Congress Holds Experian, Acxiom, Equifax and Other Data Brokers’ Feet to the Fire over “Consumer Genome”, Demands Answers

Every once in a while our U.S. Congress does something that renews one’s faith in our elected officials at the top. And this is one of those times. Following the damning exposé last month in the New York Times, You for Sale: Mapping, and Sharing, the Consumer Genome, in which Times journalist Natasha Singer moved a rock and shed light on the fact that data broker Acxiom, and others like them, are amassing, collating, correlating and selling far more personal data about you – yes, you – than you can possibly imagine, Congress has with lightning speed (literally a few weeks) demanded that Acxiom, and others like them, including Experian, Epsilon, Equifax, Harte-Hanks, Intelius, Fair Isaac, Merkle, and Meredith Corp., respond to a demand for information about just what information they are gathering on pretty much every American, and just where they are getting it from, among other questions.

The letter was signed by Congressmen Edward J. Markey, Henry Waxman, G.K. Butterfield, Bobby Rush, Joe Barton, Steve Chabot, Austin Scott and Jan Schakowsky.

Says Singer, in her article, “Right now in Conway, Ark., north of Little Rock, more than 23,000 computer servers are collecting, collating and analyzing consumer data for a company that, unlike Silicon Valley’s marquee names, rarely makes headlines. It’s called the Acxiom Corporation, and it’s the quiet giant of a multibillion-dollar industry known as database marketing.”

You can read Singer’s article here: You for Sale: Mapping, and Sharing, the Consumer Genome.

A note on Congressman Markey’s site explains that “A bipartisan group of six lawmakers joined Reps. Edward J. Markey (D-Mass.) and Joe Barton (R-Texas), co-Chairmen of the Congressional Bi-Partisan Privacy Caucus, in letters sent today to nine major data brokerage companies querying each about how it collects, assembles and sells consumer information to third parties. Other signatories on the letters include Reps. Henry A. Waxman (D-Calif.), Steve Chabot (R-Ohio), G.K. Butterfield (D-N.C.), Austin Scott (R-Ga.), Bobby Rush (D-Ill.), and Jan Schakowsky (D-Ill.).

Representing a multi-billion dollar industry, data brokers have aggregated information about hundreds of millions of Americans from both online and offline sources, which they then sell to third parties for targeted advertising and other purposes, often with little consumer knowledge. A recent New York Times story, “A Data Giant is Mapping, and Sharing, the Consumer Genome” detailed how data brokers have developed consumer profiles that go beyond basic demographic information to include buying habits, household health concerns, political affiliations and even time spent on vacation. The lawmakers’ letters request information from the data brokers on policies and practices related to privacy, transparency and consumer notification, including as they relate to children and teens.”

Here is the letter that Congress sent to the data brokers last week:


Congress of the United States
Washington, DC 20515

July 25, 2012

Don Robert
Chief Executive Officer
Experian
475 Anton Blvd.
Costa Mesa, CA 92626

Dear Mr. Robert,

The business of data brokerage, namely the collecting, assembling, maintaining, and selling to third-parties of consumers’ personal information, has grown into a multiple billion dollar industry. By combining data from numerous offline and online sources, data brokers have developed hidden dossiers on almost every U.S. consumer. This large scale aggregation of the personal information of hundreds of millions of American citizens raises a number of serious privacy concerns.

According to a recent article in The New York Times (“A Data Giant is Mapping, and Sharing, the Consumer Genome”, June 16, 2012), consumer profiles developed by data brokers often extend far beyond age, race, and sex, to include “weight, height, marital status, education level, politics, buying habits, household health worries, vacations — and on and on”. Data brokers then advertise these detailed profiles to third parties to use for targeted advertisement, among other purposes.

The implications of data brokers’ practices extend beyond customizing advertisements at consumers. A number of privacy advocates, as the Times article points out, “are more troubled by data brokers’ ranking system, which classify some people as high-value prospects, to be offered marketing details and discounts regularly, while dismissing others as low-value — known in industry slang as ‘waste’”. This practice may have long-term impacts on access to education, health care, employment, and other economic opportunities. Some have termed this practice “Weblining”, analogous to the illegal practice of “Redlining” in the physical world.

The aggregation of personal details for sale to marketers has the potential to affect nearly all Americans, but children and teens are particularly at risk. Because of this, we have questions concerning whether you are collecting information about children and teens and, if so, what kind of information you are collecting.

Consumers, regardless of age, often have little or no knowledge about the identity of data brokers, how they collect personal information, and to which outside parties they sell or otherwise provide this information. A growing number of privacy advocates, along with the Federal Trade Commission (FTC), have called for increased transparency by data brokers, including disclosure of their business practices and the rights consumers have over their own personal information.

As Members of Congress who are concerned about privacy, we ask that you provide answers to the following information requests and questions:

1. Please provide a list of each entity (including private sources and government agencies and offices) that has provided data from or about consumers to you or your contractors or affiliates from January 2009 through the present.

2. Please list each type of data you or your affiliates or enterprise partners has collected from or about consumers, including racial, ethnic, or religious information, from January 2009 through the present.

3. Please describe each method by which you have collected information from or about consumers from January 2009 through the present and answer the following questions:

a. Do you use social media to collect information about consumers? If yes, what types of information do you collect from social networks (i.e., friends, interests, etc.)? If yes, from what platforms do you collect this information?

b. Do you collect data on consumers’ mobile use and activity? If yes, what types of information do you collect about consumers’ mobile use and activity? If yes, for what purposes is this information used (i.e., targeting on real-time ad exchanges)?

4. Please explain each product or service, both online and offline, that you have offered to third parties from January 2009 to the present that uses data collected from or about consumers. For each product or service, please describe:

a. Each type of data that is used in or by the product or service.

b. Each type of entity that you sell or otherwise provide the product or service to.

c. Any prohibitions or restrictions (i.e., contractual, technological, etc.) on the sale or use of the product or service.

d. Whether or not the products or services involve lead-generation, including the sale of offer clicks or leads. If so, please explain.

e. Whether or not the products, services, or business practices subject you or any affiliates to the Fair Credit Reporting Act (FCRA). If so, what products or services are subject to FCRA?

f. Whether or not your company maintains completely separate, firewalled databases or data used for both FCRA and non-FCRA purposes. If used for both purposes, please explain.

5. Are consumers able to access personal information that is held by your company? If no, why not? If yes:

a. How may consumers access this information?

b. What information are consumers given access to? Please list each type of information.

c. How are consumers made aware of their right to access this information?

d. What kinds of personal information are they required to provide to verify their identities?

e. Do your terms of service allow you secondary uses of that verification information? If yes, what uses?

f. How many consumers have requested access and how many requests has your company complied with?

g. How long has your company provided consumers with this access?

6. Are consumers able to correct personal information that is held by your company? If no, why not? If yes:

a. How may consumers request corrections?

b. How are consumers made aware of their right to correct this information?

c. What kinds of personal information are they required to provide to verify their identities?

d. Do your terms of service allow you secondary uses of that verification information? If yes, what uses?

e. How many consumers have requested corrections and how many has your company corrected?

f. How long has your company provided consumers with this option to request correction?

7. Are consumers able to opt-out of the use or sharing of personal information about them? If no, why not? If yes:

a. Is this a simple, full opt-out or do consumers select from a range of limited opt-out options? Please describe the various options that are offered.

b. Does this opt-out completely prohibit all uses, including collecting and targeting, or is it limited to an opt-out of targeting?

c. How may consumers opt-out?

d. How are consumers made aware of their right to opt-out?

e. What kinds of personal information are they required to provide to verify their identities?

f. Do your terms of service allow you secondary uses of that verification information? If yes, what uses?

g. How many consumers have requested to opt-out and how many requests has your company complied with?

h. How long has your company provided consumers with the option to opt-out?

8. Are consumers able to request the deletion of their personal information? If not, why not? If yes:

a. How may consumers request deletion?

b. How are consumers made aware of their right to delete this information?

c. What kinds of personal information are they required to provide to verify their identities?

d. Do your terms of service allow you secondary uses of that verification information? If yes, what uses?

e. How many consumers have requested deletion and how many requests has your company complied with?

f. How long has your company provided consumers with this option to request deletion?

9. Does the company charge consumers a fee for any access, correction, opt-out, or deletion services? If yes, state the amount the company charges for each service. If yes, what is the total revenue earned by the company through such fees during each of the last five years?

10. How does your company store each type of data collected from or about consumers (please distinguish between types of data, if applicable)? What security measures do you have in place to safeguard the data collected?

11. What encryption protocols or other security measures do you put in place to prevent the loss of or acquisition of data that is transferred between your company and outside entities?

12. What review process do you have in place for entities who wish to purchase personal information from you (i.e., do you evaluate their data security measures or whether the entity is a legitimate business)? Do you conduct any follow-up audits? If not, why not? If yes, please describe the nature and timing of these audits.

13. Do you provide notice to consumers about your data collection, use, or sharing practices? If no, why not? If yes, please describe how you provide this notice.

14. Does your company compile information from or about children or teens? If yes:

a. Do you also sell or otherwise provide this information to another entity?

b. Do you distinguish between information about children ages 12 and under from information about teenagers ages 13-17?

c. Are different procedures in place to allow children and teens to access, correct, or delete their personal information, or opt-out of sharing of this personal information? If not, why not?

Thank you for your attention to this important matter. Please provide responses to these questions no later than August 15, 2012. If you have any questions, please have a member of your staff contact Joseph Wender (202-225-2836) in Congressman Markey’s office or Emmanual Guillory in Congressman Barton’s office (202-225-2002).

Sincerely,

Edward J. Markey
Henry Waxman
G.K. Butterfield
Bobby Rush
Joe Barton
Steve Chabot
Austin Scott
