Like most people, I worry about unscrupulous people getting my personal information and using it in harmful ways.
Hopefully, a rule the Consumer Financial Protection Bureau is proposing will help protect consumers’ information.
The rule would limit the sale of personal identifiers such as Social Security numbers and phone numbers collected by certain companies and make sure that people’s financial data, such as income, is only shared for legitimate purposes like facilitating a mortgage approval, and not sold to scammers targeting people in financial distress.
It would make clear that when data brokers sell certain sensitive consumer information, they’re “consumer reporting agencies” under the Fair Credit Reporting Act, or FCRA, requiring them to comply with accuracy requirements, provide consumers access to their information, and maintain safeguards against misuse.
“By selling our most sensitive personal data without our knowledge or consent, data brokers can profit by enabling scamming, stalking, and spying,” CFPB Director Rohit Chopra said in a statement. “The CFPB’s proposed rule will curtail these practices that threaten our personal safety and undermine America’s national security.”
The data broker industry collects and sells detailed information about Americans’ personal lives and financial circumstances to anyone willing to pay, Chopra said.
The CFPB’s proposal would ensure data brokers comply with federal law and would:
- Treat data brokers like credit bureaus and background check companies: Companies that sell data about income, credit history, credit score, or debt payments would be considered consumer reporting agencies required to comply with the FCRA, regardless of how the information is used.
- Protect consumers’ personal identifiers from abuse and misuse: When consumer reporting agencies collect information such as names, addresses, or ages for credit reports, any later sale of that information would be covered by the FCRA's protections.
- Require consumer consent for data sharing: Under the proposed rule, companies relying on consumers’ consent to obtain or share a consumer’s credit report would need separate, explicit authorization, rather than burying permissions in fine print.
These changes would significantly limit the ability of data brokers to sell sensitive contact information that could be used to target, harass, or dox individuals seeking privacy protection, including domestic violence survivors, he said.
The proposed rule is part of a broader government-wide initiative to protect Americans' sensitive personal data, including recent executive orders and actions by other federal agencies. In October, the U.S. Department of Justice proposed a rule to prevent access to Americans’ sensitive personal data by Russia, Iran, China, and other countries of concern.
“It’s vital that Americans are protected from privacy intrusions, hacking, deceptive internet marketing schemes and other online threats,” Mitria Spotser, director of federal policy for the Center for Responsible Lending, an advocacy organization, said in a statement. “We applaud the CFPB for doing its job and adding rules and guardrails that respect and preserve the privacy of the vast datasets of information data brokers collect about each of us.”
Spotser said the center urges the Trump administration to finalize this important CFPB rule.
Yes, hopefully, the incoming administration will do something positive for consumers and recognize the importance of this rule. Smaller government and government with fewer rules are poor goals if consumers continue to be harmed.





Or the US (a veto proof majority of Congress) could simply make it a crime to sell that data at all, couldn’t it? Or would that be too extreme a protection of “consumers” or those who have to deal w/the effects of identity theft (with few to no affordable/realistic civil remedies against those who make theft likely/possible)? As it is, the US gov’t has yet to draft & approve legislation that would make corporations that require confidential data (health insurers, health care “providers”, banks/CUs, et al) to have the burden of demonstrating they weren’t negligent in safeguarding that data and have to pay an annually CPI adjusted amount (starting at $50,000/person, the amount I read a couple of years ago is generally spent in recovering from identity theft) for each security breach. Also be required to publicly disclose (major news media) and contact each person whose data may have been stolen/exposed for every breach. Right now, corporations, et al aren’t required to disclose all breaches. It’s more reasonable to expect corporations, particularly large ones, to provide excellent quality data security, than for individuals (some of whom have neither the knowledge nor the monetary resources to use & keep updated the latest forms of tech security), i.e., “consumers.”
And to forbid the use of contract provisions such as: consumer agrees to mandatory arbitration and forfeiture of their right to participate in class actions against the corporate entity–which is not a standard provision in just about all “consumer” contracts. Thanks to the current right wing/anti-consumer majority on the US Supreme Court. Although it predates the current majority (but Roberts, Scalia, et al wrote the decisions).
You’re right that the federal government needs to do much more to protect consumers’ data. I like the idea of big fines and criminal prosecutions. However, these days with the Republicans and corporations in control of all three branches of government, it will be a miracle if anything gets done.