Introduction
The worldwide market for personal data is large and growing, but not widely understood by the average consumer. Consumers are generally unaware of how valuable their data is and there is no comprehensive set of tools to give people an idea of how much of their personal information is being actively traded by various companies. Recent scandals like the Equifax data breach and settlement have brought more scrutiny to the security practices of publicly traded companies that handle consumer data. However, there is an entire industry that is little understood and less regulated that trades exclusively in consumer data.
Third-Party Data Aggregators
The consumer data broker industry is a multibillion-dollar industry. Every year companies spend billions looking for insight into consumer behavior and marketing techniques by analyzing user data for spending and browsing habits. There are few laws governing the sale and collection of personal data. While most of the value to companies is in the aggregation of all of this data, there is potential for misuse on a personal level through release of information that can lead to doxxing or stalking.
One of these third-party data aggregators came to national attention during the Russian election interference scandals after the 2016 US Presidential Election. A consulting company, Cambridge Analytica, was charged with misusing consumer data purchased from Facebook to target likely voters for misinformation campaigns. People rightly questioned why a shady UK consulting company so easily had access to Facebook user data, but the story largely died down without much further discussion of the implications of such a marketplace. Cambridge Analytica shut its doors, but, unsurprisingly, reformulated a short time later under a new name.
When there is a scandal involving third-party data aggregators, or misuse of personal information, people take note. The idea of being personally targeted by companies or campaigns based on private information is generally distasteful to people, but if it is not out in the open, there is less of a push to curb those practices. That is why companies rely on third-party aggregators. There is plausible deniability over what happens to the information they collect.
There is also a problem with the incentive structure for these non-consumer-facing companies. When Equifax suffers a security breach, there is significant tangible reputational damage as a publicly traded company. There is a real incentive for Facebook or Target to avoid the negative publicity associated with mishandling personal data. If the company buys and sells data and analysis behind closed doors, this incentive is missing entirely. Unsurprisingly, the security practices among third-party data aggregators are notoriously lax.
Bringing Scrutiny to the Data Ecosystem Marketplace
Third-party data aggregators might be most dangerous because they are so secretive. Little is known about just how many of them are out there, and large corporations are reluctant to disclose their business dealings with these companies. Therefore, it is important to bring public attention to the issue.
People care about data privacy and in the coming decades, the sophistication of data collection and analysis practices will only grow. Most people would be alarmed at the rate they are being targeted for advertisements and solicitations, but the possibility of breaches within this industry is potentially greater and more alarming. With little regulation and no public pressure to handle user data carefully, these companies will neglect to do so.
Higher public scrutiny could come in the form of media and academic attention, which has been growing in recent years. It will also require greater transparency from public companies about who they transact with and what happens to user data after it is sold.
Possible Solutions
Solutions to this problem are typically presented in two forms: government regulatory schemes that protect data, and market-oriented schemes that allow consumers to take ownership over their own data and profit from it when companies use it.
There are downsides to either plan. Government regulation might be necessary to curb some of the dangerous practices within the industry, but given the challenges in developing political consensus on such issues and the amount of money at stake, it is hard to imagine a comprehensive scheme that could be implemented any time soon. The technology also shifts so quickly in this industry that any new regulations would have to be flexible enough to keep up.
Liability schemes have also been suggested where companies have a duty to ensure the safety of consumer data. This would open up the consumer-facing companies to liability if a breach were to occur within the third-party aggregator industry involving data they originally collected. This is a promising solution, but an ideal solution would prevent catastrophic breaches rather than compensating people after the fact.
If consumers were to legally own their own data and were able to profit off of it, it is hard to see how it would be worth it. The downsides of breaches or misuse would still greatly outweigh the benefits of what would likely be negligible compensation.
Conclusion
The third-party data aggregator industry is not widely understood by the media, scholars or consumers. It thrives off of this secrecy and much of the danger associated with mishandling or misuse of consumer data is made possible by this lack of understanding.
There likely needs to be a move towards curbing the growth of this industry or at least containing its downsides. This won’t happen until the industry receives more scrutiny from the public at large.
* Michael Cronin is an Associate Editor on the Michigan Technology Law Review.