On March 15, the Consumer Financial Protection Bureau (CFPB) issued a Request for Information (Request) seeking public comment on the business practices of data brokers and how they impact the daily lives of consumers. Specifically, the CFPB is interested in hearing details about the types of data that data brokers collect and sell, as well as the sources they rely upon. This data will be used to inform the CFPB’s planned rulemaking under the Fair Credit Reporting Act (FCRA).

As discussed here, the CFPB forecasted this development in its 2022 Fall Rulemaking Agenda where it cryptically stated it was “considering whether to amend Regulation V.”

The Request defines data brokers as “firms that collect, aggregate, sell, resell, license, or otherwise share consumers’ personal information with other parties.” Such personal information can include details of consumers’ credit card purchases, web browsing activities, genetic and health information, religious affiliation, financial records, and geolocation data. According to the CFPB, this data is then used for “purposes including marketing and advertising, building and refining proprietary algorithms, credit and insurance underwriting, consumer-authorized data porting, fraud detection, criminal background checks, identity verification, and people search databases.”

In the press release that accompanied the release of the Request, CFPB Director Chopra stated, “[m]odern data surveillance practices have allowed companies to hover over our digital lives and monetize our most sensitive data. Our inquiry will inform whether rules under the [FCRA] reflect these market realities.” Notably, the CFPB previews its legal position, stating that the FCRA broadly applies to “data brokers like credit reporting companies and background screening firms, as well as those who report information to these firms.”

On this basis, the CFPB is seeking information about:

  • The data broker industry.
    • What types of data do data brokers collect and what do they do with the data other than reselling or licensing it?
    • What sources do data brokers rely on to collect information? Specifically, what information do data brokers receive from financial institutions?
    • Which entities purchase data?
    • What controls are in place to ensure the accuracy of the data collected?
    • Can people avoid having their data collected?
    • What controls are in place to protect people’s data and safeguard their privacy?
  • The consumer experience.
    • Have consumers experienced harms or benefits from the data broker industry?
    • Have consumers ever attempted to view, correct, or remove data from a broker’s repository for privacy purposes?

The Request will be published in the Federal Register, and the public will have until June 13 to submit comments.

Our Take

The prevailing industry view is that not all the data uses enumerated by the CFPB in its Request are regulated by the FCRA. Accordingly, the agency may well encounter judicial resistance to its proposed amendment to Regulation V. For instance, as the Fifth Circuit stated in its decision denying a CFPB civil investigation demand in CFPB v. The Source for Public Data, L.P., “the CFPB does not have ‘unfettered authority to cast about for potential wrongdoing.’”

Any perceived overreaching could also fuel the efforts of certain Republican members of Congress, who recently set forth proposals to reform the agency, as discussed here.

We will continue to monitor these developments and the Request for comments.