June 13 -- Comment period extended until July 15, 2023. https://www.federalregister.gov/d/2023-12550
Mar 21 -- The Consumer Financial Protection Bureau (CFPB) is seeking comments from the public related to data brokers. The submissions in response to this request for information will serve to assist the CFPB and policymakers in understanding the current state of business practices in exercising enforcement, supervision, regulatory, and other authorities. Comments must be received on or before June 13, 2023.
In 1970, Congress enacted the Fair Credit Reporting Act (FCRA), one of the first data privacy laws in the world. The primary sponsor of the legislation, Senator William Proxmire, at the time publicly described an emerging consumer reporting market involving the dissemination of a wide range of information about Americans, including financial status, bill paying records, public records including arrests, suits, and judgments, dossiers, information on drinking, marital discords, adulterous behavior, general reputation, habits, and morals. The Senator stressed that “while the growth of this information network is somewhat alarming, what is even more alarming is the fact that the system has been built with virtually no public regulation or supervision.”
Before voting on the FCRA, Congress held a series of investigative hearings and uncovered a wide variety of abuses in the industry. For example, Congress found that many consumers were unaware of the existence of the industry because non-disclosure agreements between consumer reporting agencies and users hid the arrangement behind a shroud of secrecy. In addition, the hearings revealed the practice of including disclaimers of accuracy in agreements between consumer reporting agencies and creditors; before the FCRA, consumer reporting agencies purported to be mere transmitters of information who were not responsible for accuracy. Congress also criticized the fact that consumers were not given access to their credit reports, and that credit reports often included obsolete or irrelevant information.
Ultimately, Congress found that consumer reporting agencies assumed a vital role in assembling and evaluating consumer credit and other information on consumers to meet the needs of commerce, but that rules were necessary to ensure they handed information fairly and equitably with regard to confidentiality, accuracy, relevancy, and proper use. The FCRA established comprehensive rules to govern the practices of consumer reporting agencies, including four key features: (1) a prohibition on using or disseminating certain personal data outside prescribed permissible purposes selected by Congress, (2) a requirement that consumer reporting agencies “follow reasonable procedures to assure maximum possible accuracy” of consumer reports, (3) a right of consumers to inspect data about themselves, and (4) due process to challenge false data.
The FCRA still remains on the books and has been amended from time to time. But since the enactment of the FCRA, companies using business models that sell consumer data have emerged and evolved with the growth of the internet and advanced technology. Many companies whose business models rely on newer technologies and novel methods purport not to be covered by the FCRA. These companies are sometimes labeled “data brokers,” “data aggregators,” or “platforms,” but they all share a fundamental characteristic with consumer reporting agencies—they collect and sell personal data.
With the passage of the Consumer Financial Protection Act (CFPA), Congress transferred rulemaking authority for most provisions of the FCRA from the Federal Trade Commission to the CFPB. The CFPA granted the CFPB the authority to enforce the FCRA along with other Federal regulators. The CFPA also granted the CFPB various additional authorities that may be applicable to companies that collect and sell personal data, including, for example, authorities pursuant to the Gramm-Leach Bliley Act's privacy provisions. The CFPB has used its authority to address unfair or deceptive acts or practices related to the handling of consumer data.
This request for information is seeking information to (1) help inform the CFPB about new business models that sell consumer data, including information relevant to assessments of whether companies using these new business models are covered by the FCRA, given the FCRA's broad definitions of “consumer report” and “consumer reporting agency,” or other statutory authorities, and (2) collect information on consumer harm and any market abuses, including those that resemble harms Congress originally identified in 1970 in passing the FCRA.
Data brokers is an umbrella term to describe firms that collect, aggregate, sell, resell, license, or otherwise share consumers' personal information with other parties. Data brokers encompass actors such as first-party data brokers that interact with consumers directly, as well as third-party data brokers with whom the consumer does not have a direct relationship. Data brokers include firms that specialize in preparing employment background screening reports and credit reports. Data brokers collect information from public and private sources for purposes including marketing and advertising, building and refining proprietary algorithms, credit and insurance underwriting, consumer-authorized data porting, fraud detection, criminal background checks, identity verification, and people search databases.
As part of the CFPB's statutory mandate to promote fair, transparent, and competitive markets for consumer financial products and services, this request for information is part of a series of efforts to examine data collection and use. In addition to supervision of consumer reporting agencies, including the three largest nationwide consumer reporting agencies, the CFPB endeavors to gain insight into the full scope of the data broker industry. The data broker industry is growing and expanding its reach into new spheres of consumers' personal lives, as more sophisticated computerization has increased the power of these companies to track and predict consumer behavior. Yet, many people lack an understanding of the scope and breadth of data brokers' business practices and the impact of those practices on the marketplace and peoples' daily lives.
The CFPB seeks to better understand the heterogeneity of these firms and to assist firms in understanding any compliance obligations under the FCRA and other laws as appropriate. Data brokers collect or share a vast range of information, often building profiles of individuals by delving into the details of consumers' everyday interactions, including credit card purchases and web browsing activity. Data brokers also collect other types of sensitive and intimate personal information such as genetic and health information, religious affiliation, financial records, and geolocation data.
Government agencies, technology and privacy experts, financial institutions, consumer advocates, and others have identified numerous consumer harms and abuses related to the operation of data brokers, including significant privacy and security risks, the facilitation of harassment and fraud, the lack of consumer knowledge and consent, and the spread of inaccurate information.
People should be able to expect companies to safeguard their most personal and intimate information, and should be able to have knowledge and control over how companies obtain and use their data. Surveys have found that people are concerned about being tracked and surveilled by companies, and express concern about the lack of control over how data collected about them is used.
While observers have documented the increasing role of data brokers in the economy, there is still relatively limited public understanding of their operations and other impacts.
This request for information seeks comments from the public on data brokers. The CFPB welcomes stakeholders to submit data, analysis, research, and other information about data brokers. The CFPB also requests input from individuals who have interacted with or have been affected by data broker business practices. To assist commenters in developing responses, the CFPB has crafted the below questions that commenters may answer. However, the CFPB is interested in receiving any comments relating to data brokers. . . .