Information Resellers:

Consumer Privacy Framework Needs to Reflect Changes in Technology and the Marketplace

GAO-13-663: Published: Sep 25, 2013. Publicly Released: Nov 15, 2013.

Contact:

Alicia P. Cackley
(202) 512-8678
cackleya@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

No overarching federal privacy law governs the collection and sale of personal information among private-sector companies, including information resellers. Instead, a variety of laws tailored to specific purposes, situations, or entities governs the use, sharing, and protection of personal information. For example, the Fair Credit Reporting Act limits the use and distribution of personal information collected or used to help determine eligibility for such things as credit or employment, but does not apply to information used for marketing. Other laws apply specifically to health care providers, financial institutions, videotape service providers, or to the online collection of information about children.

The current statutory framework for consumer privacy does not fully address new technologies--such as the tracking of online behavior or mobile devices--and the vastly increased marketplace for personal information, including the proliferation of information sharing among third parties. With regard to data used for marketing, no federal statute provides consumers the right to learn what information is held about them and who holds it. In many circumstances, consumers also do not have the legal right to control the collection or sharing with third parties of sensitive personal information (such as their shopping habits and health interests) for marketing purposes. As a result, although some industry participants have stated that current privacy laws are adequate--particularly in light of self-regulatory measures under way--GAO found that gaps exist in the current statutory framework for privacy and that the framework does not fully reflect the Fair Information Practice Principles, widely accepted principles for protecting the privacy and security of personal information that have served as a basis for many of the privacy recommendations federal agencies have made.

Views differ on the approach that any new privacy legislation or regulation should take. Some privacy advocates generally have argued that a comprehensive overarching privacy law would provide greater consistency and address gaps in law left by the current sector-specific approach. Other stakeholders have stated that a comprehensive, one-size-fits-all approach to privacy would be burdensome and inflexible. In addition, some privacy advocates have cited the need for legislation that would provide consumers with greater ability to access, control the use of, and correct information about them, particularly with respect to data used for purposes other than those for which they originally were provided. At the same time, industry representatives have asserted that restrictions on the collection and use of personal data would impose compliance costs, inhibit innovation and efficiency, and reduce consumer benefits, such as more relevant advertising and beneficial products and services. Nonetheless, the rapid increase in the amount and type of personal information that is collected and resold warrants reconsideration of how well the current privacy framework protects personal information. The challenge will be providing appropriate privacy protections without unduly inhibiting the benefits to consumers, commerce, and innovation that data sharing can accord.

Why GAO Did This Study

In recent years, information resellers--companies that collect and resell information on individuals--dramatically increased the collection and sharing of personal data for marketing purposes, raising privacy concerns among some in Congress. Recent growth in the use of social media, mobile applications, and other technologies intensified these concerns. GAO was asked to examine privacy issues and information resellers. This report addresses (1) privacy laws applicable to consumer information held by resellers, (2) gaps in the law that may exist, and (3) views on approaches for improving consumer data privacy.

To address these objectives, GAO analyzed laws, studies, and other documents, and interviewed representatives of federal agencies, the reseller and marketing industries, consumer and privacy groups, and others. GAO focused primarily on consumer information used for marketing purposes.

What GAO Recommends

Congress should consider strengthening the consumer privacy framework to reflect the effects of changes in technology and the increased market for consumer information. Any changes should seek to provide consumers with appropriate privacy protections without unduly inhibiting commerce and innovation. The Department of Commerce agreed that strengthened privacy protections could better protect consumers and support innovation.

For more information, contact Alicia Puente Cackley at (202) 512-8678 or cackleya@gao.gov.

Status Legend:

  • Review Pending: GAO has not yet assessed implementation status.
  • Open: Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed - implemented: Actions that satisfy the intent of the recommendation have been taken.
  • Closed - not implemented: While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.

    Matter for Congressional Consideration

    Matter: Congress should consider strengthening the current consumer privacy framework to reflect the effects of changes in technology and the marketplace--particularly in relation to consumer data used for marketing purposes--while also ensuring that any limitations on data collection and sharing do not unduly inhibit the economic and other benefits to industry and consumers that data sharing can accord. Among the issues that should be considered are: (1) the adequacy of consumers' ability to access, correct, and control their personal information in circumstances beyond those currently accorded under FCRA; (2) whether there should be additional controls on the types of personal or sensitive information that may or may not be collected and shared; (3) changes needed, if any, in the permitted sources and methods for data collection; and (4) privacy controls related to new technologies, such as web tracking and mobile devices.

    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
