Information Privacy


Protecting consumer privacy has become increasingly challenging. Rapidly changing technology allows companies to collect, store, analyze, and share vast amounts of data about consumers. This provides opportunities to use data for a wide range of purposes. Although many of these purposes are beneficial to consumers, they can also raise privacy concerns.

In 2012, the Federal Trade Commission released a privacy framework that provided a list of best practices that it recommends businesses adopt to provide consumers with greater control over their online and offline information privacy. These best practices are designed to update the Fair Information Practice Principles first developed some 40 years ago. The framework’s key principles are:

  • Privacy by design—privacy should be built into every stage of product development;
  • Simplified choice—consumers should be able to make privacy choices about their data at a relevant time and in a specific context. Data use inconsistent with the original context of collection requires separate disclosures to consumers at a relevant time and outside the general privacy policy; and
  • Greater transparency—practices regarding information collection and use should be more transparent. Privacy statements should be clearer, shorter, and more standardized. This will allow for better comprehension and comparison of privacy practices. General statements buried in privacy policies are not sufficient.

The Federal Trade Commission has called on Congress to pass legislation that provides baseline privacy protections for consumers. Such legislation would allow for civil penalties and other remedies. It would provide companies with an incentive to meet their data privacy obligations.

An area of concern is data broker companies. They collect, collate, analyze, and sell information about consumers’ online and offline behavior. Such companies often collect information about financial, retail, and recreational activities to create profiles of individual consumers. Unlike consumer reporting agencies, data brokers are not required to provide consumers with access to the information they have collected about them. As a result, most consumers are unaware that data brokers exist and do not know what kind of information is being sold to other companies.

Another area of concern is the tracking of consumers’ online browsing habits. Information about a consumer’s online activities can be collected, analyzed, shared, and sold without the consumer’s knowledge.

One recent positive development is the General Data Protection Regulation (GDPR), which went into effect in 2018. This is a European Union (EU) regulation that has worldwide reach. It requires companies that handle data from any EU citizen to obtain affirmative consent from all users, even those outside the EU, before they can track certain data. GDPR also gives EU residents the right to request their data from companies and ask for certain information to be deleted or corrected if it is inaccurate. GDPR’s penalties are severe. Companies that violate it face fines of the greater of 20 million euros or 4 percent of their global revenue. Therefore, some companies choose not to make their websites available in the EU.

Social networking is an extremely popular way for friends and relatives to stay in contact with one another. However, some individuals make detailed personal information available through social networking sites. This raises potential privacy concerns and can even lead to identity theft. A study by PC World found that one-third of those using social networks post at least three pieces of personally identifiable information in their online profiles. Information such as date or place of birth, address, and mother’s maiden name can provide identity thieves with enough information to commit identity theft.

In 2017 an estimated 16.7 million Americans were victims of identity fraud, resulting in $16.8 billion in consumer losses. Several federal laws protect against identity theft and fraud. This includes providing consumer protections related to credit files compiled by the three major credit bureaus. For example, federal law provides consumers with the right to:

  • review their credit file from each major credit reporting agency once a year for free,
  • correct inaccuracies in their credit files, and
  • place a fraud alert or a security freeze on each credit file.

The Fair and Accurate Credit Transactions (FACT) Act of 2003 allows consumers to review their credit files from each of the three bureaus, correct inaccuracies in the files, and place a fraud alert when identity theft is suspected. In addition, the Economic Growth, Regulatory Relief, and Consumer Protection Act of 2018 allows all Americans to place a security freeze on their credit reports for free. It also requires the Federal Trade Commission to post a website with links to credit reporting agencies to request a freeze.

Both these federal laws preempt state laws. The FACT Act preempts state law in a number of areas, including the sharing of information among affiliated companies. The Economic Growth, Regulatory Relief, and Consumer Protection Act preempts state security freeze laws, including those that would limit who can gain access to an individual’s credit record while under a credit freeze.



Sharing financial data

Policymakers and the private sector should protect individuals’ personally identifiable information. Regulations should address the collection, use, and dissemination of such information, as well as information about consumers’ use of goods and services without prior consent.

Consumer control

Consumers should maintain control over their personal information that is not publicly available. They should be able to review that information, correct inaccuracies, and decide how it may be collected and used at no cost to them. This includes online tracking information and discount programs such as electronic coupon programs.

Privacy protections should be embedded into products.

Privacy statements should be written in plain language and disclosed before a consumer uses a product or service. They should be clear, short, and standardized.

Consumers should provide informed consent before any sensitive non-public information is disclosed (see also Chapter 7, Health—Privacy and Confidentiality of Health Information; as well as Chapter 10, Utilities: Telecommunications, Energy and Other Services—Privacy Protections in the Use of Telecommunication and Utility Services).

Data brokers should provide consumers with reasonable access to data about them at no cost to the consumer. Consumers should be able to easily correct inaccurate information.

Privacy protections

Policymakers should protect the privacy of consumer data that is collected or purchased. Companies collecting or purchasing and using information on consumers should be required to adhere to established privacy framework recommendations.

The re-identification of data matches anonymous data with publicly available information to discover the identity of the individual to whom the data belongs. Companies that make non-personally identifiable information available to other companies should contractually prohibit the re-identification of the data after it is made available.

Identity theft

The federal government should strengthen protections and enforcement against identity theft. This includes increasing the security of information and databases of businesses that maintain large databases of consumer information, such as federally regulated financial institutions.

States should strengthen protections against identity theft in areas in which they have jurisdiction. This includes enhanced penalties and enforcement.

States should allow victims to make reports of identity theft at convenient locations. They should also provide greater resources and training for state and local law enforcement personnel to improve their response to victims. Inter-jurisdictional cooperation in investigating identity crimes and apprehending perpetrators should be increased.

Financial education programs should include training about the dangers of posting personally identifying information on social networking sites.