The Consumer Financial Protection Bureau (“CFPB”) has withdrawn its proposed rule that would have expanded the Fair Credit Reporting Act (“FCRA”) to cover a broad swath of data broker activities. The notice, published in the Federal Register on May 15, 2025, came in the wake of the controversial dismissal of all but three hundred CFPB employees and provides some regulatory clarity for businesses in the financial services, data broker, and advertising technology industries.

The Proposed Rule

The CFPB’s December 2024 proposal aimed to bring many data brokers under the FCRA by treating the sale of certain personal and financial information — such as income, credit history, and debt payments — as activities of a “consumer reporting agency.” This would have imposed new obligations, including requiring explicit consumer consent for data sharing and restricting the purposes for which such data could be sold or used. The rule was designed to address concerns about national security, surveillance, and consumer harm, and would have required data brokers to comply with FCRA requirements even if the data was not intended for credit eligibility purposes.

Why the CFPB Withdrew the Rule

According to the withdrawal notice, the CFPB determined that rulemaking was “not necessary or appropriate at this time.” It claimed that the proposed rule did not align with the agency’s current interpretation of the FCRA, which is itself under revision. The CFPB also cited questions raised by commenters about its statutory authority and substantive concerns about the rule’s scope and compliance burdens.

The CFPB signaled it may revisit the issue in the future, but it is unlikely that we see further developments in this area at the federal level during this administration.

What this Means for Businesses

The withdrawal of the data broker rule provides immediate regulatory relief, but it does not eliminate all compliance risks or future uncertainty:

No Expansion of FCRA for Data Brokers, For Now.

The status quo remains, with the FCRA applying only to traditional consumer reporting agencies and their defined activities.

State and Other Federal Laws Still Apply. While the CFPB’s proposal is no longer under consideration, state data privacy laws, such as the data broker laws in California, Oregon, Texas, and Vermont, and existing federal requirements from the Federal Trade Commission remain in effect. Businesses must ensure compliance with these frameworks.

Public and Political Pressure Remains. Privacy advocates and policymakers continue to push for stricter oversight of data brokers, citing risks to national security, consumer safety, and individual privacy. The regulatory environment will likely shift again with changes in political leadership or agency priorities.