- David Junkin
Most Vermonters haven't heard of Datastream Group, a Naples, Fla., company with 68 Facebook "likes" and a nondescript office on a street called Business Lane.
But Datastream Group knows a lot about them. The company purchases detailed data on more than 250 million consumers, then splits it into targeted lists — of smokers, diabetics, pet owners, political donors, boat owners, payday loan applicants and more — and sells those lists to marketing clients.
Consumers give out personal information, often unwittingly, with every click of a "sign up" button, response to an online survey or download of a free phone app. The companies that collect the data then sell it to obscure brokerages such as Datastream, whose CEO, Eric Reinertsen, made his name in the early 2000s on an MSNBC list of the world's top 10 email spammers.
This lucrative trade in data harvested from consumers' everyday digital lives operates nearly free of regulation and largely out of sight. It's a key component of the modern economy, but the risk for abuse is high.
A first-in-the-nation Vermont law that took effect in January is bringing the opaque industry into clearer view. The law does little to rein in bad actors. But, by requiring data brokers to register with the Secretary of State's Office, Vermont is assembling its own dossier of sorts on previously invisible links in the personal-data supply chain.
Seven Days downloaded the registrations from the secretary's website to see which firms are registering and what they are, or aren't, revealing about their practices. The list includes some prominent players, such as Equifax, the credit reporting company, and obscure ones, such as Project Applecart, a company that helps political campaigns and advocacy organizations reach new supporters.
The main finding, however, is that Vermont's new registry just scratches the surface. Only 130 companies have registered, likely just a fraction of those in the industry.
"It does seem to me there are entities that should be on there but do not appear to be," said Paul Stephens, director of policy and advocacy at Privacy Rights Clearinghouse, a California-based consumer advocacy group that tried to assemble its own online list of data brokers but found that maintaining it was too daunting a task.
Many companies that did register with Vermont provided only cursory information about their business. Still, privacy advocates see the registry as a small but important step in the fight to regain control over our digital selves.
"I've never heard of many of these companies, and I bet most Americans haven't either," Lee Tien, a senior staff attorney at the digital rights group Electronic Frontier Foundation, said of the companies that appear on the Vermont registry. "And yet they're a huge part of the privacy issue in this country ... Who else is keeping a file on you?"
Like the better-known tech giants who gather users' data, brokers have quietly assembled sophisticated files on consumers by compiling digital bread crumbs and reselling them. Location data, internet search histories, product purchases and public records can all be combined to infer, sometimes incorrectly, facts about consumers' private lives that they never intended to share.
U.S. companies spent more than $19 billion last year on marketing efforts based on audience data from third-party firms, according to an estimate by the Interactive Advertising Bureau, an industry group. Brokered data also powers online "people search" products and screening tools used by landlords and employers.
The Federal Trade Commission first called for more transparency in the data broker industry in 2014. In September 2017, Equifax admitted that personal data for more than 145 million people had been hacked.
By that time, the Vermont Attorney General's Office and the state Department of Financial Regulation had already convened a working group, at the direction of state lawmakers, to study data brokers and to propose regulation. The public hearings that followed drew testimony from national privacy advocates and industry representatives.
Privacy advocates wanted to force data brokers to let consumers opt out of the lists they create and sell, while industry insiders said the brokers already do so voluntarily.
Vermont ultimately decided on a "cautious, conservative approach" focused on introducing transparency rather than imposing many new requirements, said assistant attorney general Ryan Kriger. By requiring the companies to register with the secretary of state, Vermont could make it easier for consumers to exercise opt-out privileges.
"If you don't know who those companies are, you can't contact them," Kriger said.
The bill that emerged from the working group's study became law last May despite objections from Gov. Phil Scott, who disagreed with the way it classified who counts as a "data broker." The governor allowed it to become law without his signature.
Vermont's government is the first in the U.S. to define the industry in law. The registry's utility hinged on getting it right: Define "data broker" too broadly or narrowly, and the law could capture so many or so few companies as to make the registry useless.
Kriger said the definition the state came up with — any business that knowingly collects, sells or licenses the personal information of a consumer with whom it doesn't have a direct relationship — was expected, based on testimony, to capture between 400 and 1,200 businesses.
More than a month after the January 31 filing deadline, the registry has so far come up short of that estimate. Companies that fail to register could face a penalty of $50 per day or up to $10,000 annually, though Kriger said the state hasn't penalized businesses that signed up late.
The AG's office delivered a preliminary report to the Vermont General Assembly this month that said the new law has been "effectively implemented." But the office is still waiting for a vendor to compile information from the individual online registrations into a single file for analysis.
In addition to registering, companies must answer several questions about their practices: whether they allow consumers to opt out, how they vet clients who purchase data, whether they possess data on minors, and whether they've had a data breach in the past year.
The data show that most brokers do claim to offer some form of opt-out choice, Seven Days' analysis found. Sometimes a simple email is enough. But some companies that claim to allow people to opt out described processes that are Kafkaesque. A California-based broker called Parasol Media answered yes to the opt-out question but explained its method as follows: "All information is collected by third party. They all have opt-out section." Parasol didn't name the third parties it uses.
Only one broker, a Tennessee-based tenant- and employee-screening provider called Data Facts, disclosed a security breach in the prior year.
The registry includes a single Vermont-based firm, a one-person shop called New England List Services that David Hare runs out of his Danville home.
Hare said he considers his business a true data brokerage because he doesn't create or store lists of consumer data. Instead, he rents lists from compilers such as Acxiom (one of the largest known data brokers) for marketing clients who want to run targeted sales campaigns. If a company wants to sell power tools to woodworkers, for instance, Hare said, he helps them rent a list of consumers who are most likely to be woodworking hobbyists. Matching marketers with new customers is rewarding, he said.
Hare said his responsibility as a broker is to "weed out" unscrupulous data buyers.
Brokers who registered provided scant detail in response to a question about their "credentialing process" for buyers. Datastream Group wrote simply that it keeps "full records" of its data purchasers. In an email to Seven Days, its CEO, Reinertsen, said he works only with clients who "demonstrate the same ethics and policies that we do here."
"Our industry as a whole is made of some very good people," he said.
The registry does not require brokers to say what information they collect, from whom they collect it or to whom they sell it. But that, said Stephens of the Privacy Rights Clearinghouse, would be precisely the most valuable information about their activities.
Nevertheless, Vermont's registry is already being considered a prototype nationally. In January, Apple CEO Tim Cook called for the FTC to create a registry that would allow consumers to track who is trading their personal data and delete it "on demand, freely, easily and online, once and for all." The Washington Post editorial board last month also called for a national data broker registry, pointing to Vermont's as a model.
Congress is already bracing for a battle over data privacy rules in the wake of the Facebook-Cambridge Analytica scandal, in which a personality quiz was exploited for presidential campaign marketing. Vermont legislators are contemplating additional protections, including creating a state "data privacy officer" and auditing how state government acquires and uses citizen data.
A sweeping California privacy law is set to take effect in 2020. Rules governing data brokers could be wrapped into the debate.
An anticipated sticking point is whether new federal rules should preempt the emerging patchwork of state legislation. If the feds do take on data brokers, they ought to build on the work done in Vermont, said Christopher Curtis, chief of the AG's public protection division.
"We would certainly hope that the Vermont standard we set would be seriously considered as an important benchmark," he said.
Seven Days digital editor Andrea Suozzo contributed to this report.