure of an individual's health 
        information for purposes including marketing.\13\ With some 
        exceptions, the rule requires an individual's written 
        authorization before a covered entity--a health care provider 
        that transmits health information electronically in connection 
        with covered transactions, health care clearinghouse, or health 
        plan--may use or disclose the information for marketing.\14\ 
        The act does not directly restrict the use, disclosure, or 
        resale of protected health information by resellers or others 
        not considered covered entities under the act.
---------------------------------------------------------------------------
    \12\ Pub. L. No. 104-191, 110 Stat. 1936 (1996) (codified as 
amended in scattered sections of 18, 26, 29, and 42 U.S.C.).
    \13\ 45 C.F.R. Parts 160, 164.
    \14\ For the definition of ``marketing'', including exceptions, 
see. 45 C.F.R. Sec. 164.501.

        Children's Online Privacy Protection Act (COPPA).\15\ COPPA and 
        its implementing regulations apply to the collection of 
        information--such as name, e-mail, or location--that would 
        allow someone to identify or contact a child under 13.\16\ 
        Covered website and online service operators must obtain 
        verifiable parental consent before collecting such information. 
        COPPA may not directly affect information resellers, but the 
        covered entities are potential sources of information for 
        resellers.
---------------------------------------------------------------------------
    \15\ Pub. L. No. 105-277, Div. C, Tit. XIII, 112 Stat. 2681-728 
(1998) (codified at 15 U.S.C. Sec. Sec. 6501-6506).
    \16\ FTC issued regulations implementing COPPA, 16 C.F.R. Part 312.

        Electronic Communications Privacy Act (ECPA).\17\ ECPA 
        prohibits the interception and disclosure of electronic 
        communications by third parties unless an exception applies 
        (such as one party to the communication consenting to 
        disclosure). For example, the act would prevent an Internet 
        service provider from selling the content of its customers' e-
        mails to a reseller for marketing purposes, unless the 
        customers had consented to disclosure. However, ECPA provides 
        more limited protection for information considered to be ``non-
        content,'' such as a customer's name and address.
---------------------------------------------------------------------------
    \17\ Pub. L. No. 99-508, 100 Stat. 1848 (1986) (codified as amended 
in scattered sections of 18 U.S.C.).

        Federal Trade Commission Act (FTC Act), Section 5.\18\ The FTC 
        Act prohibits unfair or deceptive acts or practices in or 
        affecting commerce. Although the act does not explicitly grant 
        FTC the specific authority to protect privacy, it has been 
        interpreted to apply to deceptions or violations of written 
        privacy policies. For example, if a retailer's written privacy 
        policy stated customers' personal information would not be 
        shared with resellers and the retailer later sold information 
        to such parties, FTC could bring an enforcement action against 
        the retailer for unfair and deceptive practices.
---------------------------------------------------------------------------
    \18\ 15 U.S.C. Sec. 45. Section 5 of the FTC Act, as originally 
enacted, only related to ``unfair methods of competition.'' The 
Wheeler-Lea Act, passed in 1938, expanded the Commission's jurisdiction 
to include ``unfair or deceptive acts or practices.'' Wheeler-Lea 
Amendments of 1938, Pub. L. No. 75-447, 52 Stat. 111.

    As they relate to specific types of consumer services or records, 
other Federal privacy laws also may apply to information resellers' 
practices and products. For instance, while not specifically a privacy 
law, the Computer Fraud and Abuse Act (CFAA) can restrict a third party 
from collecting personal information from a website when the collection 
would violate the site's terms of service.\19\ The Telecommunications 
Act requires telecommunications carriers to protect the confidentiality 
of proprietary information of customers.\20\
---------------------------------------------------------------------------
    \19\ Pub. L. No. 99-474, 100 Stat. 1213 (1986) (codified as amended 
at 18 U.S.C. Sec. 1030). Courts have held that CFAA prohibits access to 
websites when that access exceeds the sites' terms of use or end-user 
license agreements. See, e.g., Snap-On Bus. Solutions Inc. v. O'Neil & 
Assoc., Inc., 708 F.Supp. 2d 669 (N.D. Ohio 2010); Southwest Airlines 
Co. v. Farechase, Inc., 318 F.Supp. 2d 435 (N.D. Tex. 2004); America 
Online, Inc. v. LCGM, Inc., 46 F.Supp. 2d 444 (E.D. Va. 1998).
    \20\ Pub. L. No. 104-104, 110 Stat. 56 (1996) (codified as amended 
in scattered sections of 15 and 47 U.S.C.).
---------------------------------------------------------------------------
Laws Have Limited Scope over Personal Data Used for Marketing
    Privacy protections under Federal law have been limited for 
consumer data used for marketing. The scope of protections is narrow in 
relation to individuals' ability to access, control, and correct their 
personal data; collection methods and sources and types of information 
collected; and new technologies.
Laws Provide Individuals Limited Ability to Access, Control, and 
        Correct Their Personal Data
    No Federal statute that we examined generally requires resellers to 
allow individuals to review personal information (intended for 
marketing purposes), control its use, or correct it. The FIPPs (for 
collection limitation and openness) state that individuals should be 
able to know about and consent to the collection of their information, 
while the individual participation principle states they should have 
the right to access the information, request correction, and challenge 
the denial of those rights.
    No Federal statute provides consumers the right to learn what 
information is held about them and who holds it for marketing or look-
up purposes. FCRA provides individuals with certain access rights, but 
only when information is used for credit eligibility purposes.. And 
GLBA's provisions allowing consumers to opt out of having their 
personal information shared with third parties apply only in specific 
circumstances. Otherwise, individuals cannot require that their 
personal information not be collected, used, and shared. Also, no 
Federal law provides correction rights (the ability to have resellers 
and others correct or delete inaccurate, incomplete, or unverifiable 
information).
Laws Largely Do Not Address Data Collection Methods, Sources, and Types
    Federal privacy laws are limited in addressing the methods by 
which, or the sources from which, resellers collect and aggregate 
personal information, or the types of information collected for 
marketing or look-up purposes. FIPPs (for data quality, purpose 
specification, and collection limitation) state that personal 
information should be relevant, limited to the purpose for which it was 
collected, and collected with the individual's knowledge or consent.
    Federal laws generally do not govern the methods resellers may use 
to collect personal information. An example of such a method is ``web 
scraping,'' in which resellers, advertisers, and others use software to 
search the web for information about individuals and extract and 
download bulk information from websites with consumer information. 
Resellers or retailers also may collect information indirectly (by 
combining information from transactions).
    Current law generally allows resellers to collect personal 
information from sources including warranty registration cards, 
surveys, and online sources such as discussion boards, social media 
sites, blogs, and web browsing histories and searches. Current law does 
not require disclosure to consumers when their information is collected 
from these sources.
    The Federal laws that address the types of consumer information 
that can be collected and shared are not comprehensive. Under most 
circumstances, information that many people may consider very personal 
or sensitive can be collected, shared, and used for marketing. This can 
include information about physical and mental health, income and 
assets, political affiliations, and sexual habits and orientation. For 
health information, HIPAA provisions apply only to covered entities.
Current Law Does Not Directly Address Some Privacy Issues New 
        Technology Raises
    The current privacy framework does not fully address new 
technologies such as social media, web tracking, and mobile devices. In 
a 2013 report, FTC noted that mobile technologies present unique 
privacy challenges (for instance, mobile devices identify a user's 
geographical location).\21\ As shown in figure 1, the original 
enactment of several Federal privacy laws predates these trends and 
technologies.
---------------------------------------------------------------------------
    \21\ Federal Trade Commission, Mobile Privacy Disclosures: Building 
Trust through Transparency (Washington, D.C.: February 2013).


---------------------------------------------------------------------------
    Source: GAO.

    Note: The most recent amendments to the Federal laws referenced in 
figure 2 are as follows:

        Federal Trade Commission Act of 1914: last amended July 
21, 2010 (Pub. L. 111-203).

        Fair Credit Reporting Act of 1970: last amended Dec. 
18, 2010 (Pub. L. No. 111-319).

        Family Educational Rights and Privacy Act of 1974: last 
amended Jan. 14, 2013 (Pub. L. No. 112-278).

        Electronic Communications Privacy Act of 1986: last 
amended Oct. 19, 2009 (Pub. L. No. 111-79).

        Video Privacy Protection Act of 1988: last amended Jan. 
10, 2013 (Pub. L. No. 112-258).

        Driver's Privacy Protection Act of 1994: last amended 
Oct. 23, 2000 (Pub. L. No. 106-346).

        Health Insurance Portability and Accountability Act of 
1996: last amended Mar. 23, 2010 (Pub. L. No. 111-148).

        Children's Online Privacy Protection Act of 1998: has 
not been amended.

        Gramm-Leach-Bliley Act of 1999: last amended July 21, 
2010 (Pub. L. No. 111-203).

    Because these laws were enacted to protect the privacy of 
information involving specific sectors rather than to address specific 
technologies, some have been interpreted to apply to new technologies. 
For example, FTC has taken enforcement actions under COPPA and revised 
the statute's implementing regulations to account for smartphones and 
mobile applications.
Online Tracking

    No Federal privacy law explicitly addresses the full range of 
practices to track or collect data from consumers' online activity. 
Cookies--text files placed on a computer by the website that the 
computer user visits--allow website operators to recall information 
such as user name and address, credit card number, and purchases in a 
shopping cart. Resellers can match information in cookies and their 
databases to augment consumer profiles. Third parties also can 
synchronize their cookie files with resellers' files. Advertisers can 
use third-party cookies--placed on a computer by a domain other than 
the site being visited--to track visits to the websites on which they 
advertise. Consumers' ability to prevent such tracking can be 
restricted. For example, flash cookies--cookies which do not expire at 
the end of a browsing session--cannot be erased.\22\
---------------------------------------------------------------------------
    \22\ Shannon Canty, Chris Jay Hoofnagle, et al., ``Flash Cookies 
and Privacy'' (Aug. 10, 2009), available at http://papers.ssrn.com/
sol3/papers.cfm?abstract_id=1446862.
---------------------------------------------------------------------------
    While current law does not explicitly address web tracking, FTC has 
taken enforcement actions related to web tracking under its authority 
to enforce the prohibition on unfair or deceptive acts. For example, in 
2011, FTC settled charges with Google for $22.5 million after alleging 
that Google violated an earlier privacy settlement with FTC when it 
misrepresented to users of Apple's Safari web browser that it would not 
track and serve targeted advertisements to Safari users.\23\ Google 
agreed to disable its advertising tracking cookies.
---------------------------------------------------------------------------
    \23\ United States v. Google Inc., No. CV 12-04177-SI, 2012 WL 
5833994 (N.D. Cal. Nov. 16, 2012).
---------------------------------------------------------------------------
    Federal law also does not expressly prohibit ``history sniffing,'' 
which uses code on a webpage to record visitors' browsing history. 
However, in 2012, FTC took an enforcement action against Epic 
Marketplace, a large online advertising network, for deceptively 
failing to disclose its use of history-sniffing technology.\24\ Epic 
Marketplace used the data it collected to target advertising.
---------------------------------------------------------------------------
    \24\ FTC alleged that Epic Marketplace's use of history-sniffing 
was deceptive because it collected data about sites outside of its 
network that consumers had visited, contrary to Epic's privacy policy, 
which represented that it would collect information only about 
consumers' visits to websites in its network. In the Matter of Epic 
Marketplace, Inc., and Epic Media Group, LLC, FTC File No. 112 3182, 
decision and order (Mar. 13, 2013).
---------------------------------------------------------------------------
Mobile Technologies

    In relation to collection and use of consumer data for marketing, 
no Federal privacy laws that we identified specifically govern mobile 
applications and technologies.

        Mobile applications. No Federal law specifically governs mobile 
        applications--software downloaded onto mobile devices for uses 
        such as providing information and online banking and 
        shopping.\25\ Application developers, mobile carriers, 
        advertisers, and others may collect an individual's information 
        through services provided on a mobile device. However, FTC has 
        taken enforcement action against companies for use of mobile 
        applications that violate COPPA and FCRA.\26\ The agency also 
        has taken action under the FTC Act.\27\ And CFAA, which bans 
        unauthorized access to computers, has been found to apply to 
        mobile phones.\28\
---------------------------------------------------------------------------
    \25\ On July 25, 2013, Commerce released a draft of a voluntary 
code of conduct for mobile applications, including guidelines for 
notices to consumers about collection and sharing of information with 
third parties. See Department of Commerce, National Telecommunications 
and Information Administration, Short Form Notice Code of Conduct to 
Promote Transparency in Mobile App Practices, redline draft (July 25, 
2013), available at http://www.ntia.doc.gov/files/ntia/publications/
july_25_code_draft.pdf.
    \26\ FTC settled charges that a social networking service deceived 
consumers when it collected information from children under 13 through 
its mobile application in violation of COPPA. See United States v. 
Path, Inc., No. C13-0448 (N.D. Cal. Jan. 31, 2013). FTC also settled 
charges that a company compiled and sold criminal record reports 
through its mobile application and operated as a consumer reporting 
agency in violation of FCRA. See In the Matter of Filiquarian 
Publishing, LLC, FTC File No. 112 3195 (Apr. 30, 2013).
    \27\ For example, in addition to the alleged COPPA violation, Path 
allegedly deceived users by collecting personal information from their 
mobile address books without their knowledge and consent. See United 
States v. Path, Inc., No. C13-0448 (N.D. Cal. Jan. 31, 2013).
    \28\ In 2011, the U.S. Court of Appeals for the Eighth Circuit held 
that a basic cellular telephone--used only to place calls and send text 
messages--was a computer for CFAA purposes. The judicial decision did 
not address more advanced devices such as smartphones in the CFAA 
context. See U.S. v. Kramer, 631 F.3d 900 (8th Cir. 2011).

        Location tracking. No Federal privacy laws, except COPPA, 
        expressly address location data, location-based technology, and 
        consumer privacy. We and others have reported that the 
        capability of mobile devices to provide consumer's location 
        engenders privacy risks, particularly if companies use or share 
        location data without consumers' knowledge.\29\ ECPA might not 
        apply if location data were not deemed content and would not 
        govern entities such as developers of location-based 
        applications that are not covered by ECPA. But FTC could pursue 
        enforcement action if a company's collection or use of the 
        information violated COPPA.
---------------------------------------------------------------------------
    \29\ Risks included disclosure to third parties for unspecified 
uses, tracking of consumer behavior, and identity theft. See GAO, 
Mobile Device Location ID: Additional Federal Actions Could Help 
Protect Consumer Privacy, GAO-12-903 (Washington, D.C.: Sept. 11, 
2012). A Federal Communications Commission report also noted privacy 
risks. See Federal Communications Commission, Location-Based Services: 
An Overview of Opportunities and Other Considerations (Washington, 
D.C.: May 2012).

        Mobile payments. No Federal privacy laws expressly address 
        mobile payments (for example, by smartphone). An FTC report 
        noted that although mobile payment can be an easy way for 
        individuals to pay for goods and services, privacy concerns 
        have arisen because of the number of companies in the mobile 
        payment marketplace and the large amount of detailed personal 
        and purchase information collected and consolidated.\30\
---------------------------------------------------------------------------
    \30\ Federal Trade Commission, Paper, Plastic or Mobile? An FTC 
Workshop on Mobile Payments (Washington, D.C.: March 2013).
---------------------------------------------------------------------------
Stakeholders Diverge on Adequacy of Legal Framework and Need for 
        Legislation
    Stakeholder views diverge on whether significant gaps in the legal 
framework for privacy exist, whether more legislation is needed, or 
whether self-regulation can suffice. The marketing and information 
reseller industries generally have argued that the current framework of 
sector-specific laws and regulations has not left significant gaps in 
consumer privacy protections. Privacy advocates and others stated that 
the current privacy scheme leaves significant gaps. Industry and 
privacy advocates also disagreed on the need for more legislation or 
regulation and the efficacy of self-regulatory approaches to protect 
privacy. Industry representatives acknowledged the importance of 
consumer privacy protections, but argued that voluntary industry 
measures and self-regulation mitigated the need for additional 
legislation. Some privacy advocates and others argued that voluntary 
compliance or self-regulation was not sufficient to uniformly protect 
consumer privacy rights.
Views Differ on Approaches to Privacy Law and Consumer Interests
    Debate also has focused on appropriate approaches for new privacy 
legislation or regulation. This debate can be framed around three sets 
of issues: a comprehensive versus sector-specific approach to privacy 
legislation; how to address consumers' interests in accessing, 
controlling, and correcting their data; and the potential impact of new 
regulation on consumers and commerce.
Comprehensive versus Sector-Specific Approaches
    Ongoing debate centers on what kind of legislative approach--
sectoral or comprehensive--would best effect enhanced consumer privacy 
protections. Industry stakeholders have argued a comprehensive privacy 
law would amount to a one-size-fits-all approach and could be overly 
burdensome. Stakeholders also said that the current sector-specific 
system was flexible and well-suited to addressing any gaps. In 
contrast, some consumer and privacy groups and academic experts cited 
advantages to comprehensive privacy legislation such as filling gaps in 
existing privacy protections and providing comprehensive and consistent 
protections. Privacy advocates and some business representatives also 
argued that comprehensive legislation would benefit businesses 
internationally and help reduce compliance costs.
    While not recommending a comprehensive Federal privacy statute as 
such, in 2010 Commerce's Internet Policy Task Force recommended the 
adoption of a baseline commercial data privacy framework built on an 
expanded FIPPs. The 2012 White House privacy framework called for 
enacting baseline legislation while preserving existing sector-specific 
laws. The Administration supported exempting companies from consumer 
data privacy legislation to the extent their activities were subject to 
existing data privacy laws.
Views on How to Address Consumers' Interests in Use and Control of 
        Their Data
    Other debate on privacy protections has focused on the third-party 
market for and usage of consumer data, whether or how consumers can 
access and control such usage or correct data, and how or if limits 
should apply to web tracking.
Use of Consumer Data

    Consumer and privacy advocates have noted that consumers often were 
not aware of, and had not always consented to, personal information 
being repurposed for marketing and other uses. Changes in the 
marketplace for consumer data include a vast increase in recent years 
in the number and types of companies that collect and share such data 
with third parties. The Administration noted that consumers have a 
right to expect that companies will collect, use, and disclose their 
information in ways consistent with the context in which the 
information was provided.\31\ FTC articulated a ``context of the 
interaction'' standard for determining when a practice required 
consumer choice.\32\
---------------------------------------------------------------------------
    \31\ The White House, A Framework for Protecting Privacy (2012).
    \32\ Federal Trade Commission, Protecting Consumer Privacy in an 
Era of Rapid Change, pp. 38-39.
---------------------------------------------------------------------------
    Representatives of information resellers, marketers, and other 
industries that use consumer data have argued that repurposing 
generally is not inappropriate or harmful. One reseller argued that 
personal information on unrestricted websites--such as blogs--becomes 
publicly available and can be used by a third party, without legal or 
ethical limitations on its use.
Access and Correction

    Stakeholders' views differed on the extent to which consumers 
should be able to access data held about them. FTC said that companies 
should provide reasonable access to consumer data they maintain, a 
position many privacy groups echoed. FTC called on information 
resellers that compile data for marketing purposes to explore creating 
a centralized website on which resellers would identify themselves, 
describe how they collect and use the data, and consumers' access 
rights and choices.
    Debate also developed on consumers' right to correct information 
held about them. Some privacy advocates and members of Congress have 
argued that consumers should have the right to correct inaccurate 
information. One advocate noted that data not covered by FCRA also can 
be used for fraud prevention and identity verification, and that 
inaccuracies in this context could harm a consumer. Another advocate 
noted that companies may base some individual product pricing on a 
consumer's profile, so inaccurate data could affect the price offered. 
But FTC and the Direct Marketing Association said that special measures 
were not needed to ensure the accuracy of data maintained and used for 
marketing.\33\ The Administration expressed a similar view in its 
privacy framework. Some resellers also said that because they acquire 
information from many sources, giving consumers the opportunity to 
correct information would not be effective unless consumers also could 
have information corrected at the sources from which it had been drawn.
---------------------------------------------------------------------------
    \33\ Federal Trade Commission, Protecting Consumer Privacy in an 
Era of Rapid Change, pp. 38-39; and letter from Direct Marketing 
Association to members of Congress on August 13, 2012, available at 
http://the-dma.org/news/August-13-2012-DMALetter.pdf.
---------------------------------------------------------------------------
Web Tracking

    Some of the most publicized debate on privacy and new technologies 
has centered on consumers' ability to control tracking of their web 
activity. Areas of disagreement include the effectiveness of voluntary 
initiatives that allow consumers to exert some control over tracking 
and the use of information collected during tracking. For example, the 
Digital Advertising Alliance developed an icon to let web page users 
know that their visit was being tracked and their actions used to infer 
their interests and target future advertising. Users can click on the 
icon to learn more about behavioral advertising and control whether 
they receive such advertising and from which companies.\34\ Some 
privacy advocates have pointed to limitations to this mechanism (for 
example, the opt-out option only applies to companies in the Digital 
Advertising Alliance).
---------------------------------------------------------------------------
    \34\ According to the Digital Advertising Alliance, in 2012 more 
than 5.2 million unique users accessed the resources at 
www.aboutads.info, and nearly 1 million exercised a choice using the 
site's opt-out mechanism.
---------------------------------------------------------------------------
    Debate also has developed about the implementation of ``do not 
track.'' Under this approach, consumers would be able to choose whether 
to allow the collection and use of data about their online searching 
and browsing. FTC supported the concept of a universal do-not-track 
mechanism in its 2010 and 2012 privacy reports.\35\ On the self-
regulatory side, some Internet browsers, including Mozilla Firefox, 
have introduced do-not-track features. The World Wide Web Consortium 
has been developing a universal web protocol for do not track.\36\ But 
disagreements on different issues (such as scope and technological 
specifications) have delayed widespread adoption or standardization of 
do not track.\37\
---------------------------------------------------------------------------
    \35\ Federal Trade Commission, Protecting Consumer Privacy in an 
Era of Rapid Change (2012) and Protecting Consumer Privacy in an Era of 
Rapid Change: A Proposed Framework for Businesses and Policymakers; 
preliminary staff report (Washington, D.C.: December 2010).
    \36\ In the World Wide Web Consortium, member organizations and the 
public work together to develop web protocols and standards. The 
consortium's Tracking Protection Working Group proposes recommendations 
and technologies to improve user privacy and control. See http://
w3.org/2011/tracking-protection/.
    \37\ Senate Committee on Commerce, Science, and Transportation, A 
Status Update on the Development of Voluntary Do-Not-Track Standards, 
113th Cong., 1st sess., April 24, 2013; see testimony of Justin 
Brookman, Director, Consumer Privacy, Center for Democracy and 
Technology.
---------------------------------------------------------------------------
    Proposals in Congress and elsewhere would require FTC to promulgate 
regulations for a do-not-track mechanism.\38\ Proponents of such 
proposals noted that the use of third-party cookies greatly increased 
in recent years--for example, the Wall Street Journal identified more 
than 3,000 tracking files the top 50 websites placed on a test 
computer.\39\ Advocacy organizations argued that Internet users may not 
be fully aware of the extent of third-party tracking and that users 
should affirmatively consent to tracking. Some members of Congress 
raised concerns about flash cookies and whether the FTC Act's 
prohibition of unfair or deceptive acts or practices would cover them. 
Representatives of the advertising and other industries have cautioned 
against many of the proposals.
---------------------------------------------------------------------------
    \38\ For example, see Do-Not-Track Online Act of 2013, S. 418, 
113th Cong.
    \39\ Julia Angwin, ``The Web's New Gold Mine: Your Secrets,'' Wall 
Street Journal, July 30, 2010.
---------------------------------------------------------------------------
Views on Potential Impacts of New Regulation on Consumers and Commerce
    Representatives of the marketing and reseller industries argued 
that regulatory restrictions on using consumer data could reduce the 
benefits consumers get. Advertising representatives noted that targeted 
marketing and advertising helps underwrite applications and services 
available free to consumers. Some resellers said that targeted 
behavioral advertising gives consumers information relevant to their 
specific interests, needs, or preferences. However, some privacy 
advocates believe that consumer benefits have been overstated. Some 
advocates also raised concerns that the profiling and scoring 
techniques used to deliver specific advertisements to specific 
consumers might have discriminatory effects because they present 
information, sales, or opportunities only to consumers with certain 
characteristics.
    Stakeholder views also diverged on the potential economic effects 
of strengthened privacy regulations. Industry representatives said that 
new restrictions on the use of consumer information could inhibit 
innovation and increase compliance costs for businesses. Privacy and 
consumer groups said that the industry's claims that increased privacy 
protections would be too burdensome and stifle innovation have not been 
accompanied by convincing evidence. And in public comments solicited by 
Commerce in 2010 on information privacy and innovation in the Internet 
economy, online businesses and advertisers noted the importance of 
respecting customers' privacy if they wanted to retain their business 
or encourage individuals to adopt new devices and services.\40\
---------------------------------------------------------------------------
    \40\ Department of Commerce, Notice of Inquiry, Information Privacy 
and Innovation in the Internet Economy (Privacy and Innovation NOI), 75 
Fed. Reg. 21226, Apr. 23, 2010, available at http://ntia.doc.gov/
frnotices/2010/FR_PrivacyNOI_04232010.pdf.
---------------------------------------------------------------------------
    Views vary on the economic effects of greater harmonization of U.S. 
and foreign privacy rules. Commerce's Internet Policy Task Force noted 
that a significant number of comments they received concerned 
difficulties and costs in complying with foreign data protection rules 
and regulations. For example, the European Union's 1995 Data Protection 
Directive states that personal information of European Union citizens 
may not be transmitted to nations not deemed to have ``adequate'' data 
protection laws.\41\ The United States does not have an adequacy 
finding from the European Commission.\42\
---------------------------------------------------------------------------
    \41\ European Union, Directive 95/46/EC of the European Parliament 
and of the Council on the Protection of Individuals with Regard to the 
Processing of Personal Data and the Free Movement of Such Data (Oct. 
24, 1995).
    \42\ However, companies participating in the U.S.-EU Safe Harbor 
Framework are deemed to provide adequate data protections and may 
transfer personal data from the European Union. FTC has the authority 
to enforce the substantive privacy requirements of the U.S.-EU Safe 
Harbor Framework.
---------------------------------------------------------------------------
    The task force recommended the U.S. government work toward mutual 
recognition of other commercial data privacy frameworks.\43\ Many 
commenters also advocated for greater harmonization of privacy rules. 
In contrast, some industry observers warned against enacting a stricter 
privacy regime like the European Union's. A reseller representative 
said moving to a stricter regime would hinder commerce and innovation.
---------------------------------------------------------------------------
    \43\ Department of Commerce, Internet Policy Task Force, Commercial 
Data Privacy and Innovation in the Internet Economy: A Dynamic Policy 
Framework (Washington, D.C.: 2010).
---------------------------------------------------------------------------
    New technologies have enormously changed the amount of personal 
information private companies collect and how they use it. But our 
current privacy framework does not fully address these changes. Laws 
protecting privacy interests are tailored to specific sectors and uses. 
And, consumers have little control over how their information is 
collected, used, and shared with third parties for marketing purposes. 
As a result, current privacy law is not always aligned with the Fair 
Information Practice Principles, which Commerce and others have said 
should serve as the foundation for commercial data privacy. Thus, the 
privacy framework warrants reconsideration in relation to consumer 
interests, new technologies, and other issues. In our September report, 
we suggested that Congress consider strengthening it and review issues 
such as the adequacy of consumers' ability to access, correct, and 
control their personal information; and privacy controls related to new 
technologies. The challenge will be providing appropriate protections 
without unduly inhibiting the benefits to consumers, commerce, and 
innovation that data sharing can accord.
    This concludes my statement for the record.

    Senator Thune. I will be asking our witnesses how data 
broker practices for marketing purposes may impact consumers, 
both positively and negatively. I am also interested in hearing 
from our witnesses how the industry can work to balance the 
privacy concerns of individuals with the information needs of 
businesses and our economy.
    Finally, Mr. Chairman, while I have expressed my thanks to 
all of our witnesses being here today, I do want to add a 
special note of thanks to Tony Hadley from Experian. This 
inquiry began with letters sent to nine companies, and over 
time it has also included letters to several consumer-facing 
websites. Having only one of those companies testify is a good 
way to keep the number of witness manageable in light of the 
busy Senate schedule.
    Mr. Hadley, I am sure that many of the other companies are 
also grateful for your willingness to testify and help advance 
our understanding----
    [Laughter.]
    Senator Thune.--of the data broker industry. I know I 
certainly am.
    So I want to thank you again, Mr. Chairman, for having this 
hearing, and I do look forward to hearing from our witnesses.
    The Chairman. Thank you, Senator Thune, very much.
    We have--well, I will just do one by one--Jessica Rich. Ms. 
Rich is the Director of the Bureau of Consumer Protection at 
the Federal Trade Commission. And I will go down the line.
    Could you give your testimony, please?

    STATEMENT OF JESSICA RICH, DIRECTOR, BUREAU OF CONSUMER 
              PROTECTION, FEDERAL TRADE COMMISSION

    Ms. Rich. Chairman Rockefeller, Ranking Member Thune, and 
members of the Committee----
    The Chairman. You have to push a little button.
    Ms. Rich. That would be a good start.
    The Chairman. It is called ``technology.''
    Ms. Rich. Yes.
    [Laughter.]
    Ms. Rich. I assure you I know something about technology.
    I am Jessica Rich, director of the Bureau of Consumer 
Protection at the Federal Trade Commission. And I really 
appreciate this opportunity to present the Commission's 
testimony on data brokers.
    This is a highly opportune time to examine the practices of 
data brokers, as technological developments have allowed for 
the dramatic increase in the collection and use of consumers' 
information.
    Data brokers collect consumers' personal information from a 
wide variety of sources and resell it for a variety of purposes 
without most consumers ever knowing of their existence, much 
less the variety of practices in which they engage. And many of 
these practices, as you noted, fall outside of the scope of 
existing laws.
    I know this committee is well aware of the lack of 
transparency of data broker practices. Chairman Rockefeller, we 
commend you for your leadership on this issue and stand ready 
to work with the Committee and with Congress on ways to improve 
the transparency of data broker practices. The report you 
released today is a key initiative in this effort, as is the 
study you requested from GAO.
    At the FTC, our work on data broker practices goes back to 
the 1970s. For decades, policymakers have expressed concerns 
about the transparency of companies that buy and sell consumer 
data. Indeed, the existence of companies selling consumer data 
for credit and other eligibility determinations, invisibly and 
behind the scenes, led to the enactment in 1970 of the Fair 
Credit Reporting Act.
    Since then, the Commission has been active in examining the 
practices of data brokers. We have used three primary tools in 
this effort.
    First, we bring enforcement actions when company practices 
violate the law. Perhaps our most well-known data broker case 
involved ChoicePoint, in which we obtained $10 million in civil 
penalties and $5 million in redress for consumers. We alleged 
that ChoicePoint implemented lax privacy and security 
procedures, resulting in sensitive consumer report information 
ending up in the hands of known identity thieves.
    More recently, we entered into a consent decree with online 
data broker Spokeo. According to our complaint, Spokeo 
collected personal information from hundreds of online and 
offline sources, including social networks, and combined that 
data into detailed personal profiles. We allege that Spokeo 
marketed these profiles for use by human resource departments 
in hiring, which made it a consumer reporting agency subject to 
the Fair Credit Reporting Act, but that it failed to abide by 
the FCRA's accuracy and privacy requirements. The order 
contains strong injunctive relief and an $800,000 civil 
penalty.
    Second, the Commission conducts research and issues reports 
addressing data broker issues. For example, our 2012 privacy 
report made best practices and legislative recommendations for 
consumer privacy, including specific recommendations regarding 
data brokers. Among other things, the report reiterated a 
longstanding Commission recommendation that data brokers 
provide consumers with access to the data they maintain and, 
depending on how the data is used, the ability to correct it.
    More recently, in order to shine a light on the industry, 
we issued orders requiring nine data brokers to provide us with 
information regarding how they collect and use consumer data. 
The Commission is close to completing a report based on this 
information and expects to release it in the coming months.
    And in the spring of next year, we plan to host a series of 
privacy workshops, including a seminar on what is called 
``alternative scoring products'' offered by data brokers--that 
is, products that companies use to predict consumer behavior 
and shape how they market to particular consumers.
    Our final tool is educating businesses and consumers on 
privacy issues in the practices of data brokers. For example, 
we recently sent letters to multiple data brokers that provide 
tenant and background screening services, warning them about 
their duty to comply with the Fair Credit Reporting Act. And 
for consumers, we recently produced a video on data brokers and 
have published frequent blog posts and updates on issues 
related to the data broker industry.
    In closing, as the collection and use of consumer data 
continues to explode, we share the Committee's commitment to 
continue to examine data brokers, and we stand ready to work 
with the Committee on this critical issue.
    Thank you.
    [The prepared statement of Ms. Rich follows:]

           Prepared Statement of the Federal Trade Commission
I. Introduction
    Chairman Rockefeller, Ranking Member Thune, and members of the 
Committee, I am Jessica Rich, Director of the Bureau of Consumer 
Protection of the Federal Trade Commission (``FTC'' or 
``Commission'').\1\ I appreciate the opportunity to present the 
Commission's testimony on data brokers.
---------------------------------------------------------------------------
    \1\ This written statement presents the views of the Federal Trade 
Commission. My oral statements and responses to questions are my own 
and do not necessarily reflect the views of the Commission or any 
Commissioner.
---------------------------------------------------------------------------
    Data brokers collect and aggregate consumers' personal information 
from a wide range of sources and resell it for an array of purposes, 
such as marketing, verifying an individual's identity, and preventing 
financial fraud. Because data brokers generally never interact directly 
with consumers, consumers are typically unaware of their existence, 
much less the variety of ways they collect, analyze, and sell consumer 
data.
    This Committee, by investigating the privacy practices of data 
brokers, has helped call attention to the lack of transparency 
surrounding data broker privacy practices. We look forward to reviewing 
the Committee's report on its examination of the data broker industry. 
We commend Chairman Rockefeller's leadership on this issue and stand 
ready to work with this Committee and Congress on ways to improve the 
transparency of data broker practices. As the Committee is aware, the 
Commission is developing its own report on the data broker industry 
(discussed further below), which the Commission expects to release in 
the coming months.
    This testimony begins by describing the Commission's longstanding 
work in this area. It then lays out our strategy for addressing the 
privacy practices of the data broker industry through enforcement, 
research and reports, and business and consumer education.
II. Background on FTC Initiatives Concerning Data Broker Privacy 
        Practices
    Concerns about the privacy practices of companies that buy and sell 
consumer data are not new. Indeed, in 1970, the existence of companies 
selling consumer data with little transparency for credit and other 
eligibility determinations led Congress to enact the Fair Credit 
Reporting Act (FCRA)\2\, which it gave the Commission authority to 
enforce.
---------------------------------------------------------------------------
    \2\ 15 U.S.C. Sec. 1681 et seq.
---------------------------------------------------------------------------
    In the late 1990s, the Commission began to examine the privacy 
practices of data brokers that fall outside the FCRA.\3\ Notably, in 
1997, the Commission held a workshop to examine database services used 
to locate, identify, or verify the identity of individuals, referred to 
at the time as ``individual reference services.'' The workshop prompted 
industry members to form the self-regulatory Individual Reference 
Services Group (IRSG).\4\ The Commission subsequently issued a report 
on the workshop and the IRSG. The report commended the progress made by 
the industry's self-regulatory programs, but one of the report's 
conclusions was that the industry's efforts did not adequately address 
the lack of transparency of data broker practices. Although industry 
ultimately terminated the IRSG, a series of public breaches--including 
one involving ChoicePoint--led to renewed scrutiny of the practices of 
data brokers.\5\
---------------------------------------------------------------------------
    \3\ See, e.g., FTC Workshop, The Information Marketplace: Merging & 
Exchanging Consumer Data (Mar. 13, 2001), available at http://
www.ftc.gov/bcp/workshops/infomktplace/index
.shtml; Prepared Statement of the FTC, Identity Theft: Recent 
Developments Involving the Security of Sensitive Consumer Information: 
Hearing Before the S. Comm. on Banking, Housing, and Urban Affairs, 
109th Cong. (Mar. 10, 2005), available at http://www.ftc.gov/public-
statements/2005/03/prepared-statement-federal-trade-commission-
identity-theft-recent; see also FTC Workshop, Information Flows: The 
Costs and Benefits to Consumers and Businesses of the Collection and 
Use of Consumer Information (June 18, 2003), available at http://
www.ftc.gov/news-events/events-calendar/2003/06/information-flows-
costs-and-benefits-related-collection-and-use.
    \4\ See FTC, Individual Reference Services, A Report to Congress 
(1997), available at http://www.ftc.gov/reports/individual-reference-
services-report-congress.
    \5\ This scrutiny included an FTC investigation that resulted in 
the FTC's largest FCRA civil penalty to date. See United States v. 
ChoicePoint, Inc., No. 1:06-cv-00198 (N.D. Ga. Feb. 15, 2006) 
(stipulated final order imposing $10 million fine and $5 million in 
consumer redress), available at http://www.ftc.gov/sites/default/files/
documents/cases/2006/01/stipfinaljudge
ment.pdf.
---------------------------------------------------------------------------
    Most recently, in its 2012 report Protecting Consumer Privacy in an 
Era of Rapid Change: Recommendations for Businesses and Consumers 
(Privacy Report),\6\ the Commission specifically addressed the privacy 
practices of data brokers. The Commission described three different 
categories of data brokers: (1) entities subject to the FCRA; (2) 
entities that maintain data for marketing purposes; and (3) non-FCRA 
covered entities that maintain data for non-marketing purposes that 
fall outside of the FCRA, such as to detect fraud or locate people.\7\ 
The report noted that, while the FCRA gives consumers a variety of 
rights with regard to companies that sell data for credit, employment, 
and insurance purposes, data brokers within the other two categories 
operate without much transparency.
---------------------------------------------------------------------------
    \6\ FTC, Protecting Consumer Privacy in an Era of Rapid Change: 
Recommendations for Businesses and Policymakers (Mar. 2012), available 
at http://ftc.gov/os/2012/03/120326privacy
report.pdf. Commissioner Wright's term as Commissioner began in January 
2013 and he was not at the Commission when the Privacy Report was 
issued. While he may not necessarily endorse all the views in that 
Report, he agrees with the substance of this testimony.
    \7\ Id. at 65.
---------------------------------------------------------------------------
    Building on the agency's prior work, the Commission's Privacy 
Report made recommendations to improve the transparency of the 
practices of data brokers and to give consumers greater control over 
how their information is used. Among other things, the Report proposed 
that data brokers provide consumers with reasonable access to the data 
they maintain. The Report also noted that the Commission had long 
supported legislation that would give access rights to consumers for 
information held by data brokers.\8\ The Report stated that the 
Commission continues to support legislation in this area to improve the 
transparency of industry practices.\9\
---------------------------------------------------------------------------
    \8\ Id. at 69.
    \9\ Id.
---------------------------------------------------------------------------
III. The Commission's Ongoing Initiatives Regarding Data Brokers
    The Commission's ongoing initiatives to address the privacy 
practices of the data broker industry build on this body of prior work. 
The Commission is pursuing a three-pronged strategy to ensure consumer 
interests are protected in the data broker context. First, the 
Commission takes aggressive enforcement action to ensure that data 
brokers comply with the FCRA where it applies. Second, as data broker 
business models expand beyond traditional credit reporting, the FTC 
continues to conduct research and issue reports examining the practices 
of the data broker industry. Third, the Commission educates businesses 
about their legal responsibilities, especially small data brokers that 
may be unaware of their legal obligations, and consumers regarding how 
their data is disseminated. These three initiatives are discussed 
below.
A. Enforcement
    The Commission maintains an aggressive FCRA enforcement program. To 
date, it has brought almost 100 cases and obtained in excess of $30 
million in civil penalties. FCRA enforcement is a vital priority for 
the agency, particularly as companies that are not traditional credit 
reporting agencies venture into territory covered by the FCRA.\10\
---------------------------------------------------------------------------
    \10\ The FCRA provides basic consumer protections when consumer 
reporting data is used to make eligibility determinations for credit, 
insurance, employment and similar purposes.
---------------------------------------------------------------------------
    For example, last year the Commission entered into a consent decree 
with online data broker Spokeo to resolve allegations that the company 
violated the FCRA.\11\ As set forth in the Commission's complaint, 
Spokeo assembled personal information from hundreds of online and 
offline data sources, including social networks, and merged that data 
to create detailed personal profiles, including name, address, age 
range, hobbies, ethnicity, and religion. Spokeo marketed these profiles 
for use by human resources departments in hiring decisions. The FTC 
alleged that Spokeo, which marketed profiles for employment purposes, 
was a consumer reporting agency subject to the FCRA. The Commission 
charged Spokeo with violating the FCRA by, among other things, failing 
to (1) take reasonable steps to ensure the accuracy of information; and 
(2) tell its clients about their obligations under the FCRA, including 
the requirement to send adverse action notices to people denied 
employment on the basis of information obtained from Spokeo. The order 
contained strong injunctive relief and an $800,000 civil penalty.
---------------------------------------------------------------------------
    \11\ United States v. Spokeo, Inc., No. CV12-05001 (C.D. Cal. June 
12, 2012), available at http://www.ftc.gov/enforcement/cases-and-
proceedings/cases/2012/06/spokeo-inc-united-states-america-federal-
trade; see also Press Release, FTC, Spokeo to Pay $800,000 to Settle 
FTC Charges Company Allegedly Marketed Information to Employers and 
Recruiters in Violation of FCRA (June 12, 2012), available at http://
www.ftc.gov/news-events/press-releases/2012/06/spokeo-pay-800000-
settle-ftc-charges-company-allegedly-marketed.
---------------------------------------------------------------------------
    The Commission also recently took action against a mobile 
application developer that compiled and sold criminal record reports 
without complying with the FCRA.\12\ The app developer, Filiquarian, 
claimed that consumers could use its mobile apps to access hundreds of 
thousands of criminal records and conduct searches on potential 
employees. The FTC charged that Filiquarian failed to take reasonable 
steps to ensure that the information it sold was accurate and would be 
used solely for permissible purposes, as required by the FCRA. In 
addition, Filiquarian failed to inform users of its reports of their 
obligations under the FCRA, including the requirement to notify 
consumers if an adverse action was taken against them based on a 
report. In both the Spokeo and Filiquarian cases, the companies' terms 
of service included disclaimers stating that the information they 
provided should not be used for FCRA purposes. Despite these 
disclaimers, the companies specifically advertised that their reports 
could be used for employment purposes.
---------------------------------------------------------------------------
    \12\ Decision and Order, Filiquarian Publishing, LLC, FTC File No. 
112-3195 (May 1, 2013), available at http://www.ftc.gov/enforcement/
cases-and-proceedings/cases/2013/05/filiquarian-publishing-llc-choice-
level-llc-and; see also Press Release, FTC, FTC Approves Final Order 
Settling Charges Against Marketers of Criminal Background Screening 
Reports (May 1, 2013), available at http://www.ftc.gov/news-events/
press-releases/2013/05/ftc-approves-final-order-settling-charges-
against-marketers.
---------------------------------------------------------------------------
    Most recently, the Commission entered into a consent decree with 
Certegy Check Services, one of the Nation's largest check authorization 
service companies.\13\ Certegy compiles consumers' personal information 
and uses it to help retail merchants determine whether to accept 
consumers' checks. The Commission's complaint alleged that, among other 
things, when a merchant denied a consumer's check, and the consumer 
contacted Certegy to dispute the denial, the company failed to follow 
proper dispute procedures, as required by the FCRA. As a result, 
Certegy's denials may have been in error, and consumers may not have 
been able to pay for essential goods and services. Certegy agreed to 
pay $3.5 million, the agency's second largest FCRA fine, to resolve the 
Commission's allegations.
---------------------------------------------------------------------------
    \13\ U.S. v. Certegy Check Servs., Inc., No. 1:13-cv-01247 (D.D.C. 
Aug. 15, 2013), available at http://www.ftc.gov/enforcement/cases-and-
proceedings/cases/2013/08/certegy-check-services-inc; ; see also Press 
Release, FTC, Certegy Check Services to Pay $3.5 Million for Alleged 
Violations of the Fair Credit Reporting Act and Furnisher Rule (Aug. 
15, 2013), available at http://www.ftc.gov/news-events/press-releases/
2013/08/certegy-check-services-pay-35-million-alleged-violations-fair.
---------------------------------------------------------------------------
B. Research and Reports
    The Commission is devoting significant resources to research and 
reports addressing the privacy practices of data brokers. As described 
above, the Commission's Privacy Report discussed the data broker 
industry specifically and recommended steps data brokers should take to 
improve the transparency of data broker practices and give consumers 
greater control over their information.\14\
---------------------------------------------------------------------------
    \14\ Protecting Consumer Privacy in an Era of Rapid Change, supra 
note 6, at 68-70.
---------------------------------------------------------------------------
    To undertake a more detailed examination of the data broker 
industry, the Commission issued orders requiring nine data brokers to 
provide the agency with information regarding how they collect and use 
consumer data. The orders, issued pursuant to the Commission's 
authority under Section 6(b) of the FTC Act, mandated production of 
detailed information regarding company practices, including the nature 
and sources of consumer data the companies collect, how they use, 
maintain, and disseminate the information, and the extent to which the 
data brokers allow consumers to access and correct their information or 
to opt out of having their personal information sold. These orders were 
directed to companies providing three basic non-FCRA services--
marketing services, risk mitigation services, including identity 
verification and fraud detection, and people search or look-up 
services. The Commission is expects to release a report on this 
examination of the data broker industry in the coming months.
    We also continue to examine emerging practices in the data broker 
industry. Just this month, we announced a series of seminars for early 
2014 that will address a number of consumer privacy issues, including 
alternative scoring products offered by data brokers. Many data brokers 
offer companies scores to predict trends and the behavior of their 
customers. Companies are using predictive scores for a variety of 
purposes, ranging from identity verification and fraud prevention to 
marketing and advertising. Consumers are largely unaware of these 
scores and have little to no access to the underlying data from which 
they are derived. The program will explore a number of issues, 
including what scores are currently available, how companies are using 
them, how accurate the scores and underlying data are, privacy concerns 
surrounding the use of predictive scoring, how consumers can benefit 
from use of these scores, and what sort of consumer protections should 
exist for them.\15\
---------------------------------------------------------------------------
    \15\ Press Release, FTC, Spring Privacy Series: Alternative Scoring 
Products (Mar. 19, 2014), available at http://www.ftc.gov/news-events/
events-calendar/2014/03/spring-privacy-series-alternative-scoring-
products.
---------------------------------------------------------------------------
C. Education
    In addition to its enforcement and policy work on data broker 
issues, the agency also focuses on educating businesses and consumers 
about these issues. An important method for educating businesses is to 
publicize Commission complaints and orders and issue public letters 
warning companies of legal requirements and/or potential violations. In 
this vein, the Commission sent staff warning letters to a number of 
data brokers that provided tenant-screening services, and to marketers 
of six mobile apps that provide employment background screening 
services.\16\ The FTC warned the companies and app developers that, if 
they have reason to believe the reports they provide are being used for 
employment screening, housing, credit, or other similar purposes, they 
must comply with the FCRA.\17\
---------------------------------------------------------------------------
    \16\ Press Release, FTC, FTC Warns Data Brokers That Provide Tenant 
Rental Histories They May Be Subject to Fair Credit Reporting Act (Apr. 
3, 2013), available at http://www.ftc.gov/opa/2013/04/tenant.shtm; 
Press Release, FTC, FTC Warns Marketers that Mobile Apps May Violate 
Fair Credit Reporting Act (Feb. 7, 2012), available at http://
www.ftc.gov/opa/2012/02/mobileapps.shtm.
    \17\ The Commission made no determination as to whether the 
companies were violating the FCRA, but encouraged them to review their 
apps and their policies and procedures to ensure they comply with the 
Act.
---------------------------------------------------------------------------
    More recently, Commission staff conducted an undercover effort to 
determine if data brokers that disclaimed FCRA liability were willing 
to sell information for credit, insurance, employment, or housing 
decisions. As a result of this ``test shopping'' operation, Commission 
staff found ten data brokers who appeared to offer data for these 
purposes. Commission staff then sent warning letters to these 
companies, advising them that their practices could violate the 
FCRA.\18\
---------------------------------------------------------------------------
    \18\ Press Release, FTC, FTC Warns Data Broker Operations of 
Possible Privacy Violations (May 7, 2013), available at http://
www.ftc.gov/opa/2013/05/databroker.shtm.
---------------------------------------------------------------------------
    The FTC also hosts a Business Center blog,\19\ which frequently 
includes consumer privacy and data security topics; currently, 
approximately 3,500 attorneys and business executives subscribe to 
these e-mail blog updates. The Business Center blog consistently 
features the Commission's enforcement actions and warning letters.
---------------------------------------------------------------------------
    \19\ See generally http://business.ftc.gov/blog.
---------------------------------------------------------------------------
    Finally, the FTC has developed materials designed to educate 
consumers about the ways in which their data may be disseminated to 
companies with which they do not interact. For example, the FTC 
produced a video called Sharing Information: A Day in Your Life, that 
describes how everyday activities by consumers--shopping in retail 
stores with loyalty cards, buying good online, and using social 
networking services--can lead to wide dissemination of personal 
information.\20\
---------------------------------------------------------------------------
    \20\ FTC, Sharing Information: A Day in Your Life, available at 
http://www.consumer.ftc.gov/media/video-0022-sharing-information-day-
your-life.
---------------------------------------------------------------------------
IV. Conclusion
    These enforcement, policy, and education efforts demonstrate the 
Commission's continued commitment to understanding and addressing 
consumer privacy issues posed by the data broker industry. We 
appreciate the leadership of Chairman Rockefeller and this Committee on 
these issues and look forward to continuing to work with Congress, 
industry, and other critical stakeholders on these issues in the 
future.

    The Chairman. Thank you very much, Ms. Rich.
    Pam Dixon. Ms. Dixon is the Executive Director at the World 
Privacy Forum.
    You are on.

          STATEMENT OF PAM DIXON, EXECUTIVE DIRECTOR, 
                      WORLD PRIVACY FORUM

    Ms. Dixon. Chairman Rockefeller, members of the Committee, 
thank you for the opportunity to share what I have learned 
about the data broker industry today. I appreciate it very 
much.
    As a moderate in the privacy debate and in the privacy 
world, I have come to a troubling conclusion: The data broker 
industry, as it is today, does not have constraints and does 
not have shame. It will sell any information about any person, 
regardless of sensitivity, for 7.9 cents a name, which is the 
price of a list of rape sufferers which was recently sold.
    Lists of rape sufferers, victims of domestic violence, 
police officers' home addresses, people who suffer from genetic 
illnesses, complete with names, home addresses, ethnicity, 
gender, and many other factors--this is what is being sold and 
circulated today. It is a far cry from visiting a website and 
seeing an ad. What it is is the sale of the personally 
identifiable information and highly sensitive information of 
Americans.
    So, Senators, I would like to make three points.
    First, scoring. There are now pseudo scores which are 
comprised of factors that are non-financial or, I should say, 
non-credit-report-based. These pseudo credit scores are used in 
lieu of actual credit scores because they completely circumvent 
the Fair Credit Reporting Act. So a business or an employer or 
an insurer can purchase these scores and use them with no ill 
consequence or any consequence at all. This needs to change.
    Second, health. There are lists of millions of people that 
are categorized by the diseases that they have, ranging from 
cancer to bedwetting, Alzheimer's--terrible diseases, some of 
them benign, some of them relating to mental illness. There are 
lists of millions of people and what prescription drugs they 
take. And these lists exist entirely outside of HIPAA.
    The Chairman. Outside of what?
    Ms. Dixon. HIPAA.
    The Chairman. OK.
    Ms. Dixon. The----
    The Chairman. I understand.
    Ms. Dixon. Any kind of Federal--yes--health protection. 
Unless the data is held by a provider or, you know, a covered 
entity under HIPAA, forget it, HIPAA doesn't apply.
    This industry that is selling these lists--there has been a 
lot of mention made of marketing purposes for these lists. 
These lists are being sold without constraint. We don't know if 
employers are buying them, if insurers are buying them. We 
don't know who is buying them. But the lists are being sold for 
apparently billions of dollars, which suggests to me that we 
need to find out who is buying these lists.
    In terms of solutions, my third and final point, we need to 
expand the Fair Credit Reporting Act so that when there are 
consumer scores that are pseudo credit scores that this is 
brought under the Fair Credit Reporting Act so that consumers 
can exercise the same rights they would have if a credit score 
had been pulled. If the information is statistically as 
accurate and has the same effect as a credit score, then why 
isn't it regulated under the Fair Credit Reporting Act? This 
should be a bright line here, and I don't think that that is 
too terribly difficult to draw.
    There needs to be, and actually there is an urgent need 
for, a national data broker requirement for an opt-out. We 
favor an opt-out that is highly granular so that consumers 
don't always have to take the nuclear option and get entirely 
off of every list. We favor consumers having the ability to 
make their own choices. Maybe a consumer wants her name and 
phone number on a list but nothing else, certainly nothing 
about her weight, certainly nothing about the number of 
children she has, or maybe she does, but the point is consumers 
need to know when they are on a list and need to make choices 
about what appears on those lists.
    We need to reexamine HIPAA and decide if health information 
that is not held by healthcare providers deservers healthcare 
protections in privacy. I believe they do.
    This is going to be the beginning of an important public 
dialog that is going to be incredibly important for all of us 
to engage in. Because if we have an industry that has not 
curtailed the sale of names of anyone with highly sensitive 
information for 7.9 cents a name, then we haven't done enough.
    Thank you for this opportunity, and I look forward to your 
questions.
    [The prepared statement of Ms. Dixon follows:]

         Prepared Statement of Pam Dixon, Executive Director, 
                          World Privacy Forum
    Chairman Rockefeller and Members of the Committee, thank you for 
the opportunity to testify today about data brokers, an industry that 
is often hidden from public view, and the impact of data brokers on 
consumers' lives. My name is Pam Dixon, and I am the founder and 
Executive Director of the World Privacy Forum.\1\ The World Privacy 
Forum is a 501(c)(3) non-partisan public interest research group based 
in California. We focus on conducting in-depth research on emerging and 
contemporary privacy issues as well as on consumer education.
---------------------------------------------------------------------------
    \1\ For more information and to read many of the research studies 
and publications, see http://www.worldprivacyforum.org.
---------------------------------------------------------------------------
    I have been conducting privacy-related research for more than since 
1998, first as a Research Fellow at the Denver University School of 
Law's Privacy Foundation where I researched privacy in the workplace 
and employment environment, as well as technology-related privacy 
issues such as online privacy. While a Fellow, I wrote the first 
longitudinal research study benchmarking data flows in employment 
online and offline, and how those flows impacted consumers.
    After founding the World Privacy Forum, I wrote numerous privacy 
studies and commented on numerous regulatory proposals impacting 
privacy as well as creating useful, practical education materials for 
consumers on a variety of privacy topics. A few months ago, we 
published a report on data brokers and the Federal Government, Data 
Brokers and the Government, which examined current law and practices in 
regards to the eligibility use of data brokers in particular. I have 
published many additional studies. Previously, in 2005 I discovered 
previously undocumented consumer harms related to identity theft in the 
medical sector. I coined a termed for this activity: medical identity 
theft. In 2006 I published a groundbreaking report introducing and 
documenting the topic of medical identity theft, and the report remains 
the definitive work in the area.\1\ In 2010 I also published the first 
report on digital and retail privacy, The One Way Mirror Society: 
Privacy Implications of Digital Signage Networks. I have also written 
several well-known reports on self-regulation, and in 2012-2013, was a 
lead drafter in the NTIA MultiStakeholder Process for Mobile App Short 
Form Notices.
    Beyond my research work, I have published widely, including a 
reference book on privacy, Online Privacy, and seven books on 
technology issues with Random House, Peterson's and other large 
publishers, as well as more than one hundred articles in newspapers, 
journals, and magazines.
    I appreciate the dedication and work of Senator Rockefeller in 
bringing much-needed attention to the issue of data brokers, which 
prior to his attention, was languishing on legislative backburners.
Introduction & Summary
    What do a retired librarian in Wisconsin in the early stages of 
Alzheimer's, a police officer, and a mother in Texas have in common? 
The answer is that all were victims of consumer data brokers. Data 
brokers collect, compile, buy and sell personally identifiable 
information about who we are, what we do, and much of our ``digital 
exhaust.''
    We are their business models. The police officer was ``uncovered'' 
by a data broker who revealed his family information online, 
jeopardizing his safety. The mother was a victim of domestic violence 
who was deeply concerned about people finder websites that published 
and sold her home address online. The librarian lost her life savings 
and retirement because a data broker put her on an eager elderly buyer 
and frequent donor list. She was deluged with predatory offers.
    These people--and 320 million others in the United States--are not 
able to escape from the activities of data brokers. Our research shows 
that only a small percentage of known consumer data brokers offer a 
voluntary opt out. These opt outs can be incomplete, extremely 
difficult, and must typically be done one-by-one, site-by-site. Often, 
third parties are not allowed to opt individual consumers out of data 
brokers.
    This state of affairs exists because no legal framework requires 
data broker to offer opt out or suppression of consumer data. Few 
people know that data brokers exist, and beyond that, few know what 
they do. There are about 4,000 data brokers. Despite the large and 
growing size of the industry, until this Committee started its work, 
this entire industry largely escaped public scrutiny.
    Privacy laws apply to credit bureaus and health care providers, but 
data broker activity generally falls outside these laws. Even a 
knowledgeable consumer lacks the tools to exercise any control over his 
or her data held by a data broker. It doesn't matter that the data is 
about the consumer. The data broker has all the rights, and the 
consumer has none.
    Consumers have no effective rights because there is no legal 
framework that requires data brokers to offer consumers an opt out or 
any other rights. Privacy laws apply to credit bureaus and health care 
providers, but data broker activity generally falls outside these laws. 
Even a knowledgeable consumer lacks the tools to exercise any control 
over his or her data held by a data broker. It doesn't matter that the 
data is about the consumer. The data broker has all the rights, and the 
consumer has none.
    In my testimony, I will discuss consumer data brokers, businesses 
that traffic in consumer data. The data broker industry is complex, and 
I can only focus on a few aspects of it.
    There are consumer list brokers that sell lists of individually 
identifiable consumers grouped by characteristics. To our knowledge, it 
is not practically possible for an individual to find out if he or she 
is on these lists. If a consumer learns that he or she is on a list, 
there is usually no way to get off the list. Some exceptions exist, but 
the rule is that the lists are circulated far from consumers' eyes.
    Lists reveal information that would surprise most people. Data 
brokers sell lists of people suffering from mental health diseases, 
cancer, HIV/AIDS, and hundreds of other illnesses. Data brokers sell 
lists of people who live in or near trailer parks so that these 
undesirable consumers can be targeted for suppression. Data brokers 
sell lists of people who are late on payments, often to those who make 
predatory offers to those in financial trouble. Data brokers sell lists 
of people who are impulse buyers or ``eager senior buyers.'' All in 
all, there are millions of lists.
    In addition to list brokers, there are people finder services that 
sell consumer demographic information online. The hundreds of ``people 
finder'' websites online are also part of the data broker industry. 
Statistically, few of these sites give individuals a meaningful 
opportunity to have their information removed from their databases. A 
handful do offer a partial or complete opt out or suppression, but to 
exercise the opt out, consumers have to first find the site, then go 
through what can be an incredibly frustrating series of hoops. Scanning 
drivers' licenses, sending the opt-out through postal mail, and 
sometimes paying as much as $1,000.00 to opt out. A consumer who 
successfully negotiates an opt-out at one data broker faces the 
challenge of doing the same thing at dozens or hundreds of other data 
brokers. There is always the risk that a name removed today will be 
added back tomorrow.
    I will also discuss consumer scores, a growing area of data broker 
activity. Consumer scores are not well-known yet, but their influence 
on consumers is profound. One important example is the modeled consumer 
credit score. The modeled consumer credit score consists entirely of 
non-credit elements. Why? Because this allows the consumer data broker 
industry to avoid giving consumers the rights that the Fair Credit 
Reporting Act provides.
    I will offer some solutions focused on addressing the problems 
identified in my testimony. The solutions I propose are practical and 
possible. The solutions are designed to bring fairness and rights to 
consumers. The data broker industry has not shown restraint. Nothing is 
out of bounds. No list is too obnoxious to sell. Data brokers sell 
lists that allow for the use of racial, ethnic and other factors that 
would be illegal or unacceptable in other circumstances. These lists 
and scores are used everyday to make decisions about how consumers can 
participate in the economic marketplace. Their information determines 
who gets in and who gets shut out. All of this must change. I urge you 
to take action.
The Structure of the Data Broker Industry and Why it Matters
    The data broker industry is complex, layered and multi-faceted, and 
it is evolving rapidly. The industry cannot readily be described as 
just consumer information being sold on flat lists. There is much, much 
more than that.
    A way to start approaching an understanding is to look at some key 
aspects of the industry.

        Size: The data broker industry, by its own estimation, numbers 
        in the neighborhood of 3,500 to 4,000 companies. Most data 
        brokers engage in multiple activities and have a range of core 
        expertise.

        Scope: Data brokers range in scope from multi-national 
        corporations with revenues in the billions to small sole 
        proprietors operating locally. Some data brokers operate 
        offshore.

        Shape of the long tail: This industry has a relatively small 
        number of very large name brand companies, and many more small 
        to mid-size companies. The tail of this industry is very long, 
        and the end of the tail works its way down from large companies 
        to small affiliates selling data online.

        Activities: These include list brokering, data analytics, 
        predictive analytics and modeling, scoring, CRM, online, 
        offline, APIs, cross channel, mailing preparation, campaigns, 
        and database cleansing.

        Data flows: Some data brokers host their own data and are 
        significant purchasers of original data. Acxiom is an example 
        of this kind of company. Some primarily analyze data and come 
        up with scoring and Return on Investments proofs. Datalogix is 
        an example of this kind of company. Some sell or resell 
        consumer information online. Intelius is an example of this 
        kind of company. There are many other models in addition. Some 
        data moves from online to offline and back; some through social 
        media and back. The point is that the business models and data 
        flows are complex, use many sources, and differ between types 
        of data brokers.

        Affiliate Storms: One common model results in the flow of 
        information from the largest name-brand companies to the 
        smaller companies, who then turn around and resell the data to 
        a third tier of ``affiliates'' who then market the information 
        themselves, or to another downstream affiliate. The term I use 
        for this is ``affiliate storm.'' A consumer at the end of all 
        of the data reselling has difficulty finding the original 
        compiler and seller of the data.

        Regulation: The 2013 GAO report on data resellers outlined the 
        lack of regulatory oversight regarding data brokers.\2\ There 
        are additional concerns that some existing regulations are 
        being circumvented in some cases.
---------------------------------------------------------------------------
    \2\ Information Resellers: Consumer Privacy Framework Needs to 
Reflect Changes in Technology and the Marketplace, http://www.gao.gov/
products/GAO-13-663. Sept. 25, 2013.

    My comments today address the consumer-focused aspects of data 
brokers. Some activities of data brokers do not affect consumers in a 
negative or unfair way. Some list cleansing or compliance activities to 
bring the data broker in line with the Do Not Call list are 
unobjectionable. My testimony is about the other consequences of the 
data broker business today.
Sources for Data Broker Data
    The sources for data broker data have become more complex as the 
industry has grown, and as the information systems have become more 
digitized. Consumers sometimes have a choice about whether they give 
data; other times, they do not. Even if a consumer paid mainly cash and 
lived very quietly, using shredders for their mail and records and 
keeping their SSN to themselves, the likelihood that the consumer could 
totally avoid landing on a data broker list is quite small. Most people 
in the U.S. are in many data bases and on many lists.
    Some of the most common sources of consumer data include: 
(marketing, not credit data)

   Retailers and merchants via Cooperative Databases and 
        Transactional data sales & customer lists

   Financial sector non-credit information (PayDay loan, etc.)

   MultiChannel direct response

   Survey data, especially online

   Catalog/phone order/Online order

   Warranty card registrations

   Internet sweepstakes

   Kiosks

   Social media interactions (dependent on data broker 
        interactions/agreements)

   Loyalty card data (retailers)

   Public record information

   Website interactions, including specialty or knowledge-based 
        websites

   Lifestyle information: Fitness, health, wellness centers, 
        etc.

   Non-profit organizations' member or donor lists

   Subscriptions (online or offline content)

    Following are some source examples from data broker cards, these 
examples are not surprising or out of the ordinary.
    On a Baby Boomers data card, Adrea Rubin gave this source data:

        Source: Multichannel Direct Response, Survey Data, and Public 
        Record Information \3\
---------------------------------------------------------------------------
    \3\ DEFINING MOMENTS REACTIVE BABY BOOMERS Data Card, http://
datacardhub.ad
rearubin.com/market?page=research/datacard&id=255914. Last accessed 
Dec. 17, 2013.

    On a data card for a Transaction Database, the company listed the 
---------------------------------------------------------------------------
source as:

        Source: 79 percent catalog/phone order/Online, 21 percent 
        retail.\4\
---------------------------------------------------------------------------
    \4\ Adrea Rubin, Action Network Transaction Database, http://
datacardhub.adrearubin.com/market?page=research/datacard&id=257898, 
last accessed Dec. 15, 2013.
---------------------------------------------------------------------------
    On a data card describing extreme mail order buyers, the source for 
gender, age, income, number of purchases, and number of credit cards 
was cited as

        Source: Multi-source, consolidated from a variety of sources, 
        overlaid with co-op/transactional data[1]

    A data card listing seniors listed the source as warrantee cards.

        Source: Warrantee card registrations \5\
---------------------------------------------------------------------------
    \5\ Warranty IT Seniors, Adrea Rubin, http://
datacardhub.adrearubin.com/market?page=
research/datacard&id=123434, last accessed Dec. 15, 2013.

    Of the sources, a disturbing source is retail purchases both online 
and off. Cooperative databases allow retailers to append copious data 
about consumers to retail transaction files. This is the basis of the 
Pineda vs. Williams Sonoma case in California which Williams Sonoma 
took a consumer's e-mail and added home address information. Below is 
an example of the use of retail transactional/cooperative databases, 
this one from KBM Group.\6\
---------------------------------------------------------------------------
    \6\ http://www.kbmg.com/privacy-policy/.
    
    
    Later in this testimony, I include this company as an exemplar of 
good opt out practices.
Sensitive Information and Lists That Should Not Exist
    One of the key characteristics of modern data brokers is a lack of 
restraint. The degree to which no piece of data is sacred is evident in 
the reams of sensitive consumer data compiled, scored, circulated, and 
sold.
    I do not oppose the selling of lists entirely. There is a 
reasonable center to be found. I agree that some lists are probably 
always going to exist that one or another person deems sensitive. 
Selling lists of doctors, nurses, teachers, and so forth are not among 
my favorite business models. But I understand the need for these lists 
and how they can be used in an unobjectionable way. I think of these 
lists as the center of the bell curve. These lists are of professional 
people.
    However, some lists should not exist at all. This is where I urge 
Congress to take action. Highly sensitive data are the frayed and ugly 
ends of the bell curve of lists, far from the center. This is where 
lawmakers can work to remove unsafe, unfair, and overall just 
deplorable lists from circulation. There is no good policy reason why 
unsafe or unfair lists should exist.
    I give you some examples: police officers home addresses, rape 
sufferers, domestic violence shelters, genetic disease sufferers, among 
others, below:

   A list of police officers at home addresses. This list can 
        threaten the safety of police officers and their families.
        [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
        
   A list of rape sufferers. This is an unjustifiable outrage 
        that sacrifices a rape victim's privacy for 7.9 cents per name.
        [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
        
   A list of domestic violence shelters. Existing laws allow 
        domestic violence shelters to keep their location secret so 
        that abusers cannot find their victims. The commercial sale of 
        lists of these shelters is unjustifiable.
        [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
        
   A list of genetic disease sufferers. This list identifies 
        people suffering from genetic diseases. This information will 
        apply to these people--and their progeny--for their lifetime. 
        Congress and the States have passed laws to protect the privacy 
        of genetic information, but these laws do not stop data brokers 
        from selling genetic information to anyone for any purpose.
        [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
        
   A list of seniors who are currently suffering from dementia. 
        These unfortunate people are often targeted for highly 
        predatory offers. A list of caregivers would not have the same 
        potential for deleterious consequences.
        [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
        
   A list of HIV/AIDs sufferers.
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

   A list of people with addictive behavior, alcohol and drugs. 
        Alcohol and drug treatment information about patients is the 
        subject of extra protections under existing law, but no law 
        stops data brokers from profiting by selling the information.
        [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
        
   A massive list of people identified by disease and 
        prescription taken. Diseases include everything from A to Z, 
        from cancer to mental illness, to bedwetting to gambling and 
        much more.
        [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
        
    These lists speak for themselves. Can we agree that some lists 
should not be circulated? Can we agree that the people named and 
pinpointed and targeted by these lists should be protected from the 
harm that can come from simply the inclusion on the list? I hope this 
is the case.
    I also would put derogatory credit lists on the firing line for if 
not removal, then special treatment. These lists abound,
   Hispanic payday loan responders


   Derogatory credit consumers. These millions of consumers 
        fall into a low credit category.
        [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
        
    In the Solutions section of this testimony I discussion ways that 
this negative list situation can be improved. It is important to note 
that the lists are just the obvious outgrowth of other data broker 
activity, such as scoring.
Geography is Destiny: Trailer Parks and Zip+4
    Where a person lives counts. A lot. Unfortunately, or fortunately, 
depending on where you live, geography is marketing destiny. And 
marketing destiny can now affect what opportunities come your way by 
virtue of savings, discounts, or receiving financial offers.
    For example, people who either live in a trailer park or within a 
certain radius, usually a couple of miles of a trailer park, are often 
candidates for list suppression. They will not receive opportunities 
that their neighbors do solely because of their type of shelter. Or 
conversely, people who are in a trailer park may be specifically 
targeted for ads for low-income products or services. Is this trailer 
park redlining?
    DMDatabases offers, for example, a suppression list that includes 
trailer parks as an option, among others:

                        OTHER SUPPRESSION OPTIONS 
                        NURSING HOMES
                        TRAILER PARKS
                        MILITARY BASES
                        COLLEGE DORMORTORIES
                        BANKRUPTCIES, TAX LIENS, JUDGEMENTS \7\
---------------------------------------------------------------------------
    \7\ DMDatabases, Suppression, http://dmdatabases.com/data-
processing/suppression, last accessed Dec. 17, 2013. Screen shot 
available.

    It can be reasonable and fair or a local business to use Zip+4 to 
target a geographical area nearby. This makes a lot of sense. But I am 
not persuaded that it is fair to use detailed census tract data and 
Zip+4 to unfairly exclude people who may be living in or near the edge 
of poverty.
Inferences and Categorization
    Data brokers categorize consumers into tightly defined boxes 
sourced by retail transactions, number of credit cards, ethnicity, 
marital status, gender, education, and many other factors, including 
neighborhood. There are a number of products sold by data brokers that 
accomplish this. One product in this category is Personix, sold by 
Acxiom. There are 70 Personix Clusters, each one identifying a type of 
consumer. Another product is Prizm, sold by Claritas.\8\ ``P$ycle'' by 
Dataman Group \9\ is another product. However, I do not know of a 
single company that allows consumers to view the clusters they are put 
in. I do not know of a single data broker that will allow consumers to 
permanently opt out of the cluster definitions attached to them.
---------------------------------------------------------------------------
    \8\ http://www.claritas.com/MyBestSegments/Default.jsp.
    \9\ http://www.datamangroup.net/PycleFinancialMarkets.php.
---------------------------------------------------------------------------
    At Acxiom's It's About The Data Portal, entering various zipcodes, 
salaries, and characteristics such as presence of child, marriage, and 
so forth allows one to explore the clusters.
    Here are two sample Acxiom clusters:
    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    These clusters come attached to average ages and proximal 
information to guide marketers. The clusters are purchased by other 
data brokers and are used to overlay other data they already have. In 
many ways, the clusters shape the ads we see online, the deals we get 
in the mail, and in some cases, unwanted targeting both at the high and 
low end of the clusters.
    Take for example the following data card, which is described as Low 
End Credit Prospects. The source for the data is multi-source, and 
includes Acxiom data. The data card specifically identifies low-end 
credit prospects by their inclusion in the Acxiom Personixs clusters. 
In this case, these consumers were not described by being assigned a 
modeled credit score, rather, the cluster does the work of 
characterization. The category profiles are then combined with recent 
transactions, which in turn landed these consumers on this data broker 
list.\10\
---------------------------------------------------------------------------
    \10\ Adrea Rubin, Activity Tracker Low End Credit Prospects Data 
Card, Card ID 310015, http://datacardhub.adrearubin.com/
market?page=research/datacard&id=310015 last accessed Dec. 15, 2013.


    What is most objectionable is that many products like Acxiom's 
exist without consumers having any rights with respect to the data 
about themselves that is being compiled, bought, and sold. Errors may 
significantly alter the cluster a person is in, therefore altering the 
quality and type of offers a consumer receives. Life looks very 
different for cluster 1 and cluster 70.
    Consumers need more rights over the use of their personal 
information by data brokers.
Modern Eligibility
    Eligibility has expanded and, with it, the uses of marketing data 
for eligibility purposes and for suppression purposes. In the 
traditional credit world, the FCRA still regulates the use of credit in 
strictly-defined eligibility situations, such as employment and 
insurance. The Equal Credit Opportunity Act also places limits on data 
use. So does the Health Insurance Portability and Accountability Act's 
(HIPAA) health privacy rule.
    Modern eligibility has evaded, avoided, and overrun these laws, 
creating an unfair situation for consumers. When health data is held by 
a covered entity, HIPAA protections and rights apply. However, the 
exact same data, used for purposes outside of strictly-defined FCRA, 
ECOA or HIPAA limits and when not held by a health care provider, 
escape the bounds of regulation. The definition of eligibility needs to 
be expanded to encompass how data is now used. Consumers need more 
rights with respect to these activities:

   Authentication: using public and behavioral data to 
        authenticate consumers to use a service.

   Anti-fraud: using transactional and behavioral data to 
        determine whether fraud is occurring.

   Identity verification: Running quasi-background checks to 
        verify aspects of a consumer's identity.

   Lifestyle: Background checks for dating websites, for 
        schools, for clubs.

   Offers or suppression based on proxy credit scores: data 
        broker-generated financial offers based on non-credit 
        information, but just as accurate as a traditional credit 
        score. Or the inverse: people are excluded from a list based on 
        this information, but without associated FCRA or ECOA rights.

   Offers or suppressions based on medical data: Consumer 
        health information that has escaped from the boundaries of 
        HIPAA--a significant amount--needs new rules that data brokers 
        must follow. Health-related analytics that have an impact on 
        consumer's health care prices, health care, credit, or 
        employment need controls To protect consumers. Certain lists 
        should not exist, and certain data should not be used in lists, 
        in analytics, or anywhere. Even lists that data brokers deem 
        non-sensitive such as lifestyle lists identifying smokers or 
        other patterns need controls.

    Consumers who fail authentication tests, ID verification, or get 
identified as a fraud risk will show up with different scores, will 
wind up on different consumer data broker lists, and may have 
difficulty conducting their daily business. Consumers who are painted 
as fraudsters may find themselves locked out of their own bank, credit 
cards, and even phones. Consumers who are identified as having very low 
or derogatory credit by non-traditional analysis and scoring may find 
themselves deluged with predatory offers. Consumers who are marked by a 
data broker as having cancer, previous trauma, a chronic disease, 
including genetic diseases, and even lifestyle markers, can have that 
data sold to the wrong party and find themselves on the short end of 
the health care stick and deeply stigmatized in many areas.
Circumventing the FCRA
    While my testimony is not focused on the FCRA, it is important to 
state for the public record that many data brokers are engaging in 
behaviors that circumvent of the FCRA. I leave it to the Committee to 
decide if these activities are already illegal or if they should be 
brought within the FCRA and regulated in the same way as traditional 
credit records.
    Proxy credit scores relate to circumventing the FCRA.\11\ There is 
another issue related to circumventing the FCRA. Many of the websites 
selling consumer background check data and other data state in a 
disclaimer that they are not a consumer reporting agency and therefore 
are not regulated under the FCRA. They adjure their customers to not 
violate the terms. The restrictions are not meaningful, and we suspect 
the violations of terms are routine.
---------------------------------------------------------------------------
    \11\ Selling Consumers Not Lists: The New World of Digital 
Decision-Making and the Role of the Fair Credit Reporting Act, Ed 
Mierzwinski and Jeff Chester. November, 2013.
---------------------------------------------------------------------------
    There need to be meaningful checks and balances to keep improper 
uses from occurring. Given the sheer numbers of affiliate websites 
selling consumer data, this will require some affiliate oversight and 
reform. We found some affiliates without a privacy policy, much less an 
opt out.
    From http://www.peoplesearchnow.com/default.aspx:
    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Just because there is a paragraph stating that a website is not 
operating as a consumer reporting agency doesn't make it so. We 
strongly suspect that the disclaimed is offered with a wink, safe in 
the knowledge that no regulatory agency will be able to look at 
hundreds of small sites for violations of the law.
Data Broker Opt Out: The Grim Choices Consumers Face
    Consumers face bad options and scant choice when it comes to data 
broker opt out. Leaving aside rights conferred under the FCRA for 
strict FCRA-defined eligibility purposes for the moment, consumers are 
in fact left largely to fend for themselves with few tools and no clear 
rights. Some opt outs exist, but the landscape is difficult--so much so 
that it is improbable that consumers can wend their way through the opt 
out process successfully
How many allow opt out?
    The World Privacy Forum compiled a list of 352 consumer-focused 
data broker sites and lists. Our list is available at http://
www.worldprivacyforum.org/2013/12/data-brokers-opt-out/. A study of the 
data broker industry conducted by Dr. John Deighton for the Direct 
Marketing Association in 2013 found that the universe of data brokers 
was approximately 3,500.\12\ Our data broker list, then, comprises at 
ten-percent rough sample of this universe. Included on the list are 
various people finder websites, data brokers that this Committee or the 
FTC has sent letters of inquiry to, consumer list brokers, and others. 
Of 352, 128 offered a data opt out. Some of those were full opt outs, 
some partial or unclear, some of them cost as much as $1,799.00, and 
one opt out promised that the site reserved the right to ``publish the 
request'' if someone decided to opt out.
---------------------------------------------------------------------------
    \12\ Panel comments by Dr. John Deighton, National Press Club, The 
Value of Data: Consequences for Insight, Innovation and Efficiency in 
the U.S. Economy, A Symposium Hosted by DMA's Data-Driven Marketing 
Institute, October 29, 2013. Dr. Deighton was commenting on his 
sampling for the study, The Value of Data: Consequences for Insight, 
Innovation and Efficiency in the U.S. Economy, John Deighton and Peter 
Johnson, DDMI, 2013.
---------------------------------------------------------------------------
Opting out of Data Broker Scores and Lists
    To remove a consumer's name and information from all data broker 
lists appears to be an almost impossible task right now. If a mailing 
list is held by a DMA member, the DMA opt out can be effective. 
However, not every data broker is a DMA member, which poses an 
immediate problem. For scores, there is no known score opt out. After a 
consumer is assigned a score by a data broker, a consumer will find it 
nearly impossible to find that score or to opt-out of its use to 
describe or characterize the consumer.
    In our research, we have found one exemplar company that is 
allowing an opt out of their databases and lists, KBM Group. A screen 
shot of the relevant portion of the policy is below; note that the 
policy allows for internal database opt out as well as linking to the 
DMA opt out. The policy is located at http://www.kbmg.com/privacy-
policy/. This is a best practice, and is seldom seen.
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

Suppression vs opt out
    It is important to note that when consumers opt out of data broker 
websites or lists, most often what is happening is that their 
information is being suppressed. The information remains, but it is 
removed from circulation. Delete is not a word that is used very often 
in data broker opt out.
    For consumers who want to get off of data brokers marketing lists, 
the primary mechanism for removal is to use the DMA Choice opt-out 
mechanism. This will put the consumer on a suppression list, which 
means the data brokers will still have the consumer information, but no 
further sales or marketing will occur within a given time frame via the 
lists that allow opt out or suppression.
    When data brokers allow for a DMA Choice opt out to influence all 
of their list and brokering activity, this is a good thing. But this is 
not nearly as common as it needs to be. Only some lists adhere to the 
DMA Choice program. One significant problem is that not all data 
brokers are DMA members, and thus escape the self-regulatory program. 
For those that are DMA members, we do not know how effective the DMA 
Choice program is.
Policy Issues in Current Opt Out/Suppression Practices
    Of data brokers that allow opt out, additional policy issues 
include the following:

   Incomplete: Most opt outs are incomplete, and often require 
        consumers to have a safety reason for the opt out.

   Suppression not deletion. Many opt outs are suppression-
        based. This may be difficult to change.

   No Third Parties: Consumers are usually required to ask for 
        the opt out directly on their own. Requests through third 
        parties are not allowed. This makes opt out an impossible 
        proposition for consumers, who have to go to each individual 
        site to effectuate the opt outs that are available to them. It 
        is clear that the policy deliberately seeks to make it as hard 
        as possible for consumers to exercise the ability to opt-out.

   No Guarantee: An opt out is not guaranteed, no matter why 
        the consumer is conducting the opt out. Thus, the opt out may 
        not work or may only be effective for a short period of time.

   Fees: Some data brokers charge fees ranging from annoying 
        (less than $30) to exorbitant (in excess of $1,000).

   Hunting for the opt out: Finding the opt outs on many 
        consumer data broker sites is an exercise in extreme patience 
        and persistence. Opt outs are seldom indicated by a prominent 
        opt out button labeled as such. While some data brokers do play 
        nicely with consumers and provide this, fair play is the 
        exception, not the rule. Typically, opt outs are buried deep 
        within a privacy policy, terms of use, or FAQ.

   Opt out requirements non-standardized: Opt out requirements 
        non-standardized: A bewildering array of choices face the 
        person who wants to opt out of data broker lists. Some opt outs 
        are fair. DMA Choice is a reasonable opt out. But many are not 
        reasonable or fair. Some require a privacy-concerned consumer 
        to send a scanned copy of a driver's license or to jump through 
        other hoops. We would be reluctant to recommend that a consumer 
        share a copy of a driver's license. Many consumers do not have 
        a driver's license or other government-issued form of 
        identification, and these consumers may find it impossible to 
        opt out.

   Marketing use of opt -out information: No regulation stops 
        data brokers from selling or otherwise using the information 
        given in an opt out application.

   Negotiating the opt out: There is no controlling legal 
        standard for data broker opt out. As a result, consumers have 
        to dig through complex privacy policies and language and figure 
        out each opt out.

   Partial Opt Outs Only: Some data brokers allow for partial 
        opt outs, meaning that it is available only if there is a 
        safety issue, or if an individual is a member of law 
        enforcement. However, there are concerns even with this. There 
        are no rules that say that information about the request to opt 
        out will not be sold or shared.

   No opt out: Many data brokers do not allow any opt out. 
        Consumers are left with no recourse.
Examples of challenging opt outs
    Here is an example of a privacy policy with an opt out notice, this 
is from a consumer-facing data broker site called SortedbyName.com. 
Note the last sentence, where consumers who opt out may be treated 
punitively for doing so (emphasis in yellow is mine).:

   This webmaster reviews stats, including IP addresses of site 
        visitors from time to time.

   Third party vendors, including Google, use cookies and web 
        beacons to serve ads based on a user's prior visits to the 
        website.

   Google's use of the DART cookie enables it and its partners 
        to serve ads to users based on their visit to the site and/or 
        other sites on the Internet.

   Users may opt out of the use of the DART cookie by visiting 
        the advertising opt-out page. (You can opt out of a third-party 
        vendor's use of cookies by visiting the Network Advertising 
        Initiative opt-out page.)

   With the Firefox browser, use Ctrl+Shift+P for private 
        browsing. Use Tools--Options--Privacy to set preferences. Use 
        Shift+Ctrl+Delete to clear your history so remote servers 
        cannot access it.

   By sending a request for removal of names from the site, you 
        give us permission to publish the request, including your e-
        mail address and all headers.\13\
---------------------------------------------------------------------------
    \13\ http://sortedbyname.com/privacy.html, last accessed Dec. 17, 
2013. Screen shot available.

    Here is an example of a complicated opt out, this at from 
---------------------------------------------------------------------------
waatp.com:

        How do I remove or update my data on waatp.com? waatp.com 
        investigates for live data reached by public on a regular 
        basis. Because this information is not contented on our 
        hosting, we cannot give any guarantees these data will be 
        removed until the change has been occurred at the source of the 
        data. To update or remove this information, we advise: Our site 
        will provide the certain source for the information the applier 
        would have changed or removed. Approval that applier is the 
        individual specified in the Public Profile is an obligatory 
        condition, therefore we may ask that appliers faxes or e-mails 
        it:

        1--a written application asking for the database source or a 
        change application;

        2--a screenshot of a page, with marked information that you ask 
        to change or to search in the source;

        3--a legal proof of ID like State/Federal ID card that points 
        your name, full address, date of birth (you can remove your 
        personal photo an/or ID#);
        4--any pseudonyms;

        5--ex-addresses, including str.name, town, zip.

        You should fax this information to 800 861 9713 (please attach 
        an e-mail so that we are able to contact you regarding any 
        questions) or e-mail to Profile-Remove/at/waatp.com.com. 
        Changes might take up to 6 weeks to come into effect and are 
        only constant if the info has been previously edited or removed 
        at the original source. Without a constant change at the 
        original source, the process of deletion of any info stored in 
        a Public Profile is NOT guaranteed.\14\
---------------------------------------------------------------------------
    \14\ http://waatp.com/faq.html. Last accessed Dec 17, 2013. Screen 
shot available.

    An example of the No third Party policy can be found at People 
Smart, http://www.peoplesmart.com:
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


The Scoring of Americans
    Americans face a future that is increasingly being shaped in 
significant ways by their consumer scores. A consumer score provides a 
way of evaluating an individual or a household. The best-known consumer 
scoring activity is credit scoring. Credit scores date back to the 
1950s, and replaced human judgment about credit granting by relying on 
standardized criteria. While most people are familiar with credit 
scoring, consumer scoring encompasses a broader category of activities 
that uses scores to assess consumers for one or more purposes.
    The World Privacy Forum offers consumer scoring as a generic term 
for these scoring methods. A consumer score derives from an algorithm 
that typically employs objective criteria. The score relies on 
demographic, health, consumption, transactional data, marketing, 
credit, or other personal characteristics. Companies and governments 
use the resulting score to make a decision about an individual or 
household.
    By itself, consumer scoring is not necessarily good or bad. Scoring 
orders a population along a mathematically defined scale. However, 
scoring has the prospect of being used to affect individuals in 
significant ways that may not be fair. If a score becomes the way that 
consumers are treated, then the results may not be acceptable to the 
American public. The quality and relevance of the data used, the 
transparency of the methodology, and the reasonableness of the 
application are the major factors that determine the fairness of any 
scoring activity. These issues are likely to be the central focus on 
the policy debate about consumer scoring.
    Consumer scoring is already more widespread than most people 
realize. A significant segment of the data broker industry already 
focuses on scoring and predictive analytics, and as such, is 
intricately interwoven into the scoring business.\15\ Known consumer 
scoring activities include assessments and predictions relating to 
insurance, bankruptcy, identity, fraud, consumption, health, propensity 
to purchase, ``consumer value estimation,'' and more. A dozen 
categories of consumer scoring have been identified so far, each 
containing numerous scores. There may be hundreds or thousands of 
consumer scores already in use. The Federal Government uses scoring for 
some purposes, an activity beyond the scope of this testimony but 
something that may be worthy of more attention by the Congress. It 
might be useful, for example, to ask the Government Accountability 
Office to identify all of the consumer scoring used by Federal 
agencies.
---------------------------------------------------------------------------
    \15\ The Direct Marketing Association's publicly searchable Vendor 
Database contained 377 companies stating an expertise specifically in 
scoring as of Dec. 15, 2013. Some examples of companies listed include 
Datalogix, Analytics IQ, FICO, iKnowtion, and others.
---------------------------------------------------------------------------
    The use of consumer scoring is expanding rapidly because scores 
provide an easy analytics shorthand for measuring consumer behavior, 
risk, and potential for future success or spending. Companies and 
government will use scores to make more decisions about a consumer's 
access to markets, price for goods and services, ability to travel, and 
other social and economic opportunities. Schools will use scores beyond 
academic measurement scores to determine the viability of candidates.
Policy issues around consumer scoring
Secrecy

    Most consumer scores today are secret--consumers cannot see most 
scores even if they know about them. Beyond the numeric value of the 
scores themselves, a complete lack of transparency surrounds consumer 
scores. Citing proprietary claims, the factors that make up consumer 
scores are secret. The procedures and algorithms are secret. Often, 
even the full numeric range and context are secret.
    Credit scores were unknown to most consumers through the 50s, 60s, 
70s, and 80s. Trickles of a score that was not disclosed to consumers 
but that could be used to deny a person credit began to leak out slowly 
to some policymakers, particularly around the time ECOA passed. In May 
1990, the Federal Trade Commission wrote commentary indicating that 
risk scores (credit scores) did not have to be made available to 
consumers. But when scoring began to be used for mortgage lending in 
the mid 90s,\16\ many consumers finally began hearing about a ``credit 
score,'' most of them for the first time, and mostly when they were 
being turned down for a loan.\17\ A slow roar over the secrecy and 
opacity of the credit score began to build.
---------------------------------------------------------------------------
    \16\ In 1995 Freddie Mac and Fannie Mae endorsed the use of credit 
scores as part of the mortgage underwriting process. This had a 
substantial impact on the use of credit scores in the mortgage loan 
industry. See for example Kenneth Harney, The Nation's Housing Lenders 
might rely more on credit scores, The Patriot Ledger, July 21 1995.
    \17\ See for example, comments of Peter L. McCorkell, Senior 
Counsel to Wells Fargo, to the Federal Trade Commission, August 16, 
2004 in response to FACT Act Scores Study.
---------------------------------------------------------------------------
    By the late 90s, the secrecy of credit scores and the fact that 
people could not see the underlying methodology or factors that went 
into the score or the range of the score to determine how the number 
should be interpreted was a full-blown policy issue. Beginning in 2000, 
a rapid-fire series of events--particularly the passage of legislation 
in California that required disclosure of credit scores--eventually 
dismantled credit score secrecy and non-disclosure. Now, credit scores 
must be disclosed to consumers, and the context, range, and key factors 
are now known.\18\
---------------------------------------------------------------------------
    \18\ As of December 2004, the Fair Credit Reporting Act as modified 
by the Fair and Accurate Credit Transactions Act, or FACTA, ended score 
secrecy formally, and required consumer reporting agencies to provide 
consumers with more extensive credit score information, upon request. 
Also made available to the public was the context of the score (its 
numeric range), the date the score was created, some of the key factors 
that adversely affected the score, and some other items.
---------------------------------------------------------------------------
    Credit scores are no longer secret, and this was and still is the 
right policy decision. Why are other scores secret, when they are being 
used for important decisions about consumers? Why are other score 
factors and numeric ranges secret, when the risk of marketing data 
comprising the score of a factor used in modern eligibility practices 
is very high?
    There should be no secret scores, and no hidden factors.
Unfairness

    Of significant concern regarding scoring are the factors that go 
into the creation of a score. A single score is often created from the 
admixture of more than 600 to 1,000 individual factors. These factors 
can include race, religion, age, gender, household income, zip code, 
presence of medical conditions, zip code + 4, transactional data from 
retailers, and hundreds more. Therefore, one individual score can 
contain hidden factors that range from non-sensitive to quite 
sensitive. A score that is designed to assess or assign consumer value 
to a business could also include factors that would be entirely 
unacceptable or that, in the context of either the Equal Credit 
Opportunity Act (ECOA) or the Fair Credit Reporting Act, would be 
flatly illegal.
    In a description of its sets of scores that can be purchased, one 
company described how it creates its scores:

        Aspects Life Choices system

        Our Database at the Core

        Our proprietary set of data that allows us to produce powerful 
        scored solutions. It is created from over 100 sources, updated 
        quarterly, and contains 1,500 proprietary demographic, 
        psychographic, attitudinal, econometric and summarized credit 
        attributes.

        Clear Benefits to Users

   Can be used to enhance any list   Applied at the 
        Zip+4 level

   Data can be custom modeled \19\
---------------------------------------------------------------------------
    \19\ AnalyticsIQ, http://analytics-iq.com/download/Aspects.pdf, 
last accessed Dec. 16, 2013.

    This particular company, like most companies selling consumer 
scores, does not publish its 100 sources nor its 1,500 attributes that 
it is using to develop the score for consumers' perusal, nor does it 
summarize even the categories of information used for consumers. It is 
unlikely that consumers can purchase or see these scores for 
themselves,\20\ and like other consumer scores, this score is opaque. 
If ECOA factors are present, no one but the company employees would 
know.
---------------------------------------------------------------------------
    \20\ One exception to this is ID Analytics' Identity Score, which 
consumers are able to see.
---------------------------------------------------------------------------
    Notably, the ECOA requires that credit scoring systems may not use 
race, sex, marital status, religion, or national origin as factors 
comprising the score. The law provides the opportunity for creditors to 
use age, however, also requires that seniors are treated equally.\21\ 
Marital status is commonly used as a consumer score factor, as are 
other factors either directly or inferentially connected to factors 
that would be protected under ECOA but are not in broader consumer 
scores, even if those scores are being used for other eligibility 
decisions.
---------------------------------------------------------------------------
    \21\ For more information, see http://www.consumer.ftc.gov/
articles/0152-how-credit-scores-affect-price-credit-and-insurance.
---------------------------------------------------------------------------
Lack of Rights in Consumer Scoring
    After a consumer has been scored, the factors (behaviors, 
characteristics, etc.) that went into the score do not typically 
disappear. After the score have been recorded into a data broker's host 
database, there is not a way for consumers to remove themselves from 
this activity. A discussion of how this impacts proxy credit scores is 
below.
Exemplar: Modeled Credit Scores
    The privilege of marketing information based on credit report data 
comes with the requirement that consumers can opt out of that 
marketing. Marketing targeted to credit reports is strictly limited to 
credit and insurance.\22\ But analytics are at such a sophisticated 
level now that accurate ``modeled credit scores'' are being created and 
used as a proxy for traditional credit scores. These modeled scores are 
made of consumer information drawn from beyond the traditional credit 
bureau score to create an entirely new score. Because these scores 
contain no direct credit information, they are seen by some as outside 
of either ECOA or the FCRA. Therefore, information closely mimicking 
credit data is now being used for broad marketing purposes, and there 
is no requirement for opt out.
---------------------------------------------------------------------------
    \22\ A significant lawsuit on this issue is FTC v. Transunion which 
is definitive. From the press release: ``The Federal Trade Commission 
has ordered the Trans Union Corporation to stop selling consumer 
reports in the form of target marketing lists to marketers who lack an 
authorized purpose for receiving them under the Fair Credit Reporting 
Act (``FCRA''). In a unanimous opinion authored by Commissioner Mozelle 
W. Thompson, the FTC determined that ``Trans Union's target marketing 
lists are . . . consumer reports under the FCRA'' and concluded that 
Trans Union is violating the FCRA by selling this information to target 
marketers who lack one of the ``permissible purposes'' enumerated under 
the Act. The Commission's decision applies to a number of Trans Union's 
target marketing list products including its Master File/Selects 
products, its modeled products and its TransLink/reverse append 
products.'' http://www.ftc.gov/news-events/press-releases/2000/03/
trans-unions-sale-personal-credit-information-violates-fair. Full case: 
http://www.ftc.gov/enforcement/cases-and-proceedings/cases/2000/03/
trans-union-corporation-matter.
---------------------------------------------------------------------------
    A good modeled credit score predicts financial risk comparable to 
the traditional credit score. Fair Isaac's Expansion Score draws 
consumer information from non-traditional sources, that is, sources 
other than the big three credit bureaus. Although Fair Isaac does not 
disclose its data sources except directly to the individual consumer 
being scored, industry publications state that Fair Isaac is using 
deposit account records and pay-day loan cashing as predictive factors 
in its Expansion Score.\23\ The Expansion Score is regulated, so 
consumers who have an Expansion Score are entitled to knowing certain 
information about that score, including the factors. Fair Isaac is 
playing by the rules, but data broker data cards indicate that not all 
companies (or data brokers) are when it comes to inferred credit data 
or scores.
---------------------------------------------------------------------------
    \23\ Ann McDonald, High Points for Credit Scoring: With generic 
scores becoming antiquated, credit-scoring providers are focusing on 
new offerings. Collections and Credit Risk, April 1 2006, 46 Vol. 10, 
No.4.
---------------------------------------------------------------------------
    Companies can now build score cards with very little or even no 
data by taking advantage of the new generic credit bureau scores to 
create a baseline of information. In these cases, the score card is 
typically monitored and evaluated closely to see if it is viable.\24\ 
In this way, the equivalent of consumer credit scores that would be 
otherwise regulated under the FCRA end up being used for all sorts of 
purposes that would not be allowed had they been traditional credit 
scores. The end score could be something like a churn score, or 
customer loyalty score. In other situations, behavioral clues allow 
people to be targeted just as precisely as if their scores were known.
---------------------------------------------------------------------------
    \24\ LC Thomas, RW Oliver, DJ Hand, A Survey of Issues in Consumer 
Credit Modeling Research, The Journal of the Operational Research 
Society, Sept. 2005, Vol. 56, Iss. 9.
---------------------------------------------------------------------------
    People, for example, who have a low Beacon score (an Equifax credit 
score) and are subsequently turned down for the purchase of a phone, 
show up on a data broker mailing list called ``Cell Phone Turndowns.'' 
\25\ The data card says: ``These consumers are ready and eager to 
receive offers and opportunities in the following categories: secured 
and sub-prime credit, Internet, legal and financial service, health 
insurance offers, home equity loans, money making opportunities, and 
pre-approved credit with a catalog purchase.'' The Beacon score is not 
given--it does not need to be in order for data brokers to infer the 
credit score of these individuals. If a generalized credit score is 
known with certainty, as it is in this case, then why is it OK to then 
sell this information without limiting the data to FCRA constraints?
---------------------------------------------------------------------------
    \25\ Cell Phone Turndowns Mailing List, NextMark List ID #188161. 
http://lists.nextmark.com/market?page=order/online/datacard&id=188161, 
last accessed Dec. 12, 2013.
---------------------------------------------------------------------------
    The use of the modeled credit score is well understood by data 
brokers. DMDatabases wrote this on its website, discussing its modeled 
credit score:

        IMPORTANT NOTE: The Fair Credit Reporting Act (FCRA) does NOT 
        allow the release of actual credit data to any party that lacks 
        a permissible purpose, such as the evaluation of an application 
        for a loan, credit, service, or employment. Before requesting 
        information on a credit score mailing list or credit score e-
        mail list, make sure your offer is in compliance with FCRA 
        guidelines. For details on FCRA compliance requirements--CLICK 
        HERE.

        GOOD NEWS/BAD NEWS: The bad news is that 90+ percent of offers 
        do not meet the strict FCRA compliance requirements for using 
        actual credit score data. The good news is that marketers have 
        a very effective alternative . . . The Premier Modeled Credit 
        Score Database.-CLICK HERE and read more.\26\
---------------------------------------------------------------------------
    \26\ http://dmdatabases.com/databases/consumer-mailing-lists/
consumer-lists-by-credit-score. More information about the DMDatabases 
modeled credit score is at http://dmdatabases.com/databases/specialty-
lists/modeled-credit-score-direct-mail-e-mail-list.

    Experian sells ChoiceScore, a financial risk score built entirely 
of non-credit factors.\27\ Experian explains in its description of the 
score that it is created from consumer demographic, behavioral, and 
geo-demographic information. One data broker selling a list of 
consumers who had been segmented by the ChoiceScore said this in its 
data card description, which can be seen in the screen shot below:\28\
---------------------------------------------------------------------------
    \27\ Experian ChoiceScore, http://www.experian.com/marketing-
services/data-digest-choicescore
.html.
    \28\ http://datacardhub.adrearubin.com/market?page=research/
datacard&id=268601.
---------------------------------------------------------------------------
ChoiceScore by Experian UnderBanked and Emerging Consumers
ChoiceScore helps marketers identify and effectively target under-
banked and emerging consumers. Using the most comprehensive array of 
non-credit data available from Experian. A financial risk score 
(indicating the potential risk of future nonpayment) provides marketers 
with an additional tool for more precise targeting.\29\ The data card 
also indicated that the ChoiceScore could be used to suppress some 
consumers from getting information.
---------------------------------------------------------------------------
    \29\ CHOICESCORE BY EXPERIAN UNDER BANKED AND EMERGING CONSUMERS, 
http://datacardhub.adrearubin.com/market?page=research/
datacard&id=268601.


    Based on Experian's website, it appears that the ChoiceScore is 
apparently not available for sale to consumers. The score appears to be 
available for non-FCRA uses.\30\ What factors go into these and other 
scores? How is ChoiceScore used in eligibility decisions? The score's 
factors are not defined, so it is difficult to know what kind of 
marketing data is included, if at all, in the score. It is also 
difficult if not impossible to determine how or if or when the score is 
being used in modern eligibility decisions.
---------------------------------------------------------------------------
    \30\ According to the data broker's data card, two entities 
purchased this data: Achievecard, and Figi's Incorporated. Figi's 
Incorporated appears to be a food gift retailer. (http://www
.fbsgifts.com/about.html#figis).
---------------------------------------------------------------------------
    Are credit factors bundled into any base scores? Are credit factors 
used for non-credit marketing? Are any ECOA factors in the scores? How 
are credit and ECOA factors weighted in the algorithms? We do not know.
    Modern data analytics have made child's play of mimicking 
traditional credit scores and unearthing people who are in various 
credit score brackets. Congress acted to protect the use of this 
information with good reason. The change in technologies that give us 
new modeled scores of great accuracy does not change the underlying 
principles that still need to be at work here: fairness, accuracy, 
transparency, and some reasonable limits in use.
    My question is this: if a modeled credit score is as good as a 
traditional credit score, shouldn't it come under the FCRA? I believe 
the answer to this is yes. Congress needs to draw a bright line around 
this issue in particular and ensure that for fairness reasons it does 
not get entrenched any further. I predict that when consumers learn of 
data broker activity in the scoring area, they will not be happy.
Exemplar: Heath Scores
    Another category to consider is the area of health. Health scores 
are now in circulation, which brings concerns, not the least of which 
is that consumers care deeply about their health privacy and decisions 
made about them regarding their health, insurance policy pricing, and 
prescription pricing. The same questions raised above about 
transparency, secrecy, factors, and use are relevant here. Other 
questions come into play as well. For example: can employers purchase 
health scores? Are health scores shared with debt collectors? Of note 
in the area of health and in other areas is the issue that companies 
increasingly either
Frailty Scores
    Regarding the Frailty Score, in 2011, a rather spectacular medical 
data breach revealed that a company called Accretive was collecting 
detailed and sensitive health information about hospital patients in 
Minnesota via contract with those hospitals, and then using that data 
to develop scores. A lawsuit revealed the extent of the information 
gathering by this company. The company was collecting the following 
information and developing the following scores:

   Patient's full name

   Gender

   Number of dependents

   Date of birth

   Social Security number

   Clinic and doctor

   A numeric score to predict the ``complexity'' of the patient

   A numeric score to predict the probability of an inpatient 
        hospital stay

   The dollar amount ``allowed'' to the provider

   Whether the patient is in ``frail condition''

   Number of ``chronic conditions'' the patient has

   Fields to denote whether the patient has:

     Macular degeneration

     Bipolar disorder

     Depression

     Diabetes

     Glaucoma

     HIV

     Metabolism disorder

     Hypertension

     Hypothyroidism

     Immune suppression disorder

     Ischemic heart disease

     Osteoporosis

     Parkinson's Disease

     Asthma

     Arthritis

     Schizophrenia

     Seizure disorder

     Renal failure

     Low back pain

    The screenshot below is a screenshot of a patient's data that had 
been revealed in the breach, redacted for the lawsuit.
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    One of the complaints in the lawsuit was that patients had no 
knowledge of this scoring activity.

        ``Upon information and belief, the hospitals' patient admission 
        and medical authorization forms do not identify Accretive by 
        name or disclose the scope and breadth of information that is 
        shared with it. Upon information and belief, patients are not 
        aware that Accretive is developing analytical scores to rate 
        the complexity of their medical condition, the likelihood they 
        will be admitted to a hospital, their ``frailty,'' or the 
        likelihood that they will be able to pay for services, among 
        other things.'' \31\
---------------------------------------------------------------------------
    \31\ United States District Court, District of Minnesta. State of 
Minnesota vs. Accetive Health, Inc.

    This was a complex case that illustrates the complex nature of what 
constitutes data broker activities. The company, Accretive, wore many 
hats, from debt collector to data analytics. Data analytics such as 
complex scoring is one form of data broker activity. However, Accretive 
in this case did not fit the traditional mold of data broker as list 
seller. No outsider can tell if the company is internally violating 
restrictions in existing law.
FICO's Medication Adherence Score
    FICO's Medication Adherence Score was launched in June, 2011, 
According to FICO, it is using variables from the marketing world: ``. 
. . those variables include age, gender, family size and asset 
information--such as the likelihood of car ownership--data also used by 
direct marketing companies. FICO says that with only a patient's name 
and address, it can pull the remainder of the necessary information 
from publicly available sources.'' \32\ FICO states that the score is 
used to determine reminder mailings for consumers. It is unknown if the 
uses for the score have expanded since its introduction. Historically, 
prescription reminder activity has been controversial. Those chosen for 
reminders have not always not been very happy about it.\33\ We suspect 
that prescription reminders are sent only to patients who have high-
quality health plans and then only for high-priced, patent-protected 
drugs. That may be the type of information included in a score.
---------------------------------------------------------------------------
    \32\ Jeremy M. Simon, New medical FICO score sparks controversy, 
questions, Yahoo Finance, July 28, 2011. http://finance.yahoo.com/news/
New-medical-FICO-score-sparks-creditcards-1400
615100.html?x=0.
    \33\ Weld v. CVS Pharmacy Inc., No. CIV. A. 98-0897, 1999 WL 
1565175 (Mass. Super. Nov. 19, 1999), aff'd, Weld v. Glaxo Wellcome, 
Inc., 746 N.E.2d 522 (Mass. 2001).
---------------------------------------------------------------------------
General Conclusions about Consumer Scoring and Data Brokers
    I have mentioned above that the data business is changing and is 
becoming much more sophisticated. Consumer scores are a significant 
contributor to the change. Consumer scoring has substantial potential 
to become a major policy issue as scores with unknown factors and 
unknown uses and unknown legal constraints move into broader and 
broader use.
    Secrecy, fairness of the factors, accuracy of the models, the 
inclusion of sensitive information--these are some of the key issues 
that must be handled. It is exquisitely unlikely that self-regulation 
will solve the dilemmas consumer scoring introduces. However, the path 
for what could constitute fair regulation in this area is already 
established via the history of the credit score.
Solutions
    To bring fairness, accuracy, and transparency to consumers 
regarding data broker activities, a multi-prong approach which 
addresses multiple aspects of the problems needs to be pursued.
National data broker list

    The Federal Trade Commission or the Consumer Finance Protection 
Bureau should require the industry to maintain a current list of all 
data brokers, with full identification, description, and contact 
information. If industry cannot provide the needed transparency, the 
agencies should create the list on their own.
National consumer data broker opt out requirement

    There is an urgent need for a national consumer data broker opt-out 
requirement. Consumers should be able to opt out at a central portal. 
Data brokers should be allowed to download the list of those who have 
opted out. Data brokers would then be responsible for scrubbing their 
lists.
    The opt out needs to be standardized, and could operate like 
Prescreen Opt Out. Consumers would opt out at a central portal, 
consumer data brokers would be able to download the list of those who 
had opted out, then data brokers would be responsible for using this 
dated list to scrub their lists.
    National opt out standards:

   No use of opt out data for marketing purposes

   Standardized language around opt out

   Prominent placement on home page of a button or link that 
        says opt out

   Notice to consumers that an opt-out request has been 
        received and acted upon

   Due process rights for consumers denied an opt out

   Consequences for data brokers that do not comply

   Opt outs for all without cost or prerequisites and with 
        simple procedures

    Reform and oversight of affiliate marketing of consumers' 
personally identifiable data. Affiliate marketing of consumer 
information creates very significant challenges for consumers. The 
businesses selling the data should exercise appropriate and reasonable 
oversight.
    List brokers who are selling PII of consumers must allow consumers 
to see the lists they are on and opt out. If a consumer is on a list, 
why can't the consumer be made aware of that? The list could be 
incorrect, and could have consequences if sold to an insurer or 
employer.
    The sale of lists that endanger lives or safety or wellness should 
be stopped. There are lists all of us should be able to agree should 
not exist. The lines can be drawn by regulatory agencies after 
consulting with consumers and industry
    No secret consumer scores, no unfair factors. There should full 
publication of data elements (but not weights) used in consumer scores, 
and all data elements used must be reasonable.
    The expansion of the FCRA to include modern eligibility options. 
Eligiblity uses of data have expanded. The law may need to be expanded 
so that proxy credit scoring or modeled credit scoring clearly fall 
under the law. There should also be limits on the use of sensitive 
information in scoring and on the sale of health data in all contexts. 
In addition, data brokers should be subject to strict disposal 
requirements and time limits for all data held. Fair Information 
Practices should be applied to consumer data broker practices and 
lists.
    Better Enforcement: Civil and in some cases criminal penalties when 
there is a breach of the law. Private rights of action for aggrieved 
consumers should be allowed, togegther with effective enforcement and 
oversight by the FTC and CFPB.
Conclusion
    I agree that the data broker industry is complex, as is our digital 
world, as are the lives of all of us who live in this world. But that 
is no excuse for avoiding the necessary discussions that will need to 
take place between all stakeholders.
    In this testimony, I have said many things. It can be summed up in 
this way:

        Individuals should have the right to stop harmful collection 
        and categorization activity and to force the permanent and 
        immediate expungement of all data that is factually incorrect, 
        data that arrives at an incorrect conclusion about them, or 
        data that influences decisions about a consumer in a negative 
        way.

    This was the idea behind the Fair Credit Reporting Act of 1974. It 
was a good idea then, and the fundamental values remain the same today.
    Thank you for your attention to these matters. I welcome your 
questions, and will be happy to provide further research or input.

    The Chairman. Thank you, Ms. Dixon. And you are exactly 
right; this is the beginning of a dialog. And we need to probe 
deeply, without fear of consequence, and then we need to do 
something about it. That will be a judgment that we will have 
to make, but you have already suggested a change in HIPAA, 
which is, you know, it used to be very sacred and still is but 
not in all cases. So I thank you for your testimony.
    Professor Joseph Turow. Now, Dr. Turow is the Associate 
Dean for Graduate Studies, the Annenberg School for 
Communications at the University of Pennsylvania.

         STATEMENT OF JOSEPH TUROW, ROBERT LEWIS SHAYON

         PROFESSOR OF COMMUNICATION, ASSOCIATE DEAN FOR

             GRADUATE STUDIES, ANNENBERG SCHOOL FOR

           COMMUNICATION, UNIVERSITY OF PENNSYLVANIA

    Mr. Turow. Thank you, Chairman Rockefeller, members of the 
Committee.
    In a bit of a different tack, I would like to address two 
key questions about data brokers and their collection of 
information about Americans for marketing purposes.
    First, if we take sensitive topics like health and 
employment out of the equation, what possible harm can come 
from using people's data for marketing purposes? After all, 
what we are talking about is simply targeting for product 
advertising.
    Second, haven't data brokers and their lists been around 
for over a century? And if so, what makes them today any 
different from the past?
    Let's start with the history question. It is true that 
marketers compiled and bought lists of prospects way back into 
the 19th century. These lists became more detailed in the 20th 
century. But the differences between the lists of even 35 years 
ago and those of today is extreme. The biggest distinction is 
the amount of information brokers have now and how they deal 
with it.
    Lists of the old days were pretty static. The numbers of 
data points companies had about us was rather small. It was 
difficult to interconnect pieces of data, and the data didn't 
change all that quickly. Today, data brokers can collect huge 
amounts of information about tens of millions, even hundreds of 
millions of people. They update that information frequently. 
And they use high-speed computers and advanced statistics to 
draw conclusions in ways previous generations of data brokers 
could hardly imagine.
    Consider Acxiom's recent data catalog. It contains 41 pages 
of information about individual Americans that Acxiom sells to 
marketers. That information ranges from the amount of money 
people make to the kinds of vacations they take, to the number 
of friends they have on social media, to the value of 
neighborhoods they live in, to diseases they have an interest 
in, to how tall they are, to whether they gamble, to their 
media uses and much more. Axiom sells any number of these items 
about individuals, as well as packages of these data, tailored 
to marketers from different industries.
    In addition, through its Acxiom Operating System, the data 
broker has created a kind of universal cookie to find and 
follow people across desktops, laptops, mobile phones, and 
tablets, as well as to collect yet more information about them 
from these media.
    Like Acxiom, other data brokers continually run programs 
that connect our dots for marketers and then attach them to 
other ideas the marketers have about us. The brokers often 
bring together pieces of information that people did not expect 
would be merged when they disclosed them separately to various 
online and offline entities. The results are buckets of 
descriptions and interpretations, stories of our lives, our 
economic value, and our potential that we don't know exist and 
may not agree with.
    The consequences of their use in marketing can be profound 
and disturbing. For example, merchants can charge you more than 
others for products based on features they tag you with that 
you don't even know you have shared. Say a data broker's 
knowledge you regularly buy antacids blends into a complex 
algorithm to predict that you are inclined to accept higher 
prices for recreation than most people. That is great news to 
travel companies searching online for those types of people.
    Using apps and personalized coupons, physical and virtual 
stores can change their prices based on what they know about 
you. Data brokers can add information about your lifetime value 
to retailers' understanding of you from receipts. The results 
can dictate the kinds of items you see at discount and how much 
that discount will be.
    Negative data broker signals about you can mean having to 
wait longer than others for customer service, being rejected as 
a valued customer, and being offered coupons for non-nutritious 
foods.
    Based on predictions of your engagement with the digital or 
addressable ads, media firms can change the news and 
entertainment offerings you receive compared to news and 
entertainment offerings your neighbor or coworkers get. The 
result: you systematically see different worlds from your 
friends or work colleagues because of the stories brokers tell 
about you.
    Now, many of these examples already are taking place. All 
of them are quite plausible. Data brokers trumpet that they 
often make the individuals they sell to marketers for ads 
anonymous so there is no problem. But anonymity of this sort is 
not reassuring. If I am followed online and offline by buckets 
of data that tell particular stories about me, it doesn't 
matter if my name is Joe Turow or 2588704.
    Anonymously and with our full personal information, data 
brokers are encouraging a world of data-driven social 
discrimination that is becoming widespread precisely because it 
comes with all sorts of advertising.
    Surveys I have conducted since 1999 consistently suggest 
Americans worry about what firms learn and think about them. 
Poignantly, I have heard people say they will change their 
activities or how they talk about themselves online to be 
treated better by marketers. The difficulty, of course, is that 
it is often impossible to know whether and how that is going to 
work.
    We are only at the beginning of a data-driven century. Data 
brokers will be central to how we think of ourselves and lead 
our lives. For the sake of democratic ideals and relationships, 
let's limit what and how much data brokers can collect and 
share until, as a society, we know how to create regimes of 
data respect, where people have control over the most important 
elements of their identity.
    Thank you.
    [The prepared statement of Mr. Turow follows:]

 Prepared Statement of Joseph Turow, Robert Lewis Shayon Professor of 
   Communication, Annenberg School for Communication, University of 
                              Pennsylvania
    I would like to address two key questions about data brokers and 
their collection of information about Americans for marketing purposes:

    First, haven't data brokers and their lists been around for over a 
century and if so what makes today any different from the past? Second, 
if we take sensitive topics like health treatments and employment 
issues out of the equation--which many agree should be done--what 
possible harm can come by using people's data for marketing purposes? 
After all, what we're talking about is simply targeting for product 
advertising.
    Let's start with the history question. It is true that marketers 
compiled and bought lists of prospects way back into the 19th century. 
These lists became more detailed into the 20th century. But the 
difference between list of even 35 years ago and those of today is 
extreme. The biggest distinction is the amount of information brokers 
have and how they deal with it. Lists of the old days were pretty 
static. The numbers of data points companies had about us was rather 
small, it was difficult to interconnect pieces of data, and the data 
did not change all that quickly. Today's data brokers can collect huge 
amounts of information about tens of millions, even hundreds of 
millions, of people. They update that information frequently, and they 
use high-speed computers and advanced statistics to draw conclusions in 
ways previous generation of data brokers could hardly imagine.
    Consider Acxiom's recent data catalog, which was available online 
until the company abruptly took it off a number of months ago. It 
contains 41 pages of information about individual Americans that Acxiom 
sells to marketers. That information ranges from the amount of money 
the people make, to the kinds of vacations they take, to the number of 
friends they have on social media, to the value of the neighborhoods 
they live in, to diseases they have an interest in, to how tall they 
are, to whether they gamble, to their media usage, and much more. Axiom 
sells any number of these items about individuals as well as packages 
of these data tailored to marketers from different industries. In 
addition, through its Axiom Operating System the data broker has 
created a kind of universal cookie to find and follow people across 
desktops, laptops, mobile phones, and tablets as well as to collect yet 
more information about them from these media.
    Like Acxiom, other data brokers continually run programs that 
connect our dots for marketers--and then attach them to other ideas the 
marketers have about us. The brokers often bring together pieces of 
information that people did not expect would be merged when they 
disclosed them separately to various online and offline entities. The 
results are buckets of descriptions and interpretations--stories--of 
our lives, our economic value, and our potential that we don't know 
exist and may not agree with. The consequences of their use in 
marketing can be profound and disturbing. For example:

   Merchants can charge you more than others for products based 
        on features they tag you with that you don't even know you've 
        shared. Say a data broker's knowledge you regularly buy 
        antacids blends into a complex algorithm to predict that you 
        are inclined to accept higher prices for recreation than most 
        people. That's great news to travel companies searching online 
        for those types of people.

   Using apps and personalized coupons, physical and virtual 
        stores can change their prices based on what they know about 
        you. Data brokers can add information about your ``lifetime 
        value'' to retailers' understanding of you from receipts. The 
        result can dictate the kinds of items you will see at discount 
        and how much that discount will be.

   Negative data broker signals about you can mean having to 
        wait longer than others for customer service, being rejected as 
        a valued customer, and being offered coupons for non-nutritious 
        foods.

   Based on predictions of your ``engagement'' with the digital 
        or ``addressable'' ads, media firms can change the news and 
        entertainment offerings that you receive compared to the news 
        and entertainment neighbors or coworkers get. The result: you 
        systematically see different worlds from your friends or work 
        colleagues because of the stories brokers tell about you.

    Many of these examples are already taking place. All of them are 
quite plausible. Data brokers trumpet that they often make the 
individuals they sell marketers for ads anonymous, so there is no 
problem. But anonymity of this sort is not reassuring. If I am followed 
online and offline by buckets of data that tell particular stories 
about me, it doesn't matter if my name is Joe Turow or 2588704. 
Anonymously and with our full personal information, data brokers are 
encouraging a world of data-driven social discrimination that is 
becoming widespread precisely because it comes with all sorts of 
advertising. Surveys I have conducted since 1999 consistently suggest 
Americans worry about what firms learn and think of them. Poignantly, I 
have heard people say they will change their activities or how they 
talk about themselves online to be treated better by marketers. The 
difficulty, of course, is that it's often impossible to know what will 
work.
    We're only at the beginning of a data-driven century. Data-brokers 
will be central to how we think of ourselves and lead our lives. For 
the sake of democratic ideals and relationships, let's limit what and 
how much data brokers can collect and share until as a society we know 
how to create regime of data respect where people have control over the 
most important elements of their identity.

    The Chairman. Thank you very much.
    Mr. Hadley, Tony Hadley, is Experian's Senior Vice 
President of Government Affairs and Public Policy.
    Please. We welcome you.

 STATEMENT OF TONY HADLEY, SENIOR VICE PRESIDENT OF GOVERNMENT 
              AFFAIRS AND PUBLIC POLICY, EXPERIAN

    Mr. Hadley. Thank you, and good afternoon, Chairman 
Rockefeller and members of the Committee. My name is Tony 
Hadley, and I am Experian's Vice President of Government 
Affairs and Public Policy.
    Experian is a leading provider of data and information 
services that bring significant value to consumers and the 
economy. We welcome the Committee's interest and dialog in the 
marketing data industry and this opportunity to describe how 
Experian collects and uses data.
    I have submitted a fuller statement, but I am going to 
summarize just a couple points.
    First, Experian truly believes that responsible 
information-sharing significantly enhances economic 
productivity in the United States and provides many benefits to 
consumers. Economists have called the manner in which U.S. 
companies collect and share consumer information among 
affiliated companies and third parties the secret ingredient to 
our productivity, innovation, and ability to compete in the 
global marketplace.
    Experian shares data to help make consumers and small-
business lending more efficient. We share to help facilitate 
access to fair and affordable credit; to help protect consumers 
from fraud, including identity theft; to help consumers gain 
greater financial literacy; and to help companies reach 
consumers with timely and relevant communications and marketing 
offers. Marketing data, in particular, brings lowers prices and 
greater convenience to consumers by strengthening competition.
    Nonprofit organizations and government agencies also depend 
upon consumer data to efficiently serve the needs of people and 
citizens. And just as important, Experian's data allows small 
companies, including many in the state of West Virginia and the 
other states around the nation, to compete with larger 
companies who maintain very sizable customer data bases. So 
Experian provides small businesses with the same data sets that 
their larger competitors have so that they can compete and grow 
their companies.
    A significant point I would like to make also is that the 
operations of Experian Marketing Services and the data it 
collects and uses and shares is completely separate from 
Experian's operations as a consumer credit bureau. No 
eligibility determinations relating to credit, insurance, 
employment, housing, or any other decision under the FCRA is 
ever made with Experian marketing data. Experian has in place 
strict policies as well as technological, management, and 
procedural controls to ensure there is complete separation.
    Experian shares data responsibly by carefully safeguarding 
compliance with all privacy and consumer protection laws and 
industry self-regulatory standards. We even promote new 
industry self-regulatory standards and best business practices.
    The Committee has also sought specific information about 
our clients and our data sources. Experian provides marketing 
data to a wide variety of client organizations in the private, 
government, and nonprofit sectors that market to consumers 
through multiple channels, both online and offline. The largest 
sectors we serve are retail, media, and financial services, but 
our products are used by nearly all sectors of the economy.
    Experian uses include the sources for specific products in 
which the Committee has expressed interest. Most of our data 
comes from public records and publicly available information 
such as ZIP-code-level census information, local property 
records, and telephone directories. Added to this, many people 
voluntarily provide data to Experian by filling out surveys and 
questionnaires.
    These multiple sources of data are aggregated at the 
household level, then analyzed and modeled to predict household 
preferences and propensities. Such methods result in a group of 
consumers receiving messages and advertising that they are more 
likely interested in responding to. When all is said and done, 
we help marketers make the best guess about what messages and 
marketing solicitations a group of consumers may be most 
interested in responding to.
    Finally, I want to emphasize that Experian has made every 
effort to be forthcoming and cooperative throughout the inquiry 
launched by the Committee this year. We have spent considerable 
time and resources to ensure that the information and documents 
we have provided are helpful to the Committee's work in 
understanding the marketplace. To date, Experian has provided 
the Committee with eight submissions, totaling over 3,000 
pages. And we believe this provides a full description of our 
products, services, and consumer protections.
    We are here today as the only corporate representative in 
that spirit of cooperation to help the Committee better 
understand our role in data services and the role we play in 
the economy and the lives of consumers.
    We thank you for your attention and for inviting us to 
appear here, and we look forward to continuing to work with 
you. And I will answer any questions the Committee might have. 
Thank you.
    [The prepared statement of Mr. Hadley follows:]

Prepared Statement of Tony Hadley, Senior Vice President of Government 
                  Affairs and Public Policy, Experian
    Good afternoon, Chairman Rockefeller, Ranking Member Thune, and 
members of the Committee. My name is Tony Hadley and I am Experian's 
Senior Vice President of Government Affairs and Public Policy. Experian 
is a leading provider of data and information services that bring 
significant benefits to individual consumers, the economy and society 
as a whole. We welcome the Committee's interest in the marketing data 
industry and this opportunity to describe to the Committee how Experian 
obtains and uses data. I would like to raise a few key points at the 
outset of my testimony today.
    First, Experian believes responsible information sharing 
significantly enhances economic productivity in the United States and 
provides many benefits to consumers. Economists have called the manner 
in which U.S. companies collect and share consumer information among 
affiliated entities and third parties the ``secret ingredient'' to our 
productivity, innovation and ability to compete in the global 
marketplace. One needs only to look at data-intensive industries like 
telecommunications, information technology, online services, financial 
services, retail and health care to see this innovation at work. 
Indeed, Experian data products and services are central to countless 
transactions within these vital business sectors.
    Experian also shares data to help make consumer and small business 
lending more efficient; to help facilitate access to fair and 
affordable credit; to help protect consumers from fraud, including 
identity theft; to help facilitate greater financial literacy among 
consumers; and to help companies reach consumers with timely and 
relevant communications and marketing offers.
    A second significant point I would like to make is that the 
operations of Experian Marketing Services and the data that it 
collects, uses and shares are completely separate from Experian's 
operations as a consumer credit bureau. No eligibility determinations 
relating to credit, insurance, employment, housing or other decisions 
covered by the Fair Credit Reporting Act are made with Experian 
marketing data. Experian has in place strict policies, as well as 
technological and procedural controls, to ensure this complete 
separation.
    At the Committee's request, and in recognition that credit data 
differs from marketing data, Experian's responses to the Committee's 
inquiry have focused on our operations involving data for marketing 
purposes. That is what I will speak to for the remainder of my 
testimony.
    Marketing data, in particular, brings lower prices and greater 
convenience to consumers by strengthening competition. Both large and 
small businesses rely on data to make their marketing efforts more 
efficient and to identify new customers. Nonprofit organizations and 
government agencies also depend upon consumer data to efficiently serve 
the needs of people and citizens and to enable e-government. For the 
Internet, this has meant providing more and improved content to 
consumers. Consumers also benefit from receiving relevant advertising 
offers that they are more likely to value and use. Marketing data is a 
critical driver behind the growth and efficiency of e-commerce.
    Importantly, Experian's data allows small companies, including many 
in the state of West Virginia and throughout the country, to compete 
with larger companies that maintain sizeable customer data assets of 
their own. Experian Marketing Services helps small businesses to 
successfully identify new customers, thereby establishing and fueling 
successful businesses.
    Experian shares data responsibly--by carefully safeguarding 
compliance with all privacy and consumer protection laws and industry 
self-regulatory standards, advancing and observing industry best 
practices, and establishing and monitoring adherence to our own 
corporate policies and practices. These ``best practices'' help balance 
the benefits to consumers that result from information sharing while 
responding to legitimate concerns consumers may have about how 
information about them is collected, shared, used and protected.
    Marketing data differs in important ways from consumer credit data. 
Experian's marketing data is drawn primarily from public records and 
other publicly available sources and includes data that is ``modeled'' 
or predicted rather than actual, raw data from consumers. In addition, 
we strive for the highest standards of data quality. It is also 
important to recognize that the only negative consequence to consumers 
of inaccurate marketing information would be the possibility of 
uninteresting advertising and marketing. For this and other reasons, 
the Federal Trade Commission has recommended that it is not necessary 
to require consumer disclosure and correction for consumer data used 
only for marketing purposes.
    As described in our materials provided to the Committee, Experian 
has a robust internal compliance program designed to ensure that 
marketing data is only used for marketing purposes. Experian's 
marketing data assets are regulated under many different authorities 
such as Section 5 of the Federal Trade Commission Act, the Controlling 
the Assault of Non-Solicited Pornography and Advertising (CAN-SPAM) 
Act, the National Do Not Call Registry, the Children's Online Privacy 
Protection Act (COPPA), and comparable state laws and regulations. The 
Direct Marketing Association's Guidelines for Ethical Business Practice 
provide an additional foundation for our compliance approach to 
marketing data. Further, Experian's global corporate information 
values--balance, accuracy, security, integrity and communication--
formally guide our data collection and use practices. Our global 
information values align with the fair information practices and 
principles embraced by the FTC and other international organizations, 
including the OECD, the European Union and APEC.
    Finally, I want to emphasize that Experian has made every effort to 
be forthcoming and cooperative throughout the inquiry launched by the 
Committee over a year ago. We have consistently been assured that this 
inquiry aims to build a general understanding within the Committee of 
the marketing data ecosystem. We have also been active in policy 
dialogues promoting effective data security and privacy principles for 
all data. We have spent considerable time and resources to ensure that 
the information and documents we have provided are helpful to the 
Committee's work in understanding the marketplace. To date, Experian 
has provided the Committee with eight submissions totaling over three 
thousand pages, which we believe should provide a full description of 
our products, services and consumer protections. We have also met with 
the offices of the Senators on the Committee to describe our practices 
and respond to any questions about our company, products and services. 
We are here today, in the spirit of cooperation, to help the Committee 
better understand the role our data services play in the economy and in 
the lives of consumers.
    The Committee has also sought specific information about our 
clients and our data sources, so I would like to provide a few details 
about the categories and nature of each. As I just mentioned, Experian 
has already provided a great deal of information and internal 
documents, some of which we regard as competitively sensitive, to 
explain the types and categories of clients we serve.
    These include client organizations in the private, government and 
non-profit sectors that communicate and market to consumers through 
multiple channels including direct mail, catalog, telephone, e-mail, 
mobile, Internet display ads, social media, highway billboards, 
newspapers and other publications. The largest sectors we serve are 
retail, media and financial services. We also provide marketing 
services to clients involved in automotive, professional services, 
telecommunications, consumer goods, healthcare, travel, insurance, 
utilities, education and politics. In total, Experian's data and 
services are used by all sectors of the economy.
    We have also provided to the Committee details on the categories of 
data sources we use, including the sources for specific products in 
which the Committee has expressed interest. As I previously stated, a 
good deal of our data comes from public records and publicly available 
information such as ZIP-code level Census information that does not 
identify specific individuals, local property records, and telephone 
and similar directories. Added to this, many people voluntarily provide 
data to Experian by filling out surveys and questionnaires, both online 
and offline, which contain clear disclosures of the fact that 
information that the individual provides will be used for marketing 
purposes. Some selected business partners also provide Experian 
consumer information after they have gained appropriate consent from 
the consumer or have de-identified or modeled customer data at the ZIP-
code level.
    These multiple sources of data are often aggregated at the 
household level, then analyzed and modeled to predict household 
preferences and propensities. The analysis is aimed largely at helping 
marketers understand key segmentation factors such as approximate age, 
gender, education level, family size and estimated family income. 
Marketers can then use these key demographic segments and propensity 
models in combination with their own customer data to tailor relevant 
messages to existing or potential customers. Such age-old methods 
result in a group of consumers receiving messages and advertising that 
they are more likely interested in and will respond to--benefiting the 
consumer and the business. When all is said and done, we help marketers 
make the ``best guess'' about what messages and marketing solicitations 
a group of consumer may be most interested in responding to at the time 
they are interested.
    Finally, Experian has shared materials on our range of marketing 
products and services, on how we assure the quality and integrity of 
our data, and on numerous other topics. In particular, we have informed 
the Committee about the robust privacy framework that Experian has in 
place to ensure that regulated data is used only for permissible 
purposes, while marketing data is used only for marketing purposes. To 
maintain this strict division, Experian uses a combination of measures 
such as dedicated compliance teams, employee training, and contractual 
restrictions including audit rights. With respect to marketing products 
in particular, Experian's compliance team uses auditing steps such as 
mail piece review and list ``seeding'' to monitor how data is used by 
clients.
    We have also shared with the Committee information about the 
consumer protections we provide for marketing data, including offering 
consumers transparency about our practices through privacy statements 
and the option to suppress the use of their data for various types of 
marketing solicitations.
    Thank you for your attention, and for inviting me to appear before 
the Committee. I look forward to answering any questions the Committee 
may have.
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    The Chairman. Thank you, Mr. Hadley, very much.
    I want to get this right: Jerry Cerasale. Did I do it 
right?
    Mr. Cerasale. You did it correctly. Thank you. I appreciate 
it.
    The Chairman. I am thrilled.
    You are the Senior Vice President of Government Affairs for 
the Direct Marketing Association, DMA. We welcome your 
testimony.

     STATEMENT OF JERRY CERASALE, SENIOR VICE PRESIDENT OF 
        GOVERNMENT AFFAIRS, DIRECT MARKETING ASSOCATION

    Mr. Cerasale. Thank you. Senator Rockefeller, members of 
the Committee, DMA appreciates the opportunity to be here today 
and to talk about this important subject.
    On a personal note, I want to say that I have testified 
before this committee many times, I have testified before other 
committees before Congress, and today, on my last day of work 
before I retire, I want to thank Congress for the opportunities 
they have given me to participate in dialog here before the 
Congress. And I appreciate it.
    Senator Rockefeller, I will not be here when you retire at 
the end of this Congress, so I want to say personally we thank 
you for your service to the United States.
    Now back to why I am here today, talking about data. Data--
--
    The Chairman. Are we allowed to ask you questions, or is 
your----
    [Laughter.]
    Mr. Cerasale. Yes, you can ask questions. Sadly, they know 
where to find me to get the questions to me. They say I am a 
phone call away, and I have promised that they can call me. I 
didn't promise I would answer the phone, but that is beside the 
point.
    [Laughter.]
    Mr. Cerasale. Anyway, data. Every consumer-facing business 
in the United States uses data today. It is important, it 
drives our economy, it is driving our current recovery. And it 
is very, very important to us and to our members.
    And in that light, DMA has created the Data-Driven 
Marketing Institute, and it has commissioned a study to take a 
look at the value of data and the uses of data in the American 
economy. And we used a professor from Harvard Business School 
and a professor from Columbia University, and they conducted 
this value-of-data study and found that data is worth $156 
billion a year to the American economy, 675,000 jobs, and 70 
percent of that influence is related to sharing of data by 
companies.
    But even more importantly, this data-sharing helps small 
businesses. It helps break down the barriers to entry so small 
businesses can come in and compete with the big boys. And it 
keeps them, once they get a foothold, it keeps them on a level 
playing field.
    But this is not new. This has been happening for a long 
time. I will give you a couple of examples. L.L. Bean started 
with a list of nonresident Maine hunters, and that is how that 
started. The Discover card, which is one of the first credit 
cards that was a reward credit card, began with a list of Sears 
credit holders. Without those lists, those companies wouldn't 
have started, those benefits from those two companies would not 
have been realized. So it is important.
    It is personal information that is used. And the United 
States has some strong privacy laws: Fair Credit Reporting Act, 
Children's Online Privacy Protection Act, CAN-SPAM, HIPAA, GLB, 
Data Pass, and so forth. And those laws are complemented by 
self-regulation by the industry.
    And I can speak only for DMA here. DMA has a peer ethics 
committee that meets monthly, handles complaints from consumers 
and other businesses that are brought to it against members and 
non-members. Most of them comply with our guidelines. Those 
that don't, we publicize them on the webpage. If there is a 
violation of law, we turn it over to the state AGs, to the 
Federal Trade Commission, to the Postal Inspection Service, to 
law enforcement.
    And as we have looked at this, the Federal Trade Commission 
has said that they support this complementary effort by self-
regulation, and we want to continue that. And we continually at 
DMA update these guidelines so that they are alive and meet 
today's real-world efforts.
    One of the things that we can talk about, however, that all 
of this is, in fact, working. The American consumers are voting 
with their pocketbooks and their feet, and e-commerce is 
growing, growing multiple times the rest of the economy, 
because they have trust in this process. And think about it; 
they need trust. They are purchasing something without having 
it on hand and paying for it before they receive it. They need 
to have that trust. And this economy, this data-driven economy 
is, in fact, working.
    Think about the great American success story, and I mean 
really great American success story, Amazon. On Cyber Monday, 
it sold 300 items per second. That shows that Americans have 
confidence in this. Their needs as American consumers are being 
met in this data-driven economy.
    There are clearly concerns. There are concerns about what 
is happening. You have heard them; it is in the report and 
others. We have heard them today. We should focus on the 
improper use of data and figure out how to prevent the improper 
use of data.
    But one of the things we can't do is pull away and stop 
responsible uses of data that are driving this economy. That is 
something that we have to be very careful of as part of this 
dialog we are having today. The American economy, small 
businesses, American workers, and American consumers rely on 
and benefit from responsible data use. And America leads the 
world in that category, and we hope to keep it that way.
    Thank you very much for this opportunity. I look forward to 
answering any of your questions.
    [The prepared statement of Mr. Cerasale follows:]

    Prepared Statement of Jerry Cerasale, Senior Vice President of 
            Government Affairs, Direct Marketing Association
I. Introduction
    Chairman Rockefeller, Ranking Member Thune, and members of the 
Committee, good afternoon and thank you for the opportunity to testify 
before you today.
    My name is Jerry Cerasale. I am the Senior Vice President of 
Government Affairs for the Direct Marketing Association (``DMA''), the 
world's largest trade association dedicated to advancing and protecting 
responsible data-driven marketing. Today, I am pleased to testify on 
behalf of the DMA and to discuss with the Committee the important role 
that marketing data and database compilers play in aiding consumers and 
fueling the United States economy.
    Founded in 1917, the DMA (www.thedma.org) represents thousands of 
companies and nonprofit organizations that use and support data-driven 
marketing practices and techniques. On behalf of its member companies, 
the DMA advocates industry standards for responsible marketing; 
promotes relevance as the key to reaching consumers with desirable 
offers; and provides cutting-edge research, education, and networking 
opportunities to improve results throughout the end-to-end direct 
marketing process.
    My testimony today will describe the value that marketing data has 
across the U.S. economy and affords to consumers. I will also explain 
how marketing data is collected and how DMA members, including data 
compilers, responsibly use and share this data to serve consumers. 
Lastly, I will explain how DMA and its member companies are subject to 
our longstanding and enforceable self-regulatory framework, the DMA 
Guidelines for Ethical Business Practice (``DMA Guidelines'').
II. The Value of Data
    Responsible collection and sharing of marketing data is critical to 
today's information economy. When data is used to fuel data-driven 
marketing, these practices provide many benefits for job growth, 
entrepreneurship and innovation, as well as to individual consumers.
A. The Value of Data to the U.S. Economy and American Workforce
    A recent study entitled, The Value of Data: Consequences for 
Insight, Innovation & Efficiency in the U.S. Economy (``Value of 
Data''), quantifies the critical role that the use and sharing of 
marketing data plays in fueling economic growth.\1\ Commissioned by 
DMA's Data-Driven Marketing Institute and conducted independently by 
Professors John Deighton of Harvard Business School and Peter Johnson 
of Columbia University, the study revealed that the Data Driven 
Marketing Economy (``DDME'') generated $156 billion in revenue to the 
United States economy and fueled more than 675,000 jobs in 2012 alone. 
Further, the study found that an additional 1,038,000 people owe their 
employment to these DDME jobs.\2\ The study estimated that 70 percent 
of the value of the DDME--$110 billion in revenue and 475,000 jobs 
nationwide--depends on the ability of firms to share data across the 
DDME. If this ability to share data were curtailed, those jobs and 
revenue would be impacted and the U.S. economy would be much less 
efficient.
---------------------------------------------------------------------------
    \1\ Deighton and Johnson, The Value of Data: Consequences for 
Insight, Innovation & Efficiency in the U.S. Economy (2013), available 
at http://ddminstitute.thedma.org/#valueofdata (hereinafter ``The Value 
of Data'').
    \2\ The Value of Data at 74.
---------------------------------------------------------------------------
    The DDME is a uniquely American creation, and today data-driven 
marketing is an important U.S. export. Just as the United States led 
the world when Montgomery Ward developed the first mail order catalog 
in 1872, and created digital market-making media by commercializing the 
Internet browser in the 1990s, today the United States is at the 
forefront of data-driven market growth. The Value of Data study found 
that the United States leads the world in data science applied to the 
marketplace, with DDME firms deriving up to 15 percent of their revenue 
overseas, while employing nearly all of their workers inside the United 
States.\3\
---------------------------------------------------------------------------
    \3\ The Value of Data at 21.
---------------------------------------------------------------------------
    The Value of Data study also found that database compilers are an 
important piece of the DDME. For instance, list services and database 
marketing input providers added $7 billion and 31,000 jobs to the 
United States economy.\4\ They were able to do this by combining data 
that they receive from various sources to create marketing 
opportunities. Database compilers derive most of their economic effect 
from their ability to share this data with marketers that, in turn, can 
provide consumers with more relevant advertisements.
---------------------------------------------------------------------------
    \4\ The Value of Data at 53-54.
---------------------------------------------------------------------------
B. The Value of Data to Entrepreneurship and Innovation
    The use of data inspires new technological designs and fosters 
entrepreneurship in the process. According to the Value of Data study, 
the bridge between an idea and its implementation at scale is 
considerably shorter in an information economy than in an industrial 
economy.\5\
---------------------------------------------------------------------------
    \5\ The Value of Data at 78.
---------------------------------------------------------------------------
    The DDME, and the services offered by database compilers, are 
essential to the success of start-up companies and other small 
businesses. The Value of Data study found that the sharing of data 
across the DDME enables small and innovative businesses to compete 
effectively with big players, launching innovative offerings using 
data. Data gives all companies, and especially small businesses, the 
ability to effectively match products to customers both online and 
offline, thereby lowering barriers to market entry for specialized or 
niche offerings that previously could not have succeeded.
C. The Value of Data to Individual Consumers and Companies
    Consumers demand personalization, and enterprises that know their 
customers better can also serve them better. Data-driven marketing is 
about discerning what customers want and need and engineering the 
company to provide it. Consumers benefit from companies' responsible 
collection and analysis of user data by receiving timely and relevant 
offerings through the marketplace and products designed to meet their 
needs. In this way, consumers enjoy a more informed and effective 
shopping experience, which saves them both time and money.
    According to the Value of Data study, the efficiency that data 
brings to the practice of marketing also bears directly on consumer 
welfare. Marketing absorbs a significant percentage of manufacturer 
revenues, meaning that marketing costs can increase the price that 
consumers pay for food and household products by up to $25 in every 
$100 spent. When marketing is informed by data, it is more efficient 
and some of this value flows back to consumers in the form of lower 
prices.\6\
---------------------------------------------------------------------------
    \6\ The Value of Data at 75.
---------------------------------------------------------------------------
    In short, the flow of data throughout the DDME is creating 
consumer-driven companies. Data sharing promotes competition and 
entrepreneurship. In the process, jobs are created across the United 
States and consumers are exposed to an array of new products and 
services that would be unavailable or unknown to them absent data-
driven marketing.
III. The Responsible Collection and Use of Consumer Data
    Marketing data comes through a variety of sources. It is analyzed 
by marketers to make predictions about likely consumer preferences to 
guide marketing campaigns.
A. Marketing Data Collected Directly from Consumers
    A common source of marketing data is data obtained by businesses 
from direct interaction with customers. When a customer purchases goods 
in a local store or shops online, data about that purchase is gathered 
by the marketer. Marketers use data from other sources, including 
information from public records and other publicly-available sources, 
such as U.S. Census data. Marketing data may also include self-reported 
information that consumers choose to provide through surveys. Marketing 
data does not include the types of information that create a risk of 
identity theft or fraud to consumers, such as financial account numbers 
or social security numbers.
B. Responsible Uses of Marketing Data
    Marketers use marketing data to understand their existing customers 
better or to identify prospective new customers, in order to predict 
what types of offers are most likely to be valued by them. For example, 
a local hardware store would want to send a coupon for a discount on a 
lawnmower to a new home buyer with a lawn and a different coupon for 
paint to a condominium buyer. Data will help this small business to be 
more efficient in its advertising and provide more value to consumers. 
Marketers may also use data to make other decisions related to their 
businesses, such as what products to develop and offer in the future or 
where to locate new retail outlets.
    Data used for marketing is also ``modeled'' or inferred information 
that represents a statistical prediction about consumers and does not 
necessarily reflect the actual characteristics of one consumer or 
household. For example, based on public property records and U.S. 
Census data that is aggregated at the Zip Code or census tract level, 
database compilers may estimate the average age of a dwelling in a 
certain ZIP code. Marketers, such as a local roofing company, can then 
use this information to make offers that are more likely to be valuable 
to households in that ZIP code.
C. Marketing Data is Not Used for Eligibility Purposes
    It is important to note that there is a difference between using 
data for marketing purposes and using data for eligibility purposes. 
The use of data for eligibility decisions related to credit, insurance, 
and employment is regulated by the Fair Credit Reporting Act 
(``FCRA''). The FCRA requires companies that make such decisions to 
offer consumers certain disclosures about, and access to, the data used 
to make those decisions.
    In contrast, the use of data for marketing purposes is not used to 
make decisions that impact whether a consumer can obtain credit. The 
Federal Trade Commission (``FTC'') agrees that entities that maintain 
data for marketing purposes do not need to provide consumers with 
individualized access to marketing data, unlike consumer report 
data.\7\ Instead of determining a consumer's ability to receive a loan 
or get a job, the use data for marketing purposes determines which 
coupon or advertisement he or she receives. The FCRA recognizes the 
difference in these uses, which is why marketing is not included in the 
types of activity that require increased levels of disclosure and 
access.
---------------------------------------------------------------------------
    \7\ Protecting Consumer Privacy at 65-66.
---------------------------------------------------------------------------
    In addition, some policymakers have raised concerns that data 
collected for advertising purposes could be used as a basis for 
employment, credit, health care treatment, or insurance eligibility 
decisions. In fact, these are hypothetical concerns that do not reflect 
actual business practices. Nevertheless, industry has stepped forward 
to address these concerns by expanding its codes of conduct to clarify 
and ensure that such practices are prohibited and will never occur.\8\ 
This prohibition will help to ensure that consumers' browsing histories 
will not be used against them when applying for a mortgage, job, or 
insurance, or when seeking health care.
---------------------------------------------------------------------------
    \8\ See Digital Advertising Alliance's Self-Regulatory Principles 
for Multi-Site Data (2011), available at http://www.aboutads.info/
resource/download/Multi-Site-Data-Principles.pdf.
---------------------------------------------------------------------------
IV. The Value of Self-Regulation in the Data-Driven Marketing Economy
    The DMA and its members are firmly committed to advancing 
responsible data practices across the DDME. Our members deeply value 
consumer trust and understand that responsible data practices are 
critical to building and maintaining customer relationships. To that 
end, the DMA believes that self-regulation and education are important 
components for addressing consumer privacy while ensuring that data 
flows continue to benefit consumers and the economy.
A. The DMA Guidelines for Ethical Business Practice
    The DMA has a longstanding and enforceable self-regulatory 
framework. The DMA, working with its members, implements and enforces a 
set of best practices known as the Guidelines for Ethical Business 
Practice (``DMA Guidelines''). The DMA Guidelines, which have been in 
place for more than four decades and are a condition of membership in 
the DMA, provide DMA member companies with standards for responsible 
marketing practices by explaining how companies should provide 
transparency, choices, and other protections to consumers. The DMA 
regularly updates its guidelines to adapt to new technologies and 
marketing practices.
    There are more than 50 code sections in the DMA Guidelines that 
regulate marketing data practices. I would like to focus on a few key 
examples relevant to the subject of this hearing, and to database 
compilers in particular.
1. Transparency

    Transparency around data practices is a core principle of the DMA 
Guidelines. For example, privacy policies are the primary way that 
companies provide consumers with information about their data 
practices. These polices typically provide consumers with detailed 
information regarding what data is collected, how it is used, and the 
choices that may be available to consumers. The DMA Guidelines require 
that these policies be made accessible via online and offline channels, 
and be easy to read and understand. The DMA Guidelines also require 
members to periodically keep existing customers aware of the nature of 
the use of their data, and how that use may have changed.
2. Choice

    DMA members have long offered consumers the ability to opt out of 
marketing. The DMA Guidelines require data-driven marketers to honor 
within 30 days any request by a consumer to opt out of any use or 
sharing of their data for marketing purposes.
    In addition to the choices available from individual member 
companies, the DMA offers a centralized choice tool for consumers at 
DMAchoice.org. This service allows consumers to opt out of direct 
mailings and to refine what categories of mail they receive. Also at 
this website, consumers can remove their e-mail address from national 
mailing lists. Through these programs, the DMA provides consumers with 
an easy way to make informed choices about the marketing they wish to 
receive.
    The DMA's commitment to consumer choice also extends to online 
interest-based advertising. The DMA Guidelines require third party data 
collectors to provide consumers with the ability to exercise choice 
with respect to the collection, use and transfer of information for 
online interest-based advertising purposes. This choice must be 
provided online and made available to consumers as specified in the DMA 
Guidelines.
3. Access

    Consistent with the FTC's views on individualized access to 
marketing databases, the DMA Guidelines do not require members to allow 
consumers to access individual records within marketing databases. The 
DMA agrees with the FTC that the costs of providing such access would 
outweigh the consumer benefits. The DMA is also concerned that in order 
to allow consumers the ability to access and correct data, marketers 
would have to collect and store additional personally identifying data 
needed to authenticate consumers prior to access. In addition, as 
noted, much marketing data is actually modeled or predicted data that 
would not be meaningful to consumers. The DMA therefore believes that 
its current guidelines around transparency and choice strike the 
correct balance between consumer control and marketing needs to 
encourage the continued growth and success of the DDME.
4. Guidelines Specific to Database Compliers

    The DMA Guidelines include a section outlining specific 
requirements for database compilers that assemble and share personally 
identifiable information about consumers but do not have direct 
relationships with those consumers.\9\ For example, these compilers 
must, when requested by a consumer, suppress that consumer's data from 
marketing databases. They must also disclose the nature and sources of 
a consumer's data upon request, and they must allow their marketing 
customers to divulge the compiler as the source of their marketing 
data. The database compiler must additionally monitor the use of their 
databases to assure compliance with the law and the DMA Guidelines. A 
database compiler that discovers a violation of the law or the DMA 
Guidelines may not ``turn a blind eye'' but should stop providing data 
to that customer and either require compliance and/or refer the matter 
to the DMA or law enforcement.
---------------------------------------------------------------------------
    \9\ Direct Marketing Association, DMA Guidelines for Ethical 
Business Practice at Article 36, available at http://thedma.org/
compliance/.
---------------------------------------------------------------------------
B. Enforcement
    The DMA has a long history of proactive and robust enforcement. The 
DMA Guidelines have been applied to hundreds of direct marketing cases 
concerning deception, unfair business practices, personal information 
protection, and other ethics issues. The DMA enforces compliance with 
the DMA Guidelines upon both DMA member and nonmember organizations 
across the DDME. In addition, companies that represent to the public 
that they are DMA members but fail to comply with the DMA Guidelines 
may be liable for deceptive advertising under Section 5 of the FTC Act 
and comparable state laws.
    The DMA receives matters for review in a number of ways: from 
consumers, member companies, non-members, and consumer protection 
agencies. Complaints referred to the DMA's Ethics Operating Committee 
are reviewed against the DMA Guidelines and if a potential violation is 
found to exist, the company will be contacted, investigated, and 
advised on how it can come into full compliance. Most companies work 
with the Ethics Operating Committee voluntarily to cease or change the 
questioned practice.
    However, if a member company does not cooperate and the Ethics 
Operating Committee believes there are ongoing violations of the DMA 
Guidelines, it can recommend that action be taken by the Board of 
Directors and can make case results public. For example, in the period 
spanning February 2012 through June 2013, the DMA Corporate & Social 
Responsibility Committee reviewed 55 cases and 12 of these were made 
public. Additional Board actions could include public censure, 
suspension or expulsion from DMA membership. The DMA also refers cases 
to Federal and state law enforcement authorities for review when 
appropriate.
C. Business and Consumer Education
    To help educate marketing professionals, regulators, and other 
interested parties about the DMA Guidelines, the DMA regularly issues a 
case report that summarizes questioned direct marketing promotions and 
how enforcement cases were administered.\10\ The DMA also provides 
member education regarding the DMA Guidelines through webinars, in-
person seminars, and regular written communications to members.
---------------------------------------------------------------------------
    \10\ Direct Marketing Association, DMA Annual Ethics Compliance 
Report 2012-2013 (2013), available at http://thedma.org/compliance/.
---------------------------------------------------------------------------
    In addition to educating member companies about their 
responsibilities under the DMA Guidelines, the DMA frequently offers 
conferences, webinars, courses, seminars, and written materials to keep 
companies up to date about new legal and policy developments. These 
efforts help companies, especially small businesses, to comply with the 
host of restrictions that govern data-driven marketing.
    Finally, the DMA commits resources to educating consumers directly 
about marketing practices and the choices available to consumers. A 
section of our website is dedicated to ``Consumer Help'' and provides 
consumers with access to the centralized DMAChoice.org tool for 
managing their direct mail and e-mail preferences as well as a wealth 
of information about how marketing works.
    The Value of Data has helped us to quantify what marketers have 
long known--the use and sharing of data for marketing provides 
tremendous benefits for the U.S. economy and the American workforce, 
for small and large businesses, and for individual consumers and 
society as a whole.
    Thank you again for inviting me to testify today, and I look 
forward to answering questions from the Committee.

    The Chairman. Thank you very much, sir.
    I will start out the questioning, and then we will do it 
according to order of arrival.
    Mr. Hadley, one of the products that your company sells to 
marketers is called ``ChoiceScore.'' This product targets what 
you call ``underbanked'' consumers. Let me read your 
description of the underbanked consumers: new legal immigrants, 
recent graduates, widows, those with a generation bias against 
the use of credit, followers of religions that historically 
have discouraged credit, and consumers with transitory 
lifestyles, such as military folks.
    Mr. Hadley, the populations in this group are very 
vulnerable to financial scams. We have experienced that in this 
committee because we have done hearings about that, 
particularly near military bases, where people take--you know, 
these are relatively young people, they are overseas, they are 
back for a while, and they are very vulnerable because they 
need cash, and people could come in and really clean their 
clocks, and do, and we have the testimony to prove that.
    Last month in this committee, we held a hearing about 
companies that target fraudulent financial products to our 
military servicemembers. And military personnel are 
unfortunately vulnerable to scams because of their financial 
inexperience and their steady paychecks.
    So, Mr. Hadley, why does your company single out and sell 
lists of economically vulnerable groups like immigrants, 
widows, and military personnel?
    That is a very important question to me, because if you set 
the probable response to whom your questions are aimed, your 
marketing is aimed at, you can fairly well predict the type of 
product they are going to get. I mean, you will be offering 
them a nicer vacation, a less nice vacation, et cetera. But 
when you put people in categories and they are vulnerable, that 
is not called the L.L. Bean model.
    So I would like you to respond to that question.
    Mr. Hadley. Thank you, Senator.
    We would be very concerned if lenders were using that 
information for scamming purposes too. And we have processes 
and procedures in place to ensure that nobody gains access to 
that score for that purpose. Now----
    The Chairman. And how does that work?
    Mr. Hadley. We have an onboarding system by which we take 
on a client that gets our information to know who they are. And 
we also have a mail-piece review process to know what they are 
going to offer the consumer. And if it is anything that looks 
discriminatory or predatory, we will not provide our list to 
them.
    Now----
    The Chairman. And this is your self-regulation?
    Mr. Hadley. This is our self-regulation under DMA 
standards. So if we were to violate that, we would be in 
violation of our self-regulatory standards as well as our 
contractual standards with our clients.
    Now, what is important here is that there are somewhere 
between 45 million and 50 million Americans who are outside the 
mainstream of the credit markets in the United States. These 
are underbanked, underserved consumers who financial 
institutions cannot reach through credit scoring and credit 
report. They don't have financial identities or a big enough or 
even the presence of a credit file in order to bring them into 
the mainstream of financial markets.
    But that doesn't mean that they don't need access to 
financial services. So banks use this data to try to reach out 
to consumers who they can help to empower them, not to scam 
them. We don't want to do business with financial institutions 
who are trying to scam people, only to empower them.
    And this is their best way to find those individuals who 
are outside the mainstream--immigrants; new to credit, like 
recent college graduates, exactly what we are talking about 
here--to give them an offer, an invitation to apply, so that 
then they can make an eligibility determination regarding that 
application under the Fair Credit Reporting Act.
    But this is marketing literature, not eligibility 
determination.
    The Chairman. Who----
    Mr. Hadley. Did I add to that for you?
    The Chairman. Not entirely. Can you tell me, which are the 
companies that buy this ChoiceScore product from you? We have 
asked you that.
    Mr. Hadley. Yes, they would be banks and financial 
institutions and members of the financial community.
    The Chairman. That is what is called a general answer.
    Mr. Hadley. Yes. I can't tell you who our clients are. That 
is a proprietary list of ours. It is like our secret 
ingredient; the ones who would want that most are our 
competitors.
    And our counsel has informed me that they don't believe 
that our ability to give that to you can be shielded from 
disclosure through the rules of the Senate. If we thought they 
could be--for example, under a law enforcement action, where it 
could be shielded and protected from FOIA or other disclosures, 
we could do that, but not under the rules of the Senate. And we 
are very sorry about that, but we just simply can't do that. 
Our counsel won't let us.
    The Chairman. Oh. Well, there are a lot of counsels out 
there looking for work.
    [Laughter.]
    The Chairman. My point is that--you have to keep up with 
your competitors, and my point to you would be I am not 
necessarily approving of what your competitors are doing. I 
mean, maybe you want to keep up with them, but maybe they are 
doing exactly what you are doing but on a larger scale. And----
    Mr. Hadley. We don't want to keep up with most of our 
competitors.
    The Chairman.--a lot of those other companies, 
incidentally, gave us the precise information which I want from 
you.
    Mr. Hadley. I would hope that the focus of the Committee 
and FTC and others interested in these types of uses of data 
would focus on those data brokers, because it is not Experian 
that is doing that. We wouldn't have that within our business 
model.
    The Chairman. All right. Can you please provide the names 
of the companies that buy lists of economically vulnerable 
consumers from Experian?
    Mr. Hadley. I can tell you the types of categories. And 
there is a really good story----
    The Chairman. But don't you understand how that doesn't 
work up here?
    Mr. Hadley. Yes.
    The Chairman. The types of categories?
    Mr. Hadley. But let me tell you----
    The Chairman. It is very hard to pass the Tax Code with----
    Mr. Hadley. Yes, let me tell you who buys them, and I can 
name a few because they are public, right?
    Our Mosaic segmentation system, it reflects the entirety of 
the economic range of our economy. We don't leave out low-
income individuals. They exist within the economy and need 
products and services, too. But the most frequent users of that 
segmentation, the economically disadvantaged, Senator, are 
typically government agencies and public policymakers who are 
trying to get a view into them so that they can deliver them 
messages and marketing materials about public services they are 
eligible for.
    Among the users of those are the West Virginia Department 
of Health and Human Services, the Massachusetts Department of 
Health and Human Services, the New Jersey Department of Health 
and Human Services. They want to reach those people, let them 
know what benefits they are eligible for so that they can come 
and get them. They also use this data to update address lists 
for their clients.
    The Chairman. You will admit, won't you, that if a state 
HHS, so to speak, will use that information, that is quite a 
different kettle of fish from a for-profit, bottom-line-
oriented company?
    Mr. Hadley. And we would put the departments of HHS through 
the same review of who they are and what they want that 
information for, because we wouldn't want them to use our 
information to disadvantage those consumers, only to empower 
them. So they would go through the same review.
    The Chairman. All right. My time has expired. And you 
happily engaged in an interesting process; you selectively 
named some of your clients. If you can selectively do it, you 
can broadly do it.
    Mr. Hadley. Those are a matter of public record.
    The Chairman. Well, that is the point.
    Mr. Hadley. Right.
    The Chairman. What should be a matter of public record is 
what you do. This is an oversight committee. This is a serious 
subject. We have the feeling people are getting scammed or 
screwed by this feeling. It is up to you to talk us out of 
that.
    Mr. Hadley. But not by Experian. And I can assure you, Mr. 
Rockefeller, the Experian executives are watching this right 
now and they are hearing what you are saying. We respect your 
point of view.
    The Chairman. You think they are all glued to their TV 
sets?
    Mr. Hadley. No, to their monitors----
    The Chairman. Oh, OK.
    Mr. Hadley.--right? And so we want to be responsive to you, 
seriously. And so we look forward to the dialog.
    The Chairman. All right. Well, anyway, my time has expired.
    And Senator Booker--it is going to be Senator Booker, then 
Senator Johnson, then Senator Blumenthal, then Senator Markey. 
That is just so I can hold everybody here.

                STATEMENT OF HON. CORY BOOKER, 
                  U.S. SENATOR FROM NEW JERSEY

    Senator Booker. Good afternoon, and thank you very much for 
your rich testimony.
    You know, the Internet now--the ability for big data to be 
used is actually a service to many consumers. It serves me 
every time I go online, every time I am shopping.
    And I love the fact that I can use this little device and 
things will be pushed to me that are very valuable. And that is 
how data-sharing helps to fuel our economy, is a service to 
customers. There are so many great advantages of it.
    I do have worries on the back end of that, which I think my 
chairman, Senator Rockefeller, is making a point, and those are 
the concerns of consumers.
    And so, just one quick question about, you know, what 
frustrates me when I am--you know, that I know my browser 
history, these cookies are on my computer that are sort of 
tracking and tracing what I am doing, and I understand the 
upside and the benefit of it, but that is a little problematic 
to me.
    Could you--Mr. Cerasale?
    Mr. Cerasale. Sure, Senator Booker.
    There is a group that DMA is part of and started, the 
Digital Advertising Alliance, on the online--following where 
people are. And we have created an icon and a process to allow 
consumers to opt out, totally or selectively, for any cookies 
that are used to track their surfing, their browsing activity, 
across unaffiliated websites. And that icon is a little 
triangle with an----
    Senator Booker. So you are saying--I am sorry to interrupt 
you, just because I have so little time.
    Mr. Cerasale. No problem.
    Senator Booker. So you are saying that the industry is 
trying to self-regulate----
    Mr. Cerasale. Yes.
    Senator Booker.--and find a way because you recognize that 
this is a problem.
    Mr. Cerasale. Yes. And approximately a little over a 
million people have opted out. Over 10 million people have gone 
to the website----
    Senator Booker. I am a pretty tech-savvy, X-Gen guy; I 
never heard of this. So----
    Mr. Cerasale. OK.
    Senator Booker.--that is problematic to me, just because I 
am very engaged in the world of tech. So I didn't know there 
was even an opt-out function. And I am concerned about my--so 
the industry is trying to correct what they know is a problem, 
true?
    Mr. Cerasale. Right, to give consumers a choice, 
absolutely.
    Senator Booker. OK.
    So, Ms. Rich, I am just curious, there is so much positive 
here. I mean, the opportunity for big data to enrich our lives 
gets me excited about what the future is. And so these 
businesses, in some ways, have a wonderful public purpose. But 
I do worry about the darker side in the way that my Chairman is 
discussing.
    And I really want to know--it is not as simple as saying 
more transparency or--it is difficult to create a regulatory 
framework that is nimble. I mean, this is such a changing 
environment.
    So, really, I just want to know for you, like, how are you 
planning on using your 6(b) authority under the FTC Act to 
study and stay abreast of this industry and see if there are 
needs or opportunities, like in this one, where the industry is 
not correcting or self-regulating, where we can get them to the 
point where we are balancing all of these incredible positives 
of big data with the obvious downsides?
    Ms. Rich. We think about this every day, balancing the 
positive but also protecting consumers. In this case, though, I 
think the first step is pretty simple, as there is really very 
little transparency about data brokers. And providing that 
transparency is pretty basic. It is not a technological issue.
    In more complex circumstances, the way we balance is we 
engage in a constant learning process. We do workshops, we are 
always learning about industry, we meet with consumer groups, 
we meet with business groups. And we also, in everything we do, 
we are always trying to develop flexible standards. We are 
thinking about, you know, what about 20 years from now 
especially in the orders we get, will this last, will this be 
able to grow with innovation? And we make a lot of effort in 
that regard.
    But I do want to bring it back to--you know, we have some 
basic steps here to bring about some transparency that 
shouldn't undermine the data-driven economy. And, in fact, 
there is nothing in that study that DMA did that addresses how 
privacy would undermine the data-driven economy.
    Senator Booker. Right. And because so much of what I am 
doing for free on the Internet is made free because folks are 
shooting ads at me that are targeted to my interests or needs 
or what have you. But you are saying that there is just a 
tremendous larger degree of transparency that needs to be given 
to the public.
    Ms. Rich. And we think that transparency--and we were 
talking about this a few minutes ago--is completely consistent 
with the growing economy. I mean, consumers are increasingly 
demanding more information about how their data is being used. 
When you give them information, they often develop more trust 
in the businesses they are engaging with. And we think it is in 
both consumers' interests and businesses' interests to provide 
more information.
    Senator Booker. I would love to hear what Mr. Hadley or Mr. 
Cerasale have, if they have any resistance to that increased 
transparency, but I am trying to stay on the good side of the 
Chairman. I am the new kid on the block. So I will yield.
    The Chairman. Senator Booker, you are always on the good 
side of the Chairman so you can charge right ahead, but you 
have blown that opportunity.
    [Laughter.]
    The Chairman. And so we are going to go to Senator Johnson, 
to be followed by Senator Blumenthal, Senator Markey, and the 
invincible Senator McCaskill.
    Senator McCaskill. Did you say invisible?
    The Chairman. Invincible.

                STATEMENT OF HON. RON JOHNSON, 
                  U.S. SENATOR FROM WISCONSIN

    Senator Johnson. Invincible.
    Well, thank you, Mr. Chairman.
    By the way, this is an excellent discussion, this is a very 
good hearing. I appreciate Senator Booker's good questioning. I 
kind of want to pick up where he left off, talking a little bit 
about transparency, because it is a great term.
    I want to know exactly what the FTC wants to do in terms 
of, what is your fix? What is transparency to you?
    Ms. Rich. Well, in this context, what we have recommended 
is that data brokers allow consumers access to the kind of 
information that they maintain about consumers.
    Senator Johnson. How?
    Ms. Rich. Either through some sort of centralized--what we 
recommended in a privacy report we did last year was either 
through--possibly through some centralized website where 
consumers can go. DMA has something like that for opt-out. DAA 
has developed a centralized website for online tracking. And so 
we have recommended that for data brokers.
    Senator Johnson. So what would be on this centralized 
information thing? What would be on there?
    Ms. Rich. The names of data brokers, and then you would be 
able to find out what kind of information they collect, and you 
would be able to potentially opt out of the use of their data.
    Senator Johnson. Mr. Hadley, can you tell me what that 
sounds like to you and what problems the industry would have 
with that and how restrictive that would be?
    Mr. Hadley. Well, first, we want to be responsive and be 
more transparent, although we, too, are trying to figure out 
what that means in a meaningful way to consumers.
    Regarding an opt-out website, here is the problem as I see 
it: I don't know how to define ``data broker.'' I have never 
seen a definition of ``data broker'' that wouldn't sweep in 
tens of thousands of companies, because everyone exchanges data 
and shares data and sells data within the Internet ecosystem. 
That is how the business model of the Internet is.
    So would we have a website with an entire industry on it? 
And how would that really be meaningful to a consumer if you 
throw that many companies up? Of course Experian would be on 
that, but so would 10,000 other companies. That is not a 
meaningful way of providing transparency.
    Instead, what we are trying to explore is how can we make 
the exchange and sharing of information responsibly more 
meaningful to consumers. And we think one of the steps could be 
working with the users of data brokers----
    Senator Johnson. OK. Well, let me stop you, because I have 
limited time.
    With mailing lists, for example, you get a one-time use. 
And I was trying to follow what you are talking about, because 
it sounds like you have a system where you are making sure that 
this material is not misused, because that is the real problem. 
The violation is the misuse, the improper use of the 
information.
    For every time you sell data, is that restricted to a one-
time use that you already have determined is not a misuse?
    Mr. Hadley. It is----
    Senator Johnson. Or do you sell the data and they can use 
it for years?
    Mr. Hadley. No. It is sold pursuant to a contract, in some 
cases one time, in some cases as a license over numerous times. 
But we always have audit procedures in all of those situations 
to know how they are using that data and what they are using it 
for. And it is strictly limited to marketing purposes.
    Senator Johnson. The information, you are saying it is, you 
know, from public records, sometimes surveys. But is it also 
from those cookies, and are you also getting it from all the 
other Internet applications? And do you have agreements with 
different people that gather all these cookies? I mean, is it a 
much larger data-gathering than what we were kind of talking 
about earlier?
    Mr. Hadley. We do collect information online in that realm, 
but it is all aggregated, anonymized data. There is no 
personally identifiable information attached to it.
    So, for example, we might be able to know what type of 
consumer is visiting X website versus another website so that 
we can share that in competitive intelligence for the industry. 
So Macy's might want to know what Nordstrom shoppers look like, 
in the aggregate, de-identified, so they can compete against 
one another and vice versa.
    Senator Johnson. Mr. Cerasale, again, as Senator Booker 
talked about, there are incredible benefits by people using the 
Internet, and of course we always take a look at, do you agree 
to use this website? And I would say most people just say, yes, 
I want to use this website, hit ``agree''; they don't really 
read the, what, 300 pages of all the information saying, hey, 
we are going to share this information. If you want to use this 
phenomenal, free application, you are subjecting yourself to a 
certain lack of privacy.
    How do you get--is there any way of getting around that?
    Mr. Cerasale. There is. I think that icon I was expressing 
to Senator Booker is an easy--it says ``AdChoices,'' and I can 
click on it; it tells you about what is happening of following 
your web browsing across websites. And then there is a link 
right to AboutAds.info, a website where you can opt out. That 
type of--is how we are looking at it.
    We have worked with NTIA in looking at mobile apps and the 
small screen, and how do you let people know what type of 
information you are collecting. So we need quick links from----
    Senator Johnson. So, like, on a do-not-call list, can it be 
one time and you are covered? Or is this application after 
application after application?
    Mr. Cerasale. On the DAA, it is one time and you are 
covered, and it probably affects about 96 percent of the 
targeted ads and so forth. That many people have signed up for 
it, so it is pretty close.
    Senator Johnson. And that icon is located where?
    Mr. Cerasale. That icon is usually located right around the 
ad that is targeted. And we have contracts with Canada, with 
EU. We are working on Australia, starting with Latin America, 
to try to make that icon worldwide.
    Senator Johnson. OK. Thank you.
    Thank you, Mr. Chairman.
    The Chairman. Thank you. And that was good questioning.
    Senator Blumenthal?

             STATEMENT OF HON. RICHARD BLUMENTHAL, 
                 U.S. SENATOR FROM CONNECTICUT

    Senator Blumenthal. Thank you, Mr. Chairman. And thank you 
for having this hearing. Thank you for pursuing this profoundly 
important issue with such far-ranging consequences for both 
good and ill in our society.
    And thank you to the staff for this truly remarkable study. 
For anyone who doubts how to define a data broker, I recommend 
the report, ``A Review of the Data Broker Industry: Collection, 
Use, and Sale of Consumer Data for Marketing Purposes.'' There 
is now an industry involved in this very far-reaching and far-
ranging collection, use, and marketing of data.
    And one of the ironies is that almost every day in the 
headlines and in the news we read about what the NSA is doing 
in the collection and use of data about citizens in this 
country who are protected by the Fourth Amendment. One of our 
justices once defined the right of privacy as the right to be 
left alone. Obviously, consumers do not have that same right 
against this industry because it is not the government. And yet 
their privacy interests may be just as much at risk and abused 
as they are by the government.
    And that is really what brings us here today, not only the 
vast potential for good but also the downsides and the dark 
side and the danger of the collection and use.
    And I, quite honestly, did not expect anybody to come here 
today and say, we are using this data to exploit people. You 
know, I am not the naive. But I think you need to recognize 
that others could use it for that purpose. And all you need to 
do is turn to page 24 of this report and see the categories 
that are sometimes used for marketing purposes.
    And let me give you two very concrete examples of why I 
think that people ought not to be compelled to surrender 
personal privacy as the price of admission for the use of the 
Internet. And that is really what we are talking about, the 
sacrifice of privacy as the price of admission to the Internet.
    In December 2012, the Wall Street Journal ran a story 
entitled, ``Websites Vary Prices, Deals Based on Users' 
Information.'' And it stated, in part, quoting, ``Websites are 
adopting techniques to glean information about visitors to 
their sites in real-time and then deliver different versions of 
the web to different people. Prices change, products get 
swapped, wording is modified, and there is little way for the 
typical website user to spot it when it happens.''
    So if you prefer Hilton hotels over Marriott hotels and the 
wrong company gets its hands on that information, you could be 
charged more for staying at one hotel or another than a person 
just walking in off the street.
    Now, I assume, Mr. Hadley, that you would join me in 
feeling that such marketing practices and pricing practices 
would be offensive and should be made illegal, perhaps.
    Mr. Hadley. I would agree with you that that shouldn't be 
happening. And Experian is not involved in dynamic----
    Senator Blumenthal. I am not asking you about Experian. I 
am not expecting that you will tell us that Experian is 
involved in these kinds of----
    Mr. Hadley. But dynamic pricing does exist. All you have to 
do is look at the hotel and airline industry, and they have 
variable pricing.
    We don't provide products and services to allow them to 
undertake that dynamic pricing. That is their choice, because 
they are marketing their product or service.
    Senator Blumenthal. Do you think it is fair to the 
consumer?
    Mr. Hadley. I wouldn't want it to happen to me, but I know 
that it does. If I go to Las Vegas and there is a----
    Senator Blumenthal. Well, the fact that it does is why we 
are here today, right?
    Mr. Hadley. I am not sure that it is illegal. It is just a 
factor of----
    Senator Blumenthal. Let me ask you, Mr. Cerasale----
    Mr. Hadley.--the economics, right?
    Senator Blumenthal. I am not asking you for your legal 
opinion.
    Mr. Cerasale, what do you think about that practice?
    Mr. Cerasale. Dynamic pricing and changes in pricing are 
there all the time, and you have--frequent flyers get different 
prices. Grocery stores, people who have the card have different 
prices. It is part of where we are today.
    I think if it is discriminatory and so forth, you look at 
it. It goes back to what I said. You want to look at use, not 
the data itself or the collection of it, but use. If there is 
an improper use----
    Senator Blumenthal. Well, you would agree with me that 
discriminatory pricing that charges people more because they 
are regarded as more vulnerable, and without their knowing it, 
would be, at best, unethical?
    Mr. Cerasale. Yes--I--yes. And I believe there are laws----
    Senator Blumenthal. Let me ask you another question.
    Mr. Cerasale.--on that, as well.
    Senator Blumenthal. And I am rushed for time. I am going to 
use my last 4 seconds to ask you a question----
    Mr. Cerasale. Sure.
    Senator Blumenthal.--about a second area where I think 
discrimination, the prospect of discrimination and exploitation 
is raised. And that is in terms of job postings and screening 
of job applicants.
    I don't need to tell anybody in this building about the 
devastating impact of long-term unemployment in this country. 
And I have joined Senator Warren in a bill that would prohibit 
the use of credit scores of job seekers in a discriminatory way 
during the hiring process.
    Let me ask you whether an employer could buy information 
from your company, Mr. Hadley, for example, and use it to 
target job postings in a way that discriminates against certain 
job applicants, using the information that might be obtainable 
from your company.
    Mr. Hadley. Marketing data cannot be used for employment 
screening and job eligibility. That is a case under the Fair 
Credit Reporting Act. So they would have to obtain a credit 
report, and all of the consumer rights would accrue to that 
marketing----
    Senator Blumenthal. Well, let me ask you, what would 
prevent an employer from asking for information from your 
company and then, on its own, using it in a discriminatory way?
    Mr. Hadley. We would know who that company is and why they 
were asking us for marketing information.
    Senator Blumenthal. And you would----
    Mr. Hadley. And we would know what----
    Senator Blumenthal.--refuse to sell to them?
    Mr. Hadley.--they were going to use it for, and we would 
forbid them in our contract with them from using it for any 
purpose under the Fair Credit Reporting Act, including 
employment purposes.
    Senator Blumenthal. If it is a violation of the Fair Credit 
Reporting Act. What if they said to you it is not a violation?
    Mr. Hadley. We would disagree with them, and we wouldn't 
give them the----
    Senator Blumenthal. Is that true of other companies in your 
industry?
    Mr. Hadley. I think it is a pretty standard practice among 
those that belong to DMA and practice good standards.
    I can't vouch for all of them, but it certainly is with 
Experian. We know the bright line between those.
    Mr. Cerasale. It would violate our----
    Senator Blumenthal. Your company does, but from the 
information that has been provided to my office, not all 
companies do. Do you----
    Mr. Hadley. Then it is a violation of law, and the FTC 
should take action against those companies.
    Mr. Cerasale. It is unethical, it violates our guidelines 
to use marketing data----
    Senator Blumenthal. It is unethical, it violates your 
guidelines, but maybe the law----
    Mr. Cerasale. That is correct.
    Senator Blumenthal.--ought to be clarified so that 
everybody understands it is illegal.
    Mr. Chairman, I apologize for exceeding my time. I tried to 
move as quickly--I want to apologize to the witnesses for 
perhaps interrupting you.
    Unlike Senator Booker, although I am still a new guy on the 
block, I didn't say at the outset I was going to stop when I 
should have. So----
    The Chairman. Well----
    Senator Blumenthal.--I know I am on your bad side now.
    The Chairman. No, you are not on my bad side, but, you 
know, you are clearly just sort of settling into this role of 
being a licensed lawyer.
    [Laughter.]
    The Chairman. He was attorney general for 29 years.
    Senator Blumenthal. I am a recovering lawyer.
    [Laughter.]
    The Chairman. Yes.
    Senator Blumenthal. I apologize, Mr. Chairman, and----
    The Chairman. No.
    Senator Blumenthal.--thank you.
    The Chairman. Senator Booker will learn from you.
    [Laughter.]
    The Chairman. Senator Markey?

               STATEMENT OF HON. EDWARD MARKEY, 
                U.S. SENATOR FROM MASSACHUSETTS

    Senator Markey. Thank you, Mr. Chairman, very much.
    So the bottom line is that there are digital dossiers being 
collected on every American right now by the companies 
represented at this table. And there is a lot of promise from 
that: services that can be provided. There is a lot of peril 
from that: the compromise of the privacy and the most intimate 
secrets of families that can go out and on sale across the 
country and across the world.
    And the bottom line is no company should be allowed to do 
that. If the individual doesn't want that information 
compromised, they should have a right to be able to control 
that data. And no company should be allowed to play fast and 
loose with the information which they have gathered about 
Americans.
    So I had a caucus meeting over on the House side last year, 
and we had some of the gentlemen here today over there for 
that. And we began to talk about propensity scores--propensity 
scores. And that is a practice of attaching a propensity score 
to individuals, hundreds of thousands, millions of Americans. 
And the scores are created without the consumers' knowledge, 
without the consumers' consent.
    And then they become the basis for targeting offers, 
benefits, products to certain consumers. And as a result of 
these e-scores, high-value prospects may receive marketing 
details and discounts regularly, but others may not. They may 
be dismissed as low-value people, characterized as ``waste'' in 
industry slang.
    So, Ms. Dixon, what are the dangers attached to an industry 
that engages in those kinds of practices, in terms of its 
impact upon tens of millions of Americans?
    Ms. Dixon. The real problem with the propensity scores and 
the propensity values that are attached to consumers is that, 
unlike a credit score that would be pulled, that would be 
covered under the Fair Credit Reporting Act, but these scores 
are not covered under the Fair Credit Reporting Act.
    If they are health scores, they are not covered under 
HIPAA, they are not being held by a healthcare provider.
    So, therefore, you can be tagged with these 
characteristics, and these characteristics are not under any 
regulation. There is no law that says that an employer cannot 
use these to determine job eligibility. There is no law that 
says that an insurer cannot use these scores to determine 
rates, because these are not regulated scores. So the 
propensity scores are of great concern.
    And, of course, consumers do not have the opportunity to 
learn about these scores. These are secret scores. And 
consumers do not have the opportunity to opt out of this, as 
they would if the scores were covered under the Fair Credit 
Reporting Act.
    Senator Markey. Great.
    So we have to do something about that, Mr. Chairman. You 
know, we are hearing language about, well, that might not be 
illegal, so we can actually pass a law and make it illegal. So 
that is what this committee is all about.
    And now let me go back to you again, Ms. Dixon. Thank you 
for that.
    We know that data brokers categorize people into market 
segments, so-called ``suffering seniors,'' ``burdened by 
debt,'' singles,'' ``credit crunch,'' ``city families.'' And 
these are the real labels that actual data brokers use to 
describe all these different segments out there as they are 
trying to decide who they are going to be talking to.
    But that categorization can cause real economic harm, 
including profiling, redlining, and racial discrimination. And, 
in fact, there is actually a term for it: not redlining, but 
``web-lining.'' We are just going to use the web to kind of 
segment people out. They are in the wrong income group, the 
wrong racial group, the wrong sex, the wrong whatever. And they 
just can do it. And there probably aren't enough laws on the 
books to protect people against that.
    Ms. Dixon, can you talk about that and what the need is to 
fill in that vacuum, as well?
    Ms. Dixon. There is an interesting situation that is going 
on. And, interestingly enough, the DMA report came to the 
conclusion that offline information and online information are 
now thoroughly merged. And as a result, web-lining is real-
life-lining, as well, so what happens on the web now happens in 
real life.
    So if there is a discriminatory problem there, we are going 
to be experiencing it elsewhere. It is a circular process now. 
We can't just go online and block our cookies.
    Any reasonable consumer who is shredding their Social 
Security number, blocking cookies, and surfing the web 
responsibly, they can still not evade being put on a list of 
data brokers according to their health condition.
    Senator Markey. So let's go to that line, that kind of 
blurry line that has been allowed to be created, and what the 
consequences are for consumers, kind of that line between 
credit reporting agencies and data brokers that market 
financial products. That is an atmosphere of ambiguity, and 
some fraudsters could do some real harm to people, huh?
    So if you could talk about that a little bit, Ms. Dixon.
    Ms. Dixon. So the pseudo credit scores, or pseudo scores, 
they are made up of about 1,500 factors. They are all non-
credit-file factors, so they don't fall under the Reporting 
Act. They can include factors that would be prohibited under 
the Equal Credit Opportunity Act. This is troubling, deeply 
troubling.
    So we don't know everything that goes into these scores. We 
need to. We need to know how the scores are being used, and we 
certainly don't want these scores being used to target 
underserved Americans with predatory offers.
    Senator Markey. And let's just move on to the next 
category. You know, we can talk about the sale of lists of 
people with particular diseases, huh? And just kind of 
circulate those lists around to people, just so that, you know, 
marketers know who not to even get anywhere near, huh? I am 
going to get all the people with these different diseases that 
we have been able to compile and just make a list of it and 
make sure they are over here and they are walled off.
    Talk a little bit about that and what that means for our 
country.
    Ms. Dixon. I was stunned, in doing my research, when I 
found lists of people who were rape sufferers, people who were 
genetic disease sufferers, people who were victims of domestic 
violence. This was deeply troubling to me, and I was just 
shocked.
    So what is happening is that through survey instruments 
that are operated online and through other methods that are 
typically consumer-generated, people will volunteer this 
information to websites, thinking they are getting help, you 
know, from a website, and they will volunteer. And they have no 
idea that this information is going to be attached to not just 
a cookie but their name, their home address, their phone 
number.
    Senator Markey. And I am a lawyer but I have never had any 
clients, so I am going to be careful in how I rule here. But it 
just seems to me that it is kind of, on its face, a violation 
of Section 5 of the Federal Trade Commission Act, violation of 
unfair and deceptive practices.
    So, Ms. Rich, back over there at that Federal Trade 
Commission, what can you do about this?
    Ms. Rich. I think--well, for all of these scenarios that 
you described, especially the particularly disturbing ones 
involving discrimination, we would obviously, if we had 
specific targets we were looking at, take a close look to see 
if it did violate the Fair Credit Reporting Act or the FTC Act. 
We wouldn't give up on that.
    But one thing I want to say about--you know, our laws are 
limited, as I mentioned in my opening statement. For the Fair 
Credit Reporting Act to apply, the data has to be collected and 
used for certain purposes. And the FTC Act allows us to go 
after deceptive practices, meaning affirmative false statements 
or omissions need to be made, or unfair practices, and we have 
a lot of hoops to jump through to prove those.
    But there is nothing in our laws that would require the 
entities amassing those lists to tell consumers about it or to 
allow them access to the data they have on them. Those are the 
limitations of our laws.
    Senator Markey. Yes. Thank you. And, again, there is 
nothing like a little Section 5 action, you know? But when you 
are saying it is even beyond the penumbra of that, then we have 
a real issue here.
    And it is a real invitation for us to act, Mr. Chairman, so 
that, you know, we put on the books the----
    The Chairman. I am going to act----
    Senator Markey.--actual specific language. Excuse me?
    The Chairman.--since you have just gone through your second 
round of questions.
    [Laughter.]
    Senator Markey. No, I know that, Mr. Chairman. I have now 
taken your graciousness, your beneficence, and I have stretched 
it, you know, to a point that----
    The Chairman. Claire McCaskill is very unhappy. But she is 
going to be even more----
    Senator McCaskill. No, I am not.
    The Chairman.--even more unhappy when I call on Senator 
Thune, who----
    Senator McCaskill. I am not unhappy at all.
    The Chairman.--he and I were the first two to come.
    And then you.

              STATEMENT OF HON. CLAIRE McCASKILL, 
                   U.S. SENATOR FROM MISSOURI

    Senator McCaskill. No, I think it is terrific to have 
Senator Markey on this committee. And he obviously has worked 
on this issue in the House, and I think we will all benefit 
from the amount of time and effort he has spent at it.
    I want to try to home in on a couple of things.
    The case, Mr. Hadley, of Experian and Superget. You 
purchased the company Court Ventures in 2012, in the spring of 
2012. For more than a year after the time you purchased this 
company that had all this data, you were taking monthly wire 
transfers from Singapore, and your company did nothing. And as 
it turns out, those wire transfers were coming from a man in 
Vietnam who specialized in identity theft and was marketing the 
information that you owned to criminals to ruin people's lives.
    So my first question to you is, you were quoted as saying, 
``We would know who was buying this.'' You were getting wire 
transfers from Singapore on a monthly basis, and no one 
bothered to check to see who that was?
    Mr. Hadley. Now, I want to be clear that this was not 
Experian marketing data; this was Experian authentication data. 
So it is under a different company, a different use. So I just 
want you to know that it is not part----
    Senator McCaskill. I don't understand the distinction.
    The Chairman. Nor do I.
    Senator McCaskill. I think it is a distinction without a 
difference. I believe it was data that you owned, Experian 
owned. You had purchased this data from Court Ventures, and 
they had, in fact----
    Mr. Hadley. No. Let me clarify.
    Senator McCaskill.--sold it to someone else.
    Mr. Hadley. Yes, let me clarify that for you, because we 
have provided a full response to that question to the 
Committee, and it is part of the eight submissions that we have 
given.
    And I do have to say that it is an unfortunate situation. 
And the incident is still under investigation by law 
enforcement agencies, so I am really extremely limited in what 
I can say publicly about it, but I do want to say this.
    The suspect in the case obtained data controlled by a third 
party--that was U.S. Info Search, that was not an Experian 
company--through a company we bought, Court Ventures----
    Senator McCaskill. OK. Let me----
    Mr. Hadley.--prior to the time that we acquired that 
company. And to be clear, no Experian data was ever accessed in 
that deal.
    Senator McCaskill. I understand what you are saying. Here 
is what happened. You had U.S. Info Search----
    Mr. Hadley. No, we did not----
    Senator McCaskill. No, no, I am--U.S. Info Search existed, 
and Court Ventures existed. They decided----
    Mr. Hadley. And they had a partnership.
    Senator McCaskill.--for commercial reasons, to make more 
money, to combine their information. And so they had a sharing 
agreement, those two companies, correct?
    Mr. Hadley. Right.
    Senator McCaskill. OK. So these two companies had a sharing 
agreement. Then you bought one of those companies.
    Mr. Hadley. Court Ventures.
    Senator McCaskill. Correct. So now you owned it. Now you 
stood in their place. Are you a lawyer?
    Mr. Hadley. I am not a lawyer, but I understand we stood in 
their place, right.
    Senator McCaskill. Are there any lawyers on the panel?
    OK. She will back me up.
    [Laughter.]
    Senator McCaskill. You stand in their place when you buy 
this. So now you are there.
    Now, you said in your earlier testimony, we would know who 
was buying this. So you now are part of their transactions.
    Mr. Hadley. During----
    Senator McCaskill. And you were receiving the benefit of 
these monthly wires.
    Mr. Hadley. So, during the due diligence process, we didn't 
have total access to all the information we needed in order to 
completely vet that. And by the time we learned about the 
malfeasance, I think 9 months had expired. The Secret Service 
came to us, told us of the incident, and we immediately began 
cooperating with the Secret Service to bring this person to 
justice.
    Senator McCaskill. OK.
    Mr. Hadley. And we are continuing to cooperate with law 
enforcement in that realm. This was--we were a victim and 
scammed by this person.
    Senator McCaskill. Well, I would say the people who had all 
their identity stolen were the----
    Mr. Hadley. And we know who they are, and we are going to 
make sure that they are protected. There has been no allegation 
that any harm has come, thankfully, in this scam.
    [The Committee received the following letter regarding Mr. 
Hadley's previous statement. The author of the letter requested 
that the statement be removed from this hearing record.]

                                                Venable LLP
                                     Washington, DC, March 18, 2014
Via e-mail:

Peter Curtin
U.S. Senate Committee on Commerce, Science, and Transportation
254 Russell Senate Office Building
Washington, DC.

Re: Correction to Transcript on Hearing Titled, ``What Information Do 
Data Brokers Have on Consumers, and How Do They Use It?''

Dear Mr. Curtin,

    Lines 12-14 in the attached document are crossed out. In reviewing 
the testimony, we checked with the Experian lawyers that are directly 
involved in handling this matter, and they have indicated that these 
lines are not accurate. In actuality, Experian does not know the 
identities of the individuals as the data was owned and controlled by 
U.S. Infosearch.
            Sincerely,
                                              Stuart Ingis,
                                                           Venable LLP.

    Senator McCaskill. OK.
    Mr. Hadley. And we have closed that down, and----
    The Chairman. Let Senator McCaskill----
    Mr. Hadley.--we have modified our process----
    The Chairman. Let Senator McCaskill continue.
    Senator McCaskill. OK. So let's talk about that process. 
This person who got this man who they lured to Guam to arrest 
and who is now facing criminal charges in New Hampshire, they 
posed as an American-based private investigator.
    What is your vetting process when people want to buy your 
stuff?
    Mr. Hadley. That would have been Court Ventures who would 
have vetted that prior to our----
    Senator McCaskill. OK, but I am talking about now, you. 
What is your vetting process?
    Mr. Hadley. Right now, before we would allow access--first, 
let me say that that person would have not gained access to 
Experian or this data if they had gone through our vetting 
processes prior to the acquisition.
    Senator McCaskill. And what would have stopped him?
    Mr. Hadley. We would have known who that company is. We 
would have had a physical onsite inspection of that company. We 
would have known who that business is and what that business's 
record is. We would have known exactly why they wanted that 
data and for what purposes. And that would have been enshrined 
in our contract. And we would have known the kinds of systems 
they have in place to protect the data that they gained.
    Those are all incumbent upon us under the Gramm-Leach-
Bliley Act and the FCRA.
    Senator McCaskill. Well, listen, I understand that this was 
not a crime that began under your watch.
    Mr. Hadley. Thank you.
    Senator McCaskill. But you did buy the company, and you did 
keep getting the wire transfers from Singapore. And the only 
reason you ever questioned them is because the Secret Service 
knocked on your door. I don't know how long those wire 
transfers from Singapore would have gone on until you caught 
them. I don't have confidence that it would have stopped at 
all.
    So I guess what my point is here, I maybe do not feel as 
strongly as others on this panel that behavioral marketing is 
evil. I believe behavioral marketing is a reality, and, 
frankly, the only reason we have everything we have on the 
Internet for free is because of behavioral marketing. So I 
don't see behavioral marketing as an evil unto itself.
    What I do see is some desperate need for Congress to look 
at how consumers can get this information, what kind of 
transparency is there, and whether or not companies that allow 
monthly wire transfers into their coffers from Singapore from a 
criminal who is trying to rip off identity theft, whether or 
not they should be held liable for no due diligence on checking 
those wire transfers from Singapore until the Secret Service 
knocked on their door.
    And that is what I think we need to be looking at. And I 
don't think there is enough--I mean, I know that some of my 
friends on the other side of the aisle, you say trial lawyers, 
and they break out in a sweat. But the truth is that if there 
were some liability in this area, it would be amazing how fast 
people could clean up their act. And, unfortunately, in too 
many instances there is not clear liability because we haven't 
set the rules of the road.
    So I didn't mean to pick on you, Mr. Hadley, but this is a 
great example. And you are not a fly-by-night company.
    Mr. Hadley. No, we are not.
    Senator McCaskill. If this is happening under your watch, 
can you imagine what is going on with companies that are not as 
established as yours? I think it is----
    Mr. Hadley. Cybersecurity is a huge problem.
    Senator McCaskill. It is serious and significant, and we 
need to look at it.
    Thank you all very much.
    The Chairman. Thank you, Senator McCaskill.
    Senator Thune, to be followed by Senator Fischer.
    Senator Thune. Thank you, Mr. Chairman.
    Mr. Hadley, one of the big users of your service is the 
Federal Government, correct?
    Mr. Hadley. Yes.
    Senator Thune. OK. Are there some areas in which you can 
identify how the Federal Government uses your services?
    Mr. Hadley. Certainly.
    The biggest users of Experian data in the Government are 
the Department of Health and Human Services. Right now, we 
operate on HealthCare.gov to authenticate the identities of 
individuals signing up for health care to make sure that fraud 
is eliminated on that, to make sure that Tony is getting an 
account, establishing the account, and not an imposter in his 
name.
    We also have a contract with the Social Security 
Administration as they move persons for online accounts from 
paper-based accounts. We all get our Social Security statement 
in the mail; they want people to move online to get those. So 
we authenticate individuals to have online accounts with the 
Social Security Administration.
    We, too, believe that HHS could be a good user of our 
marketing data, particularly in the lower economic echelons, to 
reach out to people to see if they are eligible for health care 
and try to determine how to market that process to them. They 
haven't done that yet, but the state agencies are far ahead of 
them in that way, of using these economic segments to reach out 
and inform consumers of benefits that are available to them.
    Senator Thune. So for purposes of Obamacare implementation, 
they are using you to authenticate people who are applying but 
not, at this moment, to market, the Federal Government. The 
state----
    Mr. Hadley. That is exactly right.
    Senator Thune.--exchanges are.
    Mr. Hadley. Right.
    Senator Thune. OK.
    Some have concerns about the profiles that data brokers 
compile on consumers, that they will have a long-lasting impact 
and put these consumers at a disadvantage, especially if that 
information is incorrect. And I would like to have you respond 
to that incorrect-information issue or concern.
    Mr. Hadley. Yes. Our data is highly accurate. It comes from 
very reputable sources. We know what sources they are, and we 
check those sources to make sure of the integrity of that data.
    Marketing profiles are not static. This is very important. 
They change. When I was a young man with young children, I used 
to get a lot of ads for diapers. Then my sons grew up, and I 
got solicitations and they got solicitations for college. Soon, 
I got solicitations for home equity loans because they knew 
that I might want to finance my sons' college education. Now I 
am getting solicitations for retirement planning and for 
vacations. So my marketing profile has changed with my age and 
my family status and my interests that I have expressed to data 
brokers.
    I want to make one point that is very clear here, with 
health information. Experian has health information from 
consumers, but only--only--on an opt-in basis, if they have 
said and clearly opted into telling us what their ailments are 
and saying, I am an arthritis sufferer, I want to know about 
new products and services coming onto the market to help me; or 
I suffer from migraines.
    These are not used, though, never used, for healthcare 
eligibility. They are used so that consumer product companies 
can offer solicitations and coupons for over-the-counter drugs, 
for the most part.
    Senator Thune. Yes.
    Mr. Hadley. So it is always opt-in with health for 
Experian, clear and conspicuous opt-in.
    Senator Thune. Mr. Cerasale, there have also been concerns 
raised that consumers should not only have the ability to see 
what information is collected about them for marketing purposes 
but also have the ability to correct it. And I am wondering 
what your thoughts are on that.
    Mr. Cerasale. On first look, that sounds like a great idea. 
However, as you delve deeper into it, as you look at access and 
then correction for marketing data--this is data that, as Mr. 
Hadley has said, is not used for eligibility purposes. But as 
you look into access to marketing data, it requires you to 
authenticate who is coming in. In other words, is it Jerry 
Cerasale or is it an imposter? And in order to have that data, 
in order to be able to authenticate, you need more data.
    So in the essence of access and then correction, it is 
going to require more data, more accurate data, because you can 
have inaccuracies in marketing data. Tony says that it is 
great, but it is not as precise as Fair Credit Reporting data 
because it is not for eligibility; it determines what ad I will 
receive, what type of offer I will receive. And if a marketer 
is off, it is 95 percent correct, that is OK because it is not 
worth the expense to go to 100 percent, whereas in Fair Credit 
Reporting you need it.
    So having access and correction requires more data. And, of 
course, it is, therefore, more expensive, as well. So, I mean, 
let's be truthful here. But I think it goes against the idea 
you are worried about with data because you are going to create 
more data on the marketing side and requiring it to be more 
precise, and therefore that is an issue. You need to have one 
bit of information more than the imposter in order to prevent 
that kind of fraud in that area. So it raises that problem.
    Senator Thune. Ms. Rich, the FTC released a report on 
consumer privacy in 2012 that recommended, and I quote, 
``companies should provide reasonable access to the consumer 
data they maintain; the extent of access should be 
proportionate to the sensitivity of the data and the nature of 
its use,'' end quote.
    The report continued that, for marketing data, the 
commission believes that the cost of providing individualized 
access to consumers would likely outweigh the benefits.
    Can you comment on that statement, expand on what the costs 
and benefits would be to have individualized access to 
marketing data?
    Ms. Rich. What we said in the report was that, you know--
and, obviously, the report was a prelude to further discussion 
and potentially Congress acting, because at the time we were 
recommending legislation.
    But what we said in the report is that we saw a difference 
between marketing data and, for example, fraud mitigation and 
identity verification products, and that for marketing data it 
might be appropriate to not only give consumers access to the 
categories of data that is collected about them but to allow 
them to suppress use of the data, but not necessarily to give 
them individualized access.
    But we didn't say there shouldn't be access at all. We said 
there should be access to the categories of data and an ability 
to suppress use of the data. And then, for other products, it 
may be appropriate to give individualized information about the 
data.
    Senator Thune. OK. But the calculation you made, according 
to this at least, is that the individualized access to 
consumers would likely outweigh the benefits for marketing 
purposes.
    Ms. Rich. Yes. Yes. But for further consideration also by 
Congress. But, yes, we did see a difference, we did see a 
distinction between marketing uses and other uses.
    Senator Thune. OK.
    Mr. Chairman, thank you.
    The Chairman. Thank you.
    Senator Fischer?

                STATEMENT OF HON. DEB FISCHER, 
                   U.S. SENATOR FROM NEBRASKA

    Senator Fischer. Thank you, Mr. Chairman and Ranking 
Member.
    Ms. Rich, in your testimony, you referenced the 
commission's activities with regard to enforcement. Can you 
describe to me what you think the focus of the enforcement 
activity should be?
    Ms. Rich. Well, we always, in our enforcement, focus on 
uses of data that have the potential to harm consumers. And 
most of our enforcement actions have been in the area of the 
Fair Credit Reporting Act because that is where we have our 
strongest tools. And when data is used for purposes covered by 
the FCRA, it can be used to deny consumers important benefits 
like employment or credit.
    Senator Fischer. Do you think that the FTC has done a good 
job with its existing authority to address what has been the 
number-one consumer complaint for the past 13 years running, 
and that is fighting identity theft?
    Ms. Rich. We are trying our hardest. We don't have the 
authority to go after the perpetrators of identity theft, but 
one of the main reasons we are so strong in our data security 
enforcement is that we do believe that it is the responsibility 
of companies to protect sensitive information, and to maintain 
and protect it from getting in the hands of identity thieves.
    Senator Fischer. Are you able to identify the thieves 
themselves? And what happens then? How does that all work?
    Ms. Rich. Well, you know, many of the thieves are overseas. 
We do work with criminal authorities, and sometimes they are 
investigating the thieves while we are investigating the 
companies that failed to maintain reasonable procedures to 
protect the data.
    Often, the thieves are never caught because they are in 
Russia or China. But if a company does not maintain reasonable 
procedures to protect data, we have some good tools to hold 
them liable. Although, we continue to recommend passage of a 
strong data security law that would give us civil penalty 
authority and strengthen those tools.
    Senator Fischer. Have you brought those forward before this 
committee? I am a new member on the Committee. Has the FTC 
suggested those in the past?
    Ms. Rich. Yes. Senator Rockefeller would be very--Chairman 
Rockefeller would be very familiar with our advocacy for data 
security and data breach legislation.
    Senator Fischer. OK. Thank you very much.
    Mr. Turow, when we talk about the data broker--and you had 
a definition of a data broker as somebody who connects the dots 
for marketers, is that correct, in your testimony?
    Mr. Turow. That is not my only definition, but certainly 
that is what they do. They can do that.
    One thing I would like to point out--may I go on?
    Senator Fischer. Yes.
    Mr. Turow. One thing I would like to point out that I don't 
know if we have had enough discussion about today, which is, it 
is not just discrete bits of information that is going on more 
and more and that are sold, and it is not just the aggregation 
of these. Really, what is happening is the industry and so much 
of our world is turning into an actuarial activity. It really 
is the predictive analytics that are changing the ballgame.
    And so a person can be giving out the most benign-sounding 
piece of data, and that can turn against him or her in an 
instant if it gets put into an algorithm that comes up with an 
either accurate or inaccurate sense of who that person is.
    And we have no way to deal with this at this point and no 
way--even to where I have been told in the ad industry that the 
word ``soccer mom''--that I have had people tell me they don't 
know, necessarily, how a person is tagged as a soccer mom. The 
number of data points--seriously told me this--the number of 
data points that are involved in designating a soccer mom, the 
person said in the ad agency to me, was such that they couldn't 
tell me where that got that designation from.
    Now, if it is true, that is very complicated. And if it is 
not true, that is a problem in itself. And I was trying to 
figure out why it is that ad companies can't tell people where 
particular labels on them come from. And now I am being told 
more and more it is the algorithm, it is the predictability.
    Senator Fischer. With your definition or an expanded 
definition, then, how many private companies do you think can 
be classified as this, just in the United States? How many 
private companies are we talking about?
    Mr. Turow. I haven't seen a definition, but I would agree 
that more and more we are dealing with companies of all sorts 
connecting lots----
    Senator Fischer. It would be like any small business?
    Mr. Turow. I wouldn't worry----
    Senator Fischer. The big box retailers? Who?
    Mr. Turow.--so much about a small business, but I would 
worry about big supermarkets.
    Senator Fischer. Big box retailers?
    Mr. Turow. I would worry about, yes, big box stores. I 
would worry about a whole lot of companies that on a daily--we 
haven't talked about retail outlets and the fact that the 
Internet inside a store and the connecting of online and 
offline is taking place increasingly as people walk through 
looking at products, the so-called moment of truth, and how 
that relates to the algorithms I have been discussing. What 
does it mean to have predictive analytics stare you in the face 
while you are deciding diapers, OK, or something even more 
important?
    And, in fact, the notion--it may be that Experian doesn't 
deal with over-the-counter drugs, but there are companies that, 
in one way or another, take what people purchase over the 
counter and solicit opinions through sweepstakes about their 
health activities and purchases and sell them, very clearly.
    Senator Fischer. So what I hear you saying is what I 
believe, that really almost any retailer could be classified 
then----
    Mr. Turow. If they share data, and I have----
    Senator Fischer. And how, then, do you believe the 
government should become involved in private business in this 
country, when you have that expanded definition?
    Mr. Turow. It obviously makes it much more complicated. And 
that is what I have begun to believe that, at least as a start, 
there may be some useful public discussion in asking how many 
data points firms are allowed to buy and sell about us at a 
time and how they can be merged to other data points, so that 
we won't have continual flows of data being appended to our 
lives.
    It is really an interesting difficulty that you bring up--
--
    Senator Fischer. OK. Thank you.
    Mr. Turow.--aside from the fact that, for example, if you 
go to Kroger's website and look at their privacy policy, I 
couldn't figure out head nor tail whether they sell that stuff, 
because they use words like ``affiliates'' and 
``subsidiaries,'' and it is done in such a way that it is 
extremely difficult to tell.
    And I know of one company that sells bracelets for health 
where I looked at their website, and basically at one point 
after they say what data they can get out of the bracelet, they 
say, some of this data might indicate poor health on your part. 
And then the issue is, what do they do with it?
    Senator Fischer. Right.
    Mr. Turow. And we don't know. You can't tell.
    Senator Fischer. Right. Thank you.
    Mr. Chairman, could I ask Ms. Rich if she wanted to say 
something? She is eager----
    Ms. Rich. I am going like this.
    Senator Fischer. And I was trying to stay within my time 
limit, seriously. Thank you, Mr. Chairman.
    Ms. Rich?
    Ms. Rich. I just wanted to add something to the point you 
were making about the number of data brokers. One of the things 
that we--the way we think about it at the FTC, to make it a 
more manageable issue and problem, is to focus on the non-
consumer-facing data brokers, because, after all, if the issue 
is really about transparency, at least that is where the 
concerns are the greatest, that consumers don't even know who 
those invisible, behind-the-scenes companies are.
    And although I think that there has been a lot of 
discussion about how the definition is so broad we can work on 
that. But I think it is kind of proof of the problem, not that 
there isn't a solution. Because the fact that Pam says there 
are thousands of data brokers and the Committee report says 
hundreds and the industry says hundreds, I mean, I think that 
is part of the problem. We don't know who all these entities 
are and we don't have a handle on it. And that is part of the 
proof that there really isn't transparency in this industry.
    Senator Fischer. So would you say that just about any 
website that a person goes to, they are in danger of having 
information gathered that they may not want to have either 
private companies or the government know about?
    Ms. Rich. Well, I mean, as I was saying, if we are talking 
about the data broker issue, we would prefer to focus on the 
non-consumer-facing sites, where they are truly not 
transparent.
    You know, we have other recommendations for consumer-facing 
websites. We think there should be choices and opt-outs there 
so that consumers have some ability to prevent sales to third 
parties if they so choose.
    But for this data broker problem, we at the FTC would 
really like to focus on the non-consumer-facing sites.
    Senator Fischer. OK. Thank you very much.
    Thank you, Mr. Chair.
    The Chairman. Thank you, Senator Fischer.
    We have a vote at 4:30. I would like to ask one more 
question.
    And this is coming right at you, Dr. Turow. You have been 
taking all kinds of notes.
    Mr. Turow. I have.
    The Chairman. So you are ready. I would like to further 
explore the notion that data brokers are selling products to 
help marketers target pitches to the specific interests and 
needs of consumers.
    Let's take a product called ``Relying on Aid.'' This is a 
grouping of consumers that the data broker defines as follows: 
``These single retirees of limited means and meager retirement 
savings are just barely able to make ends meet.''
    The description goes on to say, ``With only a high school 
education at best, it has been hard to get ahead. Poorly 
insured and Medicare/Medicaid-dependent, they are generally 
pessimistic about their economic situation,'' and, 
incidentally, about themselves.
    My question to you, Professor Turow: In your testimony, you 
highlight some other ways companies may be using such consumer 
lists that don't necessarily involve product pitches, such as 
deciding who should have to wait longer for customer service, 
who should be rejected as a valued customer, or who should be 
offered coupons for only non-nutritious foods.
    What thoughts come to your mind when you hear data brokers 
are marketing descriptions like ``Relying on Aid'' to potential 
consumers?
    Mr. Turow. It is not unpredictable. It has been going on 
for years. It is a problem, I agree, and it is going to get 
worse as the baby boomers get older. I think we are only 
beginning to see the tip of the iceberg here.
    But I think one of the issues is also that, as we get more 
individualized----
    The Chairman. What do you mean, tip of the iceberg?
    Mr. Turow. I think we are going to have this huge 
generation of older people in 15 years that are going to be----
    Senator Thune. Not you.
    [Laughter.]
    Mr. Turow.--divebombed with these kinds of offers. And I 
was beginning to say, it is going to be more particularized.
    The thing about that category, Chairman Rockefeller, is 
that it is a category. More and more, that is going to become 
anachronistic. And what it is going to be is a particular 
person who can be maybe even more persuaded because of other 
characteristics that predict that. So that category will be 
broken up----
    The Chairman. Including low self-esteem.
    Mr. Turow. Yes, and a lot of other things: what kind of car 
they drive that leads them to be this, that, and the other 
thing. So that you won't even be able to point to the category 
in a catalog anymore; it will be something that you won't be 
able to easily track down. And yet those people will be 
targeted increasingly because of the situations they are under. 
The same category, only divided up into millions and millions 
of people and personalized.
    The Chairman. So what would you do about it?
    Mr. Turow. As I said, I think--well, these are social 
questions. And I believe that we have to worry about the kinds 
and the amounts of data that get combined. I don't have an 
answer for that. I think it is a very important social 
discussion. At this point in time, we haven't had that social 
discussion.
    People don't even know this stuff is going on. Our studies 
have shown that people know they are being tracked. But when 
you ask people basic questions of how this stuff works and how 
they think it works--we did a 2005 study in which Americans 
said, a majority, a clear majority of Americans said that they 
think that price discrimination is illegal. OK?
    We continually find that people see the word ``privacy 
policy'' on a website, they think it means--and we have done 
this five times in national surveys--they think the words 
``privacy policy'' means that the site can't share information 
about you without your permission.
    The ad icon is a great idea, but it doesn't work. You know, 
the studies have shown, including one that we did a couple of 
years ago, that Americans, like Senator Booker, have no clue 
that it exists most of the time.
    I suggest--and that is how I got into the algorithm thing. 
The idea for an icon that I had originally, before this one 
came out, was that when you clicked on an ad that was tailored 
to you, you could find out who gave you the ad, what were the 
elements of the ad, why did you get that particular ad just at 
that moment.
    But those data are considered too proprietary, and then 
people tell me the algorithm doesn't help. And so, at this 
point in time, there is nobody who wants to volunteer to give 
that information.
    The Chairman. And people use barcoding, don't they----
    Mr. Turow. Well, I----
    The Chairman.--to find out names and addresses and other 
stuff?
    Mr. Turow. Oh, yes. And even if you are anonymous--a very 
short example that happened to me. It is not quite a big data 
company, but it shows the direction.
    I was at O'Hare, and I had to switch planes when one of my 
planes was canceled. So I went to the customer service place of 
the affiliated airline. They asked me to put my barcode in, and 
they gave me a number. On the side of me, on the screen, it 
said, the amount of time it will take to serve you will be 
based on your priority in terms of your status with our loyalty 
program.
    The Chairman. Interesting.
    Mr. Turow. And so I, fortunately, had a lot of points, I 
got served pretty quickly, but I noticed there were people who 
were just sitting there. And that meant that they didn't get 
the flights that they could have gotten.
    The Chairman. This is segmenting Americans. It is pre-
predicting what will happen to them by virtue of the 
circumstances into which they fall.
    Mr. Turow. And who is valued----
    The Chairman. And all the research has been done to put 
them in that situation so they can control how they market and 
maximize their profit and maybe end up absolutely giving a 
horrible experience to that consumer.
    Mr. Turow. I agree.
    The Chairman. Senator Thune, I have something I want to 
say, but you are important around here. Do you want----
    Senator Thune. No, go ahead. I am fine.
    The Chairman. OK.
    I want to come back--since before 9/11, I have been on the 
Intelligence Committee, and every day I wake up to seven 
newspapers with nothing but NSA headlines. And I am here to 
tell you, as one of the authors of FISA and the PATRIOT Act and 
all the rest of it, that the NSA is so secure in its protection 
of privacy as compared to this group that we are talking to, 
these data brokers, it is not even close.
    This affects, as was pointed out, anybody, everybody. Who 
knows? NSA knows. They are only likely to interact at a .000001 
percent of people that they conclude need, you know, further 
observation. This is everybody, anybody, but more than that, 
divided into race, economic activities, education.
    And there is something--I can't prove it is wrong, but 
there is something lethal about it. There is something unfair 
about it. It is something like--you know, if somebody is poor 
or less educated--and this is what I have spent my life--I come 
from West Virginia, where a lot of people face these problems. 
They are stigmatized. They have to live with it. The system is 
stacked against them. And a lot of people are making a lot of 
money out of it, and one are the data brokers.
    I am not asking for an argument because the bell just went 
off. But I am here to say that this is a very serious 
situation. I think everybody here agrees this has not been 
talked about. We have done an investigation of it, FTC has 
looked at it, you all have looked at it, you certainly have. 
And we have to continue on this thing.
    You know, the slogan of one of the companies that the 
Committee reviewed in this investigation, the company says it 
lives by the following words: ``Just because you can doesn't 
mean you should.'' Unfortunately, I have been thinking about 
this because today's testimony and the Committee's inquiry 
shows the industry as a whole is falling far short of that 
standard--appears to be falling far short of that standard. In 
fact, it seems to me the motto of data brokers is: ``We can, 
and indeed we will.'' Full of optimism.
    We heard from Ms. Dixon about the lists generated by data 
brokers from genetic disease sufferers and dementia sufferers 
to payday-loan responders, products that seem tailor-made for 
businesses seeking to take advantage of consumers. I hate that. 
I personally am revolted by that. I have seen it in the 
treatment of coal miners and their safety. I have seen it in 
every aspect of life in the state that I come from and 
elsewhere, living abroad. I don't like it.
    I think it is our job as a government to minimize that 
possibility and to bring out into sunlight what is going on. If 
Senator Booker doesn't know that this is happening to him--he 
does now, and he doesn't like it. Senator McCaskill really 
nailed something that could not be responded to.
    And so we are going to continue on this track. I think it 
is serious, and I think it is a dark underside of American life 
on which people make a lot of money and cause a lot of people 
to suffer even more and, therefore, have even lower self-
esteem, which is not the America we want.
    This hearing is adjourned.
    [Whereupon, at 4:30 p.m., the hearing was adjourned.]
                            A P P E N D I X

 Response to Written Question Submitted by Hon. John D. Rockefeller IV 
                            to Jessica Rich
    Question. Ms. Rich, the Commission currently has authority under 
the Fair Credit Reporting Act to seek enforcement actions against data 
brokers that provide information that is used to make eligibility 
decisions about consumers. Furthermore, the Commission has its broad 
organic authority under the FTC Act to enforce against unfair or 
deceptive acts or practices. However, the Commission lacks authority to 
mandate the type of transparency that all of the hearing's witnesses 
apparently agree is important for the industry. In this context, does 
the FTC have authority to require data brokers to allow consumers to:

   Access the information data brokers possess on them?

   Correct any inaccuracies?

   Affirmatively ``opt out'' and prevent the data broker from 
        selling their information?

    Answer. Although the FTC has used its authority under the Fair 
Credit Reporting Act (FCRA) and the FTC Act to take action against 
unlawful practices by data brokers, the FTC does not have the authority 
to impose the requirements you identify. The FTC has consistently 
treated the Fair Credit Reporting Act (FCRA) as an enforcement 
priority. It has brought almost 100 cases alleging violations of the 
FCRA, obtaining in excess of $30 million in civil penalties. However, 
as we explained in our March 2012 report Protecting Consumer Privacy in 
an Era of Rapid Change: Recommendations for Businesses and Policymakers 
(Privacy Report), the FCRA covers only some data broker activities. The 
FCRA generally does not cover data brokers that maintain data for 
marketing purposes and for other non-marketing purposes, such as to 
locate people or detect fraud. Thus, consumers do not have, for all 
data broker activities, the access, correction, or consumer control 
rights the FCRA provides for data brokers engaged in certain 
eligibility determinations.
    In addition, the FTC has used its authority under the FTC Act to 
address unfair or deceptive practices in the data broker industry. See, 
e.g., United States v. ChoicePoint, Inc., No. 1:06-cv-00198 (N.D. Ga. 
Feb. 15, 2006) (FTC alleged, among other things, that a data broker 
engaged in unfair practices by failing to properly screen or monitor 
purchasers of sensitive consumer data) ; In re U.S. Search, Inc., FTC 
Docket No. C-4317 (Mar. 25, 2011) (FTC alleged that a data broker 
deceived consumers by offering an opt out that was ineffective). Unless 
they are implemented as remedies to a violation of the FTC Act, 
however, we do not currently have the authority to require data brokers 
to provide consumers with access or correction rights, or to allow 
consumers to suppress or opt out of the sale or use of data held by 
data brokers.
    In recognition of these gaps, the agency recommended legislation, 
in its March 2012 Privacy Report, that would offer the consumer rights 
you have identified.
                                 ______
                                 
    Response to Written Questions Submitted by Hon. Kelly Ayotte to 
                              Jessica Rich
    Question 1. Earlier this year, FTC Commissioner Julie Brill called 
upon state AGs to take a more active role in investigating and holding 
accountable data brokers for violations of the Fair Credit Reporting 
Act. Can you talk about the role of state law enforcement officials in 
this field? Does your agency work closely with your state law 
enforcement counterparts on pursing privacy and marketing complaints?
    Answer. The FTC has consistently treated the Fair Credit Reporting 
Act (FCRA) as an enforcement priority. It has brought almost 100 cases 
alleging violations of the FCRA, obtaining in excess of $30 million in 
civil penalties. State attorneys general (AG) also have a role to play 
in enforcing the FCRA. Under section 621 of the FCRA, state AGs can 
bring an FCRA enforcement action, so long as they provide the FTC and 
the Consumer Financial Protection Bureau with advance notice; the FTC 
has the right to intervene in such matters. This provision ensures that 
states coordinate their FCRA enforcement efforts with the appropriate 
Federal regulators. In addition, we work very closely with the states 
to educate identity theft victims of their rights under the FCRA. Our 
Tax Identity Theft Awareness week, involving multiple outreach events 
across the country, is a good example of our collaborative efforts with 
states to protect consumers in this area. See ftc.gov/taxidtheft.
    Outside the FCRA, the FTC and state AGs cooperate often on privacy 
and security and related marketing investigations. One notable example 
is the action the FTC brought with 35 state AGs against LifeLock for 
deceptive claims about the effectiveness of LifeLock's identity theft 
services and its security measures. This 2010 action is one of the 
largest FTC-state coordinated privacy-related settlements on record. 
The FTC has also pursued several Do Not Call privacy cases with state 
AGs serving as co-plaintiffs, including enforcement actions brought 
against Dish Network, LLC, United States Benefits, LLC and Worldwide 
Info Services, Inc. In addition, the FTC participates in monthly 
telephone conferences with members of the National Association of 
Attorneys General's Do Not Call working group. The FTC continues to 
coordinate with state AGs on a variety of law enforcement 
investigations involving privacy and security in order to avoid 
duplication of efforts and ensure appropriate and responsible 
allocation of enforcement resources.

    Question 2. When we look at current Federal law governing data 
brokers, we have Fair Credit Reporting Act, Graham-Leach-Bliley, HIPPA, 
Children's Online Privacy Protection Act, and Electronic Communications 
Privacy Act. Plus there are 50 AGs policing behavior and activity. In 
addition to that, we have brokers touting their aggressive self-
regulatory policies. Can you address specifically what more 
legislation, mandates or regulations you think we need? Some have 
argued that before we add more laws and/or regulations to the books, we 
should enforce the ones we have.
    Answer. While these statutes all provide important protections for 
consumer data, they have limitations. Gramm-Leach-Bliley, for example, 
applies only to financial institutions; HIPAA covers only medical 
records maintained by specifically defined medical providers; the 
Children's Online Privacy Protection Act does not cover data collection 
or use for individuals age 13 and over; and the Electronic 
Communications Privacy Act is focused on government access to 
electronic data. Similarly, as we explained in our March 2012 report 
Protecting Consumer Privacy in an Era of Rapid Change; Recommendations 
for Businesses and Policymakers (Privacy Report), the Fair Credit 
Reporting Act covers only some data broker activities. The FCRA 
generally does not cover brokers that maintain data for marketing 
purposes and for other non-marketing purposes, such as to locate people 
or detect fraud.
    The Commission agrees that self-regulation can be an effective way 
to protect consumer interests while promoting innovation. The 
Commission has long supported robust, enforceable self-regulatory 
mechanisms established by industry to protect consumers. As we noted in 
our Privacy Report, however, self-regulatory efforts by the data broker 
industry have lagged. The Commission has monitored data brokers since 
the 1990s. In 1997, the Commission held a workshop to examine database 
services used to locate, identify, or verify the identity of 
individuals, referred to at the time as ``individual reference 
services.'' The workshop prompted industry members to form the self-
regulatory Individual Reference Services Group (IRSG). The Commission 
subsequently issued a report on the workshop and the IRSG in which it 
commended the progress made by the industry's self-regulatory programs, 
but noted that the industry's efforts did not adequately address the 
lack of transparency of data broker practices. Although industry 
ultimately terminated the IRSG, a series of public breaches--including 
one involving ChoicePoint--led to renewed scrutiny of the practices of 
data brokers. The Privacy Report noted that the industry has continued 
to operate since then with a lack of transparency. To address this 
concern, the Privacy Report expressed support for legislation that 
would give consumers access to information held by data brokers.
                                 ______
                                 
    Response to Written Question Submitted by Hon. Amy Klobuchar to 
                             Jerry Cerasale
    Question. Most consumers would like to believe that any of their 
personal information held by companies is private, secure, and 
accurate. However, with rapidly changing marketing strategies and 
technology platforms, consumers are no longer sure that this is the 
case.
    Mr. Cerasale: How do your members, both large and small marketers, 
work to promote consumer trust in your services? How can a lack of 
consumer trust in private data storage and use policies impact the 
broader economy?
    Answer. Consumer trust forms the bedrock of the Data-Driven 
Marketing Economy--and the American economy as a whole. Consumer trust 
is critical to a company's success, regardless of the size of the 
business. This is especially true for remote sellers that rely on 
customers to purchase goods sight unseen. Businesses have every 
incentive to protect and promote consumer trust in the goods and 
services they deliver.
    While businesses are already incentivized to promote consumer 
trust, DMA supports this incentive with a robust ethics and compliance 
program that calls on its members to adhere to its Guidelines on 
Ethical Business Practice. For more than four decades, DMA has 
administered its Guidelines and promoted accountability for its 
members, setting a high bar for responsible marketing. The DMA Ethics 
Policy and Ethics Operating Committees develop, update and enforce 
DMA's Guidelines as part of DMA's public trust with regulators and 
consumers. The accountability program is flexible enough to address 
ongoing changes in technology, markets, consumer interest and new 
business practices.
    Data security is a prime example of DMA's commitment to maintaining 
consumer trust, having long served as a core principle of the DMA's 
Guidelines. Like many elements in the Guidelines, the DMA's data 
security standards have remained far from static. In January 2014, the 
DMA approved updated Business Ethical Guidelines on data security, 
calling on every data-driven marketer to take proactive measures to 
further enhance data security across the data-driven marketing 
industry.
    In addition to data security, DMA members are committed to offering 
consumers' choice, and to using marketing data for marketing purposes, 
not for eligibility such as employment and financial transactions. 
These and other consumer-friendly practices help build and maintain 
trust in the data-driven marketplace.
    When it comes to assessing whether businesses have gained 
consumers' trust and confidence, the proof is in the numbers. Remote 
selling, including through ecommerce, is a fast growing segment of our 
economy. More broadly, the data-driven marketing economy (``DDME'') 
added $156 billion in revenue to the U.S. economy and fueled more than 
675,000 jobs in 2012 alone.
    $110 billion and 46,000 jobs depend on the ability of firms to 
exchange data across the DDME.\1\ Indeed, responsible use of data by 
marketers has revolutionized one of the most costly aspects of doing 
business in any industry. As businesses of all sizes innovate to 
deliver more efficient, convenient, and secure marketing and 
transactional solutions, consumers are responding with a vote of 
confidence with their feet and with their pocketbooks.
---------------------------------------------------------------------------
    \1\ Deighton and Johnson, The Value of Data: Consequences for 
Insight, Innovation & Efficiency in the U.S. Economy (2013), available 
at http://ddminstitute.thedma.org/#valueofdata
---------------------------------------------------------------------------
                                 ______
                                 
    Response to Written Questions Submitted by Hon. Kelly Ayotte to 
                             Jerry Cerasale
    Question 1. Do self-regulatory programs, such as the DMA's 
Guidelines for Ethical Business Practice, and other industry codes of 
conduct based on these and other guidelines, promote responsible use 
and sharing of data in the marketplace? How widespread is adoption of 
these programs in the marketing industry? How do governing 
organizations enforce the rules of these programs against bad actors?
    Answer. Yes. Self-regulatory programs, like the one administered by 
the DMA, not only promote, but also require companies to engage in the 
responsible use and sharing of data in the data driven marketing 
economy (``DDME''). The DMA believes that self-regulation and education 
are important components for addressing consumer privacy while ensuring 
that data flows continue to benefit consumers and the economy.
    DMA Reach & Scope. The DMA has established an enforceable framework 
of industry best practices that focus on providing transparency, 
choice, and other protections to consumers. At the foundation of this 
framework are the DMA Guidelines for Ethical Business Practice (``DMA 
Guidelines''), which have been adopted by all DMA members, representing 
every segment of the marketing industry. In addition, the DMA enforces 
its guidelines against both members and non-members covering thousands 
of companies, making the DMA Guidelines the standard for the industry.
    DMA members deeply value consumer trust and understand that 
responsible data practices are critical to building and maintaining 
customer relationships. To that end, the DMA and its members have 
developed and implemented more than 50 code sections in the DMA 
Guidelines that regulate marketing data practices, which are regularly 
updated to adapt to new technologies and business practices. The DMA 
Guidelines address a wide variety of marketing practices including, the 
conduct of data brokers, sweepstakes, mobile marketing, internet-based 
marketing, and texting.
    Enforcement. The DMA has a long history of enforcing these 
guidelines. The DMA Guidelines have been applied to hundreds of cases 
concerning a wide range of issues including deception, unfair business 
practices and personal information protection. In addition, companies 
that represent to the public that they are DMA members, but fail to 
comply with the DMA Guidelines, may be liable for deceptive advertising 
under Section 5 of the FTC Act and comparable state laws.
    Compliance Process. The DMA receives complaints from consumers, 
members, nonmembers, and consumer protection agencies. These complaints 
are reviewed by the DMA's Ethics Operating Committee and if a potential 
violation is found to exist, the company will be contacted, 
investigated, and advised on how it can cure the violation. Most 
companies work with the Ethics Operating Committee voluntarily to cease 
or change the questioned practice. However, if a company does not 
cooperate with the Ethics Operating Committee, action can be taken by 
the Board of Directors and the results of the investigation may be made 
public. For example, from February 2012 to June 2013, the DMA Corporate 
& Social Responsibility Committee reviewed 55 cases and 12 of these 
were made public.\1\ Additional Board actions could include public 
censure, suspension or expulsion from the DMA. The DMA also refers 
cases to Federal and state law enforcement authorities for review when 
appropriate.
---------------------------------------------------------------------------
    \1\ Direct Marketing Association, DMA Annual Ethics Compliance 
Report 2012-2013 (2013), available at http://thedma.org/compliance/.
---------------------------------------------------------------------------
    Education. Beyond enforcement of the DMA Guidelines, the DMA also 
provides education to both businesses and consumers about responsible 
data collection and use. Through the regular publishing of case reports 
that summarize questioned marketing promotions, webinars, in-person 
seminars, and regular communication with its members, the DMA helps to 
promote best practices in the industry. This communication and 
education is a great benefit to small businesses as they begin to 
market their products and services to consumers. The DMA also maintains 
a section of our website focused on consumers entitled ``Consumer 
Help,'' and offers consumers a centralized tool to help manage their 
direct mail and e-mail preferences at DMAChoice.org.

    Question 2. In large part, New Hampshire's economy depends on small 
businesses and start-up companies. My husband is the owner of a small 
business. Does the use and sharing of data across all sectors of the 
economy help or hurt the ability of small businesses to compete with 
larger entities in the marketplace? Does the use and sharing of data 
increase or decrease barriers to entry in the marketplace? How do these 
trends impact job creation?
    Answer. Small businesses benefit significantly from the use and 
sharing of data. A recent study entitled, The Value of Data: 
Consequences for Insight, Innovation & Efficiency in the U.S. Economy 
(``Value of Data''), quantified the important role that the use and 
sharing of data plays in fueling economic growth.\2\ This study, which 
was conducted independently by Professors John Deighton of Harvard 
Business School and Peter Johnson of Columbia University, revealed that 
the Data Driven Marketing Economy (``DDME'') was a major asset to small 
businesses and start-ups.
---------------------------------------------------------------------------
    \2\ Deighton and Johnson, The Value of Data: Consequences for 
Insight, Innovation & Efficiency in the U.S. Economy (2013), available 
at http://ddminstitute.thedma.org/#valueofdata (hereinafter ``The Value 
of Data'').
---------------------------------------------------------------------------
    The Value of Data study found that the sharing of data across the 
DDME enables small businesses to compete effectively with larger 
competitors. Data gives all companies, and especially small businesses, 
the ability to effectively match products to customers both on and 
offline, lowering barriers to market entry for specialized or niche 
offerings. Thanks to the responsible use and sharing of data across the 
economy, small business have access to data they would not otherwise 
have available to them, enabling them to more efficiently and 
effectively market their products and better compete in the 
marketplace. Data sharing also allows small businesses to incrementally 
build their customer base, and grow their product in ways never before 
available to companies of their size.
    The Value of Data study also found that the DDME generated $156 
billion in revenue to the United States economy and fueled more than 
675,000 jobs in 2012 alone. Further, the study found that an additional 
1,038,000 people owe their employment to these DDME jobs.\3\ The study 
also found that in New Hampshire, the DDME was responsible for $1 
billion in revenue and 3,000 jobs in the state's economy.\4\ The study 
estimated that 70 percent of the value of the DDME--$110 billion in 
revenue and 475,000 jobs nationwide--depends on the ability of firms to 
share data across the DDME. If this ability to share data were 
curtailed, those jobs and revenue would be impacted and the U.S. 
economy would be much less efficient.
---------------------------------------------------------------------------
    \3\ The Value of Data at 74.
    \4\ The Value of Data at 96-98.
---------------------------------------------------------------------------

                                   08