INFORMATION RESELLERS: Consumer Privacy Framework Needs to Reflect Changes in Technology and the Marketplace, GAO-14-251T, Dec 18, 2013
“No overarching federal privacy law governs the collection and sale of personal information among private-sector companies, including information resellers. Instead, laws tailored to specific purposes, situations, or entities govern the use, sharing, and protection of personal information. For example, the Fair Credit Reporting Act limits the use and distribution of personal information collected or used to help determine eligibility for such things as credit or employment, but does not apply to information used for marketing. Other laws apply specifically to health care providers, financial institutions, or to the online collection of information about children. The current statutory framework for consumer privacy does not fully address new technologies–such as tracking of online behavior or mobile devices–and the vastly increased marketplace for personal information, including the proliferation of information sharing among third parties. No federal statute provides consumers the right to learn what information is held about them for marketing and who holds it. In many circumstances, consumers also do not have the legal right to control the collection or sharing with third parties of sensitive personal information (such as health information) for marketing purposes. As a result, although some industry participants have stated that current privacy laws are adequate, GAO found that gaps exist in the current statutory framework for information privacy. The framework also does not fully reflect the Fair Information Practice Principles, widely accepted principles for protecting the privacy and security of personal information that have served as a basis for many privacy recommendations federal agencies have made.”