As internet usage has exploded over the years, consumers' personal data, online behavior, and locations are increasingly being tracked. But how safe is that personal information?
Businesses collect, use, and sell consumer data. But consumers may be unaware of how it's being collected and used and generally aren't able to stop its collection or verify its accuracy.
The U.S. doesn't have a comprehensive privacy law governing the collection, use, or sale of personal data. And existing federal consumer protection laws may not be enough. Our past reports include recommendations for consumer data collection and associated growing privacy risks.
Businesses collect, use, and sell consumer data for their commercial benefit, but consumers may be unaware of how their data are being collected and used. Consumers generally do not have the ability to stop the collection of their data, verify data accuracy, or maintain privacy.
The Big Picture
As technologies change, consumers may not always know what data businesses are collecting about them, or how those data are used and shared. Advanced, internet-connected technologies help businesses gather increasing amounts of personal data, track online behavior, and monitor consumers' locations and activities, intensifying concerns about the privacy and accuracy of consumer data.
Over the past decade, we have found that the increasing collection and use of personal information raises concerns related to consumer privacy and protection. Concerns also exist about adverse effects resulting from potential bias and a lack of transparency. The U.S. does not have a comprehensive privacy law governing the collection, use, and sale or other disclosure of consumers' personal data. Existing federal consumer protection laws may not apply to some newer uses of consumer data.
What GAO's Work Shows
1. Consumer Scores Pose Risks
Companies collect personal and transactional data to create consumer scores, which businesses and other entities—such as hospitals and universities—use to predict how consumers will behave in the future. These are separate and distinct from credit scores, which serve a different purpose. But the full range of consumer scores and their uses is unknown, creating a variety of potential risks:
- Biased outcomes. Bias in consumer scores can arise from using data that reflect biases or social inequities.
- Inaccurate scores. Inaccurate or out-of-date data can result in inaccurate or unreliable scores.
- Differential treatment. When businesses use scores to maximize their aims and treat consumers differently, some consumers may be treated unfairly.
No federal law expressly governs the creation, sale, and use of consumer scores, and gaps may remain in federal consumer protections.
We recommended that Congress consider ways to determine and implement appropriate consumer protections for consumer scores beyond existing federal laws, such as allowing consumers to view and correct data and to be informed of score uses and their potential effects.
[Figure: Key sectors where consumer scores are used]
2. Facial Recognition Technology Raises Consumer Privacy and Accuracy Concerns
Businesses can use facial recognition technology to verify or identify people and provide them with access to buildings or online accounts. They can also use the technology to authorize payments, identify shoplifters, and even monitor the spread of COVID-19.
[Figure: Functions of Facial Recognition Technology]
But consumers may be unaware of potential privacy and data security risks associated with this technology, such as loss of anonymity, lack of consent, and performance differences between demographic groups, which could lead to misidentification or profiling.
We recommended that Congress strengthen the federal consumer privacy framework to reflect changes in technology and the marketplace (a recommendation we had made previously in a 2013 report).
3. Additional Federal Authority over Internet Privacy Could Enhance Consumer Protection
In April 2018, Facebook disclosed that a Cambridge University researcher may have improperly shared the data of up to 87 million of its users with a political consulting firm. This disclosure followed other recent incidents involving the misuse of consumers' personal data from the internet, which is used by about three-quarters of Americans.
Yet we found that while the Federal Trade Commission has the lead in overseeing internet privacy across all industries, with some exceptions, there is no comprehensive U.S. internet privacy law governing private companies’ collection, use, or sale of internet users’ data, leaving consumers with limited assurance that their privacy will be protected.
We recommended that Congress consider comprehensive legislation on internet privacy that would enhance consumer protections and include the oversight authorities agencies should have.
Challenges and Opportunities
- Consumers are generally unaware of the risks to themselves and their data—such as biased outcomes—as technology changes rapidly. Gaps in federal oversight may leave consumers unprotected.
- Congress is considering legislation to provide consumers with additional data privacy rights and to create oversight mechanisms.
- By enacting comprehensive legislative changes, Congress can help address long-standing challenges and create a framework that will address changing risks.
More from GAO’s Portfolio
Consumer scores: GAO-22-104527
Facial recognition technology: GAO-20-522
Internet privacy: GAO-19-52
Information resellers: GAO-13-663
For more information about this Snapshot, contact: Alicia Puente Cackley, Director, Financial Markets and Community Investment, CackleyA@gao.gov, (202) 512-8678