Digital trust and data broker practices

Why are regulators so focused on location data and location data brokers? Location data allows joinability attacks on (inadequately) de-identified and anonymized data sets. This means that the public availability of granular location data enables the re-identification of TONS of other sensitive data sets. Here's an example: In 2015, researchers studied how easily a person could be re-identified using only their credit card transactions. They showed that using just four credit card transactions, they could re-identify 90% of cardholders. Traditional data masking techniques didn't offer significant additional user privacy. 🤯🤯🤯🤯🤯🤯🤯🤯🤯🤯🤯🤯 Location data was the critical attack vector for this re-identification attack. Because credit card transactions are tied to physical retail locations, they provide timestamped location history for each cardholder. By cross-referencing this location history with data from commercial location data brokers, you can join "de-identified" cardholders to identifiable users in the commercial data sets. And as more and more of our daily activity happens online, the same pattern works with commercially available web browsing data ("digital location"). When you view location data and web browsing data as an attack vector against other data sets -- especially combined with pseudonymous identities that can be joined to advertising platforms -- it makes MUCH more sense why we've seen the FTC target physical and digital location data brokers in recent enforcement actions!

Yesterday, the Consumer Financial Protection Bureau proposed a rule that would include data brokers as "consumer reporting agencies" under the Fair Credit Reporting Act (FCRA) when they sell certain sensitive consumer information (e.g., credit history, credit score, debt payments (including on non-credit obligations), or income). The proposed rule would significantly limit the ability of data brokers to sell sensitive contact information that could be used to target, harass, or dox individuals seeking #privacy protection, including domestic violence survivors, and would require them to comply with accuracy requirements, provide consumers access to their information, and maintain safeguards against misuse. Here is a link to the fact sheet for the proposed rule: https://lnkd.in/ek7jcW-y.

NEW for The Drum: Today, two US federal agencies – the Federal Trade Commission and the Consumer Financial Protection Bureau – are cracking down on data brokering, aiming to protect Americans' sensitive information from being shared without their consent. The FTC on Tuesday settled landmark cases against Mobilewalla and Gravy Analytics for unlawfully selling location data, while the CFPB proposed a new rule that would put data brokers under stricter federal oversight and limit their ability to sell sensitive personal data like phone numbers and Social Security numbers. Should the CFPB's proposal be adopted, advertisers' access to third-party data would be restricted, resulting in disruptions to audience segmentation and ad targeting. Luckily, many adland stakeholders have already read the writing on the wall and are shifting away from third-party data strategies, opting instead for first-party approaches and contextual targeting. Get the full story here, with commentary from Check My Ads Institute's Arielle Garcia, Compliant's Jamie Barnard and Monks' Michael Cross: #advertising #adland #adtech #digitalads #data #dataprivacy #dataprotection #privacy #databrokering #databroker #media #digitalmedia #compliance #gdpr #privacylaw #regulation #privacyregulation #tech #technews #privacynews