Withdrawal of Data Broker Protection Regulation by the CFPB

The Consumer Financial Protection Bureau (CFPB) has opted to withdraw its proposed 2024 regulation aimed at limiting the sale of American citizens’ personal information by data brokers.

In a notice published in the Federal Register, the CFPB stated that it “has determined that legislative rulemaking is not necessary or appropriate at this time to address the subject matter.”

The data brokerage industry generates approximately $300 billion in annual revenue, driven by the collection and sale of personally identifiable information (PII). Data brokers obtain and sell sensitive information, such as financial details, personal behaviors, and interests, often without obtaining user consent or clarifying that consent has been given.

The proposed rule, introduced in December 2024, sought to prevent data brokers from selling Americans’ sensitive personal and financial information. It aimed to restrict the dissemination of critical identifiers, such as Social Security Numbers (SSNs) and phone numbers, to ensure that financial data, including income details, would be shared only for legitimate purposes—such as mortgage approvals—rather than being sold to scammers targeting financially vulnerable individuals.

The regulation was designed to require data brokers to comply with federal laws to mitigate serious threats stemming from current industry practices. It aimed to address risks related not just to national security and criminal exploitation but also to the safety of individuals, specifically those in law enforcement and survivors of domestic violence, by limiting incidents of doxxing.

The CFPB’s intention was to classify data brokers similarly to credit bureaus and background check companies, compelling them to adhere to the Fair Credit Reporting Act (FCRA) without regard to how they utilize financial information. This proposal would have mandated that data brokers acquire explicit and independently authorized consumer consent.

This framework intended to improve consumer protections without disrupting the existing pathways established under the FCRA.

However, acting CFPB Director Russell Vought indicated that the agency has determined the rule is not required at this time, citing updates to Bureau policies.

Consumer advocacy groups have expressed concerns regarding this decision. Matt Schwartz, a policy analyst at Consumer Reports, emphasized that the absence of regulation leaves consumers vulnerable, stating, “Data brokers collect a treasure trove of sensitive information about virtually every American and sell that information widely, including to scammers looking to rip off consumers.”

Should data brokers be held accountable under the FCRA, they would be required to:

– Ensure the accuracy and privacy of the data they collect and distribute.
– Provide consumers with processes to dispute and rectify inaccurate information.
– Notify consumers when their data is utilized in decisions pertaining to credit, insurance, or employment.
– Potentially face enforcement actions and penalties for non-compliance, as previously undertaken by the Federal Trade Commission (FTC) and CFPB.

In summary, the withdrawal of the CFPB’s proposed rule raises significant concerns regarding the protection of consumer data in an increasingly data-driven economy.