The Consumer Financial Protection Bureau (CFPB) has issued a request for information (RFI) to examine the practices of data brokers and businesses involved in the collection, use, and sale of consumer information on March 15, 2023. The purpose of the RFI is to help the CFPB and policymakers understand the current state of business practices and assess whether data brokers are covered by the Fair Credit Reporting Act (FCRA) and other statutory authorities. The CFPB is specifically interested in identifying any instances of consumer harm or market abuses, including those that Congress originally identified in passing the FCRA in 1970.
The CFPB's RFI signals a potential to engage in rulemaking to cover data brokers, as Director Rohit Chopra expressed concern over data surveillance practices and the monetization of sensitive consumer data. The RFI considers data brokers to be firms that collect, aggregate, sell, resell, or license consumers' personal information or otherwise share it with other parties. The CFPB is requesting information about first-party and third-party data brokers on the types of data they collect, the sources they rely on, and the controls they implement to ensure the quality and accuracy of the data.
Comments are due on or before June 13, 2023.
Since the FCRA's enactment in 1970, companies using business models that sell consumer data have emerged with the growth of the internet and advancements in technology, and they may not be covered by the statute. Therefore, the CFPB is seeking to assess whether the FCRA and other statutory authorities reflect the market realities of data brokers.
The FCRA, enacted in 1970 and amended since then, established rules to govern the practices of "consumer reporting agencies." The law includes a prohibition on using or sharing certain personal data outside of permissible purposes set by Congress; a requirement that consumer reporting agencies follow reasonable procedures to ensure the accuracy of consumer reports; a right of consumers to obtain consumer reports about themselves; and a process for consumers to challenge inaccurate data in the consumer reporting agencies' files.
Through the RFI, the CFPB is seeking information on both companies that interact with consumers directly (first-party data brokers) and companies that do not have a direct relationship with a consumer (third-party data brokers). The RFI cites to a Federal Trade Commission report that describes how companies collect information from public and private sources for the purposes of marketing and advertising, combining and analyzing data about consumers to make inferences about those consumers, detecting fraud, verifying a consumer's identity, and providing people search databases, among others.
Rulemaking authority for most provisions of the FCRA was transferred from the FTC to the CFPB with the passage of the Dodd-Frank Wall Street Reform and Consumer Protection Act (the "Dodd Frank Act"). The CFPB also has the authority to enforce the FCRA (with others) and the privacy provisions of Gramm-Leach Bliley Act, and to address unfair or deceptive acts or practices related to the handling of consumer data.
The CFPB is also in the process of writing regulations to implement section 1033 of the Dodd-Frank Act, which provides that, subject to rules prescribed by the CFPB, a covered entity (for example, a bank) must make available to consumers, upon request, transaction data and other information concerning a consumer financial product or service that the consumer obtains from the covered entity. Section 1033 also directs the CFPB to prescribe by rule standards to promote the development and use of standardized formats for information made available to consumers.
The RFI asks for information in two categories: market level-inquiries (22 questions) and individual inquiries (7 questions). The following are some of the questions that the CFPB asked:
- What types of data, including data that are financial in nature, do data brokers collect, share, or derive marketable insight from?
- What sources do data brokers rely on to collect information? What technological components (e.g., tracking scripts, web-based plug-ins, pixels, or software development kits) facilitate brokers' collection of data?
- What types of information do data brokers receive from financial institutions?
- Does the nature of data brokers' collection of information related to consumer preferences and behaviors influence consumer purchasing patterns or levels of indebtedness? Does consumer data collected by data brokers facilitate a less competitive marketplace or more expensive financial products for consumers?
- Are data brokers sharing information about particular groups of people, including protected classes?
- What controls do data brokers implement to ensure the quality and accuracy of data they have collected?
- What actions can people take to gain knowledge or control over data, or correct data, that are collected or shared about them?
The RFI also solicits information from individuals about their direct experiences with data brokers.
For a complete list of questions, see the RFI.