CRL Supports CFPB Proposal to Limit Data Brokers from Selling Personal Information

Washington, DC – The Consumer Financial Protection Bureau (CFPB) has proposed a rule to rein in data brokers that sell Americans' sensitive personal and financial information.

The proposed rule would limit the sale of personal identifiers like Social Security and phone numbers collected by certain companies and make sure that financial data, such as a person's income, is only shared for legitimate purposes, like facilitating a mortgage approval, and not sold to scammers targeting those in financial distress.

The proposal makes clear that when data brokers sell certain sensitive consumer information they are "consumer reporting agencies" under the Fair Credit Reporting Act, requiring them to comply with accuracy requirements, provide consumers access to their information, and maintain safeguards against misuse. Mitria Spotser, director of federal policy at the Center for Responsible Lending (CRL) released the following statement:

“It’s vital that Americans are protected from privacy intrusions, hacking, deceptive internet marketing schemes and other online threats,” said Mitria Spotser, director of federal policy for the Center for Responsible Lending (CRL). “We applaud the CFPB for doing its job and adding rules and guardrails that respect and preserve the privacy of the vast datasets of information data brokers collect about each of us. We urge the incoming administration to finalize this important rule from the Consumer Bureau.”

Background

The data broker industry collects and sells detailed information about Americans' personal lives and financial circumstances to anyone willing to pay. Congress enacted the Fair Credit Reporting Act (FCRA), one of the first data privacy laws in the world, in 1970 to, among other things, strictly limit the use of personal data by a growing data surveillance industry. The proposed rule would:

• Treat data brokers just like credit bureaus and background check companies: Companies that sell data about income or financial tier, credit history, credit score, or debt payments would be considered consumer reporting agencies required to comply with the FCRA, regardless of how the information is used.
• Protect consumers' personal identifiers from abuse and misuse: When consumer reporting agencies collect information like names, addresses, or ages for credit reports, any subsequent sale of that information would be covered by the FCRA's protections.
• Require clear consumer consent for data sharing: Under the proposed rule, companies relying on consumers’ consent to obtain or share a consumer’s credit report would need separate, explicit authorization to do so, rather than burying permissions in fine print.

###

Press Contact: Alfred King alfred.king@responsiblelending.org