Social networks and interaction with people icons showing regulations for data brokers

US Consumer Finance Watchdog Proposes New Restrictions on Data Brokers

The Consumer Financial Protection Bureau (CFPB) appears to have data brokers in its crosshairs, announcing that it is developing a new rules proposal for the industry. The agency has indicated that the new rules will limit what types of personal data can be sold, prevent disclosure of some sensitive information presently found in credit report headers, and provide consumers with a greater right of access to and correction of such data.

The announcement came ahead of a roundtable meeting at the White House on curbing the worst practices of predatory data brokers. A variety of participants summarized numerous issues with the industry, and CFPB head Rohit Chopra specifically noted a focus on the impact of AI and announced that an outline of proposals and alternatives will be released sometime in September.

Unethical data brokers characterized as “surveillance firms” by CFPB head

The White House roundtable signaled that the Biden administration is paying increasing attention to regulating data brokers and reining in their worst practices. The new focus has likely been triggered by recent advances in AI, which both increases the ability of brokers to draw connections between pieces of personal data and has prompted them to acquire even more of it. Forum participants also noted that these private data hoards frequently include outdated or completely false information, yet are packaged for sale as a tool to assist credit, housing and employment decisions.

CFPB Director Rohit Chopra said that the agency would be putting forward proposals for regulating data brokers in the coming weeks. Chopra named two proposals that are already under consideration: labeling some data brokers as “consumer reporting agencies” so as to put them under the existing safeguards provided by the Fair Credit Reporting Act (FCRA), and limiting what can appear in “credit header data” provided by the three major credit reporting bureaus.

Established in 1970, the FCRA provides a set of protections that are remarkably similar to those established by modern federal and state data privacy laws: guarantees of free access to stored personal data, the right to dispute errors, and safeguards against third-party access. However, at present it applies to a limited amount of companies. It is primarily meant to govern the “big three” credit reporting agencies, but it also does apply to a subset of screening companies that handle things like rental applications, employment, insurance and credit decisions. There is legal room for the CFPB to classify data brokers that sell related types of protected information in this way, for example those that include income or criminal records in the profile packages that they sell.

The CFPB will also examine how much personal information the credit bureaus are allowed to share as part of the headers of credit reports, which contain sensitive personal information such as Social Security numbers and dates of birth. Data brokers often use header information as the base of individual profiles, yet the files they generate from this information are not necessarily considered a “consumer report” for the purposes of FCRA protection. This may change under the proposed new rules.

Fuller scope of proposed regulations, involvement of other federal agencies to be announced in September

The CFPB is not the only agency paying renewed attention to data brokers. The Federal Trade Commission (FTC) has also been working on new regulations for the industry for over two years now, collecting public comment on the drafting of new privacy rules in late 2022. The agency first began establishing a new legal definition of “data brokers” in the modern age in early 2021.

However, all of this comes after a summer of revelations of the US government also turning to these same data brokers to purchase information on citizens. A May report from the Office of the Director of National Intelligence found that the FBI, Department of Defense, U.S. Navy, Coast Guard, Department of Homeland Security and Defense Intelligence Agency all have contracts with private data brokers. Some of the agencies say that they only use broker files for security clearance investigations, or in pursuit of known threat actors. The agencies may be exploiting a Fourth Amendment loophole by purchasing millions of records at once, one that the recently introduced “The Fourth Amendment Is Not for Sale Act” looks to close.

There is also still no clear path to a federal data privacy law, with years now of multiple proposals that ultimately go nowhere piling up. Much of the current push by the CFPB and FTC would be covered by something like the EU’s General Data Protection Regulation (GDPR).

Dustin Nofziger, counsel at Pryor Cashman, also notes that the data brokers will have legal ammunition to fight back given the current precarious state of the CFPB: “The ability of the CFPB to promulgate new rules or to enforce its existing rules is in serious question, with the Supreme Court to consider the constitutionality of the CFPB’s unique funding scheme this term. While the constitutional issue is outstanding, data brokers can be expected to vigorously challenge any CFPB efforts to impose new rules upon the industry.”