AGENCY:

Bureau of Consumer Financial Protection.

ACTION:

Request for public comment.

SUMMARY:

The Consumer Financial Protection Bureau (CFPB) is seeking comments from the public related to data brokers. The submissions in response to this request for information will serve to assist the CFPB and policymakers in understanding the current state of business practices in exercising enforcement, supervision, regulatory, and other authorities.

DATES:

Comments must be received on or before June 13, 2023.

ADDRESSES:

You may submit comments, identified by Docket No. CFPB-2023-0020, by any of the following methods: Start Printed Page 16952

• Federal eRulemaking Portal: https://www.regulations.gov. Follow the instructions for submitting comments.

• Email: DataBrokersRFI_2023@cfpb.gov. Include the document title and Docket No. CFPB-2023-0020 in the subject line of the message.

• Mail/Hand Delivery/Courier: Comment Intake, Request for Information Regarding Data Brokers, Consumer Financial Protection Bureau, c/o Legal Division Docket Manager, 1700 G Street NW, Washington, DC 20552. Because paper mail in the Washington, DC area and at the CFPB is subject to delay, commenters are encouraged to submit comments electronically.

Instructions: The CFPB encourages the early submission of comments. All submissions should include the agency name and docket number for this request for information. Please note the number of the topic on which you are commenting at the top of each response (you do not need to address all topics.) In general, all comments received will be posted without change to https://www.regulations.gov. All comments, including attachments and other supporting materials, will become part of the public record and subject to public disclosure. Sensitive personal information, such as account numbers or Social Security numbers, should not be included. Comments generally will not be edited to remove any identifying or contact information.

FOR FURTHER INFORMATION CONTACT:

Erie Meyer, Chief Technologist and Senior Advisor, Office of the Director; Davida Farrar, Counsel, Office of Consumer Populations at 202-435-7700. If you require this document in an alternative electronic format, please contact CFPB_Accessibility@cfpb.gov.

SUPPLEMENTARY INFORMATION:

I. Background

In 1970, Congress enacted the Fair Credit Reporting Act (FCRA),^[1] one of the first data privacy laws in the world. The primary sponsor of the legislation, Senator William Proxmire, at the time publicly described an emerging consumer reporting market involving the dissemination of a wide range of information about Americans, including financial status, bill paying records, public records including arrests, suits, and judgments, dossiers, information on drinking, marital discords, adulterous behavior, general reputation, habits, and morals. The Senator stressed that “while the growth of this information network is somewhat alarming, what is even more alarming is the fact that the system has been built with virtually no public regulation or supervision.” ^[2]

Before voting on the FCRA, Congress held a series of investigative hearings and uncovered a wide variety of abuses in the industry. For example, Congress found that many consumers were unaware of the existence of the industry because non-disclosure agreements between consumer reporting agencies and users hid the arrangement behind a shroud of secrecy.^[3] In addition, the hearings revealed the practice of including disclaimers of accuracy in agreements between consumer reporting agencies and creditors; before the FCRA, consumer reporting agencies purported to be mere transmitters of information who were not responsible for accuracy.^[4] Congress also criticized the fact that consumers were not given access to their credit reports,^[5] and that credit reports often included obsolete or irrelevant information.^[6]

Ultimately, Congress found that consumer reporting agencies assumed a vital role in assembling and evaluating consumer credit and other information on consumers to meet the needs of commerce, but that rules were necessary to ensure they handed information fairly and equitably with regard to confidentiality, accuracy, relevancy, and proper use.^[7] The FCRA established comprehensive rules to govern the practices of consumer reporting agencies, including four key features: (1) a prohibition on using or disseminating certain personal data outside prescribed permissible purposes selected by Congress,^[8] (2) a requirement that consumer reporting agencies “follow reasonable procedures to assure maximum possible accuracy” of consumer reports,^[9] (3) a right of consumers to inspect data about themselves,^[10] and (4) due process to challenge false data.^[11]

The FCRA still remains on the books and has been amended from time to time.^[12] But since the enactment of the FCRA, companies using business models that sell consumer data have emerged and evolved with the growth of the internet and advanced technology. Many companies whose business models rely on newer technologies and novel methods purport not to be covered by the FCRA. These companies are sometimes labeled “data brokers,” “data aggregators,” or “platforms,” but they all share a fundamental characteristic with consumer reporting agencies—they collect and sell personal data.

With the passage of the Consumer Financial Protection Act (CFPA), Congress transferred rulemaking authority for most provisions of the FCRA from the Federal Trade Commission to the CFPB. The CFPA granted the CFPB the authority to enforce the FCRA along with other Federal regulators.^[13] The CFPA also granted the CFPB various additional authorities that may be applicable to companies that collect and sell personal data, including, for example, authorities pursuant to the Gramm-Leach Bliley Act's privacy provisions.^[14] The CFPB has used its authority to address unfair or deceptive acts or practices related to the handling of consumer data.^[15]

This request for information is seeking information to (1) help inform the CFPB about new business models that sell consumer data, including information relevant to assessments of whether companies using these new business models are covered by the FCRA, given the FCRA's broad definitions of “consumer report” and “consumer reporting agency,” ^[16] or other statutory authorities, and (2) collect information on consumer harm and any market abuses, including those that resemble harms Congress originally identified in 1970 in passing the FCRA.

II. Overview

Data brokers is an umbrella term to describe firms that collect, aggregate, sell, resell, license, or otherwise share consumers' personal information with other parties. Data brokers encompass actors such as first-party data brokers Start Printed Page 16953 that interact with consumers directly, as well as third-party data brokers with whom the consumer does not have a direct relationship. Data brokers include firms that specialize in preparing employment background screening reports and credit reports. Data brokers collect information from public and private sources for purposes including marketing and advertising, building and refining proprietary algorithms, credit and insurance underwriting, consumer-authorized data porting, fraud detection, criminal background checks, identity verification, and people search databases.^[17]

As part of the CFPB's statutory mandate to promote fair, transparent, and competitive markets for consumer financial products and services, this request for information is part of a series of efforts to examine data collection and use. In addition to supervision of consumer reporting agencies, including the three largest nationwide consumer reporting agencies, the CFPB endeavors to gain insight into the full scope of the data broker industry. The data broker industry is growing and expanding its reach into new spheres of consumers' personal lives, as more sophisticated computerization has increased the power of these companies to track and predict consumer behavior. Yet, many people lack an understanding of the scope and breadth of data brokers' business practices and the impact of those practices on the marketplace and peoples' daily lives.

The CFPB seeks to better understand the heterogeneity of these firms and to assist firms in understanding any compliance obligations under the FCRA and other laws as appropriate.

Data brokers collect or share a vast range of information, often building profiles of individuals by delving into the details of consumers' everyday interactions, including credit card purchases and web browsing activity. Data brokers also collect other types of sensitive and intimate personal information such as genetic and health information, religious affiliation, financial records, and geolocation data.^[18]

Government agencies, technology and privacy experts, financial institutions, consumer advocates, and others have identified numerous consumer harms and abuses related to the operation of data brokers, including significant privacy and security risks, the facilitation of harassment and fraud, the lack of consumer knowledge and consent, and the spread of inaccurate information.^[19]

People should be able to expect companies to safeguard their most personal and intimate information, and should be able to have knowledge and control over how companies obtain and use their data. Surveys have found that people are concerned about being tracked and surveilled by companies, and express concern about the lack of control over how data collected about them is used.^[20]

While observers have documented the increasing role of data brokers in the economy, there is still relatively limited public understanding of their operations and other impacts.

III. Request for Information

This request for information seeks comments from the public on data brokers. The CFPB welcomes stakeholders to submit data, analysis, research, and other information about data brokers. The CFPB also requests input from individuals who have interacted with or have been affected by data broker business practices. To assist commenters in developing responses, the CFPB has crafted the below questions that commenters may answer. However, the CFPB is interested in receiving any comments relating to data brokers.

Market-Level Inquiries

1. What types of data do data brokers collect, aggregate, sell, resell, license, derive marketable insights from, or otherwise share?

a. What do data brokers do with the data they collect other than the aggregation, selling, reselling, or licensing of data?

b. Please provide information about specific types of data that are financial in nature, such as information about salary, income sources, spending, investments, assets, use of financial products or services, investments, signals of financial distress, etc.

2. What sources do data brokers rely on to collect information? What collection methods do data brokers use to source information?

a. What specific types of information do data brokers obtain from public records databases? Which public records sources do data brokers use?

b. Are people unknowingly deceived or manipulated into supplying data to data brokers? Describe the nature of such deception or manipulation.

c. What technological components facilitate brokers' collection of data, including but not limited to: tracking scripts, web-based plug-ins, pixels, or software development kits (SDKs) in Apps?

3. What specific types of information do data brokers receive from financial institutions? Do financial institutions place any restrictions on the use of this data? Under what circumstances do consumers consent to this data sharing or receive an opportunity to opt-out of this sharing?

4. What specific entities and types of entities have relationships ( e.g., partnerships, vendor relationships, investor relationships, joint ventures, retail arrangements, data share agreements, third-party pixel usage) with data brokers? Describe the nature of those relationships and any relevant financial arrangements pursuant to such relationships.

5. Which specific entities and types of entities collect, aggregate, sell, resell, license, or otherwise share consumers' personal information with other parties?

6. Does the granular nature of data brokers' collection of information related to consumer preferences and behaviors influence consumer purchasing patterns or levels of indebtedness? Describe the nature of such collection and how it may influence purchasing patterns.

7. How do companies collect consumer data to create, build, or refine proprietary algorithms?

8. Does consumer data collected by data brokers facilitate a less competitive marketplace or more expensive financial products for consumers, and if so, how?

9. Can people avoid having their data collected?

a. Are there certain special populations that are less likely to be able to exercise control over the collection, aggregation, sale, resale, licensing, or other sharing of their data?

b. If so, which special populations and why?

10. Under what circumstances is deidentified, “anonymized,” or Start Printed Page 16954 aggregated data reidentified or disaggregated?

11. Can people reasonably avoid adverse consequences resulting from data collection across different contexts ( e.g., cross-device tracking, re-identification, mobile fingerprint matching)?

12. Which specific entities and types of entities purchase data from data brokers? How do these entities use the purchased data?

a. What specific uses concern marketing, decisioning, fraud detection, or servicing related to consumer financial products and services?

b. What, if any, restrictions do data brokers impose on the use of such data?

13. What data broker practices cause harms to people? What are those harms and types of harms?

a. Are there certain special populations that are more likely to experience harms? If so, which special populations and why?

b. Are data brokers selling, reselling, or licensing information about particular groups, including certain protected classes? If so, what are examples of this behavior?

c. What harms do people experience if they are unable to remove their information from data broker repositories?

14. What data broker practices provide benefits to people? What are those benefits?

15. What actions can people take to gain knowledge or control over data, or correct data that is collected, aggregated, sold, resold, licensed, or otherwise shared about them?

16. How can and does the activity of data brokers and their clients impact consumers beyond those whose data were collected or used by that data broker? How, if at all, can consumers reasonably avoid being targeted or influenced based on the activities of data brokers and their clients, even if they are able to avoid or opt-out of having their own data collected?

17. What information do State-level data broker registries provide? How is this information made available and used? Are State-level data broker registries adequate to prevent harm? How could they be improved?

18. What controls do data brokers implement in order to protect people's data and safeguard the privacy and security of the public? Are these controls adequate?

a. What controls exist related to who can purchase or obtain information from data brokers?

b. Are these controls adequate?

19. What controls do data brokers implement to ensure the quality and accuracy of data they have collected?

a. What controls exist related to ensuring the quality and accuracy of public records data, including court records?

b. Are these controls adequate?

20. How have data broker practices evolved due to new technological developments, including machine learning or other advanced computational methods?

21. Are there companies or other entities that help consumers understand and manage their relationship to, and rights with respect to, data brokers? If not, why not? What factors could further help such consumer-assisting companies and entities?

22. How might the CFPB use its supervision, enforcement, research, rulemaking, or consumer complaint functions with respect to data brokers and related harms?

Individual Inquiries

1. Have you experienced data broker harms, including financial harms? What are those harms?

2. Have you experienced data broker benefits? What are those benefits?

3. Are you able to detect whether harms or benefits are tied to a specific data broker? Are existing methods of detection adequate?

4. Have you ever attempted to remove your data from a specific data broker's repository for privacy purposes? If so,

a. Describe your experience engaging with the data broker in question.

b. What steps were you required to take to request the removal of your data? Did you face any hurdles in filing the data removal request? Did the data broker honor your request?

c. Was your information removed immediately, and if not, how long did the removal take?

d. Were you asked to share additional information with the data broker to have your data removed?

e. Were you charged a fee by the data broker to have your data removed?

f. Did you spend money on another service to help you get your data removed? Was it helpful?

g. If your data removal request was successful, did you receive advertising to remove your data from other sites?

h. When you found your information on data broker websites, how did that make you feel?

5. Have you ever attempted to view or inspect the data maintained about you? If so, describe your experience.

a. What steps were you required to take to view or inspect your data?

b. Did you face any hurdles in filing the request to view or inspect your data?

c. Did the data broker honor your request?

6. Have you ever attempted to correct your data? If so, describe your experience.

a. What steps were you required to take to request correcting your data?

b. Did you face any hurdles in filing the data correction request?

c. Did the data broker honor your request?

7. Have you taken any other steps to protect your privacy or security as a result of data broker harms? Were these steps adequate?

Footnotes