On Wednesday, March 15, the Consumer Financial Protection Bureau (CFPB) announced an inquiry into data brokers, issuing a “Request for Information Regarding Data Brokers and Other Business Practices Involving the Collection and Sale of Consumer Information.” This request for information (RFI) seeks information about: (1) the data broker market generally, including brokers’ information collection practices, the industry’s effects on consumers, and potential safeguards or controls to regulate data broker activity; and (2) individuals’ experiences in interacting with data brokers. The CFPB intends to use responses to the RFI to inform future rulemaking under the Fair Credit Reporting Act (FCRA). Public comments are due by June 13.

While any issuance by the CFPB of data broker regulations is far from imminent, the Bureau’s RFI is indicative of a growing appetite at both the federal and state levels to bring greater oversight to bear not just on data brokers, specifically, but on commercial uses of personal data more generally — a trend that we have seen on display with recent FTC enforcement actions and rulemaking activities, potential federal privacy legislation, and various state privacy law proposals, to name but a few examples.

In this post, we identify three key takeaways from the CFPB’s data broker RFI. We will continue to provide updates on major developments of federal privacy law and more. To stay updated with our writings on this topic, please subscribe to the WilmerHale Privacy and Cybersecurity Blog.

1. A Growing Appetite for Data Broker Oversight: Data brokers are presently subject to very little federal or state oversight. There are no federal statutes specifically governing data brokers, and only two states (Vermont and California) have enacted data broker laws. The CFPB’s RFI, however, is the latest in a series of developments suggesting that more stringent oversight of these entities may be on the horizon. Last August, for example, the FTC issued an Advance Notice of Proposed Rulemaking (ANPR) requesting public comment regarding harmful commercial surveillance and data security practices, including the role that entities like data brokers play in facilitating such commercial uses of personal data. Nor is the RFI the CFPB’s first foray into regulating issues relevant to consumers’ control over their personal information. Since 2016, for instance, the Bureau has been engaged in the process of developing regulations to implement Section 1033 of the Dodd-Frank Act, which requires that entities offering financial products and services make available to consumers certain information generated through their use of such products and services (e.g., transaction and usage data). In addition to these federal regulatory activities, federal and state legislators have indicated a growing interest in data brokers. For instance, various state comprehensive privacy law proposals put forth in the 2023 legislative session have included data broker-specific provisions, and proponents of federal privacy legislation like the American Data Privacy Protection Act (ADPPA) have highlighted data brokers as a point of concern. Given these developments, the CFPB’s RFI should be viewed as just one part of a broader move towards increased government oversight of data brokers.

2. Market-Level and Individual Inquiries: The RFI includes two categories of requests: (1) “[m]arket-level inquiries” and (2) “[i]ndividual inquiries.” The market-level inquiries broadly aim to understand the data broker industry and how these organizations function, requesting information about, among other things, the types of data that data brokers collect and use, the sources from which data brokers collect personal information, the processes and procedures that data brokers use in handling consumer information, the impact that data brokers have on consumers more broadly, and the efficacy of existing state-level and data broker-internal controls and safeguards. The individual inquiries, meanwhile, focus on consumers’ experiences with data brokers. These inquiries request, for example, information about the harms and benefits that consumers have experienced in their interactions with data brokers, as well as details about consumer attempts to delete, view, or correct personal information held by data brokers.

3. FCRA as a Basis for Data Broker Regulations: The RFI makes clear that the CFPB views FCRA as a viable legal basis for regulating data brokers. That statute applies broadly to consumer reports and consumer reporting agencies, imposing requirements pertaining to the use, dissemination, and accuracy of consumer information held by reporting agencies. The CFPB possesses regulatory authority under FCRA, and the RFI indicates that the Bureau is intent on using it. The RFI highlights, for instance, how both data brokers and traditional consumer reporting agencies share the “fundamental characteristic” of “collect[ing] and sell[ing] personal data.” Moreover, the RFI expressly frames the goals of its requests in relation to FCRA. One goal, the Bureau asserts, is to “help inform the CFPB about new business models that sell consumer data, including information relevant to assessments of whether companies using these new business models are covered by the FCRA.” And the RFI identifies another goal of its inquiries as being to “collect information on consumer harm and any market abuses, including those that resemble harms Congress originally identified in 1970 in passing the FCRA.” The Bureau’s expansive interpretation of its FCRA regulatory authority could signal a broader future role for the CFPB in regulating within the data privacy sphere.