The public generally blames obscure, faceless and nameless online hackers for breaching online accounts and distributing personal data. However, these small-time criminals are barely making a dent in the unauthorized access and dissemination of personal consumer information. The biggest threat to consumer privacy is not rogue hackers and seedy, scam artists, but legitimate companies on the Dow Jones, NASDAQ, and Standard & Poor’s indices.
From Internet providers to credit card companies, from banks to mortgage and insurance companies, Fortune 500 companies are collecting, buying, selling and sharing consumer information at a dizzying rate.
According to an article in the New York Times, Acxiom Corporation, a data broker in Little Rock, Ark., has the world’s largest database of information, tracking more than 500 million consumers worldwide. With 23,000 servers, it collects such consumer information as education level, age, sex, race, height and weight, in addition to marital and political status and buying habits.
Acxiom sells this information to a diverse list of clients, which include Toyota, Ford, Macy’s, Wells Fargo and E*Trade. And apparently, there’s money to be made in the selling of consumer information: The company reported sales of $1.13 billion in 2011.
And while Acxiom stands out for being the largest and most prosperous data broker, the company is far from being the only organization that profits from selling online consumer data. On December 18, 2012, the Federal Trade Commission (FTC) issued orders to Acxiom and eight other data brokers (Corelogic, Datalogix, eBureau, ID Analytics, Intelius, Peekyou, Rapleaf and Recorded Future), asking them to provide information regarding how they collect and use consumer data, and the extent to which consumers have the option to view their own data or choose against having it sold.
However, the FTC only requested the information so that it could analyze the industry’s privacy practices and make recommendations. That’s the limit of the Commission’s powers, as the FTC states, “There are no current laws requiring data brokers to maintain the privacy of consumer data unless they use that data for credit, employment, insurance, housing or other similar purposes.”
And while data brokers like Acxiom can presumably skirt the law since their data collection does not meet the stipulations for legal prosecution, some companies have actually violated specific parts of the law and have been prosecuted for their actions.
In October 2012, Equifax, one of the largest credit reporting agencies in the country, paid $1.6 million to settle a case brought by the FTC. Between 2008 and 2010, Equifax sold 17,000 prescreened lists of consumers who were late on their mortgage payments to third-party companies. Those third-party companies then marketed loan modification and debt relief services to these consumers. One of the companies, Direct Lending Source, resold the data to fraudulent companies that secured large upfront fees for loans that were never modified.
But Equifax was not alone. Last year, the FTC also went after the two biggest Internet juggernauts. In August 2012, Google agreed to pay $22.5 million, the largest FTC fine in history, and the first ever fine for violating its Internet privacy order. Google bypassed or overrode the privacy settings on Apple’s Safari browser on iPhones and iPads. As a result, even if users blocked tracking features, Google’s cookies– small files stored on the computer that allow the company to keep a record of browsing history - allowed the company to monitor their movements without their knowledge and against their consent.
The same week, the FTC reached a settlement with Facebook. Although no fine was levied, the company agreed to 20 years of FTC privacy audits in response to charges that it promised its users privacy, then allowed their data to be used and shared without their permission. In this instance, the FTC could not impose a fine because it was making an agreement; the Commission can only fine companies for breaking agreements. Facebook also agreed to give consumers “clear and prominent notice” and to “obtain their express consent before sharing information beyond their privacy settings.”
Facebook’s notoriously deceptive privacy issues led Scholars and Rogues, an unconventional political blog, to crown the company “the most congenitally dishonest company in America.” This title is based, in part, on the fact that whenever the company adds new features – which is quite often – the settings change; and in particular, the privacy settings default to allowed status. In addition, all Facebook users are automatically assigned a Facebook email account, and frequently the user’s preferred address is hidden and replaced with the Facebook email address.
But even if consumers close their Facebook accounts and vow to never perform another Google search, they’re not taking significant steps to protect their privacy – unless they keep their money hidden in a mattress and pay cash for all of their transactions. Otherwise, they’re subject to banks and credit card companies that also collect and sell personal data. Wells Fargo, Citi and Discover are just three of the financial institutions poised to share almost a billion dollars this year by selling consumer shopping data.
Banks compile customer information – where they shop, what they buy, and how much they spend – and then send targeted “deals” from retailers to the consumers who fit the retailer’s profile. According to CNN, if the consumer decides to cash in on the deal, the issuing bank can receive 10 percent to 15 percent of the purchase price of the product.
In most of these instances, there are no legal implications. But what are the ethical issues of major companies collecting and selling consumer information for profit, especially since it is usually done without the consumer’s knowledge or consent?
There are obvious privacy and security issues, since this information can include everything from names, addressees and phone numbers to credit card numbers and other financial information.
Do companies have an ethical obligation to protect the sensitive data of their clients and customers? In the case of Equifax, shouldn’t the company at least investigate the organizations that they are selling data to? And shouldn’t consumers have the right to decline having their information sold?
Some people may consider Internet tracking and targeted marketing harmless. But Beth Given, in her article, Internet Privacy: A Contradiction in Terms?, lists several potentially detrimental scenarios, including targeting economically distressed people with payday loans, children who lack the mature judgment of (most) adults, marketing bogus cures to those with serious medication problems, and engaging in discriminatory marketing. Discriminatory pricing means that some consumers are offered products and services at higher prices than others.
Echoing the last sentiment, Congressman Edward Markey of Massachusetts, co-chairman of the House Bipartisan Congressional Privacy Caucus, is also concerned that consumers may be categorized as desirable or undesirable without their informed consent. He has also expressed concern over the vulnerability of children being tracked and targeted.
Perhaps the most insidious tactics include the “evercookies,” or “supercookies” that are stored on a user’s computer and are almost impossible to delete, since they are stored in numerous locations. As a result, even after performing a thorough cleaning, just one missed cookie can repopulate the other locations.
While there’s no ethical gray area regarding evercookies and supercookies, since they are designed to avoid detection, and subsequently, deletion, the pros and cons of collecting and selling consumer data for a profit are hotly debated by marketers and online privacy groups.
What cannot be debated is the right of consumers to control their privacy. And an online environment shouldn’t change that fact. If a data broker opened a consumer’s physical mailbox and sifted through the contents, there would be no question that this behavior was out of line. Likewise, if a broker somehow tapped into a phone line and listened to a private conversation to help “understand the consumer’s habits,” this would also be unacceptable.
The same rules should apply in a digital environment. However, as a wise, anonymous Internet observer once noted, “If you’re not paying for it, you’re not the customer; you’re the product being sold.”