The recent, enormous, Equifax data breach highlights multiple problems with credit reporting agencies and more broadly the vast array of entities that collect, store, and sell sensitive personal information about you - often without your consent.
The Equifax breach is so troubling because of the type of information stolen -- everything in one place for criminals to commit new account identity theft and other financial harms -- and the incredible number of Americans impacted. As more consumers have learned about the most powerful tool to protect themselves -- the security freeze -- they have also learned that in all but seven states, one must pay all three credit reporting agencies a fee to freeze and unfreeze their credit reports.
This puts in stark relief a fundamental problem with credit reporting agencies: as U.S. PIRG Consumer Program Director Ed Mierzwinski has written, "You can pick your bank and you can pick your friends, but you are stuck with the credit bureaus, no matter how poorly they work in the marketplace." If you wish to participate in the financial marketplace, the credit reporting agencies will, by default, collect, store, and share private personal information about you with others. They control your data, and if you want to limit how and when they share it with creditors, potential employers, landlords or others, you have to pay.
But financial information is not all that is being collected about you to turn into profit for someone else. Your online behavior, geolocation, even biometric information - such as your thumbprint or face - is also being collected, stored, aggregated, and sold, often without your consent. What's worse, once this information has been collected about you, there is little to nothing you can do to control how it is used, or even to know who has it and how they are using it.
This summer, the Illinois General Assembly passed the Illinois PIRG-supported House Bill 3449, sponsored by Representative Ann Williams. HB3449 is simple - it requires that apps and services clearly and conspicuously inform you and receive your consent before collecting your geolocation information. Many consumers understand some location data is being collected about them, especially by location-based apps like ride-sharing or maps, but would be surprised to know that sometimes this information is constantly being collected, shared or sold. Many more apps, including children's game apps, also collect geolocation information.
Typically, notice of this information collection is buried in long terms of service agreements, which few read or can even understand. This cannot be considered "informed consent." By forcing apps to clearly and conspicuously inform consumers and acquire their explicit consent before collecting geolocation information, consumers regain some control over incredibly sensitive personal information.
HB3449 sits on Governor Rauner's desk, with four days left to take action. We're calling on him to sign the bill into law. If he has not heard from you yet, now would be an excellent time to contact his office.