CFPB proposes new rule to regulate expansive data broker industry

The rule would force data brokers to adhere to the same standards as established credit agencies.
The entrance to the Consumer Financial Protection Bureau (CFPB) headquarters building is seen on August 18, 2024, in Washington, DC. (Photo by J. David Ake/Getty Images)

In an era where personal data is increasingly commodified, the Consumer Financial Protection Bureau (CFPB) is attempting to regulate the sprawling industry of data brokers. A newly proposed rule released Tuesday aims to put data brokers in line with the Fair Credit Reporting Act (FCRA), ensuring accountability and consumer privacy amid widespread security issues.

Initially established in 1970, the FCRA was one of the first pieces of legislation aimed at protecting consumer privacy. The proposed changes by the CFPB intend to broaden the law to include data brokers, holding them to the same standards as traditional consumer reporting agencies such as Equifax, Experian, and TransUnion.

The CFPB’s proposed rule redefines consumer reports to encompass any broker that obtains personal data related to credit and financial assessment. The brokers would be required to demonstrate a “permissible purpose” for sharing consumer information, limiting the use of consumer data for marketing purposes unless explicit consumer consent is granted.

Furthermore, the proposed rule mandates clear disclosure to the public concerning the use of their data, ensuring individuals can provide informed consent or withdraw it if they so choose. This aims to close current loopholes that allow for vague data-sharing authorizations.

“These changes reflect a widespread consensus that current privacy protections are inadequate,” CFPB Director Rohit Chopra said in a call with reporters. “Today’s proposed rule is a major step forward to ensure that companies trafficking in Americans’ most sensitive information face real consequences for violating long-standing law and for putting people and our country at risk.”

Data brokers collect information from a wide array of sources — such as retail transactions, online behaviors, and publicly available records — to compile extensive profiles on individuals, aggregating information on financial standings, health statuses, and lifestyle choices, among others. The industry has grown significantly, leveraging advancements in technology to not only amass but also potentially re-identify de-identified data, raising both privacy and ethical concerns.

The collected data is predominantly used to generate detailed consumer reports, which are then purchased by companies in sectors like credit, insurance, and real estate to inform business decisions. However, the practice has frequently been criticized for operating in the shadows, often without the explicit consent of the individuals whose data is being used.

Alarmingly, these data sets are also susceptible to misuse. Scammers and identity thieves access this data to exploit the vulnerable, targeting individuals for identity theft, financial fraud, or scams. Moreover, national security risks loom large, as adversaries could potentially acquire sensitive data about U.S. military personnel and government employees, potentially compromising security operations.

Last week, Wired published an article that examined how more than 3 billion phone coordinates collected by a U.S. data broker exposed the detailed movements of U.S. military and intelligence workers in Germany.

Earlier this year, a breach at data broker National Public Data compromised 2.9 billion records, including full names, addresses, birth dates, phone numbers, and Social Security numbers. The stolen data spans at least three decades and was being sold on the cybercrime underground with server credentials for $3.5 million. In October, the Federal Police of Brazil arrested a person allegedly responsible for the breach. 

If implemented, the rule could instigate sweeping changes across the data-broker landscape, potentially curbing the unauthorized distribution of sensitive consumer data while enhancing privacy protections. However, the agency’s future is unclear in President-elect Donald Trump’s forthcoming administration. Last week, Elon Musk posted on social media that he wants to “delete” the CFPB as part of his effort under the new Department of Government Efficiency. Trump has tasked Musk and tech entrepreneur Vivek Ramaswamy to use the newly formed office to eliminate government spending. 

Despite the focus, a CFPB official said they believe the rules can survive in the new administration. 

“I think there’s a broad bipartisan recognition that data brokers pose real dangers, both to Americans’ privacy and to national security,” a CFPB official said during the call. “This is an issue that unites a broad array of voices, and so we think that means that concern about this issue will not disappear.”

Written by Greg Otto

Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News & World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University.