Data brokers could be mining employee data, the CFPB isn’t happy

Data brokers are already in your workplace, surveilling your employees and selling what they gather, whether you know it or not. And we’re not the only one who thinks there’s a creep factor here. The Consumer Financial Protection Bureau recently published a request for information regarding data brokers. The Federal Trade Commission recently dinged a digital healthcare platform for sharing consumers’ sensitive health information for advertising purposes.

With that in mind, companies should be paying extra close attention to employee data.

Where do all the data come from?

To understand the breadth of the issue, you have to understand how data brokers have gotten into your workplace. There are many avenues.

Via your keystroke and mouse-jiggling trackers

The National Labor Relations Board is already concerned with employers monitoring employees after hours. It has also expressed unease over the sale of employees’ data by the companies collecting it to financial institutions, insurers, and other employers.

Via your 401(k) plan record-keeper

In 2021, a federal trial court ruled that employees’ personal information—their names, contact information, Social Security numbers, financial information, investment history, investments, account balances, etc.—wasn’t a plan asset. As such, their employer didn’t breach its fiduciary duty under ERISA when it shared this information with its third-party record-keeper, who used the information to market profitable nonplan financial products and services, such as IRAs and credit cards, to employees. The case is Harmon v. Shell Oil Co.

Via wellness plans

Wellness plans, of course, are constrained by HIPAA’s privacy provisions. But there’s a sneakier way in. Wellness plans can offer employees smartwatches, which monitor their progress through the wellness program.

According to a survey by Morning Consult, 40% of individuals with wearables used the technology multiple times a day.

The problem? The data that smartwatches generate are often inaccurate, which defeats the purpose of wearing one in the first place. It’s also not clear whether data generated by wearables is HIPAA-protected; if the entity gathering the data isn’t a HIPAA-covered entity, the data may not be protected.

Via tracking pixels

We can thank the FTC for this one. Never heard of tracking pixels? We hadn’t either, except in the most roundabout way. Tracking pixels include a broad range of HTML and JavaScript embedded in websites and emails (OK, we shamelessly stole this sentence from the FTC). Now we know why we were told not to click the “display images” link when we open emails.

You’ve seen the TV commercials for GoodRx and similar apps—get free coupons or lower prescription-drug costs. But nothing is free. Apparently, consumers were trading their personal health information via pixels for these discounts. And they weren’t told.

In its enforcement action, the FTC snagged GoodRx for $1.5 million in civil penalties for failing to report its unauthorized disclosure of consumer health data via pixels to tech companies and for violating the FTC’s Health Breach Notification Rule.
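To make the “HTML embedded in emails” point concrete, here is a small scanner added to this post (it is not code from the FTC or from the original article) that flags beacon-style images in an email body: remote images that are 1x1 or hidden by CSS, and whether their URL carries a query string that could identify the recipient. The sample message, hostnames and employee id are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLES = ("display:none", "visibility:hidden")


class _ImgCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us
        if tag == "img":
            self.images.append({k: (v or "") for k, v in attrs})


def _px(value):
    """Parse a width/height attribute such as '1' or '1px'; None if not a plain number."""
    v = value.strip().lower()
    v = v[:-2] if v.endswith("px") else v
    return int(v) if v.isdigit() else None


def find_tracking_pixels(body):
    """Return remote <img> tags that look like beacons: 1x1 or hidden via CSS.
    Each hit records the host contacted and whether the URL carries a query
    string (typically a per-recipient token that ties the open to a person)."""
    parser = _ImgCollector()
    parser.feed(body)
    hits = []
    for img in parser.images:
        url = urlparse(img.get("src", ""))
        if url.scheme not in ("http", "https"):
            continue  # cid:/data: images are embedded and cannot phone home
        w, h = _px(img.get("width", "")), _px(img.get("height", ""))
        style = img.get("style", "").replace(" ", "").lower()
        tiny = w is not None and h is not None and w <= 1 and h <= 1
        hidden = any(s in style for s in HIDDEN_STYLES)
        if tiny or hidden:
            hits.append({"host": url.hostname, "tiny": tiny, "hidden": hidden,
                         "has_token": bool(url.query)})
    return hits


# Constructed sample message: a visible logo, a 1x1 remote beacon carrying a
# per-recipient id, and an embedded (cid:) image that cannot report back.
SAMPLE_EMAIL = """<html><body>
<img src="https://cdn.example.test/logo.png" width="200" height="60" alt="logo">
<p>Your benefits statement is ready.</p>
<img src="https://track.example.test/open.gif?uid=emp-0042" width="1" height="1">
<img src="cid:inline-chart" width="1" height="1">
</body></html>"""
```

Running `find_tracking_pixels(SAMPLE_EMAIL)` reports only the `track.example.test` image; a mail client that does not auto-load remote images never makes that request, which is why the “display images” prompt matters.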

What the CFPB wants to know

The CFPB wants to understand the full scope and breadth of data brokers and their business practices. Importantly, the CFPB says data brokers include firms specializing in preparing employment background screening reports and credit reports.

Here’s a sampling of the questions it wants answers to:

  • What types of data do brokers collect, aggregate, sell, resell, license, derive marketable insights from, or otherwise share?
  • Can people avoid having their data collected?
  • What do data brokers do with the data they collect, other than aggregating, selling, reselling, or licensing data?
  • What collection methods do data brokers use to source information?

What can you do?

You can ask your 401(k) record-keeper, health plan, payroll provider, etc. whether they collect employees’ information and, if they do, how they use it. If you don’t like the answer, you have two basic choices:

  • Allow third parties to collect data only from employees who opt in.
  • If the status quo must prevail, be upfront and warn employees.