Privacy Protection Through Regulation | Part 1
Jul 17, 2023
Background: In early 2023, we started preparing a public opinion on data rights and regulation for the Consumer Financial Protection Bureau (CFPB). Over the last few months, we've shared an overview of the CFPB's Request for Information (RFI), our perspective on the industry, and a few high level predictions.
For our final response, we summarized hundreds of pieces of feedback from our members who support stricter regulation on a harmful and creepy industry. We also summarized our data from sending millions of removal request and escalations to hundreds of data brokers. We shared our final response and a few recommendations with the CFPB publicly before the extended July 2023 deadline. In addition to the CFPB, we want to share our response and perspective on regulation with you.
Part 1 | Privacy Protection Through Regulating Consumer Reporting Organizations
The earliest version of consumer reporting was a local businessman asking your neighbors, “does this person pay you back?” People vouched for one another according to social norms. Now, instead of the local businessman and our neighbors, we deal with faceless corporations profiting from data about our lives. Thousands of records about voting history, salary data, social media behavior, credit, employment, education, medical history, and criminal accusations are sucked up from the internet and crafted into detailed profiles.
Some businesses use personal information for good: to more efficiently expand access to financial products and resources. But in this massive data ecosystem, it’s easy to make mistakes. A data broker might associate Bob Smith’s criminal records with another Bob Smith’s profile. Even though this association is harmful, there are no social norms holding them accountable. Instead beefy consumer profiles are in high demand for ad targeting or risk evaluation: more data = more money, less data = less money. Companies are incentivized to fight any request that challenges their data. And there is little consequence for ignoring consumer requests, even as complaints to the FTC, FBI, state attorney generals, and CFPB grow.
“It’s a real battle. I have sent multiple emails to various personal info sites and it seems that it is never ending. Government regulation should offer citizens the opportunity to opt out their personal info without having to repeat the process multiple times. It is exhausting.”
Kanary Member, 2023
At Kanary, we are a team of technologists, not lawyers or lobbyists. We believe collaboration with regulators is a win-win for consumers and legislators. We want to highlight three recommendations based on our work empowering consumers against data brokers.
Update the definition of “consumer reporting” to apply to a broader list of companies.
Provide consumers with updates about violations.
Monitor the impact of penalties - are they correcting behavior over time?
Source: Consumer Complaint Database - Complaints against Experian since 2012
These recommendations come from years of work in this industry, summarized in two sections.
Challenges we face working with consumer reporting companies.
Member testimonials of the damage caused by these systems.
We hope to establish paths to providing technology and data that enforce violations going forward.
Background on Kanary
Kanary detects, evaluates, and removes unwanted consumer data. Our membership of over 5,000 people and organizations trust us to help them be safer online. We are thorough in our work, but in the digital age we face a harsh reality: if information is leaked online, anyone can access it. With the help of Kanary, members save time contacting sites, filling out forms, getting past blockers, and verifying compliance. When a site resurfaces data, we play whack-a-mole on our members’ behalf, tracking repeat offenders and filing requests.
Recommendations For The CFPB
We recommend the CFPB evaluate three areas of the FCRA.
Definitions. Expand the definition of a consumer reporting organization. Include those selling, sharing, posting, or advertising alongside data that targets lists of individuals.
Enforcement. Increase frequency of enforcement and connect this data to the complaints database. Alleviating consumer skepticism about the impact of regulation is critical. For example, in the last month alone, over 25k complaints have been filed against Experian, yet 2017 was the most recent enforcement against Experian.
Tracking. Track complaints after violations to ensure penalties are severe enough to correct behavior in the long run.
Based on our operations across hundreds of companies, we believe further enforcement and tracking should follow a decentralized model with top-down federal guidance. While a centralized registry like the Do Not Call List may seem like the solution, there are gaps and histories of abuse. Centralized data broker registry lists grow stale quickly because they are a nuisance to reference and maintain. A distributed system might start with empowering consumers to seal data at the source. This might start with tools for consumers to work with county-clerks to better manage public records, then connect these ground-level complaints to larger penalties.
What's Next After The Request For Information?
Kanary believes our data about violations and sites compliance can be invaluable as the CFPB scales enforcement of existing FCRA violation. We expect to see them working with individuals and companies like Kanary to take the following next steps:
Track progress and flag ongoing violations to help consumers understand which enforcement is most impactful.