United States Government Accountability Office
Highlights of GAO-13-663, a report to the
Chairman, Committee on Commerce, Science,
and Transportation, U.S. Senate
September 2013
INFORMATION RESELLERS
Consumer Privacy Framework Needs to Reflect
Changes in Technology and the Marketplace
Why GAO Did This Study
In recent years, information resellers—
companies that collect and resell
information on individuals—
dramatically increased the collection
and sharing of personal data for
marketing purposes, raising privacy
concerns among some in Congress.
Recent growth in the use of social
media, mobile applications, and other
technologies intensified these
concerns. GAO was asked to examine
privacy issues and information
resellers. This report addresses (1)
privacy laws applicable to consumer
information held by resellers, (2) gaps
in the law that may exist, and (3) views
on approaches for improving consumer
data privacy.
To address these objectives, GAO
analyzed laws, studies, and other
documents, and interviewed
representatives of federal agencies,
the reseller and marketing industries,
consumer and privacy groups, and
others. GAO focused primarily on
consumer information used for
marketing purposes.
What GAO Recommends
Congress should consider
strengthening the consumer privacy
framework to reflect the effects of
changes in technology and the
increased market for consumer
information. Any changes should seek
to provide consumers with appropriate
privacy protections without unduly
inhibiting commerce and innovation.
The Department of Commerce agreed
that strengthened privacy protections
could better protect consumers and
support innovation.
What GAO Found
No overarching federal privacy law governs the collection and sale of personal
information among private-sector companies, including information resellers.
Instead, a variety of laws tailored to specific purposes, situations, or entities
governs the use, sharing, and protection of personal information. For example,
the Fair Credit Reporting Act limits the use and distribution of personal
information collected or used to help determine eligibility for such things as credit
or employment, but does not apply to information used for marketing. Other laws
apply specifically to health care providers, financial institutions, videotape service
providers, or to the online collection of information about children.
The current statutory framework for consumer privacy does not fully address new
technologies—such as the tracking of online behavior or mobile devices—and
the vastly increased marketplace for personal information, including the
proliferation of information sharing among third parties. With regard to data used
for marketing, no federal statute provides consumers the right to learn what
information is held about them and who holds it. In many circumstances,
consumers also do not have the legal right to control the collection or sharing
with third parties of sensitive personal information (such as their shopping habits
and health interests) for marketing purposes. As a result, although some industry
participants have stated that current privacy laws are adequate—particularly in
light of self-regulatory measures under way—GAO found that gaps exist in the
current statutory framework for privacy. And that the framework does not fully
reflect the Fair Information Practice Principles, widely accepted principles for
protecting the privacy and security of personal information that have served as a
basis for many of the privacy recommendations federal agencies have made.
Views differ on the approach that any new privacy legislation or regulation should
take. Some privacy advocates generally have argued that a comprehensive
overarching privacy law would provide greater consistency and address gaps in
law left by the current sector-specific approach. Other stakeholders have stated
that a comprehensive, one-size-fits-all approach to privacy would be burdensome
and inflexible. In addition, some privacy advocates have cited the need for
legislation that would provide consumers with greater ability to access, control
the use of, and correct information about them, particularly with respect to data
used for purposes other than those for which they originally were provided. At the
same time, industry representatives have asserted that restrictions on the
collection and use of personal data would impose compliance costs, inhibit
innovation and efficiency, and reduce consumer benefits, such as more relevant
advertising and beneficial products and services. Nonetheless, the rapid increase
in the amount and type of personal information that is collected and resold
warrants reconsideration of how well the current privacy framework protects
personal information. The challenge will be providing appropriate privacy
protections without unduly inhibiting the benefits to consumers, commerce, and
innovation that data sharing can accord.
View GAO-13-663. For more information,
contact Alicia Puente Cackley at (202) 512-
8678 or