CFPB Proposes Rule to Crack Down on Data Broker Industry

A proposed rule unveiled by CFPB officials Tuesday seeks to protect Americans’ sensitive personal and financial information by limiting the sale of that information by data brokers.

According to the CFPB announcement, the proposed rule would limit the sale of personal identifiers like Social Security Numbers and phone numbers collected by certain companies and make sure that people’s financial data such as income is only shared for legitimate purposes, like facilitating a mortgage approval, and not sold to scammers targeting those in financial distress.

CFPB Director Rohit Chopra stated the proposed rule will protect citizens from crime and illegal foreign surveillance. The CFPB said it believes the proposed rule makes clear that data brokers are consumer reporting agencies when selling certain information under the Fair Credit Reporting Act (FCRA). With this clarification, the CFPB said, the data brokers would be mandated to comply with requirements under that law.

“By selling our most sensitive personal data without our knowledge or consent, data brokers can profit by enabling scamming, stalking and spying,” Chopra said. “The CFPB’s proposed rule will curtail these practices that threaten our personal safety and undermine America’s national security.”

The CFPB's proposal would ensure data brokers comply with federal law and address critical threats from current data broker practices, including:

National security and surveillance risks: Countries of concern, like China and Russia, can purchase detailed personal information about military service members, veterans, government employees and other Americans for pennies per person. This enables the creation of detailed dossiers for potential espionage, surveillance or blackmail operations, allowing relatively small investments to be leveraged into mass surveillance operations.
Criminal exploitation: Identity thieves and scammers purchase detailed financial profiles to target vulnerable consumers, particularly seniors and financially distressed individuals. These criminals can use this data to execute sophisticated fraud schemes and steal retirement savings, often targeting Americans who can least afford the losses.
Violence, stalking and personal safety threats to law enforcement personnel and domestic violence survivors: The availability of sensitive contact information poses risks to those who are targeted for their profession, such as judges, police officers, prosecutors and other government employees. Domestic violence survivors also face grave dangers when their current addresses and phone numbers are readily available for purchase through data brokers. Several states have already had to take action to protect judges and law enforcement officers after violent incidents, including the 2020 murder of a federal judge's son by an attacker who purchased her home address.

According to the CFPB, it developed this proposed rule based on extensive market monitoring that revealed widespread evasion of consumer protections. The agency found that data brokers routinely sidestep the FCRA by claiming they aren't subject to its requirements – even while selling the very types of sensitive personal and financial information Congress intended the law to protect. This proposed rule would further Congress's goal of protecting Americans' privacy and financial information.

To address the risks stated above, the proposed rule would:

Treat data brokers just like credit bureaus and background check companies: Companies that sell data about income or financial tier, credit history, credit score or debt payments would be considered consumer reporting agencies required to comply with the FCRA, regardless of how the information is used.
Protect consumers' personal identifiers from abuse and misuse: When consumer reporting agencies collect information like names, addresses or ages for credit reports, any subsequent sale of that information would be covered by the FCRA's protections.
Require clear consumer consent for data sharing: Under the proposed rule, companies relying on consumers’ consent to obtain or share a consumer’s credit report would need separate, explicit authorization to do so, rather than burying permissions in fine print.

Comments on the proposed rule will be accepted until March 3, 2025.

NOT FOR REPRINT

Editor-in-Chief at CU Times. To connect, email at [email protected]. As Editor-in-Chief of CU Times since 2016, Michael Ogden has led the editorial team in all aspects of content strategy and execution, including the creation of the publication’s exclusive and proprietary research database of the credit union industry’s economic landscape. Under Michael’s leadership, CU Times has successfully shifted to an all-digital editorial product with new focuses on the payments, fraud, lending and regulatory beats. Most recently, he introduced a data-focused editorial product for subscribers that breaks down credit union issues into hard data, allowing for a deeper and more factual narrative for readers. In 2024, he launched the "Shared Accounts With CU Times" podcast, which offers a fresh, inside-the-newsroom perspective through interviews with leaders from the credit union industry and the regulatory world. He dives into pressing credit union issues, while revealing the personalities working behind-the-scenes to push the credit union world forward. His background includes years as a radio and TV anchor/reporter and a public relations and digital/social media manager, where he covered the food and music industries, as well as cooperatives and credit unions. Over the years, he has launched numerous exclusive video and podcast series, including a successful series of interactive backstage interviews with musicians at music festivals, showcasing his social media and live streaming production skills.