A new proposal by the Consumer Financial Protection Bureau would use a 54-year-old privacy law to impose new oversight of the data broker industry. But first, the agency must survive Elon Musk.
Photograph: Bloomberg; Getty Images
The United States government’s leading consumer protection watchdog announced Tuesday the first steps in a plan to crack down on predatory data broker practices that the agency says help fuel scams, violence, and threats to US national security.
The Consumer Financial Protection Bureau is proposing a rule that would allow regulators to police data brokers under the Fair Credit Reporting Act (FCRA), a landmark privacy law enacted more than a half century ago. Under the proposal, data brokers would be limited in their ability to sell certain sensitive personal information, including financial data and credit scores, phone numbers, Social Security numbers, and addresses. The CFPB says that closing the loopholes allowing data brokers to trade in this data with little to no oversight will benefit vulnerable people and the US as a whole.
“By selling our most sensitive personal data without our knowledge or consent, data brokers can profit by enabling scamming, stalking, and spying,” Rohit Chopra, CFPB’s director, said in a statement. “The CFPB’s proposed rule will curtail these practices that threaten our personal safety and undermine America’s national security.”
Passed in 1970 as the first US privacy law, the FCRA requires “credit reporting agencies” to adhere to certain standards of accuracy and privacy in their dealing with people’s financial information, including credit histories, credit scores, debt payment histories, and other related data. The CFPB’s proposal aims to treat data brokers like credit reporting agencies when they deal in this sensitive data. It would require data brokers to obtain “separate, explicit authorization” before acquiring or sharing people’s credit information, rather than burying these permissions in expansive legal documents that surveys show are often unread or impossible for the average person to parse.
In a conversation with reporters on Monday, Chopra pointed to the recent attacks on US telecommunications systems, which the government has attributed to China, to emphasize the value of personal data to the nation's foreign rivals. “But often, our adversaries don't need to hack anything,” he says. “Data brokers, the outfits that collect and sell detailed information about our personal and financial lives, are making this data available to anyone willing to pay a price.”
The action proposed by the CFPB is aimed, Chopra says, at stopping data brokers from “enabling scammers, stalkers and spies undermining our personal safety and America's national security.”
The CFPB’s idea of using existing US law to regulate data brokers is not novel. In February 2023, a group of consumer-focused nonprofits urged Chopra to enforce the powers the FCRA affords regulators to prevent data brokers from engaging in these potentially damaging practices.
“Protecting the personal information of all people in the US is increasingly urgent in our current political climate,” says Laura Rivera, attorney with Just Futures Law, a nonprofit that supports grassroots activists. “The stakes are too high to continue to let the data broker industry sell our information at their discretion, where the status quo has made it ripe for abuse and targeting from harmful actors.”
In a briefing with WIRED on Monday, CFPB officials declined to comment on whether they believe the regulatory action will be short lived, as president-elect Donald Trump plans to empower a number of Silicon Valley figures to reorganize the federal government with the aim of targeting “waste and fraud.”
Elon Musk, who is coleading an office named after a meme coin—the Department of Government Efficiency, or DOGE—directly attacked the CFPB's work last week, calling for the agency to be “deleted.” Musk's remarks followed an attack on the agency's work by Marc Andreessen, a venture capitalist, who claimed on a recent episode of Joe Rogan’s podcast that the agency is “terrorizing” banking startups.
The CFBP was founded in 2011 with the aim of protecting consumers from the kinds of fraud and abuse that kicked off the 2008 financial crisis.
A CFPB official tells WIRED that the agency is also concerned about data being transmitted in ways that companies allege protects people's identities but in reality can be "de-anonymized" in simple ways, as studies have repeatedly shown. "As technology advances, we surmise that it will be even easier to de-mask purportedly de-identified data," one official said. The proposed rule thus includes a range of guidelines for credit reporting agencies involved in selling data they alleged has been de-identified.
Asked whether the proposal would extend to US government agencies, an official says that US law sets forth "very clear pathways" for the government to purchase personally identifying data for law enforcement and intelligence purposes. In a recent case, US Immigration and Customs Enforcement was discovered by reporters to have purchased access to the personal data of Americans in an attempt to investigate immigrants—data acquired by the media conglomerate Thomson Reuters, which it provided to custeroms in contracts the company disclosed were worth more than $100 million. (Thomson Reuters previously denied that the purpose of the data is to track undocumented immigrants and has emphasized that its database does not contain information that normally requires a search warrant to access.)
“We are not disrupting any of those pathways,” a CFPB official says. The agency is requesting comment, however, on the potential impacts of such government purchases to ensure that access is “appropriate.”
Emily Peterson-Cassin, director of corporate power at the nonprofit advocacy group Demand Progress’s Education Fund, commended the CFPB’s proposal and urged the incoming Trump administration to see it through.
“The CFPB is doing something important that will resonate with every single American. Anyone you pick off the street can tell you about the daily scam texts, emails and calls they receive from fraudsters who easily buy our contact information from shady, unaccountable data brokers,” Peterson-Cassin says. “Finally, someone—specifically the CFPB—has stepped in to stop this daily plague affecting hundreds of millions of people by applying real standards to their sale of our sensitive information.”