October 03, 2023

New CFPB Rules Are Coming for Data Brokers

At a Glance

  • A data broker’s sale of data relating to a consumer’s payment history, income and criminal records would generally fall within the scope of a “consumer report” according to FCRA. 
  • A second proposal will clarify the extent to which credit header data constitutes a consumer report. This includes individual identifiers like name, date of birth, and Social Security number that data brokers often pull from traditional credit reporting agencies. 
  • A key outstanding question for the forthcoming rules is how broadly “data broker” will be defined.

The director of the Consumer Financial Protection Bureau (CFPB) recently announced that the agency will be developing new rules defining a data broker that sells certain types of consumer data as a “consumer reporting agency” under the Fair Credit Reporting Act (FCRA). The announcement, which was delivered at a White House Roundtable on Protecting Americans From Harmful Data Broker Practices, is designed “to ensure that modern-day data companies assembling profiles about individuals are meeting the requirements of FCRA.”

Expansion of FCRA

FCRA regulates the collection, dissemination and use of consumer credit information. Its primary objective is to ensure the accuracy, fairness and privacy of individuals’ credit information, which is commonly used for making important decisions such as lending, employment and insurance. FCRA establishes guidelines for consumer reporting agencies (CRAs), which are entities that gather and maintain consumer information, and mandates the rights of consumers to access and dispute inaccurate information in their credit reports.

The implications of defining a data broker that sells specific data as a CRA under FCRA are potentially far-reaching. A data broker’s sale of data relating to a consumer’s payment history, income and criminal records would generally fall within the scope of a “consumer report” according to FCRA. This is due to the typical use of such information in determinations like creditworthiness, employment eligibility and other decisions that significantly impact consumers’ lives. Therefore, if a data broker meets the criteria of a CRA under FCRA, it would be subject to the act’s regulations and obligations. 

The reclassification of data brokers as CRAs would impose new obligations on data brokers to comply with FCRA’s rigorous standards for data accuracy and privacy. This means ensuring that the information they provide to potential users, such as creditors or employers, is up-to-date and accurate. Additionally, data brokers would be required to provide consumers with the ability to access their own information, review its accuracy, and dispute any inaccuracies they find. Furthermore, if data brokers are deemed to fall under FCRA’s purview, they would be legally obligated to obtain consumers’ consent before selling their information for credit, employment or insurance purposes.

Credit Header Data

A second proposal under consideration by CFPB will clarify the extent to which credit header data constitutes a consumer report. This includes individual identifiers like name, date of birth, and Social Security number that data brokers often pull from traditional credit reporting agencies. According to the CFPB, it expects to propose to clarify the extent to which credit header data constitutes a consumer report, reducing the ability of credit reporting companies to impermissibly disclose sensitive contact information that can be used to identify people who don’t wish to be contacted, such as domestic violence survivors.

Data Brokers Defined and Next Steps

A key outstanding question for both of these forthcoming rules is how “data broker” will be defined. In March, the CFPB launched an inquiry into the business practices of data brokers, which defined “data brokers” as “an umbrella term to describe firms that collect, aggregate, sell, resell, license, or otherwise share consumers’ personal information with other parties.” This exceedingly broad definition, if used in the upcoming rulemakings, could sweep in a plethora of companies that are not typically thought of as data brokers. It is also distinguished from new state privacy laws in California and Vermont, which impose specific obligations on data brokers. Under those laws, data brokers are distinguished from other companies by the fact that they do not have a direct relationship with the individuals whose data they maintain.

The CFPB plans to publish an outline of proposals and alternatives under consideration for a proposed rule in September. The proposed rule is expected to be released for public comment in 2024.

Related Industries