Many privacy regulations — such as the EU General Data Protection Regulation and the California Consumer Privacy Act — aim to protect consumers’ personally identifiable data from abuse, misuse and overuse. Yet personal data continues to be legally collected, aggregated, analyzed, packaged and resold. Information brokering has now become a revenue stream for many commercial organizations.
The information broker industry has emerged to profit from brokering consumer data. Industry trade groups, like the Association of Independent Information Professionals and the Data & Marketing Association, lead the way. It is important to examine just how private your personal data really is and what we can do to promote consumer data transparency.
In 2013, World Privacy Forum Executive Director Pam Dixon appeared before the U.S. Senate Committee on Commerce, Science and Transportation where she testified about problems with the information brokering industry.
The data broker industry includes about 4,000 companies, ranging from multinational corporations to small offshore operators. Their business models and data flows are complex, weaving through many affiliates of data brokers, resulting in an “affiliate storm” that makes it difficult for consumers to find the original compiler and seller of the data. To exacerbate this problem, the Center for Humane Technology has identified several growing trends:
Their 2020 documentary “The Social Dilemma” describes a case where frequently visited locations, garnered from GPS coordinates tracked on your mobile device, can associate one’s group of friends and relatives, and then apply those third-party preferences — buying habits and political views — back to the original target.
Even so-called “privacy-centric” browsers and search engines are susceptible to user tracking and data sharing. It was recently reported that DuckDuckGo — whose tagline is “The search engine that doesn’t track you” — shares data exclusively with Microsoft.
While current privacy legislation attempts to reduce personal information sprawl by requiring minimal data collection, these same regulations provide no assurance mechanism to enforce it until it is too late. In addition, the laws and regulations meant to ensure such data is managed securely allow only shallow consumer control; much of the onus of implementation falls on the data collector itself.
A 2013 U.S. Government Accountability Office report “Consumer Privacy Framework Needs to Reflect Changes in Technology and the Marketplace” highlighted the lack of regulatory oversight of data brokers. It expressed concerns that existing regulations are being circumvented by unscrupulous affiliates collecting and selling personally identifiable information.
Recent legislation such as the California Consumer Privacy Act and the GDPR has focused on consumer choices to opt out, request what data has been collected about them, or update and remove specific elements of their collected data.
Although the CCPA applies to secondary data brokers as well as consumer-facing businesses, the onus has been on consumers to explicitly exercise their rights against the data-usage defaults set by the company. Those defaults typically require consumers to accept the company’s data collection practices as the first tollgate to accessing its products and services.
The GDPR’s “right to be forgotten” requirement is equally ineffective, as it applies to the organization that originally captured your information, not to all the downstream buyers who received that data in the space between information origination and the consumer exercising that right. According to the Irish Council for Civil Liberties report on Real-Time Bidding, “On average, a European user’s data is shared with advertising and adtech middlemen 376 times per day — and for Americans, it’s double that: 747 times daily … Every time you load up a webpage, there’s a span of about 200 milliseconds where the webpage shares data about you and your browser.”
The Data Broker Accountability and Transparency Act of 2020 proposed mandatory opt-outs that data brokers would have to honor, in addition to the U.S. Federal Trade Commission creating a national list of data brokers. According to a recent study, in 2020 more than $29 million was spent lobbying against data broker regulations, and the big tech firms that collect personal data spent more than $100 million to protect their interests. Unsurprisingly, the bill did not even receive a vote.
Organizations themselves can be perplexed by the sheer number of statutes on data collection and usage, which leads to inadvertent complexity in managing data. In the U.S. alone, a myriad of data privacy requirements are embedded in many regulations, including but not limited to the Gramm-Leach-Bliley Act; the Fair Credit Reporting Act; the Fair and Accurate Credit Transactions Act; the Commodity Exchange Act; the Dodd-Frank Wall Street Reform and Consumer Protection Act; and the Personal Information Protection and Electronic Documents Act.
Regardless of the regulatory landscape, data brokers are not consumer-facing and do not abide by the requirement for minimal data collection. Once a set of data has been sold, control of that data is no longer in the hands of the seller or the consumer.
Since June, two major pieces of U.S. legislation have been introduced to address personal data privacy control in this $200 billion industry:
The American Data Privacy and Protection Act attempts to establish consumer rights using the term “duties of loyalty,” which includes “additional requirements for large data holders (defined as organizations having sensitive personal data on 100,000 or more individuals or non-sensitive data on 5 million or more individuals) and third-party service providers that process data.” As progressive as this sounds, the act has a laundry list of exceptions in the areas of state preemption, private right of action, centralized opt-out, et al.
U.S. Sen. Elizabeth Warren, D-Mass., along with several other senators, introduced legislation to ban data brokers from selling Americans’ location and health data. Given the vastly nested network of resale channels of user data, it remains to be seen how this regulation will be effective in attributing violations of data origin and enforcement.
Various privacy and cybersecurity experts have taken independent, different approaches to educate and support consumers.
The Center for Humane Technology focuses on educating the public about the overreach of technology and social media companies to “connect the dots” and build complex user profiles. Inrupt, co-founded by computer scientist and World Wide Web founder Tim Berners-Lee and Resilient Systems CEO John Bruce, allows consumers to build their own data repository where they can choose what elements to share with subscribed companies. The Electronic Frontier Foundation helps consumers control shared personal information through a number of tools. Author Michael Bazzell published “Extreme Privacy: What It Takes to Disappear,” which helps a layperson recognize and minimize data collection techniques.
While useful for consumer education in promoting secure behaviors, these efforts do not affect the current dominion of data brokering.
Dixon’s testimony supplies a concept that merits deeper consideration: A consumer at the receiving end of all the data reselling has difficulty finding the original compiler and seller of their own, otherwise private, data. The privacy gap lies in the need for transparency in the flow of personal information.
Hence, we must develop a new model for consumer data transparency: a personal information privacy ontology (PIPO).
To highlight a parallel effort, a 2021 presidential executive order now requires organizations doing business with the U.S. government to maintain a software bill of materials (SBOM), disclosing all the programmatic ingredients — third-party software libraries — in their systems and software. This level of operational transparency ideally allows an organization to find and quickly remediate vulnerable or unsanctioned software components.
Like the visibility that SBOM affords software owners, a data privacy ontology is needed. Such an ontology may be sparse at first, but as more organizations are required to comply, a more complete picture of one’s collective data will be visible.
PIPO is a call for organizations to address two cascading issues of privacy: existing and future data sprawl.
The first step toward responsible data transparency needs to happen at the collection point: the consumer-facing organizations. Each organization would need to employ either a chief data officer or a data privacy officer to architect and oversee the classification and enrichment of the personal data elements collected by that organization.
Each personal data element passing into an organization should be meta-tagged with four essential attributes:
This meta-tagging exercise can also help reduce data storage costs by providing deduplication and nonrepudiation of data elements.
To prevent the gaming of transparency requirements, it is imperative to apply PIPO to any element of personal information, not just the literal definition of PII. This nuance will prevent the loophole of sharing and distributing PII into nonidentifiable pieces only to be reassembled beyond the scope of any tracking/disclosure obligation.
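The meta-tagging described in the preceding paragraphs (tag each personal element at collection, deduplicate on the tag, keep the record tamper-evident, and track every downstream hand-off so the original compiler can be found) can be sketched in code. The following is an added example, not the author's implementation and not any real PIPO specification; the article's list of four attributes did not survive extraction, so the four used here (origin, collection time, purpose, consent reference) are my own assumption, as are the constructed organization names and the demo key. It applies the tag to any personal element, not just literal PII, as the last paragraph recommends.

```python
"""Added example: tagging a personal data element with provenance metadata,
deduplicating on a content fingerprint, and keeping a tamper-evident record of
every downstream transfer. Attribute names and sample data are constructed."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed key for the demo. A shared-key HMAC only gives integrity between
# parties that hold the key; true nonrepudiation toward a third party (regulator,
# consumer) would need each organization to sign its hop with its own private key.
DEMO_KEY = b"example-shared-key-not-for-production"


@dataclass
class TaggedElement:
    """One personal data element plus the metadata attached at collection time."""
    category: str       # kind of element, e.g. "email", "gps_fix"; any personal element, not just PII
    value: str
    origin: str         # consumer-facing organization that first collected it (assumed attribute)
    collected_at: str   # ISO-8601 timestamp of collection (assumed attribute)
    purpose: str        # purpose or legal basis declared at collection (assumed attribute)
    consent_ref: str    # reference to the consent/notice the consumer received (assumed attribute)
    transfers: List[Dict[str, str]] = field(default_factory=list)  # downstream hand-offs

    def fingerprint(self) -> str:
        """Content fingerprint for deduplication: every copy of the same element collides."""
        canon = json.dumps(
            {"category": self.category, "value": self.value, "origin": self.origin},
            sort_keys=True,
        )
        return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def _link_mac(prev: str, entry: Dict[str, str], key: bytes) -> str:
    """MAC over the previous link and this hop's fields, forming a hash chain."""
    payload = prev + json.dumps(entry, sort_keys=True)
    return hmac.new(key, payload.encode("utf-8"), hashlib.sha256).hexdigest()


def record_transfer(elem: TaggedElement, sender: str, recipient: str,
                    at: str, key: bytes = DEMO_KEY) -> None:
    """Append one hand-off to the element's chain, bound to the previous link."""
    prev = elem.transfers[-1]["mac"] if elem.transfers else elem.fingerprint()
    entry = {"from": sender, "to": recipient, "at": at}
    entry["mac"] = _link_mac(prev, entry, key)
    elem.transfers.append(entry)


def verify_chain(elem: TaggedElement, key: bytes = DEMO_KEY) -> bool:
    """Recompute every link; an edited, dropped or reordered hop fails verification."""
    prev = elem.fingerprint()
    for entry in elem.transfers:
        fields = {k: v for k, v in entry.items() if k != "mac"}
        if not hmac.compare_digest(_link_mac(prev, fields, key), entry["mac"]):
            return False
        prev = entry["mac"]
    return True


def dedupe(elements: List[TaggedElement]) -> List[TaggedElement]:
    """Keep one copy per fingerprint (the storage saving the article mentions)."""
    seen: Dict[str, TaggedElement] = {}
    for e in elements:
        seen.setdefault(e.fingerprint(), e)
    return list(seen.values())


def original_compiler(elem: TaggedElement) -> str:
    """Answer the 'affiliate storm' question: who first collected this element?"""
    return elem.origin


def holders(elem: TaggedElement) -> List[str]:
    """Every organization that has held the element, origin first."""
    return [elem.origin] + [t["to"] for t in elem.transfers]


if __name__ == "__main__":
    # Constructed sample: a location fix collected by a shop and resold twice.
    fix = TaggedElement("gps_fix", "42.0000,-71.0000", "ExampleShop", "2022-09-01T12:00:00Z",
                        "order fulfilment", "consent-0001")
    record_transfer(fix, "ExampleShop", "BrokerA", "2022-09-01T12:00:00.200Z")
    record_transfer(fix, "BrokerA", "BrokerB", "2022-09-02T08:00:00Z")
    print("origin:", original_compiler(fix), "| holders:", holders(fix))
    print("chain verifies:", verify_chain(fix))
```

Each hop's MAC covers the previous hop, so a broker cannot quietly rewrite where an element came from without breaking every later link, which is what lets a consumer (or auditor) walk the chain back to the original compiler.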
The plethora of privacy laws discourages the desire to add more regulation. However, when it comes to building a consistent implementation of transparency, there is no incentive for the data broker industry to self-monitor and take on “data care” responsibility; the industry has been wildly profitable without regulatory oversight.
There needs to be a global standard for defining and managing the data transparency structure as well as inter-company processing. This standard then needs to be enforced through national regulations that are congruently supported by multi-national agreements.
One successful example of such enforcement is the Payment Card Industry Data Security Standard which started as a standard and eventually became a mandatory requirement in 2014 for all credit card transactions.
As an organization, ensure the identification, use and storage of consumer information is sufficiently tracked, since this will bolster both the security and privacy of those data elements. The results of this effort will assist with auditing and cyber-insurance compliance and materially reduce the impact radius of any breach.
As an individual, write to your local federal representative, and implore the resurrection of the Data Broker Accountability and Transparency Act of 2020.
Where possible, exercise that “right to be forgotten” before the data is packaged and sold (the transmission to data brokers usually happens within milliseconds). This may mean forgoing that “free” mobile application, that “discounted” deal or the patronage of a popular web store.
When patronizing in person, actively exercise your consumer rights at the outset of any transaction: right to be informed, the right of access, the right to restrict processing, the right to data portability and the right to be forgotten; and remind participating organizations these rights need to be applied to their downstream information brokers.
While PIPO will not thwart unscrupulous practices, it is a prescriptive call for organizations to be proactive with data privacy and compliance because without visibility, regulatory controls cannot be effective.
Finally, if you are still unsure about the impact of data brokers on your life, take some time to watch John Oliver’s episode of Last Week Tonight on the topic of data brokers.
© 2022 International Association of Privacy Professionals.
All rights reserved.