Citing the need to make sharing financial data safer for transactions like mortgages, the Consumer Financial Protection Bureau (CFPB) has proposed a new rule targeted at curbing the selling of consumer information by data brokers.
Data brokers aggregate personal and financial info from various sources, like public records and online forms, and then sell that information to third parties, posing risks ranging from scamming, doxing and identity theft to espionage.
“By selling our most sensitive personal data without our knowledge or consent, data brokers can profit by enabling scamming, stalking, and spying,” said CFPB Director Rohit Chopra. “The CFPB’s proposed rule will curtail these practices that threaten our personal safety and undermine America’s national security.”
The CFPB’s proposal would do so by treating data brokers like companies that conduct credit or background checks, making them subject to the Fair Credit Reporting Act (FCRA) regardless of how the information they distribute is used. According to a statement from the CFPB, data brokers regularly sidestep the FCRA by claiming they aren’t subject to its stringent privacy protections; the proposed rule would explicitly put them under the FCRA’s umbrella. If it goes into effect, the sales of information like names, addresses or ages collected by data brokers would be covered by FCRA protections.
The rule would also require companies that need a consumer’s consent to obtain or share their credit report to get explicit authorization to do so, rather than hiding the permissions in fine print.
Chopra and the CFPB say that such changes would go a long way toward limiting data sharing to only legitimate purposes, like during the underwriting of a mortgage. But at least one trade group, however, has already pushed back against the proposed rule. The Consumer Data Industry Association (CDIA), which reports consumer reporting agencies like credit bureaus and background check companies, released a statement warning of “severe unintended consequences” if the rule were to pass.
If the rule were approved, the CDIA said that it could make it harder for retailers and lenders to identify and prevent fraud; hinder law enforcement in tracking fugitives or locating missing children; and raise challenges in tracking down parents evading child support responsibilities.
“Our members recognize the importance of consumer privacy,” said Dan Smith, president and CEO at CDIA. “We believe the CFPB’s approach is misguided and potentially harmful. We urge the CFPB to reconsider this proposal as neither the FCRA nor the Dodd Frank Act authorize the CFPB to arbitrarily expand the definition of what a credit report is or who is a credit reporting agency. This can only be authorized by congressional action.”