Data brokers face sweeping new regulations from CFPB
The Consumer Financial Protection Bureau (CFPB) on Tuesday proposed a long-anticipated rule to limit how data brokers can traffic in and sell Americans' sensitive personal and financial data.
The proposal would classify data brokers selling certain types of individual data as consumer reporting agencies, subjecting them to tough accuracy and other requirements under the Fair Credit Reporting Act (FCRA).
The potential rule, for which comments are due by March 2025, would limit the sale of consumers’ Social Security and phone numbers and ensure that financial data, including income, is only shared for essential reasons such as enabling mortgage approvals. It also would require consumers to explicitly authorize the sale of this data and would create protections to prevent the abuse of it.
CFPB considers and sometimes integrates suggestions from comments before implementing a final rule.
A national security threat
If the proposal is formally adopted by the incoming Trump administration, the rule is expected to have a significant impact on the data broker industry, which gathers and sells exceptionally sensitive financial and other data about consumers, often for pennies per record.
The threat data brokers pose to national security has become an increasing concern for politicians on both sides of the aisle in recent months. CFPB highlighted that threat in its announcement.
CFPB noted that data brokers’ currently unregulated collection and sale of sensitive personal information on military members, politicians and national security officials “enables the creation of detailed dossiers for potential espionage, surveillance, or blackmail operations, allowing relatively small investments to be leveraged into mass surveillance operations.”
The prospects for the proposed rule being adopted under President Donald Trump are unclear, but some privacy advocates said they hope that the new administration will respond to the fact that data brokers do sell location, health and financial information to entities in hostile foreign countries.
“The president-elect has often spoken about protecting national security and reducing crime,” said John Davisson, director of litigation at the Electronic Privacy Information Center. “A rule reining in data brokers would serve both aims by protecting service members, veterans and state secrets from foreign adversaries while undercutting fraud and identity theft.”
Davisson added that the incoming national security adviser, Rep. Mike Waltz (R-FL), introduced legislation last year to protect the personal data of service members against identity theft and fraud.
“Carrying forward this rulemaking should be an easy win for the next administration,” Davisson said.
An expansion of existing regulations
In addition to facilitating fraud and threatening national security, data brokers’ practices also fuel violence, stalking and other safety threats to both law enforcement and domestic violence survivors, according to the CFPB, which noted the risks posed by the unfettered sales of unlisted addresses and phone numbers.
By regulating data brokers in the same way that credit bureaus and background check companies are treated, the rule would apply to data brokers the strict restrictions FCRA imposes on the sale of income, debt payments, credit history and credit scores, no matter how the purchaser plans to use the information.
Under FCRA, buyers of individuals’ personal identifiers are regulated downstream so that subsequent buyers of the data beyond the original purchaser also must adhere to FCRA when trading in the names, addresses or ages of individuals.
FCRA also mandates that consumers agree to allow their data to be shared. The proposed rule makes clear that consent cannot be buried in “fine print,” and that data brokers must instead receive separate and explicit permission from consumers before obtaining or sharing their credit reports.
Data broker expert Justin Sherman said that both political parties have pushed for consumers to have more rights and protections governing their credit data, and that the need for FCRA to be overhauled for the “modern age” is recognized across the aisle.
But he said the CFPB’s proposed rule does not address the full scale of data broker abuses and emphasized that much remains to be done.
“For all the CFPB's essential work on this topic, it also underscores how far we have to go; the ultimate solutions to data brokerage privacy and security threats, including the serious threats to our national security, are legislative, and it's yet another reminder that Congress needs to regulate this industry that harms all Americans,” he said.
The proposed rule was spurred by what CFPB called “extensive market monitoring” revealing consumer protections were being flouted by the data broker industry on a massive scale.
Sherman said that data brokers routinely claim they are not consumer reporting agencies despite being just that.
“Too many companies walk like a consumer reporting agency, and quack like a consumer reporting agency, yet magically claim on their website they're not FCRA-covered and conveniently provide people none of the rights and protections they're entitled to,” he said.
CFPB’s motives
When announcing the proposed rule, Agency Director Rohit Chopra referred to a vast and extremely damaging Chinese hack of American telecommunications networks that was discovered last month, underscoring the seriousness of the problem.
“Often, our adversaries don't need to hack anything,” Chopra said. “Data brokers … are making this data available to anyone willing to pay.”
Chopra also cited recent news revealing how data brokers sold data about U.S. military personnel in Germany with no questions asked, as well as the 2020 murder of a federal judge’s son by a disgruntled lawyer who found her unpublished home address through a data broker. (Law enforcement and other government agencies’ access to consumer reports’ data for investigations would not be constrained by the rule if it is made final, Chopra said.)
He also highlighted the staggering number of Americans who can be impacted by a single breach of a data broker’s systems, citing the hack of data broker National Public Data this summer.
Hackers responsible for that breach accessed nearly 3 billion records, including Social Security numbers.
“These aren't isolated incidents — they represent a systemic vulnerability in how our personal data is bought and sold,” Chopra said.
Under the proposal, data brokers will no longer be able to “pretend that they are somehow different” from the credit agencies and consumer background check companies that FCRA strictly regulates, Chopra said.
Any company peddling data about a person's income, financial tier, credit history, credit scores or debt payments would be subject to FCRA’s requirements under the rule, Chopra said.
“Today’s proposal is a major step forward to ensure that companies trafficking in Americans' most sensitive information face real consequences for putting people at risk,” Chopra said.
Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.