Personal Information, Private Companies

The recent Congressional hearings on Facebook have highlighted the ways that companies collect and use personal information for marketing purposes.  So, what rights do you have to your own information?

Our 2013 report on information resellers remains relevant today.

Information Resellers

Information resellers—sometimes called data brokers—collect your information from public sources (e.g., property records), publicly available information (e.g., telephone directories), and private sources (e.g., certain businesses or websites). They then aggregate this information and sell it. Resellers can include companies like credit bureaus, as well as marketing agencies.

Figure showing typical flow of consumer data through resellers to third-party users

The consumer information that each reseller maintains and sells varies. This information can include names, addresses, family members, neighbors, credit histories, motor vehicle records, insurance claims, criminal records, employment histories, incomes, ethnicities, purchase histories, interests, and hobbies.

Marketing lists held by some information resellers can get very specific—for example, we noted there were lists of individuals with an interest in topics such as astrology, boating, cats, science fiction, baking, country music, or motorcycles, or an interest in specific ailments such as back pain, erectile dysfunction, clinical depression, or prostate problems.

What privacy protections does federal law provide?

There is no overarching federal privacy law that covers the collection and sale of your personal information among private-sector companies. There are also no federal laws designed specifically to address all the products sold and information maintained by information resellers.

Instead, the federal privacy framework is made up of a set of narrowly tailored laws that apply to specific purposes, in certain situations, or to certain sectors or entities. For example, the Fair Credit Reporting Act has rules about how information in your credit report can be shared—but it doesn’t apply to information used for marketing.  Another example is the Health Insurance Portability and Accountability Act, which has rules about how your health information can be used and disclosed.

Old laws, new tech

We found that the current privacy framework doesn’t reflect new technology and marketing practices. We recommended that Congress think about strengthening the current framework with regard to things like:

  • Consumers’ ability to access, correct, and control their personal information
  • The need for additional controls on the types of personal or sensitive information that may or may not be collected and shared
  • Potential changes to permitted sources and methods for data collection
  • Privacy controls related to new technologies like web tracking and mobile devices

However, Congress has yet to act on our recommendations. To learn more, check out our full report.

You can also read our other reports on commercial privacy issues related to students, the internet of things, smartphone tracking applications, facial recognition technology, and connected vehicles, as well as our blog post on financial technology.


  • Questions on the content of this post? Contact Alicia Puente Cackley at cackleya@gao.gov.
  • Comments on GAO’s WatchBlog? Contact blog@gao.gov.