News Release: New GAO data broker report discusses key WPF work on sales of mental health lists, more


San Diego — 15 November, 2013: The General Accounting Office (GAO) issued its long-awaited report on data brokers, INFORMATION RESELLERS: Consumer Privacy Framework Needs to Reflect Changes in Technology and the Marketplace. The report discusses key World Privacy Forum testimony and research. “We are pleased with the GAO report,” said Pam Dixon, Executive Director of the World Privacy Forum. “In particular, we are glad the GAO highlighted our work calling for a stop to the selling of people’s sensitive medical and health information for marketing purposes. This is a practice that is causing great harm; the GAO made the right call in pointing out new controls are needed.”

Here are the specifics:


– The GAO report discusses Pam Dixon’s Congressional testimony about the unwelcome sales of mental health lists, and how that is still legal.

“Under most circumstances, information that many people may consider very personal or sensitive legally can be collected, shared, and used for marketing purposes. This can include information about an individual’s physical and mental health, income and assets, mobile telephone numbers, shopping habits, personal interests, political affiliations, and sexual habits and orientation. For example, in 2009 testimony before Congress, a representative of the World Privacy Forum said that some marketers maintain lists that contain information on individuals’ medical conditions, including mental health conditions. HIPAA provisions apply only to covered entities and not, for example, to health-related marketing lists used by e-health websites or other noncovered entities. Information resellers that do not qualify as covered entities can collect and use information about consumers’ health histories and treatments for marketing purposes.” GAO, p. 19.

Here are the links to Pam Dixon’s Congressional testimony about this:


– The GAO report also discusses the WPF report Many Failures: A Brief History of Privacy Self-Regulation in the United States. 

“The World Privacy Forum issued a report in 2011 stating that a majority of industry self-regulatory programs were inadequate in protecting consumer privacy and failed in one or more substantive ways. For example, the report asserted that self-regulatory organizations formed their programs in secret, that the programs covered only a fraction of an industry or an industry subgroup, and that self-regulatory organizations lacked the ability to enforce the guidelines or practices among members. The Privacy Forum report cited examples of self-regulatory efforts that were no longer in existence, such as the Individual Reference Services Group.” GAO, p. 34.

Here are the links to WPF’s Many Failures report cited by the GAO:


– Related: This October, the World Privacy Forum published the first of three new reports about data brokers. This report, Data Brokers and the Federal Government, is available here:

The Data Brokers and the Federal Government report is Part III in a three-part series of reports concerning data brokers that World Privacy Forum is publishing.


Pam Dixon
+1 760.470.2000