Generally, one hears the term “big data” and, in the next breath, about the host of privacy issues implicated by that big data. Indeed, a quick Google search confirms that many of the top links appearing in a search of “big data” include the word “privacy.”

There is a reason for this, of course: big data often contains a lot of information aggregated from different sources about individuals. Many times, consumers do not know in the first place that different pieces of information about them have been collected (or, if they know it has been collected, they do not know the information has been retained); they do not know that such information has been aggregated; and they do not know the aggregated information has been (and is being) further disseminated. Single pieces of information on their own pose a privacy risk. The aggregation of the information, which is then disseminated, poses a greater and different privacy risk.

Consumer watchdog agencies have long had their eyes on the impact of “big data” in a wide variety of areas, including on a company’s credit-making decisions. For example, in a report issued in 2014, the Federal Trade Commission warned companies they “should be mindful of the law when using big data analytics to make FCRA [Fair Credit Reporting Act]-covered eligibility determinations.”

In connection with credit-making decisions, there is another type of data, however, that has also drawn concerns about privacy. This is “alternative data,” and in February, the Consumer Financial Protection Bureau issued a “Request for Information” about the use of alternative data in the credit process, including how it relates to consumer privacy.

In the CFPB’s report, alternative data is defined by what it is not: traditional data. Traditional data includes the information that is typically maintained in a credit file of a consumer reporting agency (e.g., the types and amounts of credit extended to a particular consumer and repayment of that credit), civil judgments, and information that is generally included on a loan application. The report gives the following examples of alternative data:

  • Utility, phone, rent, and insurance bills;
  • Checking account information and assets;
  • Educational/occupational attainment (schools attended, degrees obtained, etc.);
  • Behavioral data, such as internet usage; and
  • Social media connections.

The CFPB’s privacy concerns about the use of alternative data are similar to those implicated by big data. Specifically, the concern is that “the data are of a sensitive nature and consumers may not know the data were collected and shared nor expect or be aware it will be used in decisions in the credit process.” With traditional data, consumers have the opportunity, pursuant to the FCRA, to dispute and correct mistaken information on their consumer reports. However, unlike with traditional data, because consumers may not know the data was collected and shared in the first place, or what data a lender is using, the CFPB fears that, with the use of alternative data, consumers have lost the ability to control and correct any errors in the information.

In an apparent effort to learn more about lenders’ use of alternative data in credit-making decisions, the RFI seeks responses to several questions, including those pertaining to privacy issues. For example, the RFI asks respondents to:

  • Describe the source of the data, being as specific as possible, including if the data are provided by the consumer or obtained from or through a third party.
  • Describe the format in which the data are received or generated, being as specific as possible.
  • Describe the quality of the data, in terms of apparent errors, missing information, and consistency over time.
  • Describe the original purpose for which the data were originally generated . . . and the standard for coverage, quality, completeness, consistency, accuracy and reliability that the original data provider applied and to identify whether the consumer was able to see, dispute, or correct the data at the time they were originally collected or with the original collector of the data or with the subsequent user.
  • Describe the steps that are being taken to mitigate consumer privacy risks of using alternative data.

The RFI seeks responses from a variety of groups, including consumers, privacy advocates, lenders, regulators and data brokers. These comments are due May 19th.

What these responses will provide and how the CFPB will react remains to be seen, but those of us at Husch Blackwell will be watching with bated breath. We will keep you updated on any regulatory changes as a result of the CFPB’s attention to this issue.