Earlier this month, the Consumer Financial Protection Bureau (the “CFPB”) announced that it had issued a request for information (“RFI”) seeking public comment on “companies that track and collect information on people’s personal lives. In issuing this new Request for Information, the CFPB wants to understand the full scope and breadth of data brokers and their business practices, their impact on the daily lives of consumers, and whether they are all playing by the same rules.” The deadline for submitting comments in response to the RFI is June 13, 2023.
Through the RFI, the CFPB is seeking to (1) inform itself about new business models that involve the sale of consumer data, including information to assess whether companies using these new business models are covered by the Fair Credit Reporting Act (the “FCRA”) (whether or not such companies consider themselves to be), and (2) collect information on consumer harm and market abuses, including those that Congress was trying to address in enacting the FCRA.
What is a data broker?
The term “data brokers” has meant different things to different people historically, depending on the context. Most commonly, it has been used to describe a business that buys and sells personal information about individuals with whom the business does not have a direct relationship. A business would typically be found to have a “direct relationship” if the individual was a customer, client, subscriber, user, or registered user of the business’s goods or services or was an employee, contractor, or agent of the business. This is generally how laws such as California’s and Vermont’s data broker registration law define “data broker.” Such laws also typically include exclusions from the term, including in the case of the California law, for consumer reporting agencies regulated by the FCRA and financial institutions regulated by the Gramm-Leach-Bliley Act, and in the Vermont law, businesses that develop or maintain third-party e-commerce or application platforms, provide publicly available information related to a consumer’s business or profession, or provide publicly available information via alert services for health or safety purposes.
Interestingly, the CFPB appears to be departing from common understandings of what a “data broker” is. The RFI asserts without comment that the term encompasses “actors such as first-party data brokers that interact with consumers directly, as well as third-party data brokers with whom the consumer does not have a direct relationship.” The RFI also states that the term includes “firms that specialize in preparing employment background screening reports and credit reports” and those that “collect information from public and private sources for purposes including … credit and insurance underwriting.” In other words, consumer reporting agencies subject to regulation by the FCRA.
The FCRA was enacted in 1970 to regulate the activities of “consumer reporting agencies,” which is a term that generally means a business that for a fee, regularly assembles or evaluates certain types of personal information for certain enumerated purposes that are considered to be particularly impactful on consumers (such as employment screening, lending, insurance underwriting, and tenant screening) and delivers such information to a third party. Under the Dodd-Frank Act, the CFPB has jurisdiction to enforce violations of the FCRA.
According to the RFI, the FCRA included four key features:
- a prohibition on using or disseminating certain personal data outside prescribed permissible purposes selected by Congress;
- a requirement that consumer reporting agencies “follow reasonable procedures to assure maximum possible accuracy” of consumer reports;
- a right of consumers to inspect data about themselves; and
- due process to challenge false data.
If a business is found to be willfully violating the FCRA, plaintiffs can recover statutory damages of $100 to $1,000 per violation, in addition to punitive damages and attorney fees. In addition, the CFPB (along with other federal and state enforcement agencies) can also enforce the FCRA and recover civil penalties.
Areas of concern for the CFPB
The CFPB is concerned that, while the core provisions of the FCRA have not been materially amended since its enactment in 1970, companies “using business models that sell consumer data have emerged and evolved with the growth of the internet and advanced technology. Many companies whose business models rely on newer technologies and novel methods purport not to be covered by the FCRA.” As a result, consumers are not entitled to the FCRA’s protections when a business sells consumer data in a context that it does not consider to be regulated by the FCRA.
The RFI alludes to specific areas of concern within the data broker industry including “significant privacy and security risks, the facilitation of harassment and fraud, the lack of consumer knowledge and consent, and the spread of inaccurate information.”
Because of the CFPB’s concerns over potential violation of the FCRA and other consumer protection laws, we recommend that companies that collect, aggregate, sell, resell, license, or otherwise share consumers’ personal information with other parties consider how they can shore up their compliance posture ahead of what will likely be increased scrutiny of their practices. After providing some additional detail regarding the RFI, we offer our thoughts as to how they might do so below.
Questions Included in the RFI
The RFI seeks input from the public on the following types of questions:
- Market-level Inquiries. The CFPB seeks high-level information regarding the data broker industry and the market for their services, including:
- What types of data do data brokers collect, aggregate, sell, resell, license, derive marketable insights from, or otherwise share?
- What specific types of information do data brokers receive from financial institutions? Do financial institutions place any restrictions on the use of this data?
- How do companies collect consumer data to create, build, or refine proprietary algorithms?
- Does consumer data collected by data brokers facilitate a less competitive marketplace or more expensive financial products for consumers, and if so, how?
- What controls do data brokers implement in order to protect people’s data and safeguard the privacy and security of the public? Are these controls adequate?
- What controls do data brokers implement to ensure the quality and accuracy of data they have collected?
- How have data broker practices evolved due to new technological developments, including machine learning or other advanced computational methods?
- Individual Inquiries. In addition to questions about the data broker industry and the markets they serve, the CFPB is also seeking information regarding individuals’ experiences with data brokers, including whether the individual:
- Has experienced data broker harms, including financial harms. If so, what are those harms?
- Has ever attempted to remove their data from a specific data broker’s repository for privacy purposes. If so, the RFI asks several specific questions regarding the process for doing so.
- Has ever attempted to view or inspect their data included in a data broker’s repository. If so, the RFI asks several specific questions regarding the process for doing so.
- Has ever attempted to correct their data included in a data broker’s repository. If so, the RFI asks several specific questions regarding the process for doing so.
Suggested Next Steps
Based on the concerns that the CFPB expresses in the RFI, the focus on FCRA compliance and the nature of the questions included in the RFI, businesses such as FinTechs, data brokers serving the consumer financial services industry that do not consider themselves consumer reporting agencies, and marketing services providers serving the consumer financial services industry are all likely to be subject of CFPB scrutiny.
We suggest that any business that might reasonably fall within the CFPB’s expanded definition of “data broker,” and particularly those described in the preceding paragraph, prepare for enhanced scrutiny of its use of personal information and ensure that it is able to articulate and demonstrate how its data practices protect consumers. Specifically, we would recommend that such a business:
- Objectively and critically assess whether its products should be considered regulated by the FCRA. It is not always obvious what activities should be considered subject to the FCRA and many businesses have in good faith concluded that their products and services are not subject to it. However, given the CFPB’s focus on products and services incorporating personal information and the penalties for violating the FCRA described above, it may be time to reconsider previous positions.
- Ensure that it can articulate and demonstrate that it has reasonable controls in place to confirm the accuracy of the personal information it includes in its products and services, including in its AI-based products.
- Ensure that it can articulate and demonstrate that it has reasonable security measures in place which may include a written information security program, incident response plan, cybersecurity insurance, and process to vet the security posture of vendors or business partners receiving sensitive information.
- Evaluate what services it has to ensure consumer protection, specifically whether it:
- Allows consumers to access the personal information the business holds;
- Allows consumers to correct such personal information; and
- Allows consumers to delete such personal information.
- Evaluate the strength of its complaint-handling process, if any. Does the business document complaints it receives, whether received through its website, by email or otherwise? Does it have a standard operating procedure for responding to and resolving such complaints? Does it track how each complaint is resolved? Having such controls in place will allow businesses to demonstrate to the CFPB that it takes consumer complaints seriously.
Privacy World will continue to monitor developments regarding this RFI and CFPB activity in this space.