The CFPB is Taking Aim at Data Brokers: Work With Kanary To Get Your Voice Heard
Jun 5, 2023
There's an exciting development happening behind the scenes in our industry: The Consumer Financial Protection Bureau (CFPB) is finally taking a closer look at data brokers.
“Modern data surveillance practices have allowed companies to hover over our digital lives and monetize our most sensitive data” – CFPB Director Rohit Chopra.
If you’ve been a Kanary member, you’re familiar with these brokers. They’re responsible for much of the personal information that we find and remove for members. If you’d like more background on the industry, we recommend this review by the Electronic Privacy Information Center (EPIC).
The CFPB posted a Request for Information (RFI) asking the public and experts alike to weigh in. Our team wanted to provide a brief overview of the RFI, share our perspective on the industry, and explain how you can get involved, either individually or as a part of Kanary’s response.
The CFPB & Data Brokers: The Rules Don’t Reflect Reality
The US Government had an “Oh Sh*t” moment after the 2008 financial crisis. The financial industries took a gamble on Americans' mortgages and it was time to crack down. Into this environment was born the Consumer Financial Protection Bureau. Their jurisdiction includes banks, credit unions, securities firms, payday lenders, mortgage-servicing operations, foreclosure relief services, and debt collectors: anyone who might have a broad impact on the financial health of the American consumer. Because this industry went unchecked for so long, many Americans lost homes, fell into debt, and lost their savings due to unregulated and predatory companies.
Now in 2023, 12 years after its founding, the CFPB is turning its focus to another looming issue impacting consumers' financial security: technology. Algorithms are used to target predatory loans to the vulnerable. Social media is used to falsely advertise investment products to the elderly. The government is realizing it’s time to investigate the private companies that collect our data and control much of the information we consume.
The last major piece of legislation passed related to personal data and financial services was the Fair Credit Reporting Act in 1970 (FCRA). In the 50+ years since this passed, technology has made companies and governments powerful beyond imagination in their ability to collect our information and measure our creditworthiness. Data brokers, the companies that collect, aggregate, and sell your personal information to others, have made many of these powerful algorithms possible. Grappling with regulating a $250 billion data broker industry, the CFPB is asking, “Do the rules from the 1970 FCRA reflect the current market realities?”
It seems like their initial impression is… no. The rules don’t reflect reality.
People have few choices about entering into business or being tracked by companies.
The industry largely operates out of public view.
This data can be sold to influence those making decisions impacting the financial security of Americans like employment, credit, and benefits.
While many brokers include disclaimers that the data they sell and expose cannot be used for any purposes covered by the Fair Credit Reporting Act, there is no traceability and they can't enforce or prevent abuse. It falls under the CFPB's jurisdiction to evaluate whether the information collected by data brokerages could end up affecting employment, housing, or credit decisions.
We Need New Regulation For Data Brokers
Earlier this year, our team had an informal meeting with members of the CFPB. We discussed our data on the failed compliance of most data brokers, the whack-a-mole nature of an “Opt Out” based system, and the stalking, harassment, and discrimination our members face because of these companies. We also highlighted that the source of harmful personal data leaks isn’t always data brokers. Large tech platforms like Google amplify sensitive personal data like home addresses without consent from individuals. Government agencies like the DMV sell registration data to private companies as a revenue stream.
The US has been slow-moving when it comes to protecting personal information. It doesn't help that brokers are spending tens of millions of dollars lobbying against these rules or that many federal agencies have purchased this information, sidestepping a need for probable cause.
While Kanary is building a first line of defense to monitor and clean up leaked personal data, our job would be much easier if the US government enacted a federal-level privacy law. Once a law made clear the rules for personal data protection, then the CFPB and FTC (Federal Trade Commission) could enforce penalties for violations. Until there is a meaningful financial consequence for the companies invading our privacy and ignoring our rights to consent, little will change.
Kanary’s Comments & The RFI, Due Date: July 15, 2023
Our team is drafting a response to the CFPB’s request for comment. Having spent over 5 years battling the industry, we will use the following info in our response:
1. Data on broker-level compliance with consumer data removal requests
2. Details about the convoluted and misleading privacy practices of major data brokers like PeopleConnect
3. Member testimonials (anonymized for privacy) to specify the financial harm these systems cause consumers
For number 3, we need your help. If you’d like to directly comment on the Request for Information, please see the specific links and instructions below. If you’d prefer to anonymously share your story through Kanary, please email our team: [email protected].
The CFPB is accepting public input, due July 15, 2023, to help inform their planned rule-making sessions. The CFPB is interested in hearing about people’s direct experiences with these companies, including when individuals attempt to remove, correct, or regain control of their data.
Here’s the notice on the CFPB site.
Here’s where you can share a formal comment (it’s PUBLIC, don’t share PII!) on regulations.gov.
Here’s where you can read the full RFI PDF (only 13 pages!).
Expectations For Slow Progress
We’re not legal experts, but we understand that the CFPB has rule-making and enforcement authority. In the past, they needed Congress; thank God that’s not how it works anymore. A few rules and updates they’ve made inform what they might do in this case.
Require disclosure of credit scores when they’re used to take an adverse action or in risk-based pricing (aka you should know your credit score if it is negatively impacting you)
Debt collectors can’t sue or threaten to sue to collect a time-barred debt
Shield certain demographic data from underwriters during applications for credit
Prohibit debt collectors from charging consumers pay-to-pay fees (also known as convenience fees) for making a payment in a particular way, such as by telephone or online
You could imagine the CFPB taking any of the rules that apply to consumer reporting agencies and applying them more broadly to data brokers, as they pertain to consumer privacy and fair practice. For example…
Prohibit data brokers from charging consumers to review or opt out of their personal data being used
Prohibit certain demographic, medical, or location data from sale to public or private buyers
Require disclosure of personal data, algorithmic ratings, or profiling (reputation score, income estimation, education level) when used in adverse action, ad targeting, or price discrimination
We can start to paint a picture of what consumer privacy and data rights could look like under the CFPB. As with any government organization, reviews take a long time and lobbyists are paid good money. We’re optimistic and along for the ride, even if we’re going well under the speed limit.
Updated 5/8/23 to reflect the CFPB's new deadline of July 15.