Some consumers see the tracking and selling of their data as being the price they pay for having free access to sites like Facebook. But the data brokers who buy this data are not always innocuous advertisers merely looking to better target their ads.
As Pam Dixon testified in front of the Senate Committee on Commerce, Science, and Transportation,
data brokers “will sell any information about any person, regardless of sensitivity, for 7.9 cents a name, which is the price of a list of rape sufferers which was recently sold.”
Individuals’ Medical Histories and Financial Habits Up for Sale
Data brokers are compiling and selling lists of what diseases people have (ranging from cancer to Alzheimer’s to clinical depression to bipolar disorder) and what medications people are taking. While health care providers and health insurers are highly restricted in what they can do with medical data, under the Health Insurance Portability and Accountability Act (HIPAA), data brokers face no such restrictions.
Data brokers are also selling lists of individuals who are late on payments to predatory loan companies and lists of “eager senior buyers” to pushy salesmen. As of 2014, there were between 3,500 and 4,000 data brokers buying or selling information.
FCC Rule Under Obama: ISPs Need Consent to Sell Data & Must Secure It
To stem the flow of consumer information without their consent, the Federal Communications Commissions (FCC), under President Obama, passed a privacy rule requiring Internet Service Providers (ISPs) to obtain consumers’ consent before selling their browsing data to third parties, such as data brokers or advertising companies.
The rule covered both wired internet providers (such as Comcast and Time Warner) and wireless internet providers (such as AT&T, Verizon, T-Mobile, and Sprint).
The FCC privacy rule also required that ISPs take “reasonable measures” to ensure that the data they collected on customers was secure from hackers.
Comcast, Other ISPs Successfully Lobby for Repeal
Almost immediately, ISPs began lobbying Congress to repeal the FCC rule. Comcast and other ISPs set up a new lobbying group, called “21st Century Privacy Coalition,” just to oppose the new FCC regulations.
The main argument against the FCC rule, advanced by the ISPs and their lobbyists, was that it was unfair for companies such as Facebook or Twitter to be able to sell customers’ browsing history, but not for ISPs to do so.
The FCC rule itself, however, provided a refutation to this argument in its final rulemaking, stating that “only three companies (Google, Facebook, and Twitter) have third party tracking capabilities across more than 10 percent of the top one million websites, and none of those have access to more than approximately 25 percent of web pages. In contrast, a[n] [internet service] provider sees 100 percent of a customer’s unencrypted Internet traffic.”
Data Privacy Under Trump: ISPs Can See 100% of What Consumers Do…
Under the Congressional Review Act of 1996 (CRA), Congress has the power to repeal rules created by government agencies. Once a rule is repealed under the CRA, the agency is prohibited from ever enacting the rule again.
After the 2016 election, the Republican-controlled Congress no longer faced a veto from President Obama, and passed legislation to repeal the FCC privacy rule. President Trump signed the repeal into law on April 3, 2017. As a result, the FCC privacy rule never went into effect and never will.
In essence, Google, Facebook, and Twitter can see only a fraction of what their users do on the most popular websites, whereas ISPs can see everything a consumer does on the internet, including even obscure websites that the consumer visits. Unless a consumer proactively does something to hide their internet traffic, such as using a Virtual Private Network (VPN) or Tor, ISPs can see 100 percent of what the consumer looks at and searches for on the internet.
…and Their Data Doesn’t Need to be Secured
Congress’s repeal of the FCC privacy rule not only has privacy implications, but also raises data security concerns. While it is concerning whenever customer information is stolen, it is particularly concerning if a hacker can gain access to millions of people’s entire browsing history by hacking an ISP’s network. The FCC rule would have required ISPs to take “reasonable measures” to protect customer data, ensuring that if ISPs were collecting browsing histories, at least the data was well protected. But Congress’s repeal of the FCC rule not only prevented the privacy provisions from going into effect, but also prevented the data security provisions from being implemented.
How to Protect Your Data
Unfortunately, with the repeal of the FCC rule, ISPs do not have to honor consumers’ implementation of do-not-track or private browsing in their browsers (such as Chrome, Safari, or Microsoft Edge).
Consumers can, however, hide their browsing data from their ISPs by using a VPN on their computers and smartphones. A VPN establishes a tunnel between a user’s computer and the VPN server. Traffic that travels along this tunnel cannot be seen by an outside party, including an internet service provider.
However, the VPN server could still keep a log of the user’s internet activity, which is why users should select a trustworthy VPN provider, which does not keep any logs of their browsing activity.
Some of PC Magazine’s top VPN services for 2017 are:
- IPVanish VPN
- Private Internet Access VPN
- KeepSolid VPN Unlimited
- Spotflux Premium VPN
The most trustworthy and easy-to-use VPN services often have a monthly subscription fee (typically around $10 a month).
Some data brokers also offer opt outs for consumers to remove their names and information from the broker’s database. However, it is not clear that the opt-out mechanisms actually provided by many data brokers provide any real “out.” Without regulation, consumers who try to opt out are at the whims of the data broker. There is no enforcement ensuring that consumers information is actually removed. And, in fact, some data brokers require consumers to submit even more information to them in order to “opt out.”
For example, Corelogic, one of the largest data brokers, requires consumers to submit their full name, current address, previous address, date of birth, and Social Security number in order to opt out. Some large data brokers, such as Intelius, require consumers to upload their driver’s licenses in order to opt out. One data broker charges a fee of $1,000 to opt out.
In contrast, opts out for more heavily regulated industries, such as telemarketers, are much smoother, with the advent of the Federal Trade Commission’s (FTC’s) Do Not Call Registry.
Massive Data Breaches on the Rise
Many large data breaches have occurred in just the last few years, including:
- Target (2013) (affecting 40 million customers)
- Yahoo (2013) (affecting 1 billion users)
- JPMorgan Chase (2014) (affecting 83 million customers)
- Yahoo (2014) (affecting 500 million users)
- Home Depot (2014) (affecting 50 million customers)
- Ashley Madison (2015) (affecting 36 million users)
- Anthem (2015) (affecting 80 million customers)
- Adult Friend Finder (2016) (affecting 412 million users)
- MySpace (2016) (affecting 360 million users)
Very large data breaches appear to be somewhat more common among online websites than for health insurers or banks because the latter two are required by HIPAA (for insurers) and the Gramm-Leach-Bliley Act (for banks) to implement reasonable security measures. Hopefully, even absent specific regulation, ISPs will adequately protect their customers’ data, including their browsing habits. If not, consumers’ only recourse may be the courts.
Leveraging the Law to Protect Privacy
With the FCC privacy rule gone for now, consumers are likely to turn to the courts, invoking state laws against unfair and deceptive business practices and common law privacy rights to protect their interests and to seek relief when their information is obtained or disclosed without their consent.
The law firm of Girard Gibbs LLP is an established leader in data breach and privacy litigation. Partners Daniel Girard and Eric Gibbs currently serve in court-appointed leadership roles in federal litigation concerning data breaches at the Office of Personnel Management, Anthem, and Sony, as well as internet privacy cases involving Vizio and Lenovo. Eric Gibbs achieved a landmark ruling in litigation against Adobe that makes it easier for consumers to seek relief in the wake of a breach. Members of the firm’s data breach and privacy team are frequently invited to speak at universities and conventions of the American Association for Justice, Consumer Attorneys of California, HarrisMartin, and others.
Girard Gibbs has been recognized as a Tier-1 law firm by U.S. News – Best Lawyers consecutively since 2013.
About Aaron Blumenthal
Aaron Blumenthal represents consumers in class action litigation involving data breaches and privacy violations, defective products, false advertising, whistleblower actions, and more.
Mr. Blumenthal was recently invited to speak at the Berkeley Center for Law and Technology about the future of data breach class actions, damages in privacy cases, and other topics.