The Consumer Financial Protection Bureau (CFPB) has introduced a proposal aimed at significantly restricting data brokers from selling individuals’ personal information without a legitimate purpose. This initiative seeks to extend the Fair Credit Reporting Act (FCRA) to encompass data brokers, thereby subjecting them to the same stringent regulations that currently govern credit reporting agencies.
Under the FCRA, credit agencies are limited in how they can share sensitive personal data, such as names and Social Security numbers. The CFPB’s proposal intends to apply these restrictions to data brokers, companies that collect and sell personal information. CFPB Director Rohit Chopra emphasized that this rule would clarify that data brokers are subject to federal protections under the FCRA, ensuring they adhere to consumer protection standards similar to those required of major credit bureaus.
If implemented, the proposal would classify the sale of sensitive personal data by brokers as equivalent to selling a consumer credit report, thereby imposing similar restrictions. This means that data brokers could only sell such information for legitimate purposes, such as assessing an individual’s eligibility for credit, insurance, or employment. The CFPB highlighted that this measure would prevent data brokers from circumventing their obligations and would require them to maintain accuracy and provide consumers with access to their own information.
The proposal has garnered widespread support, with concerns that personal data can be acquired by shell companies owned by criminals, leading to identity theft and other fraudulent activities. While the new rule would not prevent data breaches, it aims to significantly reduce the sale of personal data, potentially forcing some data brokers out of business.
This move by the CFPB reflects a growing trend toward enhancing consumer privacy protections. In December 2024, the Federal Trade Commission (FTC) settled with data brokers Mobilewalla and Gravy Analytics for selling data that tracked individuals’ religious and political beliefs and pregnancy status without consent. These companies agreed to cease using data on visits to sensitive locations and to implement opt-out mechanisms for individuals. This settlement marked the first instance of the FTC prohibiting the gathering of location data through online ad auctions, as part of the Biden administration’s effort to protect consumer privacy and limit data brokers’ activities.
Additionally, in March 2024, the U.S. House of Representatives passed the Protecting Americans’ Data from Foreign Adversaries Act, which would ban data brokers from selling Americans’ personal information to foreign adversaries like China and Russia. The bill passed unanimously and aims to prevent the misuse of sensitive data by foreign entities.
At the state level, California enacted the Delete Act (SB 362) in October 2023, providing consumers with a mechanism to direct data brokers to delete their personal information. The law requires data brokers to register with the California Privacy Protection Agency annually, process deletion requests submitted through the deletion mechanism, and undergo independent audits every three years. This legislation was the first of its kind in the United States and reflects a growing emphasis on consumer control over personal data.
The CFPB’s proposal is currently open for public comment until March 2025. However, its future remains uncertain due to potential changes in administration and regulatory priorities. Nonetheless, this initiative represents a significant step toward enhancing consumer privacy protections and regulating the data broker industry.
