Personal Information, Private Companies
The recent Congressional hearings on Facebook have highlighted the ways that companies collect and use personal information for marketing purposes. So, what rights do you have to your own information?
Our 2013 report on information resellers remains relevant today.
Information Resellers
Information resellers—sometimes called data brokers—collect your information from public sources (e.g., property records), publicly available information (e.g., telephone directories), and private sources (e.g., certain businesses or websites). They then aggregate this information and sell it. Resellers can include companies like credit bureaus, as well as marketing agencies.
The consumer information that each reseller maintains and sells varies. This information can include names, addresses, family members, neighbors, credit histories, motor vehicle records, insurance claims, criminal records, employment histories, incomes, ethnicities, purchase histories, interests, and hobbies.
Marketing lists held by some information resellers can get very specific—for example, we noted there were lists of individuals with an interest in topics such as astrology, boating, cats, science fiction, baking, country music, or motorcycles, or an interest in specific ailments such as back pain, erectile dysfunction, clinical depression, or prostate problems.
What privacy protections does federal law provide?
There is no overarching federal privacy law that covers the collection and sale of your personal information among private-sector companies. There are also no federal laws designed specifically to address all the products sold and information maintained by information resellers.
Instead, the federal privacy framework is made up of a set of narrowly tailored laws that apply to specific purposes, in certain situations, or to certain sectors or entities. For example, the Fair Credit Reporting Act has rules about how information in your credit report can be shared—but it doesn’t apply to information used for marketing. Another example is the Health Insurance Portability and Accountability Act, which has rules about how your health information can be used and disclosed.
Old laws, new tech
We found that the current privacy framework doesn’t reflect new technology and marketing practices. We recommended that Congress think about strengthening the current framework with regard to things like:
- Consumers' ability to access, correct, and control their personal information
- The need for additional controls on the types of personal or sensitive information that may or may not be collected and shared
- Potential changes to permitted sources and methods for data collection
- Privacy controls related to new technologies like web tracking and mobile devices
However, Congress has yet to act on our recommendations. To learn more, check out our full report.
You can also read our other reports on commercial privacy issues related to students, the internet of things, smartphone tracking applications, facial recognition technology, and connected vehicles, as well as our blog post on financial technology.
- Comments on GAO’s WatchBlog? Contact blog@gao.gov.
GAO Contacts
Related Products
GAO's mission is to provide Congress with fact-based, nonpartisan information that can help improve federal government performance and ensure accountability for the benefit of the American people. GAO launched its WatchBlog in January, 2014, as part of its continuing effort to reach its audiences—Congress and the American people—where they are currently looking for information.
The blog format allows GAO to provide a little more context about its work than it can offer on its other social media platforms. Posts will tie GAO work to current events and the news; show how GAO’s work is affecting agencies or legislation; highlight reports, testimonies, and issue areas where GAO does work; and provide information about GAO itself, among other things.
Please send any feedback on GAO's WatchBlog to blog@gao.gov.