The CFPB Moves Ahead with FCRA Rulemaking to Rein in Data Brokers

September 28, 2023 | Caroline Kraczon, EPIC Law Fellow

The Consumer Financial Protection Bureau took a major step last week toward establishing stronger guardrails for data brokers and better protections for consumers. On September 21, the CFPB released a document outlining proposals and alternatives under consideration for the Bureau’s upcoming Fair Credit Reporting Act (FCRA) Rulemaking. The FCRA regulates the consumer reporting market by permitting certain specified uses of consumer reporting data and prohibiting others, imposing accuracy requirements onto credit reporting agencies, and providing consumers a right to dispute inaccurate or incomplete information in their credit reporting files. The CFPB has the authority to issue rules under the FCRA and shares enforcement power with the Federal Trade Commission.

If the rules the CFPB is considering come to fruition, consumers will be better protected from the harmful practices of the data broker industry. Data brokers use the millions of data points they collect about American consumers to predict and influence consumer behavior, combining the personal data they collect with other datasets, mining that data for insights (often using AI tools), and selling personal data to third parties. In EPIC’s recent comments and coalition letter to the CFPB, we emphasized the widespread harm caused by data brokers. Because of the types and volume of personal information they collect, data brokers have a deeply invasive reach into the lives of American consumers.

In addition to the privacy harms caused by industry practices, data brokers also inflict economic and broader social harms. For example, consumers may suffer privacy, economic, and reputational harms, as well as severe anxiety, when their data collected by a broker is subject to a security breach. Further, considering certain kinds of data when making determinations related to a person’s eligibility for credit, employment, or housing can exacerbate existing inequalities and perpetuate racial bias.

Even as data brokers profit off the intimate details of consumers’ lives, consumers generally lack the ability to know how their information is being collected, used, and shared, while the brokers themselves operate largely with impunity. The data broker industry has exploded as technology has advanced, and it is time for regulators to catch up to protect consumers from harm. The CFPB’s FCRA rulemaking offers the Bureau an opportunity to do that.

In EPIC’s comments to the CFPB in July 2023, we urged the CFPB to presumptively recognize all data brokers as consumer reporting agencies (CRAs) unless data brokers demonstrate that they undertake reasonable measures to prevent the data they collect and sell from being used for any of the enumerated purposes under the FCRA. Data brokers’ business models are built on the mass collection, transfer, and combination of consumer data. It is important to ensure that consumer reports are not combined with other datasets and then used for purposes that harm consumers. Presumptively subjecting all data brokers to the FCRA would mitigate these harms and go a long way towards reining in the data broker industry.

Proposals and Alternatives Under Consideration by the CFPB

Acknowledging the rapid growth and evolution of the consumer reporting market since the FCRA was enacted in 1970, the CFPB is considering proposals to expand the FCRA’s coverage over data brokers. Some of the most notable data broker-related proposals under consideration are summarized below.

  • Defining Consumer Report and Consumer Reporting Agency: The FCRA applies to “consumer reporting agencies” that furnish “consumer reports.” These definitions have been interpreted broadly in the past, and the CFPB is considering proposals to codify existing law and to expand the applicability of the FCRA to data brokers.
    • First, the Bureau proposes that the definition of “consumer reports” include all consumer information provided to a third party for a permissible purpose pursuant to the statute, even if the data broker providing the information to the third party did not know or should not have known that the information was intended to be used for that purpose.
    • Second, data brokers that sell certain categories of consumer data, including data typically used to make credit and employment eligibility determinations, are selling consumer reports.
    • Third, data brokers that collect consumer information for permissible purposes, which are set forth by the FCRA, would be subject to obligations under the FCRA including not to sell that consumer information for non-permissible purposes and not to obtain consumer report information from a consumer reporting agency without a permissible purpose.
  • Defining Assembling or Evaluating Consumer Information: Data brokers that facilitate data sharing by accessing consumer information and transmitting the data to third party recipients with the consent of consumers are engaged in “assembling or evaluating” consumer information under the FCRA, as long as the data broker also satisfies the definition of a CRA.
    • The CFPB is considering providing a more bright-line definition to clarify when third party entities who also facilitate data access between parties engage in “assembling or evaluating” consumer information.
  • Credit Header Data: Credit header data includes identifying information like an individual’s name, current and former addresses, Social Security number, and phone numbers. Some CRAs sell credit header data for marketing or law enforcement purposes, which are not authorized purposes under the FCRA.
    • The CFPB is considering a proposal to clarify the extent to which credit header data constitutes a consumer report, which would likely reduce a CRA’s ability to sell or disclose credit header data without a permissible purpose.
  • Targeted Marketing and Aggregated Data: The FCRA generally prohibits CRAs from furnishing consumer reports to third parties for marketing and advertising purposes because these are not permissible purposes under the FCRA.
    • In some instances, a CRA may not combine consumer reports with third party data and then deliver marketing materials on behalf of the third party. The CFPB is considering a proposal to clarify that even though a CRA in this situation has not shared information with the third party, the CRA has still furnished a consumer report to a user without a permissible purpose.
    • The CFPB is also considering proposals to clarify whether and when aggregated or anonymized consumer report information constitutes a consumer report.
  • Data Security and Data Breaches: The CFPB is considering a proposal addressing CRAs’ obligations to protect consumer reports from data breaches or unauthorized access under the FCRA.

The CFPB’s proposals, if implemented, would make significant headway toward establishing reasonable guardrails for the data broker industry. In EPIC’s July 2023 comments, we also provided additional recommendations that are not currently reflected in the CFPB’s outline of proposals and alternatives. EPIC continues to believe that the CFPB should also adopt the following recommendations to ensure that consumers are protected from harm caused by data brokers:

  • Require data brokers to use Know Your Customer (KYC) protocols: Implementing KYC protocols to monitor subsequent uses of data sold by brokers would mitigate downstream misuse of data.
  • Implement protections related to the use of alternative data in credit scoring models: Alternative data used to determine a consumer’s risk level (e.g., ZIP code, social media usage, shopping history, name capitalization) which is collected from secondary sources (e.g., social media websites) and shared with a third party should be subject to the FCRA to ensure that the inclusion of alternative data in credit scoring models does not harm consumers.
  • Ban the use of credit reports in tenant screening: Credit reports often contain errors and do not reflect a person’s current ability to pay, and using a credit report to determine eligibility for tenancy perpetuates inequality and injustice.
  • Ban the use of pre-conviction criminal proceeding information in credit reports: Before conviction, there has been no determination of guilt or innocence, and evidence shows that arrest statistics are influenced by racial bias. Using pre-conviction criminal proceeding data perpetuates that bias and introduces inaccuracy into credit reports.

Timeline of CFPB Progress Toward an FCRA Rulemaking

  • March 2023: The CFPB launched an inquiry into the business practices of data brokers. The Bureau issued a Request for Information (RFI) seeking public feedback on how data brokers’ business practices impact consumers and details about the types of information data brokers collect and sell, and information.
  • July 2023: EPIC submitted a comment in response to the CFPB’s RFI. The CFPB also held a public hearing focusing on coercive credit reporting and medical billing practices.
  • August 2023: CFPB Director Rohit Chopra announced that the CFPB would be developing rules under the FCRA to “prevent misuse and abuse” by data brokers.
  • September 2023: The CFPB announced that the FCRA rulemaking process would also include rules to remove medical bills from Americans’ credit reports. The CFPB also released an outline of proposals and alternatives under consideration. Following the announcement, the CFPB will convene a Small Business Review Panel to seek feedback from representatives of small businesses likely to be affected by the proposed rules pursuant to the Small Business Regulatory Enforcement Fairness Act of 1996 (SBREFA). The panel will prepare written feedback in response to the proposals and questions in the outline provided by the CFPB, and the Panel Report will be published in the public rulemaking record once a proposed rule is published.
  • October 2023: In addition to collecting feedback on its proposals from small business representatives, the CFPB is also seeking feedback on its proposals from other interested parties. Stakeholders may provide written feedback to the CFPB on its proposals via email to [email protected] no later than October 30, 2023.
  • In the Future: After collecting feedback from small business representatives and other stakeholders, the CFPB will issue a proposed rule, or Notice of Proposed Rulemaking (NPRM), in the Federal Register. At that time, members of the public will have an opportunity to submit comments, and the CFPB will consider the comments it receives while formulating the final rule.


The CFPB’s signal that it will enhance FCRA’s coverage of data brokers through new rules marks an important step toward imposing meaningful limitations on the ways that data brokers collect and share consumer data, especially when the data is used to make important decisions related to a consumer’s eligibility for credit. We urge the CFPB to determine that all data brokers are presumptively subject to the FCRA unless a broker can prove that it prevents the data it collects, sells, and shares from being used for any of the FCRA’s enumerated purposes. EPIC supports the CFPB’s work to empower consumers, and we continue to encourage the Bureau to prioritize the consumer’s rights over the predatory business interests of data brokers as the rulemaking process moves forward.
