While credit bureaus collect detailed information about individuals’ personal and financial lives, they are legally restricted in how they use it, limiting its application to specific permissible purposes such as evaluating someone’s eligibility for credit or employment.
In contrast, the data brokerage industry has operated with no such constraints—until now.
Currently, would-be identity thieves and scammers can legally buy the same detailed financial profiles available to credit bureaus and other legitimate entities. These criminals can use this data to execute sophisticated fraud schemes, phishing attacks, and other malicious activities. The Consumer Financial Protection Bureau (CFPB) has issued a proposal that would require data brokers to comply with the same protections as the credit bureaus.
The Proposed Measures
The CFPB’s proposed rule would place data brokers in the same category as credit bureaus and background check companies. Anyone who sells data about income or financial status, credit history, credit score, or debt payments would be considered a consumer reporting agency and required to comply with the Fair Credit Reporting Act of 1970 (FCRA). Brokers could sell such information only if the buyer can demonstrate a permissible purpose under the FCRA. The proposal also clarifies that marketing does not constitute a legitimate business need.
The proposal would also specifically restrict the sale of personal identifiers, sometimes referred to as credit header data. This would make it substantially harder for bad actors to improperly obtain sensitive information like Social Security numbers and home addresses, while still allowing financial institutions to use this data to stop identity theft and fraud.
Additionally, the CFPB would require clear consumer consent before sharing any sensitive data. Companies would need to obtain separate, direct authorization to share a consumer’s credit report, rather than relying on permissions buried in the fine print.
Legislative Solutions
Congress has attempted to address this issue before, though previous legislative efforts haven’t gained much traction. In April, a bipartisan pair of lawmakers from Washington State introduced the American Privacy Rights Act (APRA) to regulate the buying and selling of personal data collected from consumers, both with and without their consent.
The goal was to establish a national data security standard that gives consumers more control over their information. However, the bill was tabled in June in the face of Republican opposition.