CFPB Proposes Rule Taking Aim at Data Brokers
Last week, the Consumer Financial Protection Bureau (CFPB) proposed a rule that would restrict data brokers’ access to consumer data and the ability to sell that information. Data brokers collect and sell consumer-level data like credit scores and debt repayment histories, but the rule would classify them as consumer reporting agencies.
“By selling our most sensitive personal data without our knowledge or consent, data brokers can profit by enabling scamming, stalking, and spying,” said CFPB Director Rohit Chopra. “The CFPB’s proposed rule will curtail these practices that threaten our personal safety and undermine America’s national security.”
When classified as consumer reporting agencies, data brokers would be subject to the regulations of the Fair Credit Reporting Act (FCRA), which limits the ways brokers would be able to collect and utilize consumers’ data. The rule would also require data brokers to demonstrate “permissible purpose” when collecting that data.
PYMNTS noted one of the most significant changes in the rule, that consumers would have to give permission for their data to be used. “Companies relying on consumers’ consent to obtain or share a consumer’s credit report would need separate, explicit authorization to do so, rather than burying permissions in fine print,” said the CFPB.
The bureau’s rule would ensure that data brokers address significant threats to consumer data, including criminal exploitation; national security and surveillance risks; and violence and personal safety threats to both law enforcement personnel and domestic violence survivors.
The proposed rule would address these risks by treating data brokers like background check companies and credit bureaus, as well as protect consumers’ personal identifiers from misuse and abuse, which would be covered by the FCRA.
The CFPB’s rule is part of a broader initiative to protect consumers’ sensitive data, complementing other actions by the federal government. For example, the Department of Justice proposed a rule in October preventing access to consumers’ personal data by Russia, China, Iran, and other countries of concern.