On March 15, the Consumer Financial Protection Bureau (CFPB) issued a Request for Information (Request) seeking public comment on the business practices of data brokers and how they impact the daily lives of consumers. Specifically, the CFPB is interested in hearing details about the types of data that data brokers collect and sell, as well as the sources they rely upon. This data will be used to inform the CFPB’s planned rulemaking under the Fair Credit Reporting Act (FCRA).

As discussed here, the CFPB forecasted this development in its 2022 Fall Rulemaking Agenda where it cryptically stated it was “considering whether to amend Regulation V.”

The Request defines data brokers as “firms that collect, aggregate, sell, resell, license, or otherwise share consumers’ personal information with other parties.” Such personal information can include details of consumers’ credit card purchases, web browsing activities, genetic and health information, religious affiliation, financial records, and geolocation data. According to the CFPB, this data is then used for “purposes including marketing and advertising, building and refining proprietary algorithms, credit and insurance underwriting, consumer-authorized data porting, fraud detection, criminal background checks, identity verification, and people search databases.”

In the press release that accompanied the release of the Request, CFPB Director Chopra stated, “[m]odern data surveillance practices have allowed companies to hover over our digital lives and monetize our most sensitive data. Our inquiry will inform whether rules under the [FCRA] reflect these market realities.” Notably, the CFPB previews its legal position, stating that the FCRA broadly applies to “data brokers like credit reporting companies and background screening firms, as well as those who report information to these firms.”

On this basis, the CFPB is seeking information about:

  • The data broker industry.
    • What types of data do data brokers collect and what do they do with the data other than reselling or licensing it?
    • What sources do data brokers rely on to collect information? Specifically, what information does data brokers receive from financial institutions?
    • Which entities purchase data?
    • What controls are in place to ensure the accuracy of the data collected?
    • Can people avoid having their data collected?
    • What controls are in place to protect people’s data and safeguard their privacy?
  • The consumer experience.
    • Have consumers experienced harms or benefits from the data broker industry?
    • Have consumers ever attempted to view, correct, or remove data from a broker’s repository for privacy purposes?

The request will be published in the Federal Register and the public will have until June 13 to submit comments.

Our Take

The prevailing industry view is that not all the data uses enumerated by the CFPB in its Request are regulated by the FCRA. Accordingly, the agency may well encounter judicial resistance to its proposed amendment to Regulation V. For instance, as the Fifth Circuit stated in its decision denying a CFPB civil investigation demand in CFPB v. The Source for Public Data, L.P., “the CFPB does not have ‘unfettered authority to cast about for potential wrongdoing.'”

Any perceived overreaching could also add fuel to certain Republican members of Congress who recently set forth proposals to reform the agency, as discussed here.

We will continue to monitor these developments and the Request for comments.

Photo of David N. Anthony David N. Anthony

David Anthony handles litigation against consumer financial services businesses and other highly regulated companies across the United States. He is a strategic thinker who balances his extensive litigation experience with practical business advice to solve companies’ hardest problems.

Photo of Cindy D. Hanson Cindy D. Hanson

Consumer finance clients trust Cindy’s experience and skill to resolve their most challenging cases. Focused on class action defense, Cindy has handled numerous FCRA cases and is the point of contact for consumer protection defense.

Photo of Ethan G. Ostroff Ethan G. Ostroff

Ethan Ostroff’s practice focuses on financial services litigation and consumer law compliance counseling. Ethan is part of the firm’s national practice representing consumer-facing companies of all types in defense of individual and class action claims and counseling them on compliance with federal and

Ethan Ostroff’s practice focuses on financial services litigation and consumer law compliance counseling. Ethan is part of the firm’s national practice representing consumer-facing companies of all types in defense of individual and class action claims and counseling them on compliance with federal and state laws.

Photo of Kim Phan Kim Phan

Kim is a partner in the firm’s Privacy + Cyber Practice Group, where she is a privacy and data security attorney, who also assists companies with data breach prevention and response, including establishing effective security programs prior to a data breach and the

Kim is a partner in the firm’s Privacy + Cyber Practice Group, where she is a privacy and data security attorney, who also assists companies with data breach prevention and response, including establishing effective security programs prior to a data breach and the assessment of breach response obligations following a breach.

Photo of Ronald I. Raether, Jr. Ronald I. Raether, Jr.

Ron leads the firm’s Privacy + Cyber team. Drawing from nearly 30 years of experience, he provides comprehensive services to companies in all aspects of privacy, security, data use, and risk mitigation. Clients rely on his in-depth understanding of technology and its application

Ron leads the firm’s Privacy + Cyber team. Drawing from nearly 30 years of experience, he provides comprehensive services to companies in all aspects of privacy, security, data use, and risk mitigation. Clients rely on his in-depth understanding of technology and its application to their business to solve their most important challenges — from implementation and strategy to litigation and incident response. Ron and his team have redefined the boundaries of typical law firm privacy and cyber services in offering a 360 degree approach to tackling information governance issues. Their holistic services include drafting and implementing bespoke privacy programs, program implementation, licensing, financing and M&A transactions, incident response, privacy and cyber litigation, regulatory investigations, and enforcement experience.

Photo of Tim J. St. George Tim J. St. George

Tim defends institutions nationwide facing class actions and individual lawsuits. He has particular experience litigating consumer class actions, including industry-leading expertise in cases arising under the Fair Credit Reporting Act and its state law counterparts, as well as litigation arising from data breaches.

Photo of Alan D. Wingfield Alan D. Wingfield

Alan Wingfield helps consumer-facing clients navigate compliance, litigation and regulatory risks posed by the complex web of state and federal consumer protection laws. He is a trusted advisor and tireless advocate, helping clients develop practical compliance and dispute-resolution strategies.