Francis Mailman Soumilas, P.C.

CFPB’s Last Big Swing Under Biden Takes on Data Brokers

In the last days of the Biden administration, the Consumer Financial Protection Bureau (CFPB) under director Rohit Chopra was busy. From ordering Cash App’s operators to pay $175 million for allegedly allowing fraud to proliferate on its platform, to suing Capital One for allegedly cheating consumers out of $2 billion in interest payments, Chopra and his staff took actions their successors presumably will have no interest in taking given the Trump administration’s views on the role of a consumer protection-focused government agency.

Included in this flurry of last-minute activity was an ambitious proposal to rein in the data broker industry in the form of a proposed rule. The rule would amend Regulation V to address the harmful aspects of the data broker industry and bring most, if not all, data brokers under the scope of the Fair Credit Reporting Act (FCRA). In addition, the proposed rule would extend the FCRA’s protections to individuals whose information is collected and sold by data brokers who currently do not fall within the definition of a consumer reporting agency (CRA).

Understanding the Data Broker Industry

To understand why the CFPB proposed its rule, it is helpful to understand the data broker industry and the problems some industry players cause.

Data brokers collect, aggregate, and sell or license consumers’ information, including credit, employment, rental, and criminal information. They collect consumer information from a myriad of sources, including newspapers, periodicals, financial institutions, government records databases, social media, and internet cookies or other online tracking technologies. Unsurprisingly, some of the information data brokers collect is of a sensitive or private nature, such as information about consumers’ finances, physical and mental health, sexual orientations, religious affiliations, and their online browsing and shopping habits.

Advances in technology have made it possible for data brokers or end users of the data they collect to re-identify consumers in datasets that have been de-identified, and identify specific individuals from aggregated data. But the information sold or licensed by data brokers is most often used to help businesses target their marketing toward consumers.

Unfortunately, some data broker practices pose risks to individuals’ safety and financial well-being. For example, information sold by data brokers could be used to coerce or gain leverage over individuals based on their financial situation or private information they do not wish publicized. Wrongdoers can also use data brokers’ information to stalk or harass people, including public officials, judges and law enforcement officers. The availability of sensitive information from data brokers poses a national security risk, as information about individuals in sensitive political, military, and diplomatic positions can be exploited by foreign adversaries through blackmail and espionage. Scammers can also use information sold by data brokers to target vulnerable individuals through sophisticated fraud schemes, such as stealing older adults’ retirement savings. Finally, predatory lenders can purchase data brokers’ lists of financially vulnerable individuals for their marketing campaigns, such as those lenders pitching high-interest loans to individuals in financial distress.

Extending the FCRA’s Regulatory Effect

The CFPB’s proposed rule, which is open for public comment until March 3, would amend the FCRA by, among other things, altering its definitions of consumer reports and CRAs to extend its regulatory effect to data brokers.

The proposed rule would ensure data brokers who sell information about a consumer’s income or finances qualify as CRAs, regardless of the purpose for which the information a data broker sells is to be used. In addition, the rule would declare any communication by a CRA of any portion of a consumer’s personal information as a consumer report if the information was collected to prepare a consumer report about the consumer, and regardless of whether the CRA knew or expected the information could be used for a “permissible purpose” under the FCRA. (More on “permissible purposes” in a moment.)

The proposed rule would also deem any entity to be a CRA if it assembles or evaluates information about consumers, including by gathering, retaining, assessing, validating, confirming or altering the content of consumer information.

Amending Permissible Purposes for Furnishing or Obtaining Consumer Information

Under the FCRA, CRAs may furnish consumer reports only to those parties that have a “permissible purpose” for the information, such as a “legitimate business need” for information in a report related to a transaction a consumer initiates. The proposed rule would amend the permissible purposes for furnishing or obtaining consumer information.

Under the proposed rule, any information furnished by a CRA would be deemed a consumer report when it facilitates another party’s use of the information for that party’s financial gain, even if the CRA does not technically transfer the information to that party. Also, under the rule, a CRA can furnish a consumer report consistent with a consumer’s written instructions for any reason specified by the consumer so long as they sign a separate authorization, not hidden in fine print, that discloses certain information to the consumer, including the reason for obtaining the report. The proposed rule also clarifies that marketing is not a “legitimate business need” under the FCRA.

Additionally, the proposed rule reduces privacy risks associated with de-identification and re-identification of consumer information by, among other things, only permitting CRAs to sell certain kinds of personal identifiers, such as names, addresses, dates of birth, and Social Security numbers, to a user if the user was going to use that information for a permissible purpose.

There Would be Winners and Losers if the Proposed Rule Was Finalized

Should the CFPB’s proposed rule become final, some groups of individuals would benefit while some industries and organizations would most definitely not.

Individuals whose public positions or private relationships could motivate wrongdoers to purchase their personal information and use it in ways threatening their safety stand to benefit from the proposed rule.

For example, judges, law enforcement officers, military members, and diplomats who could be targets of physical attacks or coercion stand to benefit from wrongdoers not being able to purchase their personal information. In addition, survivors of sexual abuse, domestic violence, human trafficking, and other crimes where there is often a relationship between the perpetrator and the victim would benefit from their perpetrators not being able to purchase their addresses and other information that makes it easier to locate them.

On the other hand, businesses in the credit reporting and data sharing industries will face a changed regulatory environment, which could lead to reduced revenue and profits. Data brokers who sell consumer information but do not currently consider themselves CRAs under the FCRA, and CRAs who sell consumer data not explicitly regulated by the FCRA, will have to change their business practices to comply with the FCRA as amended by this proposed rule. So too would companies using consumer information for marketing or computer model training who might find fewer businesses willing to provide that information in the wake of the proposed rule becoming effective, or who might be unwilling to purchase the information after providers increase the prices of that information to account for the increased regulatory scrutiny they will likely face.

A Well-Intentioned Rule That May Never See the Light of Day

Today, many companies in the data broker industry do not view themselves as subject to the FCRA’s restrictions and requirements. If the proposed rule is adopted as currently written and goes into effect, it would substantially alter the way the data broker industry operates. But that is, as they say, “a big ‘if.’”

President Trump and his political appointees view the CFPB’s role, and the country’s need for more regulations from it, differently from how Biden and his appointees did. The Trump administration’s CFPB may water down the proposed rule or scrap it altogether, if there is a CFPB to speak of, given CFPB acting director U.S. Treasury Secretary Scott Bessent’s recent order (as of the time I’m writing this) for CFPB staff to cease much of the agency’s work.

Even if the administration does neither, there’s no guarantee the proposed rule would fare well in litigation from data brokers or data broker industry associations challenging the substance of the rule or the CFPB’s authority to promulgate it.

Though all Americans would benefit from the protections in the proposed rule, its fate is unclear. If it does not go into effect at the federal level during the Trump administration, at the very least, the proposed rule provides state legislatures interested in regulating data brokers a potential roadmap for doing so at the state level.