A Federal Trade Commission order for commercial data miners to disclose information about how they obtain and use consumers' information likely will expose a dark market in health-related information, a leading privacy advocate says.
As laid out in a 15-page disclosure order
, the FTC seeks details about "the nature and sources of the consumer information the data brokers collect; how they use, maintain and disseminate the information; and the extent to which the data brokers allow consumers to access and correct their information or to opt out of having their personal information sold," according to an FTC news release
. The FTC will use information gathered in response to the request "to make recommendations on whether and how the data broker industry could improve its privacy practices."
This under-the-radar health information market is "where the Wild West is," said Pam Dixon, founder of the San Diego-based not-for-profit World Privacy Forum. "It's completely unregulated, and that's where the real risk to consumers is today. People with diseases and ailments and conditions, mental illness, obesity, sometimes specific medical diagnosis are in these lists" sold by data brokers, she said.
None of the nine data brokers targeted by the FTC order markets exclusively to healthcare organizations, though Acxiom, for example, has offered healthcare data services
as well as consulting services to leaders of a controversial national security surveillance program designed to use medical records as data sources. Besides Acxiom, the other data miners that received the FTC's order are Recorded Future, ID Analytics, CoreLogic, Datalogix, eBureau, Intelius, Peekyou and Rapleaf.
Two years ago, the FTC staked out a potentially broader role for individual consent in the use and disclosure of personal information, particularly more sensitive healthcare information, when it issued a report on its privacy agenda for commercial data brokers
The FTC staff found that "certain types of sensitive information"—including medical and financial information, precise geolocation and information about children—warrant special protection, and that "companies should seek affirmative express consent" before collecting, using and sharing it.
Retention of geolocation data—available from cellphone records but not HIPAA-protected—could be used to build consumer profiles, and that "raises important privacy concerns," according to the 2010 FTC report. "For instance, the retention of location information about a consumer's visits to a doctor's office or hospital over time could reveal something about that consumer's health that would otherwise be private.”
The FTC's decision to use such an order for compulsory provision of information "is very rare for the FTC," Dixon said. "They have haven't used this power in a long time," she said, adding: "This is a really good day for consumers. We need answers about data brokers. They've been lurking in the shadows and this will help bring them out."