In remarks delivered yesterday at a roundtable convened by the White House on protecting Americans from harmful data broker practices, CFPB Director Chopra announced that the CFPB plans to propose a rule under the Fair Credit Reporting Act (FCRA) to address the practices of data brokers.  In connection with Director Chopra’s announcement, the CFPB issued FAQs about its rulemaking plans.  Both Director Chopra’s remarks and the FAQs highlight the use of data collected by data brokers to feed artificial intelligence used to make decisions about consumers.

In his remarks, Director Chopra indicated that in September 2023, in advance of convening a SBREFA panel, the CFPB plans to publish an outline of proposals and alternatives under consideration for a proposed rule.  The FAQs advise small businesses interested in participating as a panelist to contact the CFPB within the next week.  Director Chopra also indicated that the CFPB plans to issue a proposed rule in 2024.

In March 2023, the CFPB issued a request for information (RFI) about business models that collect and sell consumer data, such as data brokers, data aggregators, and platforms.  While neither Director Chopra nor the FAQs clearly indicate what is meant by the term “data broker,” the CFPB used the term “data broker” in the RFI to describe businesses that “collect, aggregate, sell, resell, license, or otherwise share consumers’ personal information with other parties.”  It indicated that the term encompassed companies that act as first-party data brokers and interact directly with consumers as well as third-party data brokers with whom consumers do not have a direct relationship.  It also included firms that specialize in preparing employment background screening reports and credit reports.  In describing the activities of data brokers, the CFPB stated that they “collect information from public and private sources for purposes including marketing and advertising, building and refining proprietary algorithms, credit and insurance underwriting, consumer-authorized data porting, fraud detection, criminal background checks, identity verification, and people search databases.”

The FAQs indicate that the CFPB received “more than 7,000 responses” to the RFI and describe some of the issues raised in response to the RFI.  Among the issues raised are the impact of “data broker harms” on protected classes and vulnerable individuals and the sharing of data in ways that consumers do not expect.

Most significantly, the CFPB suggested in the RFI that many data brokers who act as “consumer reporting agencies” under the FCRA nevertheless disclaim FCRA coverage.  The CFPB stated:

Many companies [that sell consumer data] whose business models rely on newer technologies and novel methods purport not to be covered by the FCRA.  These companies are sometimes labeled “data brokers,” “data aggregators,” or “platforms,” but they all share a fundamental characteristic with consumer reporting agencies—they collect and sell personal data.

As described by Director Chopra and the FAQs, the proposals under consideration would:

  • Define a data broker that sells certain data as a “consumer reporting agency” under the FCRA.  A data broker’s sale of data regarding, for example, a consumer’s payment history, income, and criminal records would generally be treated as a “consumer report” under the FCRA because it is typically used for credit, employment, and certain other determinations.
  • Clarify the extent to which “credit header data” constitutes a “consumer report” under the FCRA.  Such data is personally identifying information such as a consumer’s name, address, or social security number which is held by traditional consumer reporting agencies.