.svg)
The US Consumer Financial Protection Bureau (CFPB) is working on a proposal that would bring data aggregators under existing consumer reporting law.
During a White House event on data brokers, CFPB director Rohit Chopra said his agency is working on developing rules to ensure that “modern-day digital data brokers are not misusing or abusing our sensitive data”.
The CFPB issued a request for information (RFI) in March to understand potential harms to consumers and had previously reached out to Apple, Google, PayPal, Square and other bigtech firms in 2021 to get information about how they collect and use personal payments data.
In the course of this formal inquiry, Chopra said, his agency learned about significant harms, from the identification of victims for financial scams to the facilitation of harassment and fraud.
“While these firms go by many labels, many of them work to harvest data from multiple sources and then monetize individual data points or profiles about us, sometimes without our knowledge,” Chopra said.
Currently, there is no federal law in the United States that regulates the data broker industry.
In 2018, Vermont became the first US state to pass legislation for data brokers, which was followed by a similar law in California the following year.
Although these and other efforts at the federal and state level are taking form, Chopra said he wants to “make sure we’re using our existing laws on the books”.
In 1970, Congress passed the Fair Credit Reporting Act (FCRA) giving a number of new rights and protections to consumers against data surveillance.
It includes safeguards to ensure accurate information, the rights to dispute errors and to access their own information, and limits the selling and using of consumer report data unless for a few authorised permissible purposes.
For Chopra, the current issues about online data collection “mirror debates from over fifty years ago”.
“Today’s surveillance firms have modern technology to build even more complex profiles about our searches, our clicks, our payments, and our locations.”
“These detailed dossiers can be exploited by scammers, marketers, and anyone else willing to pay,” he added.
Data brokers, aggregators and consumer reporting agencies
In an accompanying document, the agency revealed that it is considering two new measures to address these concerns.
First, it would establish that data brokers or other companies “in the surveillance industry” can be covered under the FCRA if they sell certain types of consumer data, for example payment history, income or criminal records.
Data brokers that sell such types of consumer data will be defined as a "consumer reporting agency".
Second, the agency would “clarify” that so-called credit header data is a consumer report.
Credit header data includes personally identifying information such as name, address or social security number, which is held by traditional credit bureaus.
The CFPB says much of the existing data broker market relies on credit header data purchased from the big three credit bureaus — Equifax, Experian, and TransUnion — to create their individual dossiers.
This would mean that selling header data would generally be illegal unless it has a "permissible purpose".
Credit header data could be sold for purposes like credit underwriting, employment applications, insurance underwriting and government benefits applications, but not for targeted advertising or to train artificial intelligence.
The agency said it will publish an outline of these proposals next month and plans to propose a rule for public comment in 2024.
Rulemaking sparked record interest
The comment period for the RFI closed in mid-July with a record number of more than 7,000 submissions.
Consumer advocacy groups have generally supported the CFPB approach, which they argue would increase protections for consumers, while fintech firms have raised concerns about it.
In a letter submitted to the CFPB request for information in July, the Financial Technology Association (FTA) argued that data aggregation is “significantly different” from data brokering.
According to the fintech association, unlike data brokers, data aggregators collect and share data with the consumer’s permission and FTA members, which include data aggregators, do not sell financial information.
The association also pointed out that data aggregators do not have the ability to correct the financial data the consumer authorises for sharing and may not be able to comply with that provision of the FCRA.
The FTA instead said the CFPB’s upcoming open banking rule would be better suited to cover the data-sharing activities of data aggregators.
A similar argument was raised by the American Bankers Association (ABA), which urged the CFPB to clarify that its data broker considerations are distinct from data sharing under the future open banking rules.
It also asked the agency to explicitly exclude banks from the definition of data brokers.
“Any CFPB activity on the subject should be targeted at those unregulated entities and not upset the existing framework,” the banking lobby group wrote.
