The Electronic Privacy Information Center (EPIC) submits these comments in response to the Consumer Financial Protection Bureau (CFPB)’s recent Request for Information Regarding Data Brokers and Other Business Practices Involving the Collection and Sale of Consumer Information published on March 21, 2023.
Data brokers can and should be regulated under the FCRA, CFPA, and similar laws, and EPIC urges the CFPB to adopt an expansive definition of data broker misconduct to capture the variety of harmful activity that data brokers undertake; shift the regulatory burden from individual consumers exercising their rights to data brokers and other entities profiting off harmful data collection and use; coordinate efforts with the FTC to prioritize data minimization and data security within its regulations; and clarify its interpretations of FCRA provisions and definitions using illustrative examples.
EPIC is a public interest research center in Washington, D.C., established in 1994 to focus public attention on emerging privacy and civil liberties issues and to secure the fundamental right to privacy in the digital age for all people through advocacy, research, and litigation. EPIC has long advocated for robust safeguards to protect consumers from exploitative data collection, use, distribution, and retention practices, including data minimization restrictions under which data can only be collected, used, or disclosed as necessary, consistent with the reasonable expectations of the consumer. EPIC has also fought for greater oversight into how companies and government agencies target individuals based on data collected about those individuals, greater transparency regarding the lifecycle of collection and disclosure of Americans’ personal data, and more robust regulatory enforcement to safeguard the rights of consumers.
EPIC’s comment, which responds to questions throughout the CFPB’s Request for Information, is organized into the following topics: the data lifecycle and business of data brokers; the negative impacts of ubiquitous commercial data collection on consumers; the insufficiency of existing regulations and mechanisms to constrain harmful data broker practices and protect consumers; and specific recommendations for the CFPB. We are available to discuss any aspect of our comment with the CFPB and welcome any questions you may have.