The final weeks of 2024 have been marked by a flurry of rule-making by the Consumer Financial Protection Bureau (CFPB).
In the latest salvo, the agency on Tuesday (Dec. 3) proposed a new rule that would curtail data brokers’ access to consumers’ data and the ability to sell that information.
In a release Tuesday, the CFPB said that the rule would “stop data brokers from selling sensitive personal data to scammers, stalkers and spies.”
The rule would classify data brokers — which collect and sell consumer-level data, including details about credit scores, Social Security numbers and debt repayment histories — as consumer reporting agencies. Under that designation, they would be subject to the rules of the Fair Credit Reporting Act (FCRA), which defines and limits the ways in which data brokers would be able to collect and use data, and they must demonstrate “permissible purpose” as they do so.
Among the most significant changes: Consumers would have to give their permission for their data to be used. “Companies relying on consumers’ consent to obtain or share a consumer’s credit report would need separate, explicit authorization to do so, rather than burying permissions in fine print,” said the CFPB.
The comment period extends to March 3.
“The data broker industry collects and sells detailed information about Americans’ personal lives and financial circumstances to anyone willing to pay,” the CFPB wrote in its announcement.
The agency called out specific risks tied to four data types — credit history, credit score, debt payments and income or financial tier. The agency also highlighted national security risks, noting that countries such as China or Russia are able to purchase detailed information on military personnel and government employees “for pennies” and set the stage for blackmail. Elsewhere, identity thieves can purchase financial profiles to target individuals.
Diving into the proposed rule, which runs more than 200 pages, the CFPB stated: “In recent years, the consumer reporting marketplace has evolved in ways that imperil Americans’ privacy.”
Provisions are made for a consumer’s right to revoke consent previously granted, the proposal noted. Data brokers must ensure that a “consumer is provided a method to revoke consent that is as easy to access and operate as the method by which the consumer initially provided consent to the furnishing of their consumer report. The proposal would also provide that a consumer could not be charged any costs or penalties to revoke consent.”
Per the proposed rule, “the disclosure would need to be clear, conspicuous, and segregated from other material. After providing the disclosure, entities would be required to obtain the consumer’s express, informed consent for their consumer report to be furnished, and the consumer’s signature, either in writing or electronically.”
That approach, we note, would mark a change from current practice, wherein obtaining consent is part of the “larger terms and conditions language.”
There also would be a limit on how long a consumer’s consent could be relied upon. The CFPB wrote that data “users would only be allowed to continue accessing a consumer report for up to one year after the date on which the particular consumer consents for the report to be furnished.”