December 3, 2024

CFPB: Rule Proposed to Stop Data Brokers from Selling Sensitive Personal Data

Rule seeks to protect Americans from crime and illegal foreign surveillance

The Consumer Financial Protection Bureau (CFPB) today proposed a rule to rein in data brokers that sell Americans’ sensitive personal and financial information. The proposed rule would limit the sale of personal identifiers like Social Security Numbers and phone numbers collected by certain companies and make sure that people’s financial data such as income is only shared for legitimate purposes, like facilitating a mortgage approval, and not sold to scammers targeting those in financial distress. The proposal would make clear that when data brokers sell certain sensitive consumer information they are “consumer reporting agencies” under the Fair Credit Reporting Act (FCRA), requiring them to comply with accuracy requirements, provide consumers access to their information, and maintain safeguards against misuse.

“By selling our most sensitive personal data without our knowledge or consent, data brokers can profit by enabling scamming, stalking, and spying,” said CFPB Director Rohit Chopra. “The CFPB’s proposed rule will curtail these practices that threaten our personal safety and undermine America’s national security.”

The data broker industry collects and sells detailed information about Americans’ personal lives and financial circumstances to anyone willing to pay. The CFPB’s proposal would ensure data brokers comply with federal law and address critical threats from current data broker practices, including:

To address these risks, the proposed rule would:

These changes would significantly limit the ability of data brokers to sell sensitive contact information that could be used to target, harass, or dox individuals seeking privacy protection, including domestic violence survivors. The proposed rule would preserve existing pathways created by the FCRA for government agencies to access consumer report information for legitimate law enforcement, counterterrorism, and counterintelligence purposes.

Congress enacted the FCRA, one of the first data privacy laws in the world, in 1970 to, among other things, strictly limit the use of personal data by a growing data surveillance industry. The CFPB’s proposed rule would ensure that the FCRA’s strong privacy protections safeguard consumers from modern day data brokers that rely on emerging technologies and newer business models to collect and sell consumer data.

The CFPB developed this proposed rule based on extensive market monitoring that revealed widespread evasion of consumer protections. The agency found that data brokers routinely sidestep the FCRA by claiming they aren’t subject to its requirements – even while selling the very types of sensitive personal and financial information Congress intended the law to protect. This proposed rule would further Congress’s goal of protecting Americans’ privacy and financial information.

The proposed rule is part of a broader government-wide initiative to protect Americans’ sensitive personal data, complementing recent Executive Orders and actions by other federal agencies. In October, the Department of Justice proposed a rule to prevent access to Americans’ sensitive personal data by Russia, Iran, China, and other countries of concern.

This post was originally published here.