Data brokers: the hidden multibillion dollar industry throwing up huge data protection challenges

“A sprawling, unregulated ecosystem that can get very creepy, very fast.” These were the words of comedian John Oliver during a recent segment on his US-based TV show Last Week Tonight, in which he took aim at the data brokerage industry. On any closer inspection of this opaque ecosystem, it is difficult to find much fault with his description. The segment goes on to provide examples of real instances of this ‘creepiness’. One such example is that of a single man who used a credit card (in person) to buy a pack of baby wipes to clean his office. The same day, he was bombarded with online ads for baby wipes and other kids-related products, despite having no children. A second, and more disturbing, anecdote is that of a man who received some postal marketing from a major office supplies retailer. Included in the marketing material, almost certainly by accident, was some of the information that the retailer had obtained about him. For some reason, this included a reference to the fact that the man’s daughter had died; and not just that, but the fact that she had died, very specifically, in a car crash.

When it comes to the excessive collection and misuse of personal information, attention is usually (and for the most part, rightly) directed at the usual suspects, i.e. Facebook/Meta, Google, Amazon and co, which collect the data of their users more directly. However, the anecdotes detailed above both involve interactions with companies in the ‘offline’ space, which points the finger squarely at a broader and much less visible set of commercial entities: data brokers.

It should be made clear at this point that data brokering is not inherently negative or unlawful – there are areas such as scientific research and healthcare where brokers play a valuable part in advancing important causes.

To provide a general definition, data brokers are companies which buy or otherwise compile, aggregate, and repackage data from other companies, usually for the purpose of selling it, or at least selling access to it. Most people have probably never heard of Epsilon, Cuebiq, CoreLogic or Acxiom. However, it is likely that at least one of these companies has heard of you. If Acxiom’s claims are to be believed, they have compiled data on some 2.5 billion people – around 30% (!) of the world’s population. It does not require any particular insight to realise that this is a concerning statistic. As an interesting aside, the companies also give somewhat unsettling names to the groups of profiles they compile. Examples include “Kids and Cabernet”, “Rural and Barely Making It”, “Boomers and Boomerangs” and “Ethnic Second-City Strugglers”. Make of that what you will.

As might be implied, the two stories detailed at the beginning of this article both occurred in the United States where, while a growing number of data protection laws are being written at the state level, no unified data protection legislation exists at the federal level. (To explore why this is the case and how the situation might change, read our previous IGS insights piece here). However, it would be wrong to assume that, because the European Union and (at least for now) the UK have far more comprehensive data protection laws in place, these kinds of incidents could not and do not occur on this side of the pond.

In October 2020, the ICO concluded a two-year-long investigation into Experian, Equifax and TransUnion, three large data brokers that operate primarily as credit reference agencies (“CRAs”). The investigation was partly initiated as a result of a complaint by advocacy group Privacy International asserting that the industry, and the named CRAs in particular, did not comply with fundamental data protection principles; in particular, the claim was that CRAs were using personal data gathered specifically for credit referencing for other, potentially nefarious, purposes. The findings in the ICO’s report served to categorically confirm that assertion: the ICO found “widespread and systemic data protection failings across the sector”, “significant data protection failures at each company” and that significant ‘invisible’ processing took place affecting millions of UK data subjects. Most starkly, the report highlighted that “Between the CRAs, the data of almost every adult in the UK was, in some way, screened, traded, profiled, enriched, or enhanced to provide direct marketing services.”

Following the ICO report, Equifax and TransUnion made sufficient changes that further action was no longer deemed necessary in order to achieve compliance. Experian, on the other hand, was issued with an enforcement notice for failing to meaningfully alter its practices, and immediately announced that it was going to appeal the decision. As far as can be ascertained, the first stage of this appeal was heard in January 2022 at the First-tier Tribunal (responsible for handling appeals against decisions made by many government regulatory bodies). A decision from the Tribunal is currently pending – which means it can be assumed that Experian’s marketing activities are still ongoing as normal, despite the ICO finding that they lacked transparency, failed to comply with Article 14 of the GDPR (regarding personal data not obtained from the data subject), used credit reference data for direct marketing purposes and lacked an appropriate lawful basis for processing.

It has become increasingly clear that massive challenges exist when it comes to effectively regulating and enforcing actions against this ubiquitous industry. The EU has evidently taken some notice, with the recently approved Data Governance Act specifically referring to ‘data intermediaries’ and the aim of increasing security and trust in the sector – part of the Act even sets out an official register for approved brokers. Two US senators have also introduced a bill this year to regulate and curb the activities of data brokers. As for the UK – well, it is difficult to imagine the scope of any data protection laws being expanded at present, given the current administration’s attitude towards the UK GDPR and other EU-derived legislation. Hopefully, though, this pessimistic view will be proved wrong, and the UK will follow suit in attempting to address the clear problems with the data brokerage industry.
