SecureRedact


When your health data isn’t private: a deep dive into the world of data brokers

Personal data has become a valuable commodity, and data brokers are at the centre of this evolving marketplace. These bodies collect, analyse, and sell our information - often without our knowledge or consent. 

The recent boom in this industry, as well as the increased digital footprint of the general public, raises significant concerns about how data brokers operate, especially when it involves sensitive health information.


Understanding data brokers

Data brokers play a pivotal role in the collection and analysis of data. These entities - including prominent names like Acxiom, Experian, and Equifax - harvest and dissect vast amounts of information from various sources, ranging from mobile apps to web browsing activities. 

They gather personal details, such as health conditions, location data, and ethnicity, from a myriad of sources without the explicit consent of individuals. This information is then packaged and sold to companies aiming to target specific demographics with tailored advertisements or products. 

The location data industry alone is worth approximately $12 billion, encompassing collectors, aggregators, and marketplaces dedicated to the trade of personal information.


The legal reckoning in the data broker industry 

The legal landscape surrounding data brokers is evolving and the lawsuits are beginning to pile up. 

The Federal Trade Commission (FTC) accused Kochava of compiling exhaustive health profiles of consumers, which could enable others to identify individuals and make them vulnerable to stigma, stalking, job loss, and physical violence. In this ongoing case, the FTC is seeking a permanent halt to Kochava’s collection of data and the deletion of collected geolocation information.

The FTC's action against X-Mode Social and Outlogic for selling sensitive location data marks a significant legal milestone—the first-ever settlement regarding the sale of sensitive location information. 

Reports have also surfaced that location data harvested by data brokers is used for a variety of controversial purposes, such as obtaining sensitive data on veterans and helping immigration officers bypass surveillance restrictions. 

In the wake of the Roe v. Wade judgement in 2022, there is heightened attention on data brokers’ collection of health and location data. In an Executive Order following the ruling, President Joe Biden emphasised the protection of reproductive health information.

These cases underline the urgent need for stricter oversight and regulation of data brokers. 


A spotlight on data privacy in the US 

While the data broker industry is not a new phenomenon, its expansion into the digital arena has significantly amplified privacy concerns. The modern data broker's ability to collect, analyse, and trade vast amounts of personal information is particularly concerning when sensitive information is at stake, because its misuse could lead to discrimination and social stigma.

In the United States, data brokers navigate a complex landscape of federal and state regulations, yet no single, comprehensive law directly targets their activities.

Instead, they are subject to various sector-specific and general privacy laws, such as the Fair Credit Reporting Act, the Children’s Online Privacy Protection Act, and state-level regulations like the California Consumer Privacy Act.

What about HIPAA? In this case, HIPAA is toothless, as its protections primarily apply to covered entities, e.g. healthcare providers. It does not extend to data brokers, who often collect health-related information from non-medical sources. This creates a regulatory gap, allowing data brokers to operate outside of HIPAA's restrictions on selling health data.

The absence of a unified federal regulation specifically designed for data brokers underscores the need for more tailored legislation that addresses the unique challenges and privacy concerns posed by the data brokerage industry.

As technology evolves, so too must our legal frameworks. 

The complexity of the data broker industry requires heightened individual awareness of digital footprints and the operations of data brokers. Legislators need to craft laws that are proactive, flexible and can adapt to future technologies, ensuring health information remains secure. 

Adopting privacy-enhancing methods, such as data anonymisation, can also be vital in safeguarding personal health data against unauthorised use. 


Take the lead: protect the sensitive health data you handle with Secure Redact today.