New CFPB Rules Are Coming for Data Brokers

Jesse Linebaugh, Andy Taylor
Faegre Drinker Biddle & Reath LLP
Contact
LinkedIn
Facebook
X
Send
Embed

Faegre Drinker Biddle & Reath LLP

At a Glance

  • A data broker’s sale of data relating to a consumer’s payment history, income and criminal records would generally fall within the scope of a “consumer report” according to FCRA. 
  • A second proposal will clarify the extent to which credit header data constitutes a consumer report. This includes individual identifiers like name, date of birth, and Social Security number that data brokers often pull from traditional credit reporting agencies. 
  • A key outstanding question for the forthcoming rules is how broadly “data broker” will be defined.

The director of the Consumer Financial Protection Bureau (CFPB) recently announced that the agency will be developing new rules defining a data broker that sells certain types of consumer data as a “consumer reporting agency” under the Fair Credit Reporting Act (FCRA). The announcement, which was delivered at a White House Roundtable on Protecting Americans From Harmful Data Broker Practices, is designed “to ensure that modern-day data companies assembling profiles about individuals are meeting the requirements of FCRA.”

Expansion of FCRA

FCRA regulates the collection, dissemination and use of consumer credit information. Its primary objective is to ensure the accuracy, fairness and privacy of individuals’ credit information, which is commonly used for making important decisions such as lending, employment and insurance. FCRA establishes guidelines for consumer reporting agencies (CRAs), which are entities that gather and maintain consumer information, and mandates the rights of consumers to access and dispute inaccurate information in their credit reports.

The implications of defining a data broker that sells specific data as a CRA under FCRA are potentially far-reaching. A data broker’s sale of data relating to a consumer’s payment history, income and criminal records would generally fall within the scope of a “consumer report” according to FCRA. This is due to the typical use of such information in determinations like creditworthiness, employment eligibility and other decisions that significantly impact consumers’ lives. Therefore, if a data broker meets the criteria of a CRA under FCRA, it would be subject to the act’s regulations and obligations. 

The reclassification of data brokers as CRAs would impose new obligations on data brokers to comply with FCRA’s rigorous standards for data accuracy and privacy. This means ensuring that the information they provide to potential users, such as creditors or employers, is up-to-date and accurate. Additionally, data brokers would be required to provide consumers with the ability to access their own information, review its accuracy, and dispute any inaccuracies they find. Furthermore, if data brokers are deemed to fall under FCRA’s purview, they would be legally obligated to obtain consumers’ consent before selling their information for credit, employment or insurance purposes.

Credit Header Data

A second proposal under consideration by CFPB will clarify the extent to which credit header data constitutes a consumer report. This includes individual identifiers like name, date of birth, and Social Security number that data brokers often pull from traditional credit reporting agencies. According to the CFPB, it expects to propose to clarify the extent to which credit header data constitutes a consumer report, reducing the ability of credit reporting companies to impermissibly disclose sensitive contact information that can be used to identify people who don’t wish to be contacted, such as domestic violence survivors.

Data Brokers Defined and Next Steps

A key outstanding question for both of these forthcoming rules is how “data broker” will be defined. In March, the CFPB launched an inquiry into the business practices of data brokers, which defined “data brokers” as “an umbrella term to describe firms that collect, aggregate, sell, resell, license, or otherwise share consumers’ personal information with other parties.” This exceedingly broad definition, if used in the upcoming rulemakings, could sweep in a plethora of companies that are not typically thought of as data brokers. It is also distinguished from new state privacy laws in California and Vermont, which impose specific obligations on data brokers. Under those laws, data brokers are distinguished from other companies by the fact that they do not have a direct relationship with the individuals whose data they maintain.

The CFPB plans to publish an outline of proposals and alternatives under consideration for a proposed rule in September. The proposed rule is expected to be released for public comment in 2024.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Faegre Drinker Biddle & Reath LLP | Attorney Advertising

Written by:

Faegre Drinker Biddle & Reath LLP
Faegre Drinker Biddle & Reath LLP
Contact
more
less

Faegre Drinker Biddle & Reath LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide