Data Brokers Do Not Abide by GDPR or Basic Data Privacy Regulation - How Does It Impact Your Online Data?
A data broker is a business entity that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship. Such entities do not comply with GDPR or data privacy norms.
You may not have heard the term ‘data broker’ before, but such enterprises not only exist; their business flourishes on consumers’ online data. They have no consumer-facing interface. Instead, they collect information on users from as many sources as possible, buying and selling it within their own networks and monetizing it as they see fit.
Companies like Facebook, Google, Instagram, and WhatsApp are facing multi-billion-dollar penalties for GDPR violations, whereas data brokers are collecting your information from hundreds of sources and minting money by selling it. However, the situation is completely different in Vermont, a smart state in the US which just passed the first law to provide this much-needed protection to its citizens.
Now data brokers in Vermont will have to register with the state. They are mandated to take standard security measures and notify authorities of security breaches (this wasn’t the case before). Using their data for criminal purposes like fraud is now a legally actionable offense on its own. As long as they operate carefully, data brokers can stay camouflaged and maintain masked profiles on consumers. TechCrunch talked with the director of the World Privacy Forum, Pam Dixon, about this practice. According to Pam, if you use an actual credit score, it is regulated under the Fair Credit Reporting Act. But if you take a thousand points like shopping habits, zip code, housing status, you can create a new credit score which you can use and it’s not discrimination.
While healthcare data like blood tests are protected from meddling, it’s not illegal for a company to make a calculated conjecture about the status of your health from the medicine you purchase from the local pharmacy or order online. Now your name appears on a clandestine list of people concluded to be diabetics, and that data gets sold to, say, Facebook, which combines it with its own metrics and allows advertisers to target it.
Do not be flummoxed: Facebook does that, or rather carried on the practice for years, only ending it under the present scrutiny following the famous Cambridge Analytica stunt. When you look at Facebook’s targeting, you would find around ninety-odd targets, such as race, income, housing status and much more; that’s all Acxiom data, according to Pam. Acxiom is one of the largest data brokers.
Data brokers have been secretly supplying your personal information to interested parties for a long time and cashing in on it in innumerable ways. Believe it, advertising is the least of its applications. Your data is used for informing shadow credit scores, restricting services and offers to certain categories of people, setting terms of insurance, not to forget loans, and more.
Vermont’s new law, which took effect late last week, at the same time as GDPR, is the nation’s first to address the data broker problem directly. So if you ponder seriously, you would notice Europe has catapulted past American regulators with the monumental GDPR.
Pam laments that it has been an immense oversight. Until Vermont passed this law there was no regulation for data brokers. It’s that serious. They have been looking for something like this to be put in place for like twenty years. The concern, Pam said, has always been defining a data broker. It’s much harder than you might fathom, considering how secretive and influential these companies are. When every company collects data on its customers and occasionally monetizes it, how do you identify the point where an ordinary business ends and data brokering begins?
The World Privacy Forum fought previous laws, and they fought this one. But Pam, who along with the companies themselves was part of the state’s hearings to create the law, said Vermont smartly averted this snag. Pam explained that the way the bill is written is extremely well thought through. Vermont state lawmakers didn’t worry as much about the definition, but focused on the activity. In fact, the directness and clarity of the law are a pleasant surprise.
While data brokers offer multiple benefits, there are also risks associated with the widespread aggregation and sale of data about consumers. These include risks related to consumers’ ability to know and control the information held and sold about them. They also encompass risks arising from the unauthorized or harmful acquisition and use of consumer information.
As I said before, consumers may not be aware that data brokers exist, who the companies are, or what information they collect, and may not be aware of the available alternatives or remedies.
This straightforward description of a subtle and widespread problem greatly enabled by technology is a rarity in a world dominated by legislators and judges who regularly demonstrate ignorance on high-tech topics. (You can read the full law here.)
A substantial number of companies will find themselves encompassed by the law’s broad definition, which states that Data Broker means a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.
In other words, anyone who collects data secondhand and resells it comes under the purview of the law. There are a few exceptions like consumer-focused information services, but it seems unlikely that any of the real brokers will escape the ordeal.
With the mandate to register, along with a few other disclosures brokers will be required to make, consumers will be aware of which brokers they can opt out of and how. In case you find yourself the victim of a crime that used broker data, for instance, an insurance premium rate secretly raised because of a covertly discovered medical condition, or a job offer revoked because of race, you have legal recourse.
Data security at these companies will have to meet a minimum standard, as will access controls. It's important to note that the data breach rules mean prompt notification in case personal data is leaked in spite of the measures in place.
The law in Vermont is a good first step in preventing data breaches and maintaining data privacy. As it aims to prove extremely beneficial to citizens, let’s hope other states and countries soon replicate it. If you want to protect yourself and keep your loved ones safe, please join me in spreading the message.