Summary

The Data Brokers Project follows up on CIPPIC’s 2006 study of the Canadian Data Brokerage industry. Data brokers, companies “whose primary business involves the trading and analysis of personal information,” are intimately familiar with the personal information of Canadian consumers, but are poorly understood by many consumers themselves. This industry has seen radical changes in the last decade, and in this project we take a look back at these changes and the impact they have had on the shape, practices, and products of the data broker industry in Canada.

With this site, we hope to reach out and educate Canadians about this industry and on how their data is being used.

There are several parts to this project. There is the report, of course, which goes in depth into our findings (you can find our draft report here). We've compiled podcast episodes featuring industry experts discussing various aspects of the field, along with blog posts we've published over the years about the data brokers project. We also have an interactive map that will help visualize how Canadian personal information is being used.

Whether by reading short posts, listening to podcasts, following a visual map, or reading our full report, you’ll come away from this site with a fuller understanding of how your personal information is being collected and used.

Project ressources

CIPPIC Blog:

1-Welcome to CIPPIC’s website for the Data Brokers Project (2018)

2-Boots that Stalk: How Data Brokers Can Affect the Ads You See Online (2018)

3-Custom Audiences & Unintended Consequences: How Misused Data Products Can Hurt Democracy (2018)

4-“Please Wait While We Predict Your Value”: Data Brokers and Fairness (2018)

5-Data Breach Notifications Come to Canada, But More Required to Meet the Challenges Posed by Data Brokers (2018)

6-Data Broker Regulation: Change on the Horizon? (2018)

7-Change in the Air? ETHI’s PIPEDA Recommendations and More (2018)

8-The Equifax Breach – Background (2018)

9-The Equifax Breach – Possible Ways Forward (2018)

10-Data Brokers Profiles - Oracle Data Cloud, Oracle DLX (Datalogix), Bluekai (2018)

11-Data Brokers Profiles – Acxiom and LiveRamp (2019)

12-Statistics Canada’s participation in commercial data broker activities (2019)

13-Data-Driven Direct Marketing: Quality over Quantity (2019)

14-Does Canada Post sell personal information to third parties? (2019)

CIPPIC Podcast:

1-CIPPIC Podcasts: Introduction to the Data Brokers Project

2-CIPPIC Podcasts: What do data brokers do?

3-CIPPIC Podcasts: Data Brokers & Democracy

4-CIPPIC Podcasts: Equifax Breach

Data Brokers

Data brokers are peculiar businesses: their business is analyzing and trading in our personal information,yet they are practically unknown to the average Canadian. In 2006, CIPPIC undertook a detailed study of the Canadian data brokerage industry, and updated in in 2018. In this FAQ, we explain the basics of this evolving industry.

CIPPIC gratefully acknowledges the funding of the Contributions Program of the Officd of the Privacy Commissioner of Canada for this work.

Ressources

Canadian Law

The Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, http://laws-lois.justice.gc.ca/PDF/P-8.6.pdf

Regulatory Reports on Data Brokers

Research Group of the Office of the Privacy Commissioner of Canada, “Data Brokers, a Look at the Canadian and American Landscape,” September 2014, available at: https://www.priv.gc.ca/media/1778/db_201409_e.pdf – This report provides an overview of data brokers and their operations based on the Canadian and American privacy environments. It examines privacy regulation in Canada and how data brokers from other jurisdictions are required to comply with these requirements while conducting business within Canada. The report finds that it is uncertain whether data brokers based in other jurisdictions comply with or are aware of Canadian privacy laws. The report concludes that there is an ongoing need to make privacy compliance requirements known to both consumers and data brokers in order to help inform consumer practices and to support consumer control, trust, and transparency.

Federal Trade Commission, “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers,” March 2012, available at: http://ftc.gov/os/2012/03/120326privacyreport.pdf – This report describes three different categories of data brokers: entities subject to the FCRA; entities that maintain data for marketing purposes; and non-FCRA covered entities that maintain data for non-marketing purposes that fall outside of the FCRA. The report notes that while the FCRA addresses a number of critical transparency issues associated with companies that sell data for credit, employment, and insurance purposes, data brokers within the other two categories remain opaque. The Commission recommends legislation to improve transparency, and concludes that further examination is needed into the practices of data brokers. Specifically, the Commission calls on data brokers that compile data for marketing purposes to explore creating a centralized website where data brokers could (1) identify themselves to consumers and describe how they collect and use consumer data and (2) detail the access rights and other choices they provide with respect to the consumer data they maintain.

United States Committee on Commerce, Science, and Transportation, “A Review of the Data Broker Industry: Collection, Use, and Sale of Consumer Data for Marketing Purposes,” September 2013, available at: http://www.commerce.senate.gov/public/?a=Files.Serve&File_id=0d2b3642-6221-4888-a631-08f2f255b577 – This report is a summary of the U.S. Senate Committee on Commerce, Science and Transportation’s investigation into how data brokers collect, compile, and sell consumer information. The report finds that data brokers collect huge volumes of detailed information on hundreds of millions of consumers, that they sell products that identify financially vulnerable consumers, and that they provide information about consumer offline behaviors to tailor online outreach by marketers. The report concludes that data brokers that sell data for marketing purposes operate behind a veil of secrecy, with minimal transparency, and are subject to virtually no statutory consumer protections.

United States Government Accountability Office, “Information Resellers: Consumer Privacy Framework Needs to Reflect Changes in Technology and the Marketplace,” September 2013, available at http://www.gao.gov/products/GAO-13-663 – This report examines (1) existing federal laws relating to the privacy of consumer information held by information resellers, (2) any gaps that may exist in this legal framework, and (3) views on approaches for improving consumer data privacy. The report focuses on privacy issues related to consumer information used for marketing and for individual reference services and determines that no overarching federal privacy law governs the collection and sale of personal information among private-sector companies, including information resellers. Instead, the report finds that a variety of laws tailored to specific purposes, situations, or entities governs the use, sharing, and protection of personal information. The report concludes that congress should consider strengthening the consumer privacy framework to reflect the effects of changes in technology and the increased market for consumer information.

Federal Trade Commission, “Data Brokers: A Call for Transparency and Accountability,” May 2014, available at: http://www.ftc.gov/system/files/documents/reports/data-brokers-call-transparency-accountability-report-federal-tradecommission-may-2014/140527databrokerreport.pdf – This report is a result of a study of nine data brokers representing a broad cross-section of the industry. The Commission used the information obtained from the data brokers and from publicly available sources to prepare the report. The findings describe how data brokers collect consumer data from numerous sources, largely without consumers’ knowledge, how they collect and store billions of data elements, including some on nearly every U.S. consumer, and how they combine and analyze data about consumers to make potentially sensitive inferences. Finally, the report makes recommendations to enhance transparency and consumer control.

Reports on Data Brokers

CIPPIC, “On the Data Trail: How detailed information about you gets into the hands of organizations with whom you have no relationship” (2006) https://cippic.ca/sites/default/files/May1-06/DatabrokerReport.pdf

Wolfie Christl, Sarah Spiekermann, “Networks of Control: A Report on Corporate Surveillance, Digital Tracking, Big Data & Privacy” Cracked Labs (2016) http://crackedlabs.org/dl/Christl_Spiekermann_Networks_Of_Control.pdf

Wolfie Christl, “Corporate Surveillance in Everyday Life” Cracked Labs (2017) http://crackedlabs.org/en/corporate-surveillance

Wolfie Christl, “How Companies Use Personal Data Against People” Cracked Labs, (October 2017) http://crackedlabs.org/en/data-against-people

OECD, “Exploring the Economics of Personal Data: A Survey of Methodologies for Measuring Monetary Value”, OECD Digital Economy Papers, No. 220 (2013) http://dx.doi.org/10.1787/5k486qtxldmq-en

Aaron Rieke, Harlan Yu, David Robinson, and Joris von Hoboken, “Data Brokers in an Open Society”, Upturn (2016) https://www.opensocietyfoundations.org/sites/default/files/data-brokers-in-an-open-society-20161121.pdf

Academic Articles on Data Brokers

Tasha Glenn & Scott Monteith, “Privacy in the Digital World: Medical and Health Data Outside of HIPAA Protections,” Current psychiatry reports, 16 494 10.1007/s11920-014-0494-4, available at: https://www.researchgate.net/publication/265609084_Privacy_in_the_Digital_World_Medical_and_Health_Data_Outside_of_HIPAA_Protections – This article highlights how the rapidly expanding stores of data collected outside of HIPAA are encroaching on the traditional doctor patient relationship and eroding medical privacy. It explains how this could lead to a future in which data brokers have more detailed information about a patient than that directly disclosed to their physician, and why it is important to remember that the results of predictive models are not based on physician judgment or on a directly measured value, but are calculated values often by disciplines outside of medicine. Additionally, it points to the dangers of how the data brokers who sell predictive health models are not involved in patient care and have no training in medical ethics. The article concludes by calling for measures to increase awareness of the growth of medical and health data outside of HIPAA protection for both clinicians and patients.

Alexander Tsesis, “The right to Erasure: Privacy, Data Brokers, and the Indefinite Retention of Data,” 49 Wake Forest L. Rev. 433 (2014) – https://lawecommons.luc.edu/cgi/viewcontent.cgi?referer=https://www.google.ca/&httpsredir=1&article=1502&context=facpubs – This Article describes the many forms of data mining that organizations engage in to track online and offline behaviors and make far-reaching intrusions into personal lives. It focuses on how the practices are particularly pervasive on social media platforms, which market and trade personal profiles to third parties while presenting themselves as platforms for interpersonal communications. It then evaluates how internet use leaves personal data vulnerable to snooping and surveillance. Finally, it elaborates on European data regulations and compares them to current U.S. regulations. It explains how the European model provides significantly greater protections for privacy management than the U.S. model, and argues for the adoption of the EU’s right to erasure initiative and discusses the likelihood of its enforcement in the United States.

Huesch, Marco and Ong, Michael and Richman, Barak D., Could Data Broker Information Threaten Physician Prescribing and Professional Behavior? (June 2015). CESR-Schaeffer Working Paper No. 2015-009; Duke Law School Public Law & Legal Theory Series No. 2015-28. Available at SSRN: https://ssrn.com/abstract=2623186 – This article focuses on a study of physicians and big data which sampled of over 3,000 healthcare faculty and healthcare system staff at one university’s heath unit. It explores how data can be used without a physician’s knowledge to influence prescribing practices and other professional behaviour. The article describes how for around two thirds of the emails of physicians sampled, a rich set of information was available, identifying personal information spanning economic, family, interests and purchases data. It then highlights how this data could potentially be used by marketing teams who could duplicate the approach from the study to inform direct-to-physician marketing and identify susceptible segments of physicians. The article concludes by recommending greater clarity in what uses are being made of physician’s private transaction data, inferred purchase interests, and other potentially sensitive information.

Ashley Kuempel, “The Invisible Middlemen: A Critique and Call for Reform of the Data Broker Industry,” 36(2) Northwestern Journal of International Law & Business 207 (2016), available at https://scholarlycommons.law.northwestern.edu/njilb/vol36/iss1/4/ – This article explores the current data privacy framework in the U.S. and the privacy discrimination concerns it presents to consumers. It then explains why each of the legislative recommendations made by the FTC Report do not adequately protect American consumers, and demonstrates why certain provisions within the EU’s Data Directive should be used as a model for future U.S. data broker legislation. It concludes by offering solutions—that Congress should err on the side of overprotection by passing legislation in line with the Data Directive.

Lipman, Rebecca E., Online Privacy and the Invisible Market for Our Data (January 18, 2016). Penn State Law Review, 2016, Available at SSRN: https://ssrn.com/abstract=2717581 – This article focuses on the commercial use of individuals’ data. It describes how the current system of buying and selling individuals’ data is problematic, and explores various laws and agencies that are active in this area of privacy law. It then proposes a new, mandatory notice and choice regime to empower individuals and to pressure companies to take greater responsibility for what they do with their customers’ data.

Sharona Hoffman, “Big Data and the Americans with Disabilities Act” (September 20, 2016). Hastings Law Journal, Case Legal Studies Research Paper No. 2016-33. Available at SSRN: https://ssrn.com/abstract=2841431 – This article focuses on health-related big data in the employment arena, specifically looking at how, based on big data analysis, individuals may not receive a job offer. It describes the incentives employers may have to exclude employees based on their health, including high health insurance costs, and the need for productive workers. It then explains why the Americans with Disabilities Act provides insufficient anti-discrimination protections, and offers two solutions to this issue. First, the ADA must be amended to prohibit discrimination based on an employer’s belief that an individual is likely to develop a physical or mental impairment in the future. Second, the law must require employers to disclose in writing to applicants and employees any practices other than medical exams and direct medical inquiries by which they seek health-related information, including predictive data. The article concludes that the best way to protect data subjects is to regulate the ways in which information can be used, and that a well-tailored means to address concerns about big data is to prohibit their use for discriminatory purposes.

Theodore Rostow, “What Happens When an Acquaintance Buys Your Data?: A New Privacy Harm in the Age of Data Brokers” (Updated March 16, 2017). Yale Journal on Regulation, Vol. 34, No. 2, 2016. Available at SSRN: https://ssrn.com/abstract=2870044 – This article argues that the creation of a market for individuals to buy data on their peers enables a new privacy harm: “relational control.” Relational control occurs when individuals acquire the private, covertly purchased data of those in their social or professional networks. This allows them to exert meaningful influence over the decisions of those around them and leads to potential harms unrecognized by privacy scholarship to date. The article explains why the threat of relational control is likely to grow, and assesses why legal interventions that scholars have proposed to the commercial privacy problem will fail to remedy the vulnerability of consumers to relational control. The article then offers possible paths for reducing the likelihood of relational control, and proposes a number of doctrinal shifts in existing privacy law that may reduce consumer exposure to the threat of relational control.