The Senate Banking, Housing, and Urban Affairs Committee held a hearing today to discuss the impact of data brokers on financial data privacy, credit, insurance, employment, and housing.
Chairman Mike Crapo, D-Idaho, said he is concerned about data collection by both government agencies and private companies. He called it “troubling” that the vast number of Americans do not know how their data is being collected or used. Crapo referenced a 2013 Government Accountability Office (GAO) report which said the Consumer Privacy Framework fails to “fully address new technologies and the growing marketplace for personal information.” Crapo called attention to the fact that five years after the report, the Framework hasn’t been updated to incorporate the GAO’s recommendations.
During his opening remarks, Ranking Member Sherrod Brown, D-Ohio, described this issue as “bipartisan” and said the Senate needed to further address the “shadow industry” of data brokers to ensure consumer data privacy is protected.
The committee heard from Alicia Cackley, director of Financial Markets and Community Investment at the GAO, and Pam Dixon, executive director of the World Privacy Forum.
Cackley, who helped write the GAO report Crapo referenced in his opening statement, called for Congress to implement the GAO’s 2013 recommendations. She also referenced the GAO’s 2015 High-Risk Report, where the GAO expanded its cybersecurity area of concern to include the protection of personally identifiable information. “We also conducted more recent work in the consumer privacy area on facial recognition technology, financial technology, internet privacy, and consumer data protection,” she explained. “In our 2019 High-Risk Report, we reiterated our recommendation that Congress consider what additional actions are needed to protect consumer privacy.”
In terms of existing legislation governing data brokers and protection of consumer data, Cackley explained, “As we reported in 2013 and as continues to be the case, no overarching Federal privacy law governs the collection, use, and sale of personal information among private-sector companies, including information resellers.” She added that there are also “no Federal laws designed specifically to address all the products sold and information maintained by information resellers. Federal laws addressing privacy issues in the private sector are generally narrowly tailored to specific purposes, situations, types of information, or sectors or entities – such as data related to financial transactions, personal health, and eligibility for credit.”
Dixon focused both her testimony and her answers to the Senators’ questions on four primary ideas and offered two potential solutions. During her testimony, Dixon highlighted the rise of a new type of credit score and prediction algorithms. “Credit scores have been joined by literally thousands of new, unregulated predictive scores ranging from financial scores – consumer lifetime value scores – to health scores – frailty scores – to educational scores – College Board’s ‘adversity score,’” she explained. “[W]hen prediction is applied to individuals and groups and is used without appropriate guardrails, the predicting and scoring of Americans’ preferences, skills, and imagined future can introduce meaningful harms to individuals, groups, and institutions.” She further explained that these new credit scores and predictions that are currently being sold are not regulated by the Fair Credit Reporting Act (FCRA). Second, the modern technology environment is “facilitating more scores being used in more places in consumers’ lives, and not all uses are positive.” Additionally, she alleged that the credit scores are created without “due process” for consumers and the scores can cause consumers “exceptional harm.”
In terms of solutions, Dixon said that Congress needs to expand the FCRA to “regulate currently unregulated financial scores that affect consumers.” Specifically, she said Congress needs to call on companies to “immediately make consumers’ unregulated credit scores available to them,” as well as close the loopholes in the FCRA that allow for these new scores to go unregulated. She also said Congress needs to “launch a study commission to analyze and determine what new areas of eligibility need to be considered as falling under the FCRA.” Additionally, Dixon said Congress must enact a “standards law that will provide due process and fair standard setting in the area of privacy.” “By doing these things,” Dixon said, “Congress will protect consumers and allow them to act to fill in gaps where privacy harms are occurring, along with other stakeholders.” She shared draft legislation the World Privacy Forum has prepared to create a “voluntary consensus standard” to regulate the industry.