Over the last year, the Committee queried nine of the major data companies and invited testimony from privacy groups. What's emerged is that collectively, these companies own an astounding number of consumer profiles, and they're selling deeply personal information — sometimes to identity thieves — in categories like rape victims, people with cancer, and “Rural and Barely Making It.”
One data broker is selling lists of addresses and names of consumers suffering from conditions including cancer, diabetes, and depression, and the medications used for those conditions; another is offering lists naming consumers, their credit scores, and specific health conditions.
Of the nine companies the Committee approached — Acxiom, Experian, Epsilon, Reed Elsevier, Equifax, TransUnion, Rapleaf, Spokeo, and Datalogix — "some" were forthcoming. The report mentions Equifax as being particularly cooperative.
Others weren't. Acxiom, which according to the report has “multi-sourced insight into approximately 700 million consumers worldwide,” Experian, and Epsilon refused to explain how they collected their data or who they were selling it to, citing confidentiality clauses in their contracts. (The Attorney General of New Jersey recently released documents indicating Acxiom sold another company, Dataium, 400,000 dossiers for a mere $2,500.)
In October, Experian admitted that it sold personal information — including social security numbers and banking information — through a subsidiary to an alleged online identity theft ring. That same subsidiary, Court Ventures, also appeared on a list of companies that requested private information about gun permit holders in Virginia.
Equifax told the Committee they had information as specific as:
- Whether a consumer purchased a particular soft drink or shampoo product in the last six months
- Whether they use laxatives or yeast infection products
- How many OB/GYN doctor visits they've had within the last 12 months
- How many miles they traveled in the last 4 weeks
- The number of whiskey drinks they consumed in the past 30 days.
That data is then sorted into a dictionary with more than 75,000 data points like, "whether the individual or household is a pet owner, smokes, has a propensity to purchase prescriptions through the mail, donates to charitable causes, is active military or a veteran, holds certain insurance products including burial insurance or juvenile life insurance, enjoys reading romance novels, or is a hunter."
This fine-tuned data collection isn't new — last year, the Times reported a story of how Target figured out a teenager was pregnant before her father did. Even in 2007, the Times reported on a company selling lists like, “Oldies but Goodies,” 500,000 gamblers over 55 years old, for 8.5 cents each, and one list that said: “These people are gullible. They want to believe that their luck can change.”
But their databases are growing infinitely, and there are still no relevant consumer protection laws in place to protect individual privacy. And despite recent transparency efforts — like Acxiom's aboutthedata.com — that also means the consumers on these lists still have no right to find out what information is out there, or who is buying it.