Top US Consumer Watchdog Has a Plan to Fight Predatory Data Brokers

The CFPB’s idea of using existing US law to regulate data brokers is not novel. In February 2023, a group of consumer-focused nonprofits urged Chopra to enforce the powers the FCRA affords regulators to prevent data brokers from engaging in these potentially damaging practices.

“Protecting the personal information of all people in the US is increasingly urgent in our current political climate,” says Laura Rivera, attorney with Just Futures Law, a nonprofit that supports grassroots activists. “The stakes are too high to continue to let the data broker industry sell our information at their discretion, where the status quo has made it ripe for abuse and targeting from harmful actors.”

In a briefing with WIRED on Monday, CFPB officials declined to comment on whether they believe the regulatory action will be short lived, as president-elect Donald Trump plans to empower a number of Silicon Valley figures to reorganize the federal government with the aim of targeting “waste and fraud.”

Elon Musk, who is coleading an office named after a meme coin—the Department of Government Efficiency, or DOGE—directly attacked the CFPB’s work last week, calling for the agency to be “deleted.” Musk’s remarks followed an attack on the agency’s work by Marc Andreessen, a venture capitalist, who claimed on a recent episode of Joe Rogan’s podcast that the agency is “terrorizing” banking startups.

The CFBP was founded in 2011 with the aim of protecting consumers from the kinds of fraud and abuse that kicked off the 2008 financial crisis.

A CFPB official tells WIRED that the agency is also concerned about data being transmitted in ways that companies allege protects people’s identities but in reality can be “de-anonymized” in simple ways, as studies have repeatedly shown. “As technology advances, we surmise that it will be even easier to de-mask purportedly de-identified data,” one official said. The proposed rule thus includes a range of guidelines for credit reporting agencies involved in selling data they alleged has been de-identified.

Asked whether the proposal would extend to US government agencies, an official says that US law sets forth “very clear pathways” for the government to purchase personally identifying data for law enforcement and intelligence purposes. In a recent case, US Immigration and Customs Enforcement was discovered by reporters to have purchased access to the personal data of Americans in an attempt to investigate immigrants—data acquired by the media conglomerate Thomson Reuters, which it provided to custeroms in contracts the company disclosed were worth more than $100 million. (Thomson Reuters previously denied that the purpose of the data is to track undocumented immigrants and has emphasized that its database does not contain information that normally requires a search warrant to access.)

“We are not disrupting any of those pathways,” a CFPB official says. The agency is requesting comment, however, on the potential impacts of such government purchases to ensure that access is “appropriate.”

Emily Peterson-Cassin, director of corporate power at the nonprofit advocacy group Demand Progress’s Education Fund, commended the CFPB’s proposal and urged the incoming Trump administration to see it through.

“The CFPB is doing something important that will resonate with every single American. Anyone you pick off the street can tell you about the daily scam texts, emails and calls they receive from fraudsters who easily buy our contact information from shady, unaccountable data brokers,” Peterson-Cassin says. “Finally, someone—specifically the CFPB—has stepped in to stop this daily plague affecting hundreds of millions of people by applying real standards to their sale of our sensitive information.”