Following a related request for information (RFI) earlier this year, the Consumer Financial Protection Bureau (CFPB) announced on August 15, 2023, its intention to launch rulemaking targeting data brokers. This rulemaking could significantly expand the scope of the entities and data subject to the Fair Credit Reporting Act (FCRA), including by imposing onerous requirements on entities and data not previously subject to the law.

In prepared remarks delivered at the White House Roundtable on Protecting Americans from Harmful Data Broker Practices, CFPB Director Rohit Chopra cautioned that the rise of “‘artificial intelligence’ and other predictive decision-making” has “create[d] financial incentives for . . . more data surveillance” and requires increased “accountability when it comes to misuse or abuse of . . . private information and activities.” Director Chopra’s remarks focused on “data brokers,” which he defined to include entities that “harvest data from multiple sources and then monetize individual data points or profiles about” consumers, such as “by sharing them with other companies using AI to make predictions and decisions.”

In his remarks, Director Chopra cited the FCRA as a “law that covers a broad range of background reports assembled on consumers, even beyond those used for extending loans.” The proposed rules that the CFPB is developing under the FCRA aim to ensure “that modern-day data companies assembling profiles about [consumers] are meeting the requirements under” the FCRA. In particular, Director Chopra highlighted two rulemaking proposals under consideration:

• Defining of data brokers subject to the FCRA. The CFPB is considering issuing a rule that defines “a data broker that sells certain types of consumer data as a ‘consumer reporting agency’ to better reflect today’s market realities.” Director Chopra noted the CFPB’s intention to treat the sale of “data regarding, for example, a consumer’s payment history, income, and criminal records as a consumer report, because that type of data is typically used for credit, employment, and certain other determinations.” This rule would, according to Director Chopra, trigger requirements that often apply to consumer reporting agencies, including “ensuring accuracy and handling disputes of inaccurate information, as well as prohibit[ing] misuse.”
• Subjecting credit header data to the FCRA. Director Chopra also noted that the CFPB is considering a rule clarifying that “key identifiers like name, date of birth, and Social Security Number”—often referred to as “credit header data”—qualify as consumer report data. According to the director, “[m]uch of the current data broker market runs on” this information “taken from traditional credit reports, such as those sold by” Equifax, Experian, and TransUnion. The new rules would, the director said, “reduc[e] the ability of credit reporting companies to impermissibly disclose sensitive contact information that can be used to identify people who don’t wish to be contacted, such as domestic violence survivors.”

Takeaways

Director Chopra’s remarks underscore regulators’ ongoing monitoring of the data broker industry. Indeed, according to Director Chopra, the CFPB’s new proposed rules appear intended to “complement other work occurring across levels of government, especially by the [Federal Trade Commission],” which, in his view, “is leading so many efforts on privacy and data security.” The proposed rules could expand the entities and data subject to the FCRA and impose significant compliance requirements, as well as regulatory and class-action risk on data aggregators.

Director Chopra revealed that the CFPB intends to publish an outline of the details of the proposed rules, as well as various alternatives, in September 2023. The CFPB intends to release the proposed rules for public comment in 2024.

© 2023 Perkins Coie LLP