At a White House Roundtable on protecting Americans from allegedly harmful “data broker” practices, Consumer Financial Protection Bureau (CFPB or Bureau) Director Rohit Chopra announced the Bureau’s intention to expand the reach of the Fair Credit Reporting Act (FCRA) to data brokers. He stated, “Next month, the CFPB will publish an outline of proposals and alternatives under consideration for a proposed rule. We’ll soon hear from small businesses, which will help us craft the rule.”
The CFPB’s proposed rulemaking follows its March 2023 public inquiry into data brokers, discussed here. According to the CFPB, “many of the more than 7,000 responses echo the same concerns raised by Congress that the FCRA was originally designed to address.” Specifically in his remarks and in the concurrently released fact sheet, Director Chopra highlighted two proposals that the Bureau is currently considering. The first proposal would define a “data broker,” or an entity that sells certain types of consumer data, as a “consumer reporting agency.” Examples cited by the CFPB of data broker sales that should be treated as consumer reports include consumer payment history, income, and criminal records. According to the CFPB, this would trigger requirements for ensuring accuracy and handling disputes of inaccurate information, as well as prohibit misuse.
A second proposal under consideration is ostensibly to address confusion around whether so-called “credit header data” is a consumer report. According to the Bureau, much of the current data broker market runs on personally identifying information taken from traditional credit reports. This includes key identifiers like name, date of birth, and Social Security numbers that are contained in consumer reports generated by the credit bureaus. The CFPB is proposing to clarify the extent to which credit header data constitutes a consumer report as a means to reduce “the ability of credit reporting companies to impermissibly disclose” certain credit header data. For example, the CFPB believes that such sales should not be permitted for targeted advertising, to train artificial intelligence (AI), or to sharpen chatbots.
Director Chopra concluded his remarks by stating that any updated rules under the FCRA can be enforced by the CFPB and state law enforcement. “The Federal Trade Commission, the Department of Transportation, the Department of Agriculture, and other agencies can enforce these rules for specific sectors under their jurisdiction.” The Bureau expects to publish a proposed rule for public comments in 2024.
Our Take
In his remarks, Director Chopra mentioned hearing from small businesses as the next step in the proposed rulemaking. For certain regulations, the CFPB — along with the Office of Advocacy in the Small Business Administration and the Office of Information and Regulatory Affairs in the Office of Management and Budget — convenes a Small Business Review Panel under the Small Business Regulatory Enforcement Fairness Act to receive feedback from small business panelists. Before the panel meets, the CFPB sends panelists an outline of the proposals under consideration, and the CFPB publishes that outline for the public. After receiving feedback from the small entity panelists, the CFPB will issue a report summarizing the feedback. Small businesses interested in participating as a panelist should contact the CFPB within the next week at CFPB_consumerreporting_rulemaking@cfpb.gov.
Following that report, the CFPB issues a notice of proposed rulemaking, which gives the broader public an opportunity to comment on a proposed rule. After considering those comments, the CFPB may make changes to the proposed rule before issuing a final rule.
Troutman Pepper will continue to monitor the CFPB’s actions in the FCRA space and provide updates.