WASHINGTON — The Consumer Financial Protection Bureau has proposed
The proposal would clarify that data brokers are "consumer reporting agencies" under the Fair Credit Reporting Act when they sell sensitive customer data, subjecting them to rules requiring data be accurate, protected and accessible to consumers.
Specifically, the bureau said the proposal is aimed at addressing safety and national security concerns around personal data. Examples of risks posed by the current way personal data is treated include the risk of countries like China or Russia purchasing personal information about military service members, consumers risking criminal exploitation from identity thieves targeting vulnerable people and personal safety concerns for victims of stalking or domestic violence.
"These aren't isolated incidents," CFPB Director Rohit Chopra said. "They represent a systemic vulnerability in how our personal data is bought and sold."
The CFPB's proposed rule would require data brokers to be subject to the same requirements as credit bureaus and background check companies pursuant to the Fair Credit Reporting Act.
Any sale of information assembled by data brokers would be covered by the Fair Credit Reporting Act's protections, including ensuring that it's sold for what Congress has specified as a "permissible purpose" such as credit underwriting. The law prohibits the sale of data for advertising and training artificial intelligence models.
"Congress recognized the risks of data brokers more than 50 years ago and passed one of the world's first privacy laws, the Fair Credit Reporting Act," Chopra said. "Now this law doesn't just cover credit bureaus, the law establishes crucial guardrails for companies monetizing Americans personal information, including limiting data sharing to legitimate purposes like credit checks for loans."
Although the CFPB is proposing the rule in the waning days of the Biden administration, there's some degree of bipartisan consensus in Congress that more needs to be done to protect the data privacy of consumers. When Chopra appeared in Congress in June,
Currently, many third-party data brokers that resell personal information aren't covered by the Fair Credit Reporting Act. Expanding the umbrella of firms subject to those rules would require some data brokers — which the bureau declined to identify specifically — to obtain consumers' explicit authorization to share information such as a credit report "rather than burying permissions in fine print," the bureau said.
"Companies routinely sidestep the … Fair Credit Reporting Act by claiming they aren't subject to its requirements, even while selling the very types of sensitive personal and financial information that Congress intended the law to protect," Chopra said. "Today's proposal would crack down on a range of misuses of our data while preserving many of the legitimate uses."
Data brokers are companies that collect, aggregate, sell, resell, license, enable the use of, or otherwise share consumers' information. They gather information about credit, criminal, employment, and rental histories of hundreds of millions of Americans, along with other sensitive information.
Chopra previously outlined the ideas behind the proposed rulemaking
"There is already an extensive regulatory schema governing how banks and certain other financial institutions may use and transfer data," ABA said in a letter to the bureau. "The RFI appears to be motivated by the rise of new types of businesses that sell consumer data but claim not to be covered by these existing rules. Therefore, any CFPB activity on the subject should be targeted at those unregulated entities and not upset the existing framework."
A fact sheet from the CFPB released Tuesday morning defines a data broker as "companies that collect, aggregate, sell, resell, license, enable the use of, or otherwise share consumers' information," but did not explicitly spell out whether banks would be covered under the proposal.
The proposed rule also follows an executive order from President Joe Biden in February that
