COMMENT CALL: The Consumer Financial Protection Bureau (CFPB) has published a proposed rule that would extend the reach of the Fair Credit Reporting Act (FCRA) and its implementing rules (Reg. V) to cover data brokers.
Under the proposal, data brokers that sell certain sensitive consumer information would be treated as “consumer reporting agencies” (commonly called credit bureaus) under the FCRA, requiring them to comply with accuracy requirements, give consumers access to their information, and maintain safeguards against misuse.
The proposal would limit the sale of personal identifiers like Social Security Numbers and phone numbers collected by data brokers and make sure that people’s financial data such as income is only shared for legitimate purposes, like facilitating a mortgage approval, and not sold to scammers targeting those in financial distress.
CFPB sees threats from data broker practices
The data broker industry collects and sells detailed information about Americans’ personal lives and financial circumstances to anyone willing to pay. The CFPB says that its proposal would ensure data brokers comply with federal law and address critical threats from current data broker practices, including:
- National security and surveillance risks: Countries of concern, like China and Russia, can purchase detailed personal information about military service members, veterans, government employees, and other Americans for pennies per person. This enables the creation of detailed dossiers for potential espionage, surveillance, or blackmail operations, allowing relatively small investments to be leveraged into mass surveillance operations.
- Criminal exploitation: Identity thieves and scammers purchase detailed financial profiles to target vulnerable consumers, particularly seniors and financially distressed individuals. These criminals can use this data to execute sophisticated fraud schemes and steal retirement savings, often targeting Americans who can least afford the losses.
- Violence, stalking, and personal safety threats to law enforcement personnel and domestic violence survivors: The availability of sensitive contact information poses risks to those who are targeted for their profession, such as judges, police officers, prosecutors, and other government employees. Domestic violence survivors also face grave dangers when their current addresses and phone numbers are readily available for purchase through data brokers. Several states have already had to take action to protect judges and law enforcement officers after violent incidents, including the 2020 murder of a federal judge’s son by an attacker who purchased her home address.
Key elements of the proposal
To address these risks, the proposed rule would:
- Treat data brokers just like credit bureaus and background check companies: Companies that sell data about income or financial tier, credit history, credit score, or debt payments would be considered consumer reporting agencies required to comply with the FCRA, regardless of how the information is used.
- Protect consumers’ personal identifiers from abuse and misuse: When consumer reporting agencies collect information like names, addresses, or ages for credit reports, any subsequent sale of that information would be covered by the FCRA’s protections.
- Require clear consumer consent for data sharing: Under the proposed rule, companies relying on consumers’ consent to obtain or share a consumer’s credit report would need separate, explicit authorization to do so, rather than burying permissions in fine print.
These changes would significantly limit the ability of data brokers to sell sensitive contact information that could be used to target, harass, or “dox” individuals seeking privacy protection, including domestic violence survivors. (“Doxing” means publicly identifying or publishing private information about someone, especially as a form of punishment or revenge.)
The CFPB says that the proposed rule would preserve existing methods for government agencies to access consumer report information for legitimate law enforcement, counterterrorism, and counterintelligence purposes.
For more information
Check these resources for more insights on the proposal:
- CFPB fact sheet about the proposal.
- CFPB Director Chopra’s remarks on the proposal.
- A “Legal Update” article on the proposal from the Husch Blackwell law firm (The League’s outside counsel).
Make your voice heard
The League plans to comment on the proposal, and we would like some input from you. Do you support the CFPB’s proposal? Why or why not? What changes should the CFPB make?
Please share you views with The League’s SVP & General Counsel, Paul Guttormsson, by Feb. 24, 2025, so that our letter (which is due by March 3, 2025) will reflect the concerns of Wisconsin credit unions.
Feel free to address any aspects of the proposal, but the proposal includes a variety of questions that commenters are asked to address in parts III through VIII, as well as five general questions in part IX.