CFPB Takes Aim at Data Brokers in Proposed Rule Amending FCRA

On December 3, the CFPB announced a proposed rule to enhance oversight of data brokers that handle consumers’ sensitive personal and financial information. The proposed rule would amend Regulation V, which implements the Fair Credit Reporting Act (FCRA), to require data brokers to comply with credit bureau-style regulations under FCRA if they sell income data or certain other financial information on consumers, regardless of its end use.

Should this rule be finalized, the CFPB would be empowered to enforce the FCRA’s privacy protections and consumer safeguards in connection with data brokers who leverage emerging technologies that became prevalent after FCRA’s enactment.

What are some of the implications of the new rule?

  • Data Brokers are Now Considered CRAs. The proposed rule defines the circumstances under which companies handling consumer data would be considered CRAs by clarifying the definition of “consumer reports.” The rule specifies that data brokers selling any of four types of consumer information—credit history, credit score, debt payments, or income/financial tier data—would generally be considered to be selling a consumer report.
  • Assembling Information About Consumers Means You are a CRA. Under the rule, an entity is a CRA if it assembles or evaluates information about consumers, including by collecting, gathering, or retaining; assessing, verifying, validating; or contributing to or altering the content of such information. This view is in step with the Bureau’s recent Circular on AI-based background dossiers of employees. (See our prior discussion here.)
  • Header Information is Now a Consumer Report. Under the proposed rule, communications from consumer reporting agencies of certain personal identifiers that they collect—such as name, addresses, date of birth, Social Security numbers, and phone numbers—would be consumer reports. This would mean that consumer reporting agencies could only sell such information (typically referred to as “credit header” data) if the user had a permissible purpose under the FCRA.
  • Marketing is Not a Legitimate Business Need. The proposed rule emphasizes that marketing is not a “legitimate business need” under the FCRA. Accordingly, CRAs could not use consumer reports to decide for an advertiser which consumers should receive ads and would not be able to send ads to consumers on an advertiser’s behalf.
  • Enhanced Disclosure and Consent Requirements. Under the FCRA, consumers can give their consent to share data. Under the proposed rule, the Bureau clarified that consumers must be provided a clear and conspicuous disclosure stating how their consumer report will be used. It would also require data brokers to acknowledge a consumer’s right to revoke their consent. Finally, the proposed rule requires a new and separate consumer authorization for each product or service authorized by the consumer. The Bureau is focused on instances where a customer signs up for a specific product or service, such as credit monitoring, but then receives targeted marketing for a completely different product.

Comments on the rule must be received on or before March 3, 2025.

Putting It Into Practice: With the release of the rule so close to the end of Director Chopra’s term, it will be interesting to see what a new administration does with it. We expect a new CFPB director to scale back and rescind much of the informal regulatory guidance that was issued by the Biden administration. However, some aspects of the data broker rule have bipartisan support so we may see parts of it finalized in 2025.

Listen to this post

Copyright © 2024, Sheppard Mullin Richter & Hampton LLP. by: A.J. S. Dhaliwal, Mehul N. Madia, Maxwell Earp-Thomas of Sheppard, Mullin, Richter & Hampton LLP For more on the CFPB, visit the NLR Financial Institutions Banking section

  • Related Posts

    Congress Passes Defense Bill with AI Provisions — AI: The Washington Report

    On December 18, Congress passed the FY 2025 National Defense Authorization Act (NDAA), which includes a number of AI provisions. The NDAA is expected to be signed into law by…

    Texas Attorney General Launches Investigation into 15 Tech Companies

    Texas Attorney General Ken Paxton recently launched investigations into Character.AI and 14 other technology companies on allegations of failure to comply with the safety and privacy requirements of the Securing Children Online through…

    Leave a Reply

    Your email address will not be published. Required fields are marked *

    You Missed

    Congress Passes Defense Bill with AI Provisions — AI: The Washington Report

    • By admin
    • December 22, 2024
    • 2 views

    Why People on TikTok Are Slathering Their Face with Beef Tallow

    • By admin
    • December 21, 2024
    • 3 views
    Why People on TikTok Are Slathering Their Face with Beef Tallow

    Texas Attorney General Launches Investigation into 15 Tech Companies

    • By admin
    • December 21, 2024
    • 9 views
    Texas Attorney General Launches Investigation into 15 Tech Companies

    Meat Substitutes Linked to 42% Higher Depression Risk in Vegetarians

    • By admin
    • December 20, 2024
    • 8 views

    Dow Jones Today: Stocks Turn Higher as Investors Digest Benign Inflation Data

    • By admin
    • December 20, 2024
    • 8 views
    Dow Jones Today: Stocks Turn Higher as Investors Digest Benign Inflation Data

    Kroger/Albertsons Ruling Provides Lessons for Merger Remedy Divestitures

    • By admin
    • December 20, 2024
    • 8 views
    Kroger/Albertsons Ruling Provides Lessons for Merger Remedy Divestitures