CFPB Announces Plan to Impose New Regulations on Data Brokers

Published: Sep. 12, 2023

Updated: Sep. 21, 2023

The Consumer Financial Protection Bureau (“CFPB”) announced that it would proceed with its rulemaking process to expand Fair Credit Reporting Act (“FCRA”) style protections to include some data broker practices. The rulemaking follows the agency’s March 2023 inquiry into data brokers’ consumer financial data practices, in which the CFPB solicited public input on the data brokers’ business models, including the types of data they collect and sell and the sources they rely upon. The agency plans to publish an outline of its proposals and alternatives under consideration in September and the proposed rules for public comment in 2024.

Under the FCRA, consumers receive rights related to consumer reports to ensure accurate information about themselves, dispute errors, access their information, and restrict how others can use it.  In some ways, the FCRA served as a roadmap for the type of consumer rights that are now available under some state privacy laws, such as the California Consumer Privacy Act. As the FCRA covers a broad range of consumer reports assembled on consumers, including credit reports and certain background checks, the CFPB intends to modernize the law to account for emerging uses of artificial intelligence and other predictive decision-making technologies. According to the CFPB, the misuse of artificial intelligence and other data broker practices may harm consumers. For instance, the CFPB suggests that the current data broker practices may enable bad actors to identify vulnerable groups that could be targeted for financial scams and could facilitate harassment and fraud.

The CFPB proposed two noteworthy definitions in connection with its rulemaking: (1) expanding “consumer reporting agency” to include data brokers that sell certain types of consumer data obtained from “credit header data”; and (2) clarifying the term “credit header data” by defining particular categories of consumer data within scope.  Accordingly, these data brokers would be providing data, which would now constitute a “consumer report,” and therefore, trigger FCRA’s requirements for ensuring accuracy, handling disputes of inaccurate information, and prohibiting misuse. Given the CFPB’s focus on consumer financial data, we expect that the agency will pay careful attention to how it modifies the definition of “consumer reporting agency”. Assuming the agency does not overreach its authority in regulating such activities, data brokers will need to be mindful of whether their business practices require any adjustments to selling certain types of consumer data obtained from credit headers. Otherwise, we expect data broker services will likely move to using other non-regulated consumer data points within their service offerings.

Second, the CFPB’s proposed rules intended to clarify when “credit header data” constitutes a consumer report. The CFPB alleges that much of the data broker industry relies on consumer reporting companies—such as Equifax, Experian, and TransUnion—for consumers’ names, dates of birth, and Social Security numbers in consumer reports. As such, the agency’s rulemaking purports to clarify when data brokers’ usage of consumer data obtained from credit header data falls within FCRA’s scope to limit credit reporting companies’ disclosure of “sensitive contact information.” As a result, according to the CFPB, it would generally be impermissible under the FCRA to sell this kind of data other than for a “permissible purpose,” such as “credit underwriting, employment applications, insurance underwriting, and government benefits applications, but not for targeted advertising, to train AI, to sharpen chatbots or similar AI services, or to individuals who could be stalkers or perpetrators of domestic violence.”

Once finalized, various agencies including the CFPB, Federal Trade Commission, and state law enforcement can enforce these rules for those under their jurisdiction. We will continue to monitor these proposals for how they might practically impact data broker activities, including sharing data with them or relying on it from them.