CFPB's Proposed Data Broker Rule: A Sweeping Rewrite of the Fair Credit Reporting Act Regulations That Will Be Left to New CFPB Leadership to Finalize

 

Published: December 05, 2024
 

On December 3, 2024, the Consumer Financial Protection Bureau (CFPB) published its highly anticipated notice of proposed rulemaking (NPRM) that would regulate data brokers and the sale of Americans’ personal and financial information. The NPRM would extend the reach of the Fair Credit Reporting Act (FCRA) and its implementing Regulation V to include data brokers, thereby subjecting them to increased federal regulatory oversight. The CFPB’s proposed rule addresses the agency’s growing concerns over the privacy implications of sensitive personal data being bought and sold on the open market. NPRM comments must be submitted by March 3, 2025, meaning that new leadership under the Trump administration will decide whether to issue a final rule.

Background

Over the past decade, the data broker industry has experienced exponential growth, drawing increased regulatory attention. In March 2023, and in response to this identified growth, the CFPB issued a Request for Information (RFI) to gain insight into the data broker ecosystem. This inquiry led to Director Rohit Chopra’s announcement in September 2023 of the CFPB’s intention to propose a new rule that would expand the FCRA’s definition of Consumer Reporting Agencies (CRAs) to include data brokers.

Last fall, the CFPB convened a Small Business Review Panel process and released an outline of the proposals under consideration (the SBREFA Outline). The SBREFA Outline contemplated a comprehensive FCRA rulemaking that would address both data brokers and the reporting of medical debt. The CFPB later decided to release the medical debt proposed rule in June 2024, bifurcating the rulemaking into two parts. The CFPB has not yet finalized the medical debt rule.

The proposed data broker rule stems from the CFPB’s stated concerns about the collection and sale of sensitive consumer data. The CFPB argues that data brokers, by collecting and selling vast amounts of personal and sensitive information—often without consumers’ knowledge or consent—harm consumer privacy and pose significant risks. Specifically, the CFPB has stated that “[i]naccurate information causes consumers to be denied access to products, services, or opportunities that they would have qualified for had the information been accurate.” Additionally, the CFPB has suggested that “[s]ensitive consumer information can be used to target certain consumers for identity theft, fraud, or predatory scams, or other harmful purposes.”

The proposed rule

The CFPB’s proposed rule seeks to newly treat data brokers as CRAs and certain information that they sell as Consumer Reports under the FCRA. By doing so, data brokers would be subject to various provisions of the FCRA that they are not currently required to comply with. Key implications of this proposed rule are highlighted below.

Data brokers under the FCRA

Data brokers are described in the NPRM’s preamble as entities that “collect, aggregate, sell, resell, license, enable the use of, or otherwise share consumers’ personal information with other parties.” The proposed rule intends to subject data brokers to the provisions of the FCRA, yet oddly, the proposed rule does not specifically define the term “data broker.” Rather, the CFPB includes such data brokers by reference to the activities in which they engage.

Under the proposed rule, a person is deemed to “assemble or evaluate consumer credit information”—as used in the definition of a CRA under FCRA—“if the person: (i) collects, brings together, gathers, or retains such information; (ii) appraises, assesses, makes a judgment regarding, determines or fixes the value of, verifies, or validates such information; or (iii) contributes to or alters the content of such information.”

It is this first prong that seeks to subject data brokers to the FCRA. Any person that “collects, brings together, gathers or retains” consumer credit information for the purpose of furnishing consumer reports will now be subject to the FCRA. The proposed rule’s examples of “assembling and evaluating” include those persons who “retain[] information about consumers, such as by retaining data files containing consumers’ payment histories in a database or electronic file system.”

Consumer reports and credit-header data

The proposed rule provides that data brokers selling information about a consumer’s credit history, credit score, debt payments, or income or financial tier generally would be CRAs. Further, the communication of certain personal identifiers collected by CRAs to prepare a consumer report—such as names, addresses, dates of birth, Social Security numbers, and phone numbers (what industry stakeholders commonly refer to as “credit header data”)—would constitute consumer reports. This would subject data brokers, as CRAs, to the provisions of the FCRA governing consumer reports, including its accuracy, access, and dispute resolution requirements.

The proposal takes a categorical approach to its treatment of credit-header data. That is, the CFPB did not propose any express exceptions for use of credit-header data for fraud prevention, identity verification, compliance with Bank Secrecy Act (BSA) or Know-Your-Customer (KYC) requirements, or law enforcement uses. The CFPB took this position even after receiving feedback through the SBREFA process and from a variety of stakeholders, including members of Congress and law-enforcement officials, that subjecting credit-header data to the FCRA could unintentionally constrain and increase the expense of these processes. In the proposal, the CFPB dismisses these concerns as “overstat[ing] the consequences” of subjecting credit-header data to the FCRA and claims that “identifying information would still be available in various ways.” Commenters likely will heavily scrutinize this part of the proposal.

Permissible purposes

The FCRA imposes clear bright-line rules providing that people may only obtain consumer reports from CRAs for certain specified purposes, known as permissible purposes. These permissible purposes include evaluating a consumer’s eligibility for credit, insurance, employment, and other purposes listed in section 604 of the FCRA. CRAs are forbidden from furnishing consumer reports to those who lack a permissible purpose. If subject to the FCRA, data brokers would now only be able to provide consumer reports to those with a permissible purpose.

Consumer’s consent

Under the proposed rule, data brokers would need to provide clear and conspicuous disclosures to obtain consumer consent to furnish their information. Under the FCRA, one permissible purpose includes consumer consent. The CFPB has stated a concern that some CRAs may rely on broad and vague consumer authorizations to furnish and obtain consumer reports. Thus, the proposed rule requires that consumers be provided a clear and conspicuous disclosure stating how their consumer report will be used to meet the requirements of this purpose. Further, the proposed rule would limit how such reports could be procured, used, and retained, and it would give consumers the right to revoke their consent.

Consumer rights

Data brokers would also be subject to the consumer rights provisions outlined in the FCRA. Under the FCRA, consumers are entitled to various rights, including the right to challenge the accuracy of information in their file and to receive notification when a third party uses their consumer report information to make an adverse decision regarding their application for credit, housing, or employment. In response to a consumer dispute, CRAs are obligated to correct or remove inaccurate, incomplete, or unverifiable information and must refrain from reporting outdated negative information.

Takeaways

If enacted, the proposed rule would significantly impact the data broker industry and potentially sweep other companies into the FCRA’s ambit. The proposed rule would restrict the information that data brokers can sell to third parties. Additionally, the proposed rule would likely increase administrative costs significantly due to compliance with the various provisions of the FCRA. While the stated policy objectives are stopping bad actors—“data brokers [that are] enabling scammers, stalkers, and spies,” in Chopra’s words—the NPRM’s sweeping approach will impose significant compliance costs on all data brokers and other companies and diminish the positive outcomes of data broker activities such as enhanced credit availability. And unless the CFPB were to reconsider its position on credit-header data, the proposed rule could unintentionally constrict and add to the expense of fraud prevention, identity verification, and BSA/KYC compliance.

Notably, though, the CFPB’s proposed rule may be dead on arrival. The proposed rule has a 90-day comment period, which will bring the rule’s enactment into the next administration. As outlined in our election report, the new administration will likely not be keen on expanding the scope of the FCRA, particularly in the sweeping fashion of the proposal. However, it is possible there are discrete elements in the proposal that could garner support from new leadership.

Despite our predictions, interested parties should not overlook the NPRM or its comment period. It will be important to memorialize concerns and socialize relevant data for the record in case the new administration decides to move forward in some capacity and because the proposal could serve as a replicable model for state regulation of data broker activities.

Contact us

If you have any questions about this study or other consumer financial issues, contact Chris Friedman, Marci Kawski, Mike G. Silver, Shelby Lomax, Jakob Seidler, or your local Husch Blackwell attorney.

Professionals:

Marci V. Kawski, Partner

Mike G. Silver, Partner

Shelby Lomax, Associate

Jakob Seidler, Associate