At a White House Roundtable on protecting Americans from allegedly harmful “data broker” practices, Consumer Financial Protection Bureau (CFPB or Bureau) Director Rohit Chopra announced the Bureau’s intention to expand the reach of the Fair Credit Reporting Act (FCRA) to data brokers. He stated, “Next month, the CFPB will publish an outline of proposals and alternatives under consideration for a proposed rule. We’ll soon hear from small businesses, which will help us craft the rule.”

The CFPB’s proposed rulemaking follows its March 2023 public inquiry into data brokers, discussed here. According to the CFPB, “many of the more than 7,000 responses echo the same concerns raised by Congress that the FCRA was originally designed to address.” Specifically in his remarks and in the concurrently released fact sheet, Director Chopra highlighted two proposals that the Bureau is currently considering. The first proposal would define a “data broker,” or an entity that sells certain types of consumer data, as a “consumer reporting agency.” Examples cited by the CFPB of data broker sales that should be treated as consumer reports include consumer payment history, income, and criminal records. According to the CFPB, this would trigger requirements for ensuring accuracy and handling disputes of inaccurate information, as well as prohibit misuse.

A second proposal under consideration is ostensibly to address confusion around whether so-called “credit header data” is a consumer report. According to the Bureau, much of the current data broker market runs on personally identifying information taken from traditional credit reports. This includes key identifiers like name, date of birth, and Social Security numbers that are contained in consumer reports generated by the credit bureaus. The CFPB is proposing to clarify the extent to which credit header data constitutes a consumer report as a means to reduce “the ability of credit reporting companies to impermissibly disclose” certain credit header data. For example, the CFPB believes that such sales should not be permitted for targeted advertising, to train artificial intelligence (AI), or to sharpen chatbots.

Director Chopra concluded his remarks by stating that any updated rules under the FCRA can be enforced by the CFPB and state law enforcement. “The Federal Trade Commission, the Department of Transportation, the Department of Agriculture, and other agencies can enforce these rules for specific sectors under their jurisdiction.” The Bureau expects to publish a proposed rule for public comments in 2024.

Our Take

In his remarks, Director Chopra mentioned hearing from small businesses as the next step in the proposed rulemaking. For certain regulations, the CFPB — along with the Office of Advocacy in the Small Business Administration and the Office of Information and Regulatory Affairs in the Office of Management and Budget — convenes a Small Business Review Panel under the Small Business Regulatory Enforcement Fairness Act to receive feedback from small business panelists. Before the panel meets, the CFPB sends panelists an outline of the proposals under consideration, and the CFPB publishes that outline for the public. After receiving feedback from the small entity panelists, the CFPB will issue a report summarizing the feedback. Small businesses interested in participating as a panelist should contact the CFPB within the next week at CFPB_consumerreporting_rulemaking@cfpb.gov.

Following that report, the CFPB issues a notice of proposed rulemaking, which gives the broader public an opportunity to comment on a proposed rule. After considering those comments, the CFPB may make changes to the proposed rule before issuing a final rule.

Troutman Pepper will continue to monitor the CFPB’s actions in the FCRA space and provide updates.

Photo of David M. Gettings David M. Gettings

Dave is a partner of the firm who focuses on defending clients in consumer class actions and complex commercial litigation nationwide, particularly cases involving a variety of federal and state laws and regulations, including the Fair Credit Reporting Act (FCRA), the Telephone Consumer

Dave is a partner of the firm who focuses on defending clients in consumer class actions and complex commercial litigation nationwide, particularly cases involving a variety of federal and state laws and regulations, including the Fair Credit Reporting Act (FCRA), the Telephone Consumer Protection Act (TCPA) and associated FCC regulations, the Fair Debt Collection Practices Act, the Truth in Lending Act, the Electronic Fund Transfer Act, and many similar state consumer protection statutes.

Photo of Cindy D. Hanson Cindy D. Hanson

Consumer finance clients trust Cindy’s experience and skill to resolve their most challenging cases. Focused on class action defense, Cindy has handled numerous FCRA cases and is the point of contact for consumer protection defense.

Photo of Stefanie Jackman Stefanie Jackman

Stefanie takes a holistic approach to working with clients both through compliance counseling and assessment relating to consumer products and services, as well as serving as a zealous advocate in government inquiries, investigations, and consumer litigation.

Photo of Ethan G. Ostroff Ethan G. Ostroff

Ethan Ostroff’s practice focuses on financial services litigation and consumer law compliance counseling. Ethan is part of the firm’s national practice representing consumer-facing companies of all types in defense of individual and class action claims and counseling them on compliance with federal and

Ethan Ostroff’s practice focuses on financial services litigation and consumer law compliance counseling. Ethan is part of the firm’s national practice representing consumer-facing companies of all types in defense of individual and class action claims and counseling them on compliance with federal and state laws.

Photo of Kim Phan Kim Phan

Kim is a partner in the firm’s Privacy + Cyber Practice Group, where she is a privacy and data security attorney, who also assists companies with data breach prevention and response, including establishing effective security programs prior to a data breach and the

Kim is a partner in the firm’s Privacy + Cyber Practice Group, where she is a privacy and data security attorney, who also assists companies with data breach prevention and response, including establishing effective security programs prior to a data breach and the assessment of breach response obligations following a breach.

Photo of Ronald I. Raether, Jr. Ronald I. Raether, Jr.

Ron leads the firm’s Privacy + Cyber team. Drawing from nearly 30 years of experience, he provides comprehensive services to companies in all aspects of privacy, security, data use, and risk mitigation. Clients rely on his in-depth understanding of technology and its application

Ron leads the firm’s Privacy + Cyber team. Drawing from nearly 30 years of experience, he provides comprehensive services to companies in all aspects of privacy, security, data use, and risk mitigation. Clients rely on his in-depth understanding of technology and its application to their business to solve their most important challenges — from implementation and strategy to litigation and incident response. Ron and his team have redefined the boundaries of typical law firm privacy and cyber services in offering a 360 degree approach to tackling information governance issues. Their holistic services include drafting and implementing bespoke privacy programs, program implementation, licensing, financing and M&A transactions, incident response, privacy and cyber litigation, regulatory investigations, and enforcement experience.

Photo of Tim J. St. George Tim J. St. George

Tim defends institutions nationwide facing class actions and individual lawsuits. He has particular experience litigating consumer class actions, including industry-leading expertise in cases arising under the Fair Credit Reporting Act and its state law counterparts, as well as litigation arising from data breaches.

Photo of Chris Willis Chris Willis

Chris is the co-leader of the Consumer Financial Services Regulatory practice at the firm. He advises financial services institutions facing state and federal government investigations and examinations, counseling them on compliance issues including UDAP/UDAAP, credit reporting, debt collection, and fair lending, and defending…

Chris is the co-leader of the Consumer Financial Services Regulatory practice at the firm. He advises financial services institutions facing state and federal government investigations and examinations, counseling them on compliance issues including UDAP/UDAAP, credit reporting, debt collection, and fair lending, and defending them in individual and class action lawsuits brought by consumers and enforcement actions brought by government agencies.

Photo of Alan D. Wingfield Alan D. Wingfield

Alan Wingfield helps consumer-facing clients navigate compliance, litigation and regulatory risks posed by the complex web of state and federal consumer protection laws. He is a trusted advisor and tireless advocate, helping clients develop practical compliance and dispute-resolution strategies.

Photo of Chris Capurso Chris Capurso

Chris focuses his practice on consumer financial services compliance, guiding clients through the many federal and state laws and regulations that impact consumer credit programs.