Data Brokers and the Myth of "Opting-Out"
Ty Ehuan, Political Science B.A. & Economics B.S., the university of North Carolina at Chapel Hill
There is a multi-billion dollar industry surrounding the collecting and selling of your data. The companies who participate in this, known as data brokers, operate in a little-known marketplace that advertises thousands of pieces of information on billions of individuals. And while the need for regulation on Big Tech has started to enter the public discourse, limits on data brokers are also necessary.
Unknown to the vast majority of people, the sheer volume of this data economy is staggering. A report by Justin Sherman, a cyber-fellow at Duke’s Sanford School of Public Policy, found that one broker advertised over “7000 attributes” on each consumer while another claimed “the ability to reach over 2.5 billion consumers” This information can include real-time location data, spending habits, demographic information, political affiliations, and various other sensitive topics that individuals may not want available to everyone.
Data brokers are not just a U.S. problem either. They hold data on billions of individuals across the globe and are aided by a variety of actors throughout the information ecosystem. These range from large tech companies, who track their users across the web and profit off this information in a variety of ways, to advertising technology companies whose real-time bidding process can be easily exploited by brokers and other malicious actors to gain detailed profiles on individuals.
The breadth and accessibility of this data brokerage industry is what makes it such a large concern. Everyone from private individuals to foreign governments can purchase from these brokers creating a myriad of privacy and security risks. Privacy is a matter of life or death for survivors of domestic violence but abusers can use these brokers to continually track their victims. Government agencies and law enforcement buy detailed location data to track Americans while avoiding the fourth amendment requirement for a warrant. Foreign nations can use data brokers to collect sensitive information on government and military personnel creating national security risks. These and various other dangers make data brokerage a threat to democracy.
This brokered data is also used in various forms of discriminatory decision making that disproportionately harms marginalized groups. Tenant screening reports draw from these sources which are rife with inaccuracies and other problematic elements such as containing expunged criminal records. It can also be used for discriminatory advertising that allows advertisers to aim housing and job applications at specific racial or ethnic groups. This data is even used by political campaigns to target minority groups for malicious purposes such as voter suppression.
All of these potential harms give data brokers a chilling power over individuals, yet it is nearly impossible to get this information taken down. The vast majority of brokers claim some form of opt-out mechanism, but because they market to businesses and not consumers most people are unaware they exist. Even if a person does know that these companies are holding their information, there are thousands of data brokers all of whom have different opt-out processes.
There are some methods to automate this opt-out process, but in most instances they are of limited efficacy. According to data from Mine, a company that offers a free service for reclaiming user information, deletion requests were completed over 55 percent of the time across the past 3 months. This stands in stark contrast with the deletion requests sent to 9 major data brokers who collectively had a compliance rate of only 1.2 percent. These companies hold far more sensitive information on individuals than the average consumer-facing website Mine interacts with, yet even some of the largest data brokers are vastly less likely to comply with requests to be taken out of their systems. This makes removing your information from the data brokerage ecosystem essentially impossible.
Legal obligations are often no deterrent for these brokers either. Companies that process the data of individuals in the European Union, California, and various other countries have a legal requirement to respond to Data Subject Request’s (DSR). Failure to respond to these DSR’s can lead to significant monetary fines, yet a study by Consumer Reports containing 234 data brokers registered in California found a litany of violations. Even in the European Union where data privacy has often been at its strongest there is simply not enough resources or knowledge to force complete compliance.
One could argue that part of this disparity arises due to the automated nature of Mine’s deletion requests. If brokers have a specific link you have to visit to delete yourself from their collection they may not respond to an email request. And even if they do, they may require further proofs of identity before they acquiesce. Yet these hurdles are precisely the issue. Data brokers hold sensitive data on individuals. The process to remove this data should be as simple and easy as possible. Instead simply finding an opt-out method is difficult or impossible, and when one does they are often faced with numerous forms and identification requirements. At the end of this there is still no guarantee the request will be completed or that the data won’t be re-uploaded.
Data brokers have a fundamental disregard for user privacy. They hold sensitive information on individuals and their failure to remove it when requested makes addressing these risks even more critical. It is inexcusable that their compliance rates are so much lower than the average company and stronger regulation is vital to address this gap. Until laws on who data brokers can sell to and how to easily opt out of their data collection are put into place they will remain a threat to democracy.
*Mine has provided general research funding to the Duke University Sanford School of Public Policy Cyber Policy Program, but does not exercise any control over the content or conclusions of this research.