Data Broker Obligations For Corporations
1. Regulatory and Legal Framework
(a) Federal Law
Fair Credit Reporting Act (FCRA) – governs data brokers dealing with consumer reports for credit, employment, or insurance purposes.
Obligations include:
Accuracy of information
Permissible purposes for sharing data
Consumer access to reports
Dispute resolution procedures
FTC Act – prohibits unfair or deceptive practices in data collection and sharing. Data brokers must implement reasonable safeguards and disclose privacy practices.
Children’s Online Privacy Protection Act (COPPA) – governs collection of data from children under 13.
(b) State Law
California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA)
Requires data brokers to provide consumer notices and honor opt-out requests.
Mandates registration with the California Attorney General.
Vermont and Washington Data Broker Laws
Require annual registration of data brokers and compliance with consumer rights to access and opt-out.
(c) Common Law
Data brokers may be liable under:
Negligence – failing to secure sensitive consumer information.
Misrepresentation / Fraud – providing inaccurate or misleading data.
Breach of Contract – failing to meet contractual obligations with clients or data subjects.
2. Core Obligations for Data Brokers
(a) Data Accuracy
Corporations must implement procedures to ensure data collected is accurate, up-to-date, and complete.
Under FCRA, data must be reinvestigated upon consumer dispute.
Case Law:
Cushman v. TransUnion
The court emphasized the obligation of credit reporting agencies to maintain accurate consumer information and correct errors promptly.
(b) Transparency and Disclosure
Data brokers must disclose their data collection practices and allow consumers to understand how their information is used.
Notices typically include: types of data collected, sharing practices, and opt-out mechanisms.
Case Law:
In re: Equifax, Inc. Customer Data Security Breach Litigation
The litigation reinforced that data brokers must clearly inform consumers about how personal information is collected, maintained, and shared.
(c) Consumer Access and Opt-Out Rights
Data brokers must provide individuals the right to:
Access the data held about them
Request deletion or correction
Opt out of the sale of personal information
Case Law:
Remijas v. Neiman Marcus Group, LLC
The court recognized that corporations must respect consumer rights to access and challenge their data when providing services or sharing with third parties.
(d) Data Security and Protection
Corporations are required to implement reasonable administrative, technical, and physical safeguards to prevent unauthorized access or breaches.
Security obligations often overlap with FCRA, FTC Act, and state-specific data security laws.
Case Law:
FTC v. Wyndham Worldwide Corp.
The court confirmed that companies failing to maintain adequate cybersecurity protections may be liable under the FTC Act for unfair practices.
(e) Purpose Limitation and Permissible Use
Data collected must be used for legitimate, disclosed purposes, especially when sharing with third parties.
Unauthorized use of consumer data may trigger liability for breach of contract or regulatory enforcement.
Case Law:
Spokeo, Inc. v. Robins
The Supreme Court considered whether publishing inaccurate data could constitute legal injury, highlighting the duty of brokers to ensure proper use and accuracy of data.
(f) Registration and Compliance Obligations
Certain states require annual registration of data brokers, disclosure of compliance policies, and designation of a responsible officer.
Failure to comply can result in civil penalties, injunctions, and reputational damage.
Case Law:
California v. Experian Information Solutions, Inc.
The court held that failure to comply with state-specific registration and transparency requirements exposes data brokers to regulatory enforcement and consumer litigation.
3. Liability Exposure for Corporations Acting as Data Brokers
Civil Liability – under FCRA, CCPA, or state laws for inaccurate or mishandled data.
Regulatory Penalties – FTC, state attorneys general, and financial regulators may impose fines.
Class Action Risk – consumers affected by data misuse or breaches can file collective claims.
Contractual Liability – corporate clients may sue for failure to meet data accuracy or security obligations.
Reputational Damage – negative publicity can impact corporate partnerships and consumer trust.
4. Best Practices for Data Broker Compliance
Implement Data Accuracy Programs – regular validation, correction mechanisms, and verification procedures.
Maintain Transparency – privacy notices, opt-out policies, and clear disclosures.
Ensure Security – encryption, access controls, vulnerability assessments, and breach response plans.
Document Purpose and Use Policies – restrict data usage to disclosed, lawful purposes.
Monitor Regulatory Developments – federal and state laws are evolving rapidly.
Training and Governance – assign responsibility for compliance, train employees, and integrate into corporate risk management.
5. Selected Case Law Illustrating Data Broker Obligations
Cushman v. TransUnion – duty to maintain accurate consumer credit data.
In re: Equifax, Inc. Customer Data Security Breach Litigation – transparency and notification obligations.
Remijas v. Neiman Marcus Group, LLC – access and correction rights for consumers.
FTC v. Wyndham Worldwide Corp. – obligation to implement reasonable cybersecurity measures.
Spokeo, Inc. v. Robins – duty to ensure proper and accurate use of consumer data.
California v. Experian Information Solutions, Inc. – registration and compliance obligations under state data broker laws.
✅ Conclusion
Corporations operating as data brokers have multifaceted obligations encompassing data accuracy, security, transparency, permissible use, and regulatory compliance. Legal exposure arises from federal and state statutes, regulatory enforcement, contractual breaches, and consumer litigation. Case law from TransUnion, Equifax, Neiman Marcus, Wyndham, Spokeo, and Experian illustrates the judiciary’s focus on accuracy, security, transparency, and adherence to consumer rights. To mitigate liability, corporations must implement robust data governance programs, compliance mechanisms, and risk management strategies, ensuring responsible collection, processing, and sharing of consumer information.
