The Consumer Financial Protection Bureau wants to propose new regulations that would require data brokers to comply with the Fair Credit Reporting Act. Speaking at the White House earlier this month, CFPB Director Rohit Chopra said the agency was working on policies to “ensure compliance with the purchase and sale of consumer goods” under an executive order issued by President Joe Biden in late February. Companies that use data should take greater responsibility.”
Chopra said the agency is considering a proposal to define data brokers that sell certain types of data as “consumer reporting agencies,” thereby requiring those companies to comply with the Fair Credit Reporting Act (FCRA). The regulations prohibit sharing certain types of data (such as your credit report) with entities unless they serve a specific purpose specified by law (for example, if the report is used for employment purposes or to extend a line of credit to someone).
CFBP views the buying and selling of consumer data as a national security issue, not just a privacy issue. Chopra cited three large-scale data breaches — the 2015 Anthem breach, the 2017 Equifax hack and the 2018 Marriott breach — as examples of foreign adversaries illegally obtaining Americans’ personal data. “When Americans’ health information, financial information, and even their travel movements can be compiled into detailed profiles, it’s no surprise that this increases security risks,” Chopra said. But for the much-discussed The focus on high-profile hacks obscures a much more common and entirely legitimate phenomenon: the ability of data brokers to sell detailed personal information to anyone willing to pay.
Citing the February executive order, Chopra noted that data brokers can sell data to “concerned countries or entities controlled by those countries, and the data could fall into the hands of foreign intelligence services, militaries, or other companies controlled by foreign governments.” Change In short, instead of hacking hotel chains and credit reporting agencies to obtain the personal data of millions of Americans, intelligence agencies could purchase just as detailed (or even more detailed) information.
“For example, data brokers could facilitate the targeting of individuals by allowing entities to purchase listings that match multiple categories, such as ‘intelligence and counterterrorism’ versus ‘substance abuse,’ ‘alcoholics’ or even ‘bill delinquent,'” Chopra explain. “In other cases, entities can purchase records for pennies per person, allowing for large-scale collections with relatively small investments.” In other words, the White House is worried about U.S. adversaries — most notably China — —Americans’ data can be exploited to identify targets for extortion and surveillance.
The government is increasingly concerned about foreign governments gaining access to Americans’ data. In March, the House of Representatives passed a bill that would ban data brokers from selling Americans’ personally identifiable information to “any entity controlled by a foreign adversary.” Under the Protecting Americans’ Data from Foreign Adversaries Act, data brokers face penalties from the Federal Trade Commission if they sell sensitive information, such as location or health data, to any person or company in certain countries. The Senate has yet to vote on the bill.
U.S. government agencies also rely on data brokers to spy on Americans. In 2022, the American Civil Liberties Union released a series of documents showing how the Department of Homeland Security uses location data to track the movements of millions of cellphones and their owners across the United States.