Consumer Data: Increasing Use Poses Risks to Privacy – Government Accountability Office

As internet usage has exploded over the years, consumers’ personal data, online behavior, and locations are increasingly being tracked. But how safe is that personal information?
Businesses collect, use, and sell consumer data. But consumers may be unaware of how it’s being collected and used and generally aren’t able to stop its collection or verify its accuracy.
The U.S. doesn’t have a comprehensive privacy law governing the collection, use, or sale of personal data. And existing federal consumer protection laws may not be enough. Our past reports include recommendations for consumer data collection and associated growing privacy risks.

Businesses collect, use, and sell consumer data for their commercial benefit, but consumers may be unaware of how their data are being collected and used. Consumers generally do not have the ability to stop the collection of their data, verify data accuracy, or maintain privacy.
As technologies change, consumers may not always know what data businesses are collecting about them, or how those data are used and shared. Advanced, internet-connected technologies help businesses gather increasing amounts of personal data, track online behavior, and monitor consumers’ locations and activities, intensifying concerns about the privacy and accuracy of consumer data.

Over the past decade, we have found that the increasing collection and use of personal information raises concerns related to consumer privacy and protection. Concerns also exist about adverse effects resulting from potential bias and a lack of transparency. The U.S. does not have a comprehensive privacy law governing the collection, use, and sale or other disclosure of consumers’ personal data. Existing federal consumer protection laws may not apply to some newer uses of consumer data. 
1. Consumer Scores Pose Risks
Companies collect personal and transactional data to create consumer scores, which businesses and other entities—such as hospitals and universities—use to predict how consumers will behave in the future. These are separate and distinct from credit scores, which serve a different purpose. But the full range of consumer scores and their uses is unknown, creating a variety of potential risks:
No federal law expressly governs the creation, sale, and use of consumer scores, and gaps may remain in federal consumer protections.
We recommended that Congress consider ways to determine and implement appropriate consumer protections for consumer scores beyond existing federal laws, such as allowing consumers to view and correct data and to be informed of score uses and their potential effects.
Key sectors where consumer scores are used

2. Facial Recognition Technology Raises Consumer Privacy and Accuracy Concerns
Businesses can use facial recognition technology to verify or identify people and provide them with access to buildings or online accounts. They can also use the technology to authorize payments, identify shoplifters, and even monitor the spread of COVID-19.
Functions of Facial Recognition Technology

But consumers may be unaware of potential privacy and data security risks associated with this technology, such as loss of anonymity, lack of consent, and performance differences between demographic groups, which could lead to misidentification or profiling.
We recommended that Congress strengthen the federal consumer privacy framework to reflect changes in technology and the marketplace (a recommendation we had made previously in a 2013 report).
3. Additional Federal Authority over Internet Privacy Could Enhance Consumer Protection
In April 2018, Facebook disclosed that a Cambridge University researcher may have improperly shared the data of up to 87 million of its users with a political consulting firm. This disclosure followed other recent incidents involving the misuse of consumers’ personal data from the internet, which is used by about three-quarters of Americans.
Yet we found that while the Federal Trade Commission has the lead in overseeing internet privacy across all industries, with some exceptions, there is no comprehensive U.S. internet privacy law governing private companies’ collection, use, or sale of internet users’ data, leaving consumers with limited assurance that their privacy will be protected.
We recommended that Congress consider comprehensive legislation on internet privacy that would enhance consumer protections and include the oversight authorities agencies should have.
Challenges and Opportunities
More from GAO’s Portfolio 
Consumer scores: GAO-22-104527 
Facial recognition technology: GAO-20-522 
Internet privacy: GAO-19-52  
Information resellers: GAO-13-663
For more information about this Snapshot, contact: Alicia Puente Cackley, Director, Financial Markets and Community Investment,, (202) 512-8678
Stay informed as we add new reports & testimonies.


Leave a Comment