Select Page

by Marisel Gamez

Have you recently done an online search of your name? Chances are some of your personal information appears in search results and on websites you have never heard of. How is this possible? Is this legal? This report will briefly discuss the mechanisms and legality of data brokers.[1]

Data brokers can uncover and compile personal information through scraping, “a form of data mining where a program, or person, scours the web making copies of data found on target Web sites.”[2] Scraping is common on the internet, and used for a variety of purposes.[3] For example, Google utilizes scraping to compile accurate search results,[4] and targeted advertisers aggregate consumer data to personalize ads.[5] Data brokers can also obtain consumer data from other data brokers that “either hire people to visit local offices to compile the information or . . . have relationships with these offices that allow them to acquire this information automatically.”[6]

Significantly, consumers are often unaware of what personal information data brokers compile.[7] For example, “people-search” data brokers scrape and “offer information about consumers obtained from government and other publicly available sources” without the consumer’s knowledge.[8] This public information includes marriage records, criminal records, warranty card registration information, social media information, and property ownership and sale history. [9]

The Federal Trade Commission has strongly advocated for greater transparency in the data broker industry, including federal legislation that provides “consumers with access to information data brokers [hold] about them.”[10] Case law has not concretely established an all-encompassing rule on the legality of data brokers and scraping activity.[11] In the past, there have been actions against scraping activity as a violation of the Computer Fraud and Abuse Act.[12] For cases of data brokers scraping personal financial information from public records, there could be a claim for a violation of the Fair Credit Reporting Act (“FCRA”)[13] where the information was misused “for purposes governed by the FCRA, including eligibility for employment, credit, insurance, [or] housing.”[14] There is also a freedom of speech defense to consider for scraping activity and data brokers,[15] especially when the personal information is used to rate or categorize individuals online.[16] Additionally, there could be a claim for breach of contract in cases where scraping violates a host site’s terms of use.[17] Finally, there can be a claim for trespass to chattels where there is evidence of scraping activity physically harming the appropriated site’s servers or the operability of the host site.[18] There are also other federal laws that protect against scraping certain types of consumer data.[19]

Although the legality of data brokers and scraping will continue to develop, one thing is certain: keep an eye on what search results appear when you type in your name[20] and, if the option is available, seek to opt-out of data broker sites that feature your information.

[1] Federal Trade Commission, Data Brokers: A Call for Transparency and Accountability, 3 (2014), https://www.ftc.gov/system/files/documents/reports/data-brokers-call-transparency-accountability-report-federal-trade-commission-may-2014/140527databrokerreport.pdf (The primary business of data brokers “is collecting personal information about consumers from a variety of sources and aggregating, analyzing, and sharing that information, or information derived from it, for purposes such as marketing products, verifying an individual’s identity, or detecting fraud.”).

[2] Zachary Levine, FAQS, 12 E-Com. L. Rep., no. 10, Oct. 2010, at 18, 18.

[3] Myra F. Din, Note, Breaching and Entering When Data Scraping Should Be a Federal Computer Hacking Crime, 81 Brook. L. Rev. 405, 408 (2015).

[4] See How Google Search Works, Google, https://support.google.com/webmasters/answer/70897?hl=en (last visited Jan. 21, 2017).

[5] Din, supra note 3, at 408–09.

[6] Federal Trade Commission, supra note 1, at 12.

[7] Id. at 3.

[8] Id. at 34.

[9] Id. at 3, 34.

[10] Id. at 6.

[11] See generally Data Brokers and “People Search” Sites, Privacy Rts. Clearinghouse (Sept. 1, 2014), https://www.privacyrights.org/consumer-guides/data-brokers-and-people-search-sites; Jim Snell & Derek Care, Use of Online Data in the Big Data Era: Legal Issues Raised by the Use of Web Crawling and Scraping Tools For Analytics Purposes, Bloomberg BNA (Aug. 28, 2013), https://www.bna.com/legal-issues-raised-by-the-use-of-web-crawling-and-scraping-tools-for-analytics-purposes.

[12] Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (2017); see QVC, Inc. v. Resultly, LLC, 99 F. Supp. 3d 525, 527 (E.D. Pa. 2015); Cvent, Inc. v. Eventbrite, Inc., 739 F. Supp. 2d 927, 932 (E.D. Va. 2010).

[13] Fair Credit Reporting Act, 15 U.S.C. §§ 1681–1681x (2017); Federal Trade Commission, supra note 1, at 35.

[14] Federal Trade Commission, supra note 1, at 34–35; FTC Charges Data Brokers with Helping Scammer Take More Than $7 Million from Consumers Accounts, Fed. Trade Comm’n (Aug. 12, 2015), https://www.ftc.gov/news-events/press-releases/2015/08/ftc-charges-data-brokers-helping-scammer-take-more-7-million; see also Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1550 (2016), as revised (May 24, 2016) (dictating that even if a Fair Credit Reporting Act violation occurred when a data broker disseminated inaccurate information about plaintiff’s background, there needs to be a resulting injury in fact to have standing).

[15] Sorrell v. IMS Health Inc., 564 U.S. 552, 570, 579–80 (2011).

[16] See Browne v. Avvo Inc., 525 F. Supp. 2d 1249 (W.D. Wash. 2007) (holding that subjective online ratings of attorneys are protected by the First Amendment, and plaintiffs, who are practicing attorneys, were not injured under the Washington Consumer Protection Act where there was no evidence that consumers were misled by the rating information).

[17]See Hines v. Overstock.com, Inc., 668 F. Supp. 2d 362, 366–67 (E.D.N.Y. 2009), aff’d 380 F. App’x 22 (2d Cir. 2010); Register.com, Inc. v. Verio, Inc., 356 F.3d 393, 428–30 (2d Cir. 2004); Berkson v. Gogo LLC, 97 F. Supp. 3d 359, 398 (E.D.N.Y. 2015); Cvent, Inc., supra note 12, at 936–38 (explaining that breach of contract claims depend on certain criteria, such as enforceability of the terms, the visitor’s knowing assent to the terms, and whether the terms were unambiguous); see also Facebook, https://www.facebook.com/terms (last updated Jan. 30, 2015) (“You will not collect users’ content or information, or otherwise access Facebook, using automated means”); Terms of Use, Instagram, https://help.instagram.com/478745558852511 (last updated Jan. 19, 2013) (“We prohibit crawling, scraping, caching or otherwise accessing any content on the Service via automated means”).

[18] See Ticketmaster Corp. v. Tickets.com Inc., 127 F. App’x 346, 347 (9th Cir. 2005).

[19] See Driver’s Privacy Protection Act, 18 U.S.C. §§ 2721–2725 (2017); Gramm–Leach–Bliley Act, Pub. L. No. 106-102, 113 Stat. 1338 (1999) (codified as amended at 15 U.S.C. § 94 (2017)); Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936 (codified as amended at 45 C.F.R. §§ 160, 162, 164 (2017)); Children’s Online Privacy Protection Act of 1998, 15 U.S.C. §§ 6501–6506 (2017).

[20] Google has provided a means for users to control what personal information appears in search results. More information is available at: Remove Outdated Content, Google, https://support.google.com/websearch/answer/6349986?hl=en (last visited Jan. 21, 2017).