CFPB Freeze Leaves Data Broker Regulations in Limbo
February 6, 2025
Privacy Plus+
Privacy, Technology and Perspective
This week, let’s consider how a landmark data privacy rule – which would have classified data brokers as "consumer reporting agencies" under the Fair Credit Reporting Act (FCRA) – faces an uncertain future.
Background
In early December 2024, the Consumer Financial Protection Bureau (CFPB) proposed a data privacy rule intended to regulate data brokers. The proposed rule would have implemented sweeping restrictions on data brokers' ability to sell Americans' sensitive personal information. It was set to take effect March 3rd, but now faces an unclear path forward as new leadership has reportedly instructed the CFPB “to stop all rulemaking, communications, litigation, and other activities.” To read more about the CFPB freeze, you can click on the following article from Bloomberg:
Key Components of the Proposed Rule
Despite the freeze, we think that the rule deserves consideration by our readers because it would have marked a significant expansion in consumer data protection by classifying data brokers as "consumer reporting agencies" under the FCRA. This classification would represent a fundamental shift in how data brokers are regulated, requiring them to:
+ Obtain explicit consumer consent before sharing personal data;
+ Implement stringent accuracy requirements;
+ Provide consumers access to their collected information;
+ Maintain strict safeguards against misuse; and
+ Limit the sale of sensitive identifiers like Social Security numbers.
Currently, data brokers operate with relatively little federal oversight, allowing them to collect and sell personal information with minimal restrictions. Under FCRA classification, they would face the same stringent requirements that currently govern credit bureaus like Equifax, Experian, and TransUnion, as well as other consumer reporting agencies.
For more information and to review the text of the proposed rule, you can click on the following link (and archived on the Wayback Machine):
Our Thoughts
Without the CFPB's proposed rule, there will still be no comprehensive federal framework for regulating data brokers. This leaves consumers vulnerable to privacy violations and data exploitation, with protections varying significantly by state. It also leaves data brokers facing an increasingly complex regulatory landscape, with different states imposing varying registration requirements, opt-out standards, security protocols, and enforcement mechanisms. This fragmentation creates significant complexity and compliance costs for data brokers while making it difficult to standardize their business practices nationwide.
Moreover, without the rule, we continue to face national security vulnerabilities, as foreign actors can continue to purchase sensitive data about American citizens, including military and government personnel. You can learn more about that issue by reviewing the CFPB’s fact sheet on that subject, currently available at the following link (and archived on the Wayback Machine):
https://files.consumerfinance.gov/f/documents/cfpb_fcra-nprm-fact-sheet_2024-12.pdf
Looking ahead, the key question is whether other federal agencies might step in to fill the regulatory gap, or if Congress might take legislative action to address data broker practices. The situation underscores the precarious nature of data privacy regulations in the United States and the need for sustained, bipartisan commitment to protecting consumer privacy and providing businesses with a cohesive federal framework to replace the current patchwork of state regulations.
---
Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.