The Consumer Financial Protection Bureau (CFPB) today proposed a rule to rein in data brokers that sell personal and financial information.
The proposed rule would limit the sale of personal identifiers like Social Security Numbers and phone numbers collected by certain companies. The rule would also ensure that people’s financial data such as income is only shared for legitimate purposes, like facilitating a mortgage approval.
Further, the proposal would make clear that when data brokers sell certain sensitive consumer information they are “consumer reporting agencies” under the Fair Credit Reporting Act (FCRA). This would require them to comply with accuracy requirements, provide consumers with access to their information, and maintain safeguards against misuse.
“By selling our most sensitive personal data without our knowledge or consent, data brokers can profit by enabling scamming, stalking, and spying,” CFPB Director Rohit Chopra said. “The CFPB’s proposed rule will curtail these practices that threaten our personal safety and undermine America’s national security.”
The data broker industry collects and sells detailed information about Americans’ personal lives and financial circumstances to anyone willing to pay. This means that countries of concern, like China and Russia, can purchase detailed personal information about military service members, veterans, government employees, and other Americans for pennies per person.
To address these risks, the proposed rule would:
• Treat data brokers just like credit bureaus and background check companies: Companies that sell data about income or financial tier, credit history, credit score, or debt payments would be considered consumer reporting agencies required to comply with the FCRA, regardless of how the information is used.
• Protect consumers’ personal identifiers from abuse and misuse: When consumer reporting agencies collect information like names, addresses, or ages for credit reports, any subsequent sale of that information would be covered by the FCRA’s protections.
• Require clear consumer consent for data sharing: Under the proposed rule, companies relying on consumers’ consent to obtain or share a consumer’s credit report would need separate, explicit authorization to do so, rather than burying permissions in fine print.
These changes would significantly limit the ability of data brokers to sell sensitive contact information that could be used to target, harass, or dox individuals.
The CFPB developed this proposed rule based on extensive market monitoring that revealed widespread evasion of consumer protections. The agency found that data brokers routinely sidestep the FCRA by claiming they aren’t subject to its requirements.