On December 3, 2024, the Consumer Financial Protection Bureau (“CFPB”) proposed a rule to limit the sale of personal information by data brokers. Per the CFPB, the proposed rule would “make sure people’s financial data is only shared for legitimate purposes . . . and not sold to scammers targeting those in financial distress.” 

Reasoning

The CFPB states it developed the proposed rule based on “extensive monitoring that revealed widespread evasion of consumer protections” by data brokers that “routinely sidestep the FCRA by claiming they aren’t subject to its requirements.” This has raised CFPB concerns regarding national security and surveillance risks, criminal exploitation of consumers, and risks of violence or personal threats to law enforcement and domestic violence survivors. 

Obligations

The proposed rule would clarify obligations for data brokers including: 

• Data brokers to be treated as credit bureaus: Where data brokers sell data about income or financial tier, credit history, credit score, or debt payments, they would be considered consumer reporting agencies. As such, they would be required to comply with the FCRA, regardless of how the information is used. Additionally, the New York Department of Financial Services has additional requirements for credit reporting agencies including registration obligations and certain prohibited practices. 
• Consumer information must be protected: Where consumer reporting agencies collect certain information such as names, addresses, or ages for credit reports, a subsequent sale of that information would be covered by the FCRA’s protections.
• Consumer consent required for data sharing: Companies that rely on consumer consent to obtain or share a consumer’s credit report would need separate, explicit authorization to do so. Authorizations could not be “buried in fine print.” 

It is not known how the new administration will view this proposed rule. Individuals interested in submitting public comments should do so on or before March 3, 2025.