CFPB Requests Information About Data Brokers for Planned Rulemaking
The Consumer Financial Protection Bureau (CFPB) announced on March 15, 2023, that it is issuing a Request for Information (RFI) about the business practices of data brokers, which the agency said will assist it in "planned rulemaking" under the Fair Credit Reporting Act (FCRA). The CFPB has explained it is seeking information on (1) "new business models that sell consumer data," including information relevant to assessments of whether companies using these new business models are covered by the FCRA, and (2) "consumer harm and any market abuses, including those that resemble harms Congress originally identified . . . in passing the FCRA."
The CFPB's Request for Information
Noting that the FCRA was first passed in 1970, the CFPB explains that "companies using business models that sell consumer data have emerged and evolved with the growth of the internet and advanced technology," describing these companies as "data brokers," "data aggregators," or "platforms." The notice states that many such companies that "rely on newer technologies and novel methods purport not to be covered by the FCRA," but "share a fundamental characteristic" with "consumer reporting agencies," which are regulated by the FCRA—"they collect and sell personal data."
The Request for Information describes "data brokers" as entities "that collect, aggregate, sell, resell, license, or otherwise share consumers' personal information with other parties," including "first-party data brokers that interact with consumers directly, as well as third-party data brokers with whom the consumer does not have a direct relationship." The notice explains that such data brokers "collect information from public and private sources for purposes including marketing and advertising, building and refining proprietary algorithms, credit and insurance underwriting, consumer-authorized data porting, fraud detection, criminal background checks, identity verification, and people search databases."
In an effort "to gain insight into the full scope of the data broker industry," the CFPB poses questions on a variety of topics, such as the following:
- Types and Sources of Data. The notice seeks information regarding the types and sources of information collected by data brokers, including what data brokers do with various types of information as well as the collection methods and technologies they use to source information.
- Relationships With Other Entities. The notice poses questions about data brokers' relationships with other entities, such as financial institutions, vendors, investors, and customers.
- Privacy, Security, and Accuracy Controls. The notice seeks information on any controls data brokers implement to protect people's data and privacy, including any controls determining who can purchase or obtain information from data brokers. The notice also requests information about any controls to ensure the quality and accuracy of the data that data brokers have collected.
- Influence on Consumer Behavior. The request asks for information on whether the "granular nature" of data brokers' collection of information regarding consumer preferences and behavior influences consumers' "purchasing patterns or level of indebtedness."
- Algorithms and Machine Learning. The notice seeks information about how data brokers create, build, or refine proprietary algorithms, as well as how new technological developments (such as machine learning (ML)) have influenced data brokers' businesses.
Takeaways
The CFPB's Request for Information underscores its ongoing monitoring of data brokers and signals that the agency may engage in rulemaking activity to bring under the FCRA a number of data brokers that have not previously been understood to be subject to the law. Given the significance of any such change in the law, data brokers and data aggregators should monitor and consider participating in the CFPB's rulemaking process.
Public comments must be submitted by June 13, 2023.
© 2023 Perkins Coie LLP