On December 3, 2024, the Consumer Financial Protection Bureau (CFPB) published its long-anticipated proposed rule aimed at regulating data brokers under the Fair Credit Reporting Act (FCRA).  Although the CFPB’s future is uncertain under the upcoming administration, if implemented, the rule would significantly expand the reach of the FCRA. 

In the accompanying press release, the CFPB stated that its “proposal would ensure data brokers comply with federal law and address critical threats from current data broker practices, including” national security and surveillance risks; criminal exploitation; and violence, stalking, and personal safety threats to law enforcement personnel and domestic violence survivors.  The CFPB expanded on these stated risks in a separate fact sheet.

To address these risks, the proposed rule would treat data brokers like credit bureaus and background check companies: Companies that sell data about income or financial tier, credit history, credit score, or debt payments would be considered consumer reporting agencies required to comply with the FCRA, regardless of how the information is used.  So, the rule would turn data brokers’ disclosure of such information into the communication of consumer reports subject to FCRA’s regulation.  The CFPB did not propose any express exceptions for use of credit header data for fraud prevention, identity verification, compliance with Bank Secrecy Act or Know-Your-Customer requirements, or law enforcement uses.

If enacted, the proposed rule would significantly impact the data broker industry and restrict the information that data brokers can sell to third parties.  It would also likely increase compliance costs for all data brokers—regardless of the types of data in which they deal.  Unsurprisingly, as with other CFPB initiatives of late, industry reactions were immediate and clear.  For example, the Consumer Data Industry Association (CDIA) expressed concerns that the proposed rule could have “severe unintended consequences for public safety, law enforcement, and the consumer economy.”  Specifically, the CDIA noted that the proposed rule could make “it harder to identify and prevent fraudulent schemes” and that it “may become more difficult for police to identify and track fugitives or locate missing and exploited children.”  It therefore called “on the CFPB to engage in a more collaborative approach with industry stakeholders and lawmakers to address data privacy concerns without compromising the integrity and efficiency of the credit reporting system that has long been the envy of the world.”

In any event, the proposed rule has a 90-day comment period, meaning that the comment period alone will run until March 3, 2025.  Based on the incoming Trump administration’s apparent position toward the CFPB and FCRA, it seems unlikely that the rule will go into effect as proposed.  But until any change becomes formal, companies that would be impacted by the proposed rule should still consider submitting comments to ensure that their interests are protected.