Online Data Brokers and Fair Information Practices: Testimony to the California Assembly Select Committee on Privacy

Advocacy Testimony

Assembly Privacy Hearing: Online Data Brokers and Fair Information Practices


Thank you Chairman Chau of the Select Committee on Privacy … and members of the Committee for the opportunity to speak at this hearing on Online and Mobile App Ecosystems.  


My name is Beth Givens and I’m Director of the Privacy Rights Clearinghouse. We are nonprofit consumer advocacy organization based in San Diego. We were established 21 years ago before the Internet was prominent, and well before the arrival of smartphones. Individuals with questions and complaints about a wide variety of privacy issues contact us for assistance and troubleshooting.


The number one complaint going back several years is the online data broker industry. Other complaint topics also touch on the online world …   in particular social media, the posting of photos that individuals don’t want publicly displayed … also defamation online and the creation of imposter social media accounts… just to name a few.   


Just a few words about our online data broker complaints.  Data brokers are companies that compile information about people from public sources like property records and criminal records as well as from publicly available sources like social media. Online data brokers enable you to search by an individual’s name, but you also can also conduct reverse look-up searches by phone number, residential address, and email address.   


A typical complaint that we receive about online data brokers goes something  like this – usually in an angry voice : 


“I just did an online search on my name, just to see what’s out there about me.  I found several companies that provide my home address free of charge, and for a fee, will sell a profile with more information, kind of like a background check on me. How did they get this information?  How can I get off? I want to opt out of all them. I don’t want my information for sale.  Is there a place I can go to opt out of all at once?”   


And by the way, such complaints from law enforcement officers and victims of domestic violence and stalking are particularly heart-rending.


We tell these individuals that this industry is largely unregulated … That you cannot, generally, get a free copy of the information they have compiled about you, like you can with your 3 credit reports. … That it’s difficult to correct errors… We add that some of these data brokers offer opt-outs, but they don’t have to. It’s not required by law. And even if you opt out, the company could change its privacy policy tomorrow and decide it no longer offers an opt out.


The California Legislature is the only state, to the best of my knowledge, that has passed legislation giving certain individuals the right to opt out of data brokers websites. This is the law giving victims of domestic violence and stalking who are enrolled in the Secretary of State’s address confidentiality program the ability to send letters to search engines and online database companies demanding the removal of their personal information, including home address. 


Let me move on to a different topic, one that has been behind the scenes for much of today’s hearing. That topic is the Fair Information Practices, or FIPs. 


FIPs are the building blocks of strong privacy laws and policies, as well as the foundation of privacy-protective practices by companies, government agencies, healthcare institutions … essentially all organizations that collect, use, and share personal information responsibly.   The White Paper prepared for this hearing includes information about the Fair Information Practices. 


Here are the basic privacy Principles:


  • First, you have a right to know that records of information about you exist.  In some versions of the FIPs, this is called the Transparency Principle – or the Openness Principle.
  • You have a right of access to these records and initially, to have consented to the collection, use and dissemination of such records. This is usually called the Individual Participation Principle.
  • The entity compiling personal records should practice Purpose Specification – that is, revealing the purpose or purposes  up front for the intended use of your personal information.  
  • And related to the Purpose Specification Principle is the Data Minimization or Use Limitation Principle – which calls for the collection of only the personal data necessary to accomplish the stated purposes. This principle includes data retention, which is major part of effective privacy protection practices.
  • Data quality is an important principle – to ensure that the personal data is accurate, relevant, timely, and complete – with the related provision giving individuals the ability to correct erroneous data.
  • Another principle refers to Security of  the collection of personal information – and at a time when we learn of data breaches on a daily basis, this is particularly relevant today. As you know, California was the first state to require entities that experience data breaches of certain personal information – such as Social Security numbers, financial account information, and medical records – to notify the affected individuals about the breach so they can take steps to reduce their risk of harmful uses such as identity theft.
  • And finally, the Accountability Principle, demonstrating compliance with the principles.

You are probably saying to yourselves, “how quaint” some of these principles are. And yes, in this age of Big Data, the ubiquity of the Internet, and the far reach of surveillance technologies, many of these principles appear to hearken back to a different age.  And in fact they do. 


There are a number of variations on the FIPs, both here in the U.S. and in other countries, notably the European Union.


The first versions of the FIPs were developed in the U.S. in 1973 and 1974 – the passage of the federal Privacy Act of 1974. And at the same time, European nations, including Sweden and Germany passed national privacy laws, based on the FIPs. The OECD, an international body, adopted a set of FIPs, which the U.S. signed on to,  in 1980. And the European Union’s Data Privacy Directive – which was based on the FIPs -- was adopted in 1995.


Regarding today’s hearing … What is the relevance of the Fair Information Practices to the work of the Assembly Select Committee on Privacy, and more broadly, to the efforts by California Assemblymembers, Senators, and Committee chairs and members who are debating a significant number of privacy-related bills this year?


First, as I stated earlier, the FIPs form the foundation of strong privacy laws. I personally find the FIPs useful when I examine bills, for example – as a kind of checklist to determine both the strengths of the bill as well as identifying areas where such bills might be improved.


But, given the cutting edge topics that are at the heart of today’s hearing –those being Internet and mobile communications – do the FIPs continue to be relevant in what you have called  “The Brave New World”? 


My answer would be … “largely yes.” But it all depends on the details. A very weak form of the FIPs – simply notice and choice – was promoted for a number of years and can still be found as forming the basis of many company privacy policies today.


In closing, we at the Privacy Rights Clearinghouse believe that the over-arching principles of Transparency and Consumer Control over Personal Information together are at the heart of consumer privacy protection. The more robust versions of the Fair Information Practices -- when fully implemented in laws, policies and best practices – embody both Transparency and Control. They can go a long way toward giving individuals the tools they need to protect their privacy.  But … the implementation of such robust versions of FIPs, in my opinion,  is not the norm.


Thank you for the opportunity to participate in today’s hearing.