Introduction

Data brokers are peculiar businesses: their business is analyzing and trading in our personal information,yet they are practically unknown to the average Canadian. In 2006, CIPPIC undertook a detailed study of the Canadian data brokerage industry, and updated in in 2018.  In this FAQ, we explain the basics of this evolving industry.

CIPPIC gratefully acknowledges the funding of the Contributions Program of the Officd of the Privacy Commissioner of Canada for this work.

F.A.Q.

Data Brokers

What is a data broker?

There is a great deal of disagreement over the the meaning of the term “data broker”.  It is not a term companies use to describe themselves. We describe a “data broker” as “a company whose primary business involves the trading and analysis of personal information”.  These are companies who gather, analyze and sell information about consumers.

What kinds of information do data brokers trade in?

Data brokers trade in a wide range of information about people.  Any information that may be of use to profile a consumer may be of interest to a data broker or its customer.  Consumer profiles are most common, but political profiles have their own customer base.

Where do data brokers get their data?

Data brokers get information about consumers from four sources:

  1. “Public” sources such as telephone directories and business and trade directories.
  2. “Vendor sources” that sell personal information outright (such as newspaper & magazine publishers’ subscriber lists, and book, music and movie clubs lists, retailers’ lists including mail order retailers, retailers dealing with requests for product information, or managing warranty card and product registrations, and service providers such as telcommunications and financial institutions), marketers (involved in surveys, contests, and similar offer; loyalty card service providers); and from non-profit and charitable organizations that sell their lists;
  3. “Utilizing sources” that use personal information for financial gain, such as social networks (although these services typically do not share their raw consumer data, but instead provide advertisers access to consumer profiles built on this data); and
  4. “Anonymized” sources that sell consumer information that is not identified with individual persons.  

What do data brokers sell?

By definition, data brokers sell data – information about individuals.  However, data brokers offer a broad the range of services in addition to data.  

  • Marketing Cloud Platforms – Marketing Cloud providers offer internet-based, “Software as a Service” (SaaS) “one-stop shops” for all marketing needs.  These platforms offer special, cross-platform services:

(a) Device Matching – These services identify individual customers across devices, allowing marketers to streamline ads and content to an individual user regardless of whether the consumer is using a phone, tablet, or computer.

(b) Data Management Platforms – These services offer a marketing database and interface for all types of consumer data, regardless of source, making that data actionable, offering insights into markets, and to serve targeted advertising

  • Social Media & Search – Social media platforms offer information to brokers not available in the past. People search tools and data append services “scrape” social media sites to add data to their products.
  • Retargeting / Behavioural Advertising – Ad “retargeting” serves ads across the web to users who have visited or performed a certain action on a specific website or app.
  • Scoring & Risk Mitigation Products – Many data broker services score and categorize current and prospective customers for marketing and risk-mitigation products. Marketing applications score consumers as, for example, “high-value” prospective customers or “under-performing” customers, prompting business to target these consumers with appropriate sales strategies. Risk-mitigation services, in contrast, are used to identify risky clients, such as those likely to default on loan payments or those more likely to commit fraud.  
  • Industry-Specific Scoring – Some data brokers offer industry-specific scoring solutions, catering to the needs of specific industries, such as automobile sales.
  • Scoring to Determine Level of Service Provided – Data brokers may use scoring to determine the level of service customers receive when making an inbound call to a company, allowing companies to prioritize the inbound calls of high value customers over those less valuable to the company.
  • People Search Products – People search products allow individuals to locate other individuals both physically and online and to discern between individuals with similar names. These products offer information about consumers obtained from publicly available sources, including social media. In Canada, people search products are reserved in their offerings than in the US.

Who are data brokers’ customers?

The obvious markets for data brokers’ products are marketers:  businesses who need to find consumers and match them to their products and services.  But anyone in need of information about individuals are potential customers of data brokers.  Political parties have long been purchasers of the products of data brokers. More recently, even law enforcement has become a customer of data brokers as they roll out predictive policing models built on data brokers’ records.

Are social networks data brokers?

We have defined a “data broker” as “a company whose primary business involves the trading and analysis of personal information”.  However, while social media companies plainly analyse the personal information they gather, they do this to build profiles of consumers rather than trading the information itself.  Accordingly, the do not fit within the meaning of the term data broker as we use it here.

Social media companies are themselves unique players in our data ecosystem, and in fact are acquirers of commercial data.  Social media sites are “social graphs” – networks of social connections that can be mapped. Social media is a source and purveyor of data in the data broker ecosystem.  By creating “application programming interfaces” that allow third parties access to social networks’ massive user base, social networks provide a rich source of data.

What laws regulate the activities of data brokers?

In Canada, PIPEDA, The Personal Information Protection and Electronic Documents Act, governs the commercial collection, use and disclosure of personal information.  Similar provincial laws may also apply to the activities of data brokers, or may apply instead.

What happens if a data broker suffers a data breach?

A data breach is the unauthorized disclosure of personal information through accident or hacking.  Most jurisdictions have data breach laws in place that establish rules for informing regulators and the public about data breach.  In Canada, >

Do different countries treat data brokers differently?

Different countries have adopted different approaches to protecting personal information, and these differences result in different regulatory approaches to the businesses of data data brokers.  Canada and the European Union, for example, have built personal information protection laws that generally require consumer consent to the collection, use and disclosure of personal information. This can be difficult for data brokers to do since they seldom have direct contact with consumers, and where they do, may find it difficult to obtain the kinds of consent they need to sell consumers’ personal information.  For that reason, many data brokers active in countries with robust personal information protection laws deal with aggregated data rather than data associated with particular individuals. The United States, in contrast, lacks a general personal information protection law, although some classes of information, such as health and financial information, are regulated by sector-specific laws. For general classes of personal information no covered by such laws, the Federal Trade Commission enforces its legislation against data brokers that engage in unfair or deceptive practices.  

Resources

Canadian Law

The Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5,  http://laws-lois.justice.gc.ca/PDF/P-8.6.pdf

Regulatory Reports on Data Brokers

Research Group of the Office of the Privacy Commissioner of Canada, “Data Brokers, a Look at the Canadian and American Landscape,” September 2014, available at: https://www.priv.gc.ca/media/1778/db_201409_e.pdf – This report provides an overview of data brokers and their operations based on the Canadian and American privacy environments. It examines privacy regulation in Canada and how data brokers from other jurisdictions are required to comply with these requirements while conducting business within Canada. The report finds that it is uncertain whether data brokers based in other jurisdictions comply with or are aware of Canadian privacy laws. The report concludes that there is an ongoing need to make privacy compliance requirements known to both consumers and data brokers in order to help inform consumer practices and to support consumer control, trust, and transparency.

Federal Trade Commission, “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers,” March 2012, available at: http://ftc.gov/os/2012/03/120326privacyreport.pdf – This report describes three different categories of data brokers: entities subject to the FCRA; entities that maintain data for marketing purposes; and non-FCRA covered entities that maintain data for non-marketing purposes that fall outside of the FCRA. The report notes that while the FCRA addresses a number of critical transparency issues associated with companies that sell data for credit, employment, and insurance purposes, data brokers within the other two categories remain opaque. The Commission recommends legislation to improve transparency, and concludes that further examination is needed into the practices of data brokers. Specifically, the Commission calls on data brokers that compile data for marketing purposes to explore creating a centralized website where data brokers could (1) identify themselves to consumers and describe how they collect and use consumer data and (2) detail the access rights and other choices they provide with respect to the consumer data they maintain.

United States Committee on Commerce, Science, and Transportation, “A Review of the Data Broker Industry: Collection, Use, and Sale of Consumer Data for Marketing Purposes,” September 2013, available at: http://www.commerce.senate.gov/public/?a=Files.Serve&File_id=0d2b3642-6221-4888-a631-08f2f255b577 – This report is a summary of the U.S. Senate Committee on Commerce, Science and Transportation’s investigation into how data brokers collect, compile, and sell consumer information. The report finds that data brokers collect huge volumes of detailed information on hundreds of millions of consumers, that they sell products that identify financially vulnerable consumers, and that they provide information about consumer offline behaviors to tailor online outreach by marketers. The report concludes that data brokers that sell data for marketing purposes operate behind a veil of secrecy, with minimal transparency, and are subject to virtually no statutory consumer protections.

United States Government Accountability Office, “Information Resellers: Consumer Privacy Framework Needs to Reflect Changes in Technology and the Marketplace,” September 2013, available at http://www.gao.gov/products/GAO-13-663 – This report examines (1) existing federal laws relating to the privacy of consumer information held by information resellers, (2) any gaps that may exist in this legal framework, and (3) views on approaches for improving consumer data privacy. The report focuses on privacy issues related to consumer information used for marketing and for individual reference services and determines that no overarching federal privacy law governs the collection and sale of personal information among private-sector companies, including information resellers. Instead, the report finds that a variety of laws tailored to specific purposes, situations, or entities governs the use, sharing, and protection of personal information. The report concludes that congress should consider strengthening the consumer privacy framework to reflect the effects of changes in technology and the increased market for consumer information.

Federal Trade Commission, “Data Brokers: A Call for Transparency and Accountability,” May 2014, available at: http://www.ftc.gov/system/files/documents/reports/data-brokers-call-transparency-accountability-report-federal-tradecommission-may-2014/140527databrokerreport.pdf – This report is a result of a study of nine data brokers representing a broad cross-section of the industry. The Commission used the information obtained from the data brokers and from publicly available sources to prepare the report. The findings describe how data brokers collect consumer data from numerous sources, largely without consumers’ knowledge, how they collect and store billions of data elements, including some on nearly every U.S. consumer, and how they combine and analyze data about consumers to make potentially sensitive inferences. Finally, the report makes recommendations to enhance transparency and consumer control.

Reports on Data Brokers

CIPPIC, “On the Data Trail: How detailed information about you gets into the hands of organizations with whom you have no relationship” (2006) https://cippic.ca/sites/default/files/May1-06/DatabrokerReport.pdf

Wolfie Christl, Sarah Spiekermann, “Networks of Control: A Report on Corporate Surveillance, Digital Tracking, Big Data & Privacy” Cracked Labs (2016) http://crackedlabs.org/dl/Christl_Spiekermann_Networks_Of_Control.pdf

Wolfie Christl, “Corporate Surveillance in Everyday Life” Cracked Labs (2017) http://crackedlabs.org/en/corporate-surveillance

Wolfie Christl, “How Companies Use Personal Data Against People” Cracked Labs, (October 2017) http://crackedlabs.org/en/data-against-people

OECD, “Exploring the Economics of Personal Data: A Survey of Methodologies for Measuring Monetary Value”, OECD Digital Economy Papers, No. 220 (2013) http://dx.doi.org/10.1787/5k486qtxldmq-en

Aaron Rieke, Harlan Yu, David Robinson, and Joris von Hoboken, “Data Brokers in an Open Society”, Upturn (2016) https://www.opensocietyfoundations.org/sites/default/files/data-brokers-in-an-open-society-20161121.pdf  

Academic Articles on Data Brokers

Tasha Glenn & Scott Monteith, “Privacy in the Digital World: Medical and Health Data Outside of HIPAA Protections,” Current psychiatry reports, 16 494 10.1007/s11920-014-0494-4, available at: https://www.researchgate.net/publication/265609084_Privacy_in_the_Digital_World_Medical_and_Health_Data_Outside_of_HIPAA_Protections – This article highlights how the rapidly expanding stores of data collected outside of HIPAA are encroaching on the traditional doctor patient relationship and eroding medical privacy. It explains how this could lead to a future in which data brokers have more detailed information about a patient than that directly disclosed to their physician, and why it is important to remember that the results of predictive models are not based on physician judgment or on a directly measured value, but are calculated values often by disciplines outside of medicine. Additionally, it points to the dangers of how the data brokers who sell predictive health models are not involved in patient care and have no training in medical ethics. The article concludes by calling for measures to increase awareness of the growth of medical and health data outside of HIPAA protection for both clinicians and patients.

Alexander Tsesis, “The right to Erasure: Privacy, Data Brokers, and the Indefinite Retention of Data,” 49 Wake Forest L. Rev. 433 (2014) – https://lawecommons.luc.edu/cgi/viewcontent.cgi?referer=https://www.google.ca/&httpsredir=1&article=1502&context=facpubs – This Article describes the many forms of data mining that organizations engage in to track online and offline behaviors and make far-reaching intrusions into personal lives. It focuses on how the practices are particularly pervasive on social media platforms, which market and trade personal profiles to third parties while presenting themselves as platforms for interpersonal communications. It then evaluates how internet use leaves personal data vulnerable to snooping and surveillance. Finally, it elaborates on European data regulations and compares them to current U.S. regulations. It explains how the European model provides significantly greater protections for privacy management than the U.S. model, and argues for the adoption of the EU’s right to erasure initiative and discusses the likelihood of its enforcement in the United States.

Huesch, Marco and Ong, Michael and Richman, Barak D., Could Data Broker Information Threaten Physician Prescribing and Professional Behavior? (June 2015). CESR-Schaeffer Working Paper No. 2015-009; Duke Law School Public Law & Legal Theory Series No. 2015-28. Available at SSRN: https://ssrn.com/abstract=2623186 – This article focuses on a study of physicians and big data which sampled of over 3,000 healthcare faculty and healthcare system staff at one university’s heath unit. It explores how data can be used without a physician’s knowledge to influence prescribing practices and other professional behaviour. The article describes how for around two thirds of the emails of physicians sampled, a rich set of information was available, identifying personal information spanning economic, family, interests and purchases data. It then highlights how this data could potentially be used by marketing teams who could duplicate the approach from the study to inform direct-to-physician marketing and identify susceptible segments of physicians. The article concludes by recommending greater clarity in what uses are being made of physician’s private transaction data, inferred purchase interests, and other potentially sensitive information.

Ashley Kuempel, “The Invisible Middlemen: A Critique and Call for Reform of the Data Broker Industry,” 36(2) Northwestern Journal of International Law & Business 207 (2016), available at https://scholarlycommons.law.northwestern.edu/njilb/vol36/iss1/4/ – This article explores the current data privacy framework in the U.S. and the privacy discrimination concerns it presents to consumers. It then explains why each of the legislative recommendations made by the FTC Report do not adequately protect American consumers, and demonstrates why certain provisions within the EU’s Data Directive should be used as a model for future U.S. data broker legislation. It concludes by offering solutions—that Congress should err on the side of overprotection by passing legislation in line with the Data Directive.  

Lipman, Rebecca E., Online Privacy and the Invisible Market for Our Data (January 18, 2016). Penn State Law Review, 2016, Available at SSRN: https://ssrn.com/abstract=2717581 – This article focuses on the commercial use of individuals’ data. It describes how the current system of buying and selling individuals’ data is problematic, and explores various laws and agencies that are active in this area of privacy law. It then proposes a new, mandatory notice and choice regime to empower individuals and to pressure companies to take greater responsibility for what they do with their customers’ data.

Sharona Hoffman, “Big Data and the Americans with Disabilities Act” (September 20, 2016). Hastings Law Journal, Case Legal Studies Research Paper No. 2016-33. Available at SSRN: https://ssrn.com/abstract=2841431 – This article focuses on health-related big data in the employment arena, specifically looking at how, based on big data analysis, individuals may not receive a job offer. It describes the incentives employers may have to exclude employees based on their health, including high health insurance costs, and the need for productive workers. It then explains why the Americans with Disabilities Act provides insufficient anti-discrimination protections, and offers two solutions to this issue. First, the ADA must be amended to prohibit discrimination based on an employer’s belief that an individual is likely to develop a physical or mental impairment in the future. Second, the law must require employers to disclose in writing to applicants and employees any practices other than medical exams and direct medical inquiries by which they seek health-related information, including predictive data. The article concludes that the best way to protect data subjects is to regulate the ways in which information can be used, and that a well-tailored means to address concerns about big data is to prohibit their use for discriminatory purposes.

Theodore Rostow, “What Happens When an Acquaintance Buys Your Data?: A New Privacy Harm in the Age of Data Brokers” (Updated March 16, 2017). Yale Journal on Regulation, Vol. 34, No. 2, 2016. Available at SSRN: https://ssrn.com/abstract=2870044 – This article argues that the creation of a market for individuals to buy data on their peers enables a new privacy harm: “relational control.” Relational control occurs when individuals acquire the private, covertly purchased data of those in their social or professional networks. This allows them to exert meaningful influence over the decisions of those around them and leads to potential harms unrecognized by privacy scholarship to date. The article explains why the threat of relational control is likely to grow, and assesses why legal interventions that scholars have proposed to the commercial privacy problem will fail to remedy the vulnerability of consumers to relational control. The article then offers possible paths for reducing the likelihood of relational control, and proposes a number of doctrinal shifts in existing privacy law that may reduce consumer exposure to the threat of relational control.