The Consumer Financial Protection Bureau (CFPB) announced this week that it intends to increase scrutiny of data brokers to better protect service members, law enforcement officials, domestic violence victims, senior citizens, and other populations from surveillance, doxing, fraud, and threats of violence that arise when cyber threat actors purchase personal and financial information from data brokers through legitimate means. The CFPB proposed updated regulations that would make data brokers subject to the Fair Credit Reporting Act’s (FCRA) accuracy requirements and restrict the sale of certain data, such as FICO scores and “credit header” information (Social Security numbers, addresses, and telephone numbers), to purposes allowed under the FCRA, i.e., loan application checks and prevention of fraud. Currently, the FCRA applies to consumer credit reporting agencies (e.g., Equifax, Experian, and TransUnion), but the CFPB seeks to broaden its reach to data brokers, too.

The proposed regulations would also require data brokers that sell consumer data to obtain consent through explicit disclosures to consumers. Further, the proposed regulations would explicitly prohibit the use of covered data for marketing purposes.

In the press release, CFPB Director Rohit Chopra said, “By selling our most sensitive personal data without our knowledge or consent, data brokers can profit by enabling scamming, stalking, and spying. The CFPB’s proposed rule will curtail these practices that threaten our personal safety and undermine America’s national security.”

We’ll watch this rule closely to see how far it gets. The final decision on this rule will rest with the new head of the CFPB, who will be President-elect Donald Trump’s pick for that role. While the incoming administration is expected to lessen regulatory restraints on businesses, the proposed rule is supported by law enforcement, national security officials, and lawmakers from both parties, which may improve this CFPB regulation’s chances of survival. Public comments close on March 3, 2025.

Kathryn Rattigan

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island.