CFPB proposes new rule to regulate expansive data broker industry

In an era where personal data is increasingly commodified, the Consumer Financial Protection Bureau (CFPB) is attempting to regulate the sprawling industry of data brokers. A newly proposed rule aims to put data brokers in line with the Fair Credit Reporting Act (FCRA), ensuring accountability and consumer privacy amid widespread security issues. 

The CFPB’s proposed rule redefines consumer reports to encompass any broker that obtains personal data related to credit and financial assessment. The brokers would be required to demonstrate a “permissible purpose” for sharing consumer information, limiting the use of consumer data for marketing purposes unless explicit consumer consent is granted. 

The proposed rule also mandates clear disclosure to the public concerning the use of their data, ensuring individuals can provide informed consent or withdraw it if they so choose. This aims to close current loopholes that allow for vague data-sharing authorizations. 

Data brokers collect information from a wide array of sources — such as retail transactions, online behaviors, and publicly available records — to compile extensive profiles on individuals, aggregating information on financial standings, health statuses, and lifestyle choices, among others. The industry has grown significantly, leveraging advancements in technology to not only amass but also potentially re-identify de-identified data, raising both privacy and ethical concerns. 

The collected data is predominantly used to generate detailed consumer reports, which are then purchased by companies in sectors like credit, insurance, and real estate to inform business decisions. However, the practice has frequently been criticized for operating in the shadows, often without the explicit consent of the individuals whose data is being used. 

These data sets are also susceptible to misuse. Scammers and identity thieves access this data to exploit the vulnerable, targeting individuals for identity theft, financial fraud, or scams. Moreover, national security risks loom large, as adversaries could potentially acquire sensitive data about U.S. military personnel and government employees, potentially compromising security operations. 

If implemented, the rule could instigate sweeping changes across the data-broker landscape, potentially curbing the unauthorized distribution of sensitive consumer data while enhancing privacy protections. However, the agency’s future is unclear in President-elect Donald Trump’s forthcoming administration.  

Despite the focus, a CFPB official said they believe the rules can survive in the new administration.