I brought you word of the CFPB’s Request for Information back in March. The comments from the public are in and last week the CFPB announced they will proceed with the rulemaking process around data broker practices. As if things were not already complicated enough with the FTC and FCC, throw a little CFPB in there for good measure.

The reasoning behind this effort from the CFPB is of course to protect consumers, their personal data, and how they may be affected by predictive decisions by AI or similar programs. The risks associated with the wide use of data surveillance today are the primary reason that Congress enacted the Fair Credit Reporting Act (FCRA) way back in 1970. Now more than ever data brokers have more access to our daily lives than ever before tracking our location, interest, clicks, searches and who knows what else. Think of this as a way to ensure that modern-day technology is in compliance with old-school FCRA requirements.

Here are two possibilities for new rules that are being reviewed.

“First, our rules under consideration will define a data broker that sells certain types of consumer data as a “consumer reporting agency” to better reflect today’s market realities. The CFPB is considering a proposal that would generally treat a data broker’s sale of data regarding, for example, a consumer’s payment history, income, and criminal records as a consumer report, because that type of data is typically used for credit, employment, and certain other determinations. This would trigger requirements for ensuring accuracy and handling disputes of inaccurate information, as well as prohibit misuse.

A second proposal under consideration will address confusion around whether so called “credit header data” is a consumer report. Much of the current data broker market runs on personally identifying information taken from traditional credit reports, such as those sold by the big three credit reporting conglomerates – Equifax, Experian, and TransUnion.

This includes key identifiers like name, date of birth, and Social Security number that are contained in consumer reports generated by the credit reporting companies. The CFPB expects to propose to clarify the extent to which credit header data constitutes a consumer report, reducing the ability of credit reporting companies to impermissibly disclose sensitive contact information that can be used to identify people who don’t wish to be contacted, such as domestic violence survivors.”

The CFPB plans to release an outline of the proposed new rules next month and again seek public comment in 2024. If you are a small business and would like to get involved the CFPB would like to hear from you. Don’t sleep on opportunities that may impact your daily business practices. Check out the FAQs on the CFPB’s site and stay tuned for future updates.


Leave a Reply