The Consumer Financial Protection Bureau wants to propose new regulations that would require data brokers to comply with the Fair Credit Reporting Act. In a speech at the white house Earlier this month, CFPB Director Rohit Chopra said the agency is studying policies to “ensure greater accountability” for companies that buy and sell consumer data, according to a executive order President Joe Biden issued in late February.
Chopra said the agency is considering proposals that would define data brokers that sell certain types of data as “consumer reporting agencies,” thereby requiring those companies to comply with the Fair Credit Reporting Act (FCRA). The statute prohibits sharing certain types of data (for example, your credit report) with entities unless it serves a specific purpose described in the law (for example, if the report is used for employment purposes or to extend a line of credit to someone).
The CFBP views the buying and selling of consumer data as a matter of national security, not just a matter of privacy. Chopra cited three massive data breaches — the 2015 Anthem breach, the 2017 Equifax hack, and the 2018 Marriott breach — as examples of foreign adversaries illicitly obtaining personal data from Americans. “When Americans' health information, financial information, and even travel locations can be gathered into detailed records, it's no surprise that this creates risks when it comes to security,” Chopra said. But the focus on high-profile hacks obscures a more widespread and entirely legal phenomenon: the ability of data brokers to sell detailed personal information to anyone willing to pay for it.
Citing the February executive order, Chopra noted that data brokers can sell data to “countries of interest, or entities controlled by those countries, and may fall into the hands of foreign intelligence services, militaries or other companies controlled by foreign governments.” . In other words, instead of hacking into hotel chains and credit bureaus to gain access to the personal data of millions of Americans, intelligence agencies can buy information that is just as detailed, if not more detailed.
“For example, data brokers can make it easier to target individuals by allowing entities to purchase lists that match multiple categories, such as 'Intelligence and Counterterrorism' with 'substance abuse,' 'heavy drinker,' or even 'late'. in paying bills,'” Chopra said. saying. “In other contexts, entities can purchase records for a few cents per person, allowing relatively small investments to be leveraged for mass collection.” Put another way, the White House is concerned that America's adversaries (most explicitly China) could use Americans' data to identify targets for blackmail and surveillance.
The government is increasingly concerned about foreign governments' access to Americans' data. In March, the House passed a bill that would prohibit data brokers from selling Americans' personally identifiable information to “any entity controlled by a foreign adversary.” Under the Americans' Data Protection from Foreign Adversaries Act, data brokers would face sanctions from the Federal Trade Commission if they sell sensitive information, such as location or health data, to any person or company based in certain countries. The Senate has yet to vote on the bill.
US government agencies also rely on data brokers to monitor Americans. In 2022, the American Civil Liberties Union released a series of documents showing how the Department of Homeland Security used location data to track the movement of millions of cell phones (and the people who own them) within the United States.
