On September 15, 2023, the CFPB issued an outline of its proposal to promulgate a rule under the Fair Credit Reporting Act (“FCRA”) which would regulate the consumer data collection and selling activities of data brokers. The CFPB acknowledged that while consumer credit reporting agencies have long been subject to the FCRA’s restrictions and requirements, “data brokers” – companies that collect and sell certain consumer data – have generally avoided such compliance obligations under the FCRA’s current scope.
Data brokers collect and sell both private data (such as information about a consumer’s finances or health conditions) and public data (such as information about criminal records or lawsuits), and data brokers use that information for a variety of purposes, including to generate reports for use in credit and employment decisions, to create lists of consumers with certain attributes for use in marketing, and to operate databases to detect fraud. According to the CFPB, the collection and sale of such information by third-party data brokers with whom the consumer does not have a direct relationship poses privacy risks to consumers and can also facilitate fraud, identity theft, harassment, discrimination, and abusive and unfair conduct.
The CFPB’s outline (“September Outline”) provides additional details on the data broker rulemaking the agency first announced in August. The September Outline further reinforces that the proposed rule, if adopted, would likely impact a wide range of companies that sell or facilitate access to consumer data, whether they operate in the traditional consumer credit reporting space or not.
Data brokers and other companies that engage in activities that would be covered under the CFPB’s so-called data broker rule should remain up to date on the development of the proposed rule, and should consider reviewing their policies and procedures concerning the collection and sale of consumer data to assess FCRA compliance in the event the data broker rule is adopted.
The Data Broker Rule
On August 15, 2023, the CFPB announced it was drafting a proposed rule that would regulate data brokers in a manner similar to credit reporting agencies under the FCRA. Notably, while consumer credit reporting agencies have long been subject to the FCRA’s framework of accuracy requirements, information-sharing restrictions, and other compliance obligations, data brokers have largely avoided FCRA compliance obligations and related liabilities.
As part of the proposed rule, the CFPB noted it was considering defining data brokers as consumer reporting agencies covered by the FCRA to the extent they sold certain types of sensitive consumer data. The bureau stated that “under such a proposal, a company's sale of data regarding, for example, a consumer's payment history, income, or criminal records would generally be a consumer report.” If such data were to be deemed a consumer report, companies that sell such data would have to comply with the FCRA’s “permissible purpose” restrictions which means that the data could only be sold for permissible purposes like employment applications or credit underwriting, and not for purposes like targeted advertising or training artificial intelligence.
The announcement also explained that the data broker rule would likely clarify that credit header data (i.e., information like a person’s name, age, address, and Social Security number) would also constitute a consumer report, and provided that consumers would retain the rights to receive copies of such consumer reports and dispute any inaccuracies in them – rights currently granted with respect to traditional consumer credit reporting information under the FCRA.
The September Outline
The September Outline was prepared by the CFPB for consulting small businesses on the potential impact of proposed CFPB regulations, as required under the Small Business Regulatory Enforcement Fairness Act (SBREFA). As part of the SBREFA process, the CFPB must consult with small business entities that are likely to be subject to the regulation and must collect the advice and recommendations of small entity representatives about whether the proposed regulations might increase the cost of credit for small entities and whether effective alternatives may exist.
With respect to data broker regulation specifically, the September Outline largely echoed the agency’s statements in August. The following discusses key aspects or additional details in the September Outline regarding the proposed data broker rule:
- The CFPB stated that regulating data brokers as consumer reporting agencies “would limit the sale of certain data broker data for advertising or marketing, for the most part constraining the sale of data to only those companies or persons to whom the consumer applied for credit, insurance, employment, housing, or some other service, or to whom the consumer otherwise authorized access.”
- The bureau noted that currently, “some data brokers that collect, aggregate, sell, resell, license, or otherwise share personal information about consumers with other parties act as consumer reporting agencies under the statute, but others that engage in very similar activities or sell the same types of data do not,” and that “[b]y engaging in these activities outside of the FCRA’s protections regarding, for example, data confidentiality and accuracy, these companies threaten consumer privacy and arguably evade the FCRA’s purposes and objectives.”
- The CFPB reiterated that a data broker’s sale of a person’s payment history, income, and criminal records would generally be considered as furnishing a consumer report, regardless of the purpose for which the data was actually used or collected, or the expectations of a data broker collecting or selling that information, because data of this kind is typically used for credit and employment determinations. In turn, a data broker “assembling or evaluating” and selling this type of personal data would be a consumer reporting agency because the company would be assembling or evaluating information on consumers for the purpose of furnishing consumer reports (assuming it met the other definitional requirements to be a consumer reporting agency).
- The bureau is considering a bright line rule clarifying in which circumstances vendors or intermediaries that facilitate electronic data access between parties could be “assembling or evaluating” consumer information when they transmit consumer data between data sources and users.The CFPB proposed, as an example of circumstances where the bright-line rule would apply, a vendor that transmits public records information from public records databases to users.The September Outline suggests that, to the extent a vendor or intermediary is “assembling or evaluating” consumer information when engaged in these practices, they could be considered consumer reporting agencies if they met the other definitional requirements.
- The CFPB is also considering a proposal to clarify the extent to which consumer credit header data (such as name, address, Social Security number, phone number) constitutes a consumer report. The proposal would likely reduce consumer reporting agencies’ ability to sell or otherwise disclose credit header data from their consumer reporting databases without a permissible purpose or authorization from the consumer.
- The CFPB is considering clarifying that certain practices by consumer reporting agencies that assist third parties in marketing to consumers could violate the FCRA’s restriction on furnishing consumer reports for non-permissible purposes. Specifically, the agency noted situations where a consumer reporting agency might use information from consumer reports or its databases, combined with information from another party, for targeted marketing on behalf of a third party.Even if the consumer reporting agency delivers the marketing material itself, if it does so on behalf of a third party, the consumer reporting agency could be deemed to have furnished a consumer report for an impermissible purpose under the FCRA.
The CFPB confirmed that as part of the SBREFA process, it is convening a Small Business Review Panel to obtain input from small entity representatives on the proposals under consideration for an FCRA rulemaking, and that within 60 days of convening, the panel will create a report for the CFPB to consider as it prepares a formal proposed rule. In addition to consulting with small businesses under the SBREFA process, the CFPB is conferring with other Federal agencies, including the prudential regulators and the FTC, on the proposed data broker rule, and has also invited commentary from other stakeholders who are not small entity representatives, with written feedback due by October 30, 2023.
Given the breadth of the data broker rule being considered by the CFPB, companies that in any manner facilitate or monetize access to consumer data (as broadly contemplated in the September Outline) should remain apprised of new developments regarding this proposed rulemaking. Such companies should also consider conducting a proactive review of their policies and procedures regarding the collection or sale of consumer data to assess what changes may be needed to comply with FCRA obligations in the event the data broker rule is adopted.